
I am gradually installing Windows 10 in an environment where users hate Windows 10. So, everything has to go perfect.

This environment already used WSUS to deliver updates to Windows 7 and Windows 8.1 computers, as well as Windows Server 2008 R2 and Windows Server 2012 R2 servers. There was not a single problem.

Then, I deployed Windows 10 1703 on three computers. And now, each month it is giving me migraine! Windows 10 computers circumvent WSUS and download the update straight from the Internet, especially updates that I have not tested or approved, which pretty much defeats the purpose of having a WSUS.

I tried:

  • Disabling delivery optimization using the group policy
  • Increasing the grace period
  • Forcing group policy updates on those computers time and again
  • Running Windows Update troubleshooter
  • Clearing the Windows Update cache (SoftwareDistribution)
  • Running Disk Cleanup and choosing "Windows Update Cleanup" (8 GB was cleaned)

Here are my client settings:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
"WUServer"="http://evolution-pit:8530"
"WUStatusServer"="http://evolution-pit:8530"
"UpdateServiceUrlAlternate"=""
"SetActiveHours"=dword:1
"ActiveHoursStart"=dword:8
"ActiveHoursEnd"=dword:12
"DeferFeatureUpdates"=dword:1
"BranchReadinessLevel"=dword:20
"DeferFeatureUpdatesPeriodInDays"=dword:b4
"PauseFeatureUpdatesStartTime"=""
"DeferQualityUpdates"=dword:1
"DeferQualityUpdatesPeriodInDays"=dword:f
"PauseQualityUpdatesStartTime"=""
"DoNotConnectToWindowsUpdateInternetLocations"=dword:1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:0
"AUOptions"=dword:4
"AutomaticMaintenanceEnabled"=dword:1
"ScheduledInstallDay"=dword:0
"ScheduledInstallTime"=dword:11
"AllowMUUpdateService"=dword:1
"UseWUServer"=dword:1
"EnableFeaturedSoftware"=dword:0
  • I assume your WSUS server fulfills the [requirements](https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wsus#requirements-for-windows-10-servicing-with-wsus)...? – Daniel B Jan 08 '18 at 11:29
  • Yeah. An update that supersedes KB3095113 and KB3159706 is installed. All Windows 10 clients report to WSUS and properly inventory their configurations. Even they download from WSUS. But they also download from the Internet, which I don't want. –  Jan 08 '18 at 11:42
  • There is supposedly a GPO setting called [“Do not connect to any Windows Update Internet locations”](https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#do-not-connect-to-any-windows-update-internet-locations). Do you have that enabled? – Daniel B Jan 08 '18 at 11:49
  • Yes. It only disables the link that allows me to manually circumvent Windows Update on a case-by-case basis, as well as Windows Store. –  Jan 08 '18 at 12:06
  • Could there be a conflict in the policies? You may want to run a GPResult report. – Davidw Jan 09 '18 at 04:17
  • @Davidw I do that quite often. (And I posted the actual policy effect on the Registry above, so any conflict would be visible in it.) As I said, it is a pilot deployment, so the policy set is extremely simple. One GPO called "WSUS vanilla" is in charge of setting all Windows Update settings for these clients. Windows 7 and 8.1 clients behave normally in its presence. Therefore, I don't think it is a server or policy issue at all. Rather, I believe it is a quirk of Windows 10 that must not be. –  Jan 09 '18 at 06:03
  • Maybe I should delay the deployment until Update 1803 is out. (What are they calling it? "Destroyers Update"?) –  Jan 09 '18 at 06:08

2 Answers


Thank you for your question. It makes me feel that I'm not the only one who is in pain since the inception of Windows 10!

The solution is very simple: Ensure that your copy of Windows 10 1703 does not have any of the following value names listed under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:

(These value names are checked against WindowsUpdate.admx for Windows 10 version 1703.)

 DeferFeatureUpdates
 DeferFeatureUpdatesPeriodInDays
 DeferQualityUpdates
 DeferQualityUpdatesPeriodInDays
 PauseFeatureUpdatesStartTime
 PauseQualityUpdatesStartTime
 ExcludeWUDriversInQualityUpdate

Quoting further from the same article "Why WSUS and SCCM managed clients are reaching out to Microsoft Online":

What just happened here? Aren’t these update or upgrade deferral policies?

Not in a managed environment. These policies are meant for Windows Update for Business (WUfB).

Windows Update for Business aka WUfB enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service.

We also recommend that you do not use these new settings with WSUS/SCCM.

If you are already using an on-prem solution to manage Windows updates/upgrades, using the new WUfB settings will enable your clients to also reach out to Microsoft Update online to fetch update bypassing your WSUS/SCCM end-point.

To manage updates, you have two solutions:

  1. Use WSUS (or SCCM) and manage how and when you want to deploy updates and upgrades to Windows 10 computers in your environment (in your intranet).
  2. Use the new WUfB settings to manage how and when you want to deploy updates and upgrades to Windows 10 computers in your environment directly connecting to Windows Update.

— Rasheed, Shadab (9 January 2017) "Why WSUS and SCCM managed clients are reaching out to Microsoft Online". Windows Server Blog. Microsoft Corporation

Be advised that this article's list of Registry value names has typos. Use the value names given above instead.

Run5k
Am_I_Helpful
  • Alright. I am starting verification. First problem: The listed registry value names are wrong. I am going to find out their correct version. But `DeferFeatureUpdate` must be `DeferFeatureUpdates`. I'll edit the answer to reflect this when I am done. –  Jan 13 '18 at 05:20
  • One system has started behaving! :) Hooray. Let's see what other systems do. I've approved an Adobe Flash update today. –  Jan 15 '18 at 09:41
  • @FleetCommand - Cheers, Good Luck for the future endeavour. :) – Am_I_Helpful Jan 15 '18 at 12:24
  • Of the four pilot computers, three have started behaving. One is still connecting to the Internet. So, I am giving your answer the green check-mark. Now, I must go about finding what's wrong with the last one. –  Jan 16 '18 at 12:47
  • @FleetCommand - I don't want to repeat the same line that I've added at the top of my answer (you know how good their product is)! It's just that you'd have to take extra pain to find out the culprit. But, I'm very sure once you make the necessary changes as described here, it'll do the desired job. Good Luck once again, :) – Am_I_Helpful Jan 16 '18 at 13:03
  • I fixed that last computer too. I disconnected it from the network, deleted the whole `Policies\Microsoft\Windows\WindowsUpdate` key, and nudged Windows Update in the ribs until it acknowledged a policy change. Then, I went on and reset every single Windows Update setting to default. Next, I enabled the network connection with no gateway settings (so it won't connect to the Internet) and applied the policy. Finally... Windows Update logs say WSUS is the default service. –  Feb 07 '18 at 07:44
  • @FleetCommand - Cheers Friend. :) – Am_I_Helpful Feb 07 '18 at 07:52
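An added example, not from the answer or from Microsoft: an elevated PowerShell script that audits a WSUS-managed Windows 10 client for the seven WUfB value names listed above (the ones that trigger Dual Scan), optionally deletes them, and confirms the client is still pointed at WSUS via UseWUServer and WUServer. The `-Remove` switch and the output wording are this example's own.

```powershell
# Added example (not from the original post): audit a Windows 10 client for the
# WUfB deferral values that make a WSUS-managed machine Dual Scan against
# Windows Update online. Run elevated; pass -Remove to delete the offending values.
[CmdletBinding()]
param([switch]$Remove)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Value names from WindowsUpdate.admx (1703) that must be absent on WSUS clients
$wufbValues = @(
    'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
    'PauseFeatureUpdatesStartTime', 'PauseQualityUpdatesStartTime',
    'ExcludeWUDriversInQualityUpdate'
)

if (-not (Test-Path $wuKey)) {
    Write-Warning "No WindowsUpdate policy key found at $wuKey"
    return
}

$props = Get-ItemProperty -Path $wuKey
# Keep only the names that actually exist as values under the key
$found = $wufbValues | Where-Object { $null -ne $props.PSObject.Properties[$_] }

if ($found) {
    foreach ($name in $found) {
        Write-Host ("Dual Scan trigger present: {0} = {1}" -f $name, $props.$name)
        if ($Remove) {
            Remove-ItemProperty -Path $wuKey -Name $name
            Write-Host "  removed $name"
        }
    }
} else {
    Write-Host 'No WUfB deferral values present; Dual Scan should not be triggered.'
}

# Sanity check: the client must still be told to use the intranet WSUS server
$au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }
if ($au -and $au.UseWUServer -eq 1 -and $props.WUServer) {
    Write-Host "WSUS target: $($props.WUServer) (UseWUServer=1)"
} else {
    Write-Warning 'UseWUServer is not 1 or WUServer is unset; the client will scan Windows Update online.'
}
```

If the values are delivered by a GPO (the "WSUS vanilla" GPO in the question), the next gpupdate will recreate them, so remove the deferral settings from the GPO itself rather than only from the client.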

Dual Scan - this is the reasoning behind it ... such a pain. Fixed in our environment. https://batchpatch.com/deciphering-dual-scan-behavior-in-windows-10

sean