0

I have a Windows domain that, at one time, used a WSUS server.

This setup wasn't well maintained, and I wanted to stop using it.

I removed the GPO, but it seems that many machines still think the domain: "specifies target server to host updates"

How can I get the Windows 10 fleet to use normal, default Windows updates?

Windows Upgrade Assistant successfully moves the machine to a current patch level, but the machines in question continue NOT looking to MS for updates.

user145837
  • Try a GPO with the "Intranet Microsoft Update Service Location" set to Disabled. You may also need to disable some of the other settings to get everything back to normal. Or I guess you could use group policy preferences to delete the relevant registry key, which is `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` – Harry Johnston Dec 13 '19 at 23:58
  • ... if you go the latter route, make sure you don't have any other group policy anywhere that is trying to configure Windows Update. If two group policies are fighting, one creating registry entries and the other one deleting them, you could wind up with confusing behaviour. :-) – Harry Johnston Dec 14 '19 at 00:00
  • @HarryJohnston I will try that out and report back. Thanks! – user145837 Dec 15 '19 at 03:20

2 Answers

3

Here's how I eventually got the hard-core non-updating Windows 10 machines back to normal.

  • Restart
  • Log in as a local administrator
  • Stop Windows Update and Background Intelligent Transfer services
  • Clear out `c:\windows\softwaredistribution\`
  • Clear out `c:\windows\system32\grouppolicy`
  • `gpupdate /force`
  • Restart

In SOME cases, the Windows 10 Update Assistant would at least bump up the current patch level, in some cases not.

user145837
0

"Windows Server 2016 not updating through WSUS" discusses where the Server 2016 install would not talk to WSUS. I'm referencing it because of the GPO setting Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off access to all Windows Update features.

If that's on somewhere else in GPO, it needs to be turned off. Note that it's not in the Windows Update section of Administrative Templates, but rather System > Internet Communication Management, and so might not necessarily have been included in your old WSUS GPO(s).

After that, for testing purposes, pick a server to work on, export (for backup) `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, delete the registry key, `gpupdate /force`, then:

```powershell
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService
```

If you are still pointing at a WSUS server, then I recommend `gpresult /h c:\gpresult.htm` and looking through the first section labeled Computer Details to determine if anything is still coming through on the Windows Update section. If the policy is still there, you could be looking at a DFS replication issue that isn't pulling your GPO changes across the DCs.

C C
    I did update the GPO and gpupdate machines, and even manually checked the registry. It turned out in some cases it was necessary to nuke `c:\windows\softwaredistribution\` even after all that to get machines back to a normal state. – user145837 Jan 28 '20 at 17:27
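
A read-only check for the state the second answer describes, added here as an example and not taken from either answer: it reports what is still set under the Windows Update policy key and which update service the client treats as its default. The value names `WUServer`, `WUStatusServer`, `UseWUServer` and `DisableWindowsUpdateAccess` are the ones the Windows Update policies write and do not appear on the page; `Get-PolicyValue` is a hypothetical helper name.

```powershell
# Added example: audit leftover WSUS policy on one machine. Makes no changes.
# Run in an elevated PowerShell session on the affected client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    # Hypothetical helper: returns $null when the key or value is absent,
    # which is what an unconfigured policy looks like.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = [ordered]@{
    PolicyKeyPresent           = Test-Path -LiteralPath $wuKey
    WUServer                   = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer             = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer                = Get-PolicyValue $auKey 'UseWUServer'
    DisableWindowsUpdateAccess = Get-PolicyValue $wuKey 'DisableWindowsUpdateAccess'
}

# Same COM query as in the answer, narrowed to the service marked as default.
$musm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$default = $musm.Services | Where-Object { $_.IsDefaultAUService }
$report['DefaultAUService'] = $default.Name

[pscustomobject]$report | Format-List

# Flag the two conditions that keep a client away from Microsoft's update service.
if ($report.UseWUServer -eq 1 -and $report.WUServer) {
    Write-Warning "Policy still points this machine at WSUS server $($report.WUServer)."
}
if ($report.DisableWindowsUpdateAccess -eq 1) {
    Write-Warning "'Turn off access to all Windows Update features' is still applied."
}
if (-not $report.PolicyKeyPresent) {
    "No Windows Update policy key present; the client is not policy-bound to WSUS."
}
```

If a warning persists after `gpupdate /force`, the `gpresult /h` report from the answer shows which GPO is still writing the value.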