Problem – I get unwanted updates

I’m sure most of you have already read about dual scan with Windows 10?

No? In short, this is what it is all about: even if you configure software updates with Configuration Manager (or WSUS), your clients will still go to Windows Update, ask for Windows updates/upgrades, and install them.

This scenario will happen if you configure – with MDM, group policy settings or registry keys – a combination of the following settings:

  • Specify intranet Microsoft update service location (this is automatically set by ConfigMgr agent through local group policies)
    • Group Policy: Specify intranet Microsoft update service location
    • Registry setting: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer

together with

  • One of the “deferral” policies belonging to Windows Update for Business
    • Group Policy settings (Depending on ADMX versions there may be different naming)
      Select when Preview Builds and Feature Updates are received
      Select when Quality Updates are received
      Select when Feature Updates are received
    • Registry setting: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel,
      DeferFeatureUpdates,
      DeferFeatureUpdatesPeriodInDays,
      DeferQualityUpdates,
      DeferQualityUpdatesPeriodInDays…

So to make this very clear: if you are getting unwanted Windows updates or upgrades even though you have ConfigMgr Software Updates or WSUS configured, you have configured the settings above.

Solve dual scan

So what should be done to get rid of dual scan?

First of all, do not configure the deferral settings.

Windows 10 1709 introduced a new policy called: Do not allow update deferral policies to cause scans against Windows Update

Make sure to enable this!

Or, if you prefer registry settings, use this:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  • DisableDualScan [REG_DWORD] = 1

 

The following builds of Windows support this setting:

  • Windows 10 1709
  • Windows 10 1703 and October cumulative update (OS Build 15063.674)
  • Windows 10 1607 and August cumulative update (OS Build 14393.1593)

If you want this setting as a group policy setting, download the new Windows 10 1709 Administrative Templates and update your policy store; see the post How do you update your Group Policy ADMX files?
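
The checks described in this post as a read-only PowerShell audit (an added example, not part of the original post): it reports whether WUServer and any of the deferral values named above are present under the policy key, whether DisableDualScan is set to 1, and whether the running build is one of those listed as supporting it. The function names are hypothetical, and treating any deferral value that is present as "configured" is an assumption; the build check reads CurrentBuildNumber and UBR from the Windows NT\CurrentVersion key.

```powershell
# Added example (not from the original post). Read-only audit of the local policy key.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Deferral values named in this post; the post's own list ends with an ellipsis.
$DeferralNames = 'BranchReadinessLevel', 'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -ne $prop) { $prop.Value }
}

function Test-DisableDualScanSupported {
    # Builds listed in this post: 1709, 15063.674 (1703), 14393.1593 (1607).
    $cv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int](Get-RegValue $cv 'CurrentBuildNumber')
    $ubr = [int](Get-RegValue $cv 'UBR')
    if ($build -gt 15063) { return $true }   # 1709 or later
    if ($build -eq 15063) { return $ubr -ge 674 }
    return ($build -eq 14393 -and $ubr -ge 1593)
}

function Get-DualScanState {
    $wuServer = Get-RegValue $WuKey 'WUServer'
    # Assumption: a deferral value that is present counts as configured.
    $deferrals = @($DeferralNames | Where-Object { $null -ne (Get-RegValue $WuKey $_) })
    $disabled = (Get-RegValue $WuKey 'DisableDualScan') -eq 1
    $verdict = if (-not $wuServer) {
        'WUServer not set: the combination described in this post does not apply'
    } elseif ($deferrals.Count -eq 0) {
        'WUServer set, no deferral values found: no dual scan trigger'
    } elseif ($disabled) {
        'WUServer and deferral values set, DisableDualScan = 1'
    } else {
        'WUServer and deferral values set, DisableDualScan not enabled: dual scan expected'
    }
    [pscustomobject]@{
        WUServer                 = $wuServer
        DeferralValues           = $deferrals -join ', '
        DisableDualScan          = $disabled
        DisableDualScanSupported = Test-DisableDualScanSupported
        Verdict                  = $verdict
    }
}

Get-DualScanState | Format-List
```

The script only inspects registry-based policy on the local machine; settings delivered through MDM are not covered by it.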

Related sources

Using ConfigMgr with Windows 10 WUfB deferral policies

Windows 10 and Windows Server 2016 update history

Demystifying dual scan

Windows 10 1709 Administrative Templates

How do you update your Group Policy ADMX files?
