Do not allow update deferral policies to cause scans against Windows Update
ConfigMgr / Windows 10 / Windows Update / WSUS

Dual scan or Windows Update for Business with ConfigMgr/Software Updates?

Posted by

Problem – I get unwanted updates

I’m sure most of you already read about dual scan with Windows 10?

No? In short this is what’s it all about. Even if you configure Software Update with Configuration Manager (or WSUS..) your clients will still go to Windows Update and ask for Windows updates/upgrades and install it.

This scenario will happen if you configure – with MDM, group policy settings or registry keys – a combination of the following settings

  • Specify intranet Microsoft update service location (this is automatically set by ConfigMgr agent through local group policies)
    • Group  Policy: Specify intranet Microsoft update service location
      Specify intranet Microsoft update service location
    • Registry setting: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows\WindowsUpdate\WUServer

together with

  • One of the “deferral” policies belonging to Windows Update for Business
    • Group Policy settings (Depending on ADMX versions there may be different naming)
      Select when Preview Builds and Feature Updates are received
      Select when Quality Updates are received
      Select when Feature Updates are received
      Deferral policies belonging to Windows Update for Business
    • Registry setting: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows\WindowsUpdate\BranchReadinessLevel,
      DeferFeatureUpdates,
      DeferFeatureUpdatesPeriodInDays,
      DeferQualityUpdates,
      DeferQualityUpdatesPeriodInDays…

 

So to make this very clear, if you are getting unwanted Windows updates or upgrades even if you have ConfigMgr Software Updates or WSUS configured – You have configured the settings above.

Solve dual scan

So what should be done to get rid of dual scan?

First of all do not configure the deferral settings

Deferral policies belonging to Windows Update for Business

 

With Windows 10 1709 there came a new policy called: Do not allow update deferral policies to cause scans against Windows Update

Do not allow update deferral policies to cause scans against Windows Update

Make sure to enable this!

Or if you prefer registry settings, use this

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows\WindowsUpdate
  • DisableDualScan [REG_DWORD] = 1

 

The following builds of Windows do support this setting

  • Windows 10 1709
  • Windows 10 1703 and October cumulative update (OS Build 15063.674)
  • Windows 10 1607 and August cumulative update (OS Build 14393.1593)

If you want this setting as a group policy setting, download the new Windows 10 1709 Administrative Templates and update your policy store, see post How do you update your Group Policy ADMX files?

Related sources

Using ConfigMgr with Windows 10 WUfB deferral policies

Windows 10 and Windows Server 2016 update history

Demystifying dual scan

Windows 10 1709 Administrative Templates

How do you update your Group Policy ADMX files?

One comment

  1. Hi the information on this blog is just amazing it keeps us coming back time and time again ,personally i met my wife using this site so i couldnt love it any more i have done my best to promote this blog as i feel that others need to see this thang ,cheers for all your effort spent in making this fabulous site !

    Cloud Migration

    Like

    Reply

Leave a comment

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.