How to stop endpoints from contacting Windows Update after switching from WSUS to Action1

Question:

How can I prevent endpoints from contacting Windows Update service after switching from WSUS to Action1?

I have migrated 50 endpoints and 25 servers from WSUS to Action1 for patch management. I have disabled the previous Windows Update GPOs and deleted the registry keys under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU. I have also enabled the option in Action1 to take control of the Windows updates, which sets the NoAutoUpdate value to 1 in the same registry location.

However, I noticed that the endpoints are still checking in with the Windows Update service, even though nothing has been installed without Action1. The Windows Update settings show the last checked time as today, while the servers show the time when the NoAutoUpdate value was added. I am worried that the endpoints will install patches directly from Microsoft on patch Tuesday.

I have verified that removing some patches did not trigger any installation from Windows Update. The Windows Update operational log shows that the endpoints are contacting Windows every 10 minutes.

Why are the endpoints behaving differently from the servers? How can I stop them from contacting Windows Update service completely? What are the best practices for managing Windows updates in a mixed environment of endpoints and servers?

Any advice would be appreciated.

Thank you.

Answer:

How to prevent endpoints from contacting Windows Update service after switching from WSUS to Action1

If you have migrated your endpoints and servers from WSUS to Action1 for patch management, you may encounter a situation where the endpoints are still contacting the Windows Update service, even though you have disabled the previous Windows Update GPOs and deleted the registry keys under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU. You may also notice that the Windows Update settings show the last checked time as today, while the servers show the time when the NoAutoUpdate value was added. This can cause confusion and concern, as you may worry that the endpoints will install patches directly from Microsoft on patch Tuesday, bypassing the Action1 control.

In this article, we will explain why this happens, how to stop it, and what the best practices are for managing Windows updates in a mixed environment of endpoints and servers.

The endpoints are still contacting the Windows Update service because of a feature called Dual Scan. Dual Scan was introduced in Windows 10 and Windows Server 2016 to allow devices to scan for updates from both WSUS and Windows Update. This feature is enabled by default when you enable the policy “Do not connect to any Windows Update Internet locations” under Computer Configuration > Administrative Templates > Windows Components > Windows Update.

The purpose of Dual Scan is to allow devices to receive updates that are not available on WSUS, such as feature updates, drivers, and Microsoft Store apps. However, this feature can also cause problems when you switch from WSUS to another patch management solution, such as Action1. This is because the devices will still try to scan for updates from Windows Update, even though you have disabled the previous Windows Update GPOs and deleted the registry keys. This can result in unexpected behavior, such as:

  • The devices will show the last checked time as today in the Windows Update settings, even though they are not supposed to contact Windows Update.
  • The devices will display notifications about missing important updates and fixes, even though they are managed by Action1.
  • The devices will download and install updates from Windows Update, if they meet certain criteria, such as being on a metered connection, having a battery level above 40%, and having no user activity for at least 4 hours.
How to stop the endpoints from contacting Windows Update service?

The solution to stop the endpoints from contacting Windows Update service is to disable the Dual Scan feature. There are two ways to do this:

  • Option 1: Disable the policy “Do not connect to any Windows Update Internet locations”. This policy is the one that enables Dual Scan by default. By disabling it, you will prevent the devices from scanning for updates from Windows Update. However, this option also has some drawbacks:
      • The devices will not be able to receive updates that are not available on Action1, such as feature updates, drivers, and Microsoft Store apps.
      • The devices will not be able to use the “Check online for updates from Microsoft Update” link in the Windows Update settings, which can be useful for troubleshooting or manual updates.
      • The devices will not be able to use the “Delivery Optimization” feature, which allows them to share updates with other devices on the same network or the Internet.
  • Option 2: Enable the policy “Disable Dual Scan”. This policy was introduced in Windows 10 version 1607 and Windows Server 2016 to let administrators disable Dual Scan explicitly. By enabling it, you will prevent the devices from scanning for updates from Windows Update, while still allowing them to use the features mentioned above. However, this option has some requirements:
      • The devices must be running Windows 10 version 1607 or later, or Windows Server 2016 or later.
      • The devices must have the latest cumulative update installed, as some earlier versions had bugs that prevented the policy from working correctly.
      • The devices must have the policy “Configure Automatic Updates” enabled and set to “Auto download and notify for install” or “Auto download and schedule the install”. If that policy is disabled, or set to “Notify for download and notify for install” or “Never check for updates”, the policy “Disable Dual Scan” will not work.

To enable the policy “Disable Dual Scan” through Group Policy:

  • Open the Group Policy Management Console on your domain controller or administrative workstation.
  • Create a new GPO or edit an existing one that applies to your endpoints.
  • Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
  • Double-click on the policy “Disable Dual Scan” and set it to “Enabled”.
  • Click “OK” and close the Group Policy Management Console.
  • Run “gpupdate /force” on your endpoints or wait for the next Group Policy refresh cycle.

Alternatively, you can enable the policy “Disable Dual Scan” through the registry:

  • Open the Registry Editor on your endpoints or use a remote registry tool.
  • Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate.
  • Create a new DWORD value named “DisableDualScan” and set its value to “1”.
  • Close the Registry Editor and restart your endpoints.
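The registry steps above, plus the prerequisite check the answer calls out, as an added PowerShell example (this is not code from the original answer or from Action1). It reads the policy values under the WindowsUpdate and AU policy keys, warns where the stated prerequisite for “Disable Dual Scan” is not met (note that the “take control” option described in the question sets NoAutoUpdate to 1, which is the state the answer says prevents the policy from working), writes DisableDualScan=1 only when you drop -WhatIf, and summarises the Windows Update client operational log that the question used to observe the 10-minute check-ins. The value names are the documented Group Policy registry equivalents; the script must run elevated on the endpoint.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Get-WuPolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is "Not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-DualScanState {
    # Snapshot of the policy values that decide whether Dual Scan is in play.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DisableDualScan = Get-WuPolicyValue $WuPolicy 'DisableDualScan'
        NoAutoUpdate    = Get-WuPolicyValue $AuPolicy 'NoAutoUpdate'
        AUOptions       = Get-WuPolicyValue $AuPolicy 'AUOptions'
        UseWUServer     = Get-WuPolicyValue $AuPolicy 'UseWUServer'
        WUServer        = Get-WuPolicyValue $WuPolicy 'WUServer'
    }
}

function Test-DualScanPrerequisites {
    param([pscustomobject]$State)
    $problems = @()
    # The answer states "Disable Dual Scan" only takes effect when "Configure
    # Automatic Updates" is enabled with option 3 (auto download, notify) or
    # 4 (auto download, schedule). NoAutoUpdate=1 means that policy is disabled.
    if ($State.NoAutoUpdate -eq 1) {
        $problems += 'NoAutoUpdate=1: "Configure Automatic Updates" is disabled (this is what the Action1 "take control" option sets)'
    }
    if ($State.AUOptions -notin 3, 4) {
        $problems += "AUOptions=$($State.AUOptions): expected 3 or 4"
    }
    # Leftover WSUS pointer: UseWUServer enabled without a server address.
    if ($State.UseWUServer -eq 1 -and [string]::IsNullOrEmpty($State.WUServer)) {
        $problems += 'UseWUServer=1 but WUServer is empty: stale WSUS configuration'
    }
    return $problems
}

function Set-DisableDualScan {
    # Registry equivalent of enabling the "Disable Dual Scan" policy.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $WuPolicy)) { New-Item -Path $WuPolicy -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($WuPolicy, 'Set DisableDualScan=1 (DWORD)')) {
        New-ItemProperty -Path $WuPolicy -Name 'DisableDualScan' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-RecentWuClientActivity {
    param([int]$Hours = 24)
    # Count Windows Update client events per event ID over the last N hours, with
    # the newest timestamp of each, to see whether the client is still checking in.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count,
                      @{ n = 'Latest';  e = { ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated } }
}

# Usage: audit, warn, then show what would be changed.
$state = Get-DualScanState
$state | Format-List
Test-DualScanPrerequisites -State $state | ForEach-Object { Write-Warning $_ }
if ($state.DisableDualScan -ne 1) { Set-DisableDualScan -WhatIf }   # remove -WhatIf to apply
Get-RecentWuClientActivity -Hours 24 | Format-Table -AutoSize
```

After applying the value, follow the restart step above and run the script again a day later: if the operational log is still filling up at the same rate, the warnings printed by Test-DualScanPrerequisites are the first place to look.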
What are the best practices for managing Windows updates in a mixed environment of endpoints and servers?

The best practices for managing Windows updates in a mixed environment of endpoints and servers depend on your specific needs and preferences. However, some general recommendations are:

  • Use a patch management solution that supports both endpoints and servers, such as Action1. This will allow you to have a centralized and consistent way of deploying and monitoring updates across your devices.
  • Use the policy “Disable Dual Scan” to prevent the endpoints from contacting Windows Update service, while still allowing them to use the features that depend on it. This will avoid confusion and potential conflicts between Action1 and Windows Update.
  • Use the policy “Do not connect to any Windows Update Internet locations” to prevent the servers from contacting Windows Update service, as they usually do not need the features that depend on it. This will reduce the network bandwidth and the risk of unwanted updates.
  • Use the policy “Specify intranet Microsoft update service location” to point the devices to Action1 as the update source, instead of WSUS or Windows Update. This will ensure that the devices receive the updates that are approved and managed by Action1.
  • Use the policy “Configure Automatic Updates” to control how the devices download and install updates. You can choose the option that suits your schedule and preferences, such as “Auto download and notify for install”, “Auto download and schedule the install”, or “Notify for download and notify for install”. You can also use the policy “No auto-restart with logged on users for scheduled automatic updates installations” to prevent the devices from restarting automatically when users are logged on.
  • Use the policy “Defer Windows Updates” to delay the installation of feature updates and quality updates on the devices. This will allow you to test the updates before deploying them to your production environment. You can defer feature updates for up to 365 days and quality updates for up to 30 days.
  • Use the policy “Exclude drivers from Windows quality updates” to prevent the devices from receiving driver updates from Windows Update. This will avoid potential compatibility and performance issues with the drivers that are provided by Action1 or the device manufacturer.
  • Use the policy “Manage preview builds” to control whether the devices can enroll in the Windows Insider Program and receive preview builds of Windows 10. This will allow you to test upcoming features and provide feedback to Microsoft, but it also exposes the devices to potential bugs and instability.
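A way to check the recommendations above across a fleet, as an added PowerShell example (not code from the original answer or from Action1). It reads the registry equivalent of each policy listed above and reports whether it is configured and with what value; a pass/fail status is given only where the text assigns a policy to a role (DisableDualScan=1 on endpoints, DoNotConnectToWindowsUpdateInternetLocations=1 on servers), everything else is reported as information for you to compare against your own baseline. The value names are the documented Group Policy registry equivalents; the script file name used in the remote-execution comment is an assumption.

```powershell
# Added example, not from the original post. Run elevated on one machine, or for a
# fleet:  Invoke-Command -ComputerName <names> -FilePath .\Get-WuPolicyReport.ps1
# (the file name is an assumption; any name works).
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

# Checklist: policy display name, key path, value name, and the value the answer
# above expects per role ($null = report only, no expectation).
$Checklist = @(
    [pscustomobject]@{ Policy = 'Disable Dual Scan';                                Path = $WuPolicy; Name = 'DisableDualScan';                               Endpoint = 1;     Server = $null }
    [pscustomobject]@{ Policy = 'Do not connect to any Windows Update Internet locations'; Path = $WuPolicy; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Endpoint = $null; Server = 1 }
    [pscustomobject]@{ Policy = 'Specify intranet update service location (WUServer)';     Path = $WuPolicy; Name = 'WUServer';                                Endpoint = $null; Server = $null }
    [pscustomobject]@{ Policy = 'Specify intranet update service location (UseWUServer)';  Path = $AuPolicy; Name = 'UseWUServer';                             Endpoint = $null; Server = $null }
    [pscustomobject]@{ Policy = 'Configure Automatic Updates (AUOptions)';               Path = $AuPolicy; Name = 'AUOptions';                               Endpoint = $null; Server = $null }
    [pscustomobject]@{ Policy = 'Configure Automatic Updates (NoAutoUpdate)';            Path = $AuPolicy; Name = 'NoAutoUpdate';                            Endpoint = $null; Server = $null }
    [pscustomobject]@{ Policy = 'No auto-restart with logged on users';                  Path = $AuPolicy; Name = 'NoAutoRebootWithLoggedOnUsers';           Endpoint = $null; Server = $null }
    [pscustomobject]@{ Policy = 'Defer feature updates (days)';                          Path = $WuPolicy; Name = 'DeferFeatureUpdatesPeriodInDays';         Endpoint = $null; Server = $null }
    [pscustomobject]@{ Policy = 'Defer quality updates (days)';                          Path = $WuPolicy; Name = 'DeferQualityUpdatesPeriodInDays';         Endpoint = $null; Server = $null }
    [pscustomobject]@{ Policy = 'Exclude drivers from quality updates';                  Path = $WuPolicy; Name = 'ExcludeWUDriversInQualityUpdate';         Endpoint = $null; Server = $null }
    [pscustomobject]@{ Policy = 'Manage preview builds';                                 Path = $WuPolicy; Name = 'ManagePreviewBuilds';                     Endpoint = $null; Server = $null }
)

function Get-WuPolicyReport {
    param(
        [ValidateSet('Endpoint', 'Server')]
        [string]$Role = 'Endpoint'
    )
    foreach ($item in $Checklist) {
        # Missing key or value means the policy is "Not configured".
        $value = $null
        if (Test-Path $item.Path) {
            $value = (Get-ItemProperty -Path $item.Path -ErrorAction SilentlyContinue).($item.Name)
        }
        $expected = $item.$Role
        $status = if ($null -eq $expected)      { 'Info' }
                  elseif ($value -eq $expected) { 'OK' }
                  else                          { 'Mismatch' }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Policy       = $item.Policy
            ValueName    = $item.Name
            Configured   = ($null -ne $value)
            Value        = $value
            Expected     = $expected
            Status       = $status
        }
    }
}

# Usage: report for this machine as an endpoint; use -Role Server on servers.
Get-WuPolicyReport -Role Endpoint | Sort-Object Status | Format-Table -AutoSize
```

Because the output is objects rather than text, the same call piped to Export-Csv gives a per-machine record you can diff after each Patch Tuesday to confirm that no policy drifted back to its WSUS-era value.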
Conclusion

In this article, we have explained how to prevent endpoints from contacting Windows Update service after switching from WSUS to Action1. We have also provided some best practices for managing Windows updates in a mixed environment of endpoints and servers. We hope that this article has been helpful and informative. If you have any questions or feedback, please feel free to contact us.

Thank you for reading.
