Migrating from WSUS to Action1: How to Avoid Unwanted Updates from Windows Update Service on Your Endpoints

Question:

I have migrated 50 endpoints and 25 servers from WSUS to Action1 for patch management. I have disabled the previous Windows updates GPOs and deleted the Windows Update reg keys on all machines. I have also enabled the setting in Action1 to take control of the Windows updates, which sets the NoAutoUpdate value to 1 in the reg keys. However, I have noticed that the endpoints are still checking in with the Windows Update service, while the servers are not. Nothing has been installed from the Windows Update service, but I am worried that it might happen in the future. Why are the endpoints behaving differently from the servers, and how can I prevent them from checking in with the Windows Update service? Thank you for your assistance.

Answer:

How to Stop Endpoints from Checking in with Windows Update Service after Migrating to Action1

If you have migrated your endpoints and servers from WSUS to Action1 for patch management, you might encounter a situation where the endpoints are still checking in with the Windows Update service, while the servers are not. This can cause confusion and anxiety, as you might worry that the Windows Update service will install unwanted patches on your endpoints. In this article, we will explain why this happens and how to prevent it.

The endpoints are still checking in with the Windows Update service because of a feature called dual scan. Dual scan allows devices to scan for updates from both the Windows Update service and a local update source, such as WSUS or Action1. It is enabled by default on devices that are managed by Windows Update for Business (WUfB), which is a set of policies that control how and when updates are delivered to devices.

Dual scan is intended to provide devices with the latest updates and features from Microsoft, while still allowing administrators to control the deployment of critical and security updates from a local source. However, dual scan can also cause some issues, such as:

  • Conflicting update policies: If the Windows Update service and the local update source have different update policies, such as deferment periods or quality levels, the device might receive conflicting signals on when to install updates.
  • Unwanted feature updates: If the Windows Update service offers a feature update that is not approved by the local update source, the device might install the feature update without the administrator’s consent.
  • Increased network traffic: If the device scans for updates from both the Windows Update service and the local update source, it might consume more bandwidth and resources than necessary.

How to prevent the endpoints from checking in with the Windows Update service?

To prevent the endpoints from checking in with the Windows Update service, you need to disable the dual scan feature on the endpoints. There are two ways to do this:

  • Using Group Policy: You can use the Group Policy setting "Do not allow update deferral policies to cause scans against Windows Update" under Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business. This setting will prevent the device from scanning the Windows Update service if it has a local update source configured.
  • Using Registry: You can use the registry value DisableDualScan under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate. This value will prevent the device from scanning the Windows Update service if it has a local update source configured.

To apply either of these methods, you need to do the following steps:

    1. Stop the Windows Update service on the endpoints. You can do this by going to Start > Run and typing services.msc. Then, find the Windows Update service, right-click on it and choose Stop.

    2. Apply the Group Policy setting or the registry value on the endpoints. You can use Action1 to deploy the setting or the value to multiple endpoints at once.

    3. Restart the Windows Update service on the endpoints. You can do this by going to Start > Run and typing services.msc. Then, find the Windows Update service, right-click on it and choose Start.

    After doing these steps, the endpoints should stop checking in with the Windows Update service and only receive updates from Action1.
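
The three steps above in PowerShell, using the registry method, as an added example that is not part of the original article or Action1's tooling. It assumes DisableDualScan is a DWORD set to 1 (the article names the value but not its data) and that NoAutoUpdate sits in the AU subkey; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the Windows Update policy values, then apply DisableDualScan.
# Assumption: DisableDualScan is a DWORD with data 1 (the article gives only the name).

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'   # assumption: NoAutoUpdate is stored in this subkey

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WuPolicyState {
    # One row per machine, suitable for collecting across endpoints and servers.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DisableDualScan = Get-PolicyValue $WuKey 'DisableDualScan'
        NoAutoUpdate    = Get-PolicyValue $AuKey 'NoAutoUpdate'
        ServiceStatus   = (Get-Service -Name wuauserv).Status
    }
}

function Set-DisableDualScan {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-WuPolicyState
    if ($before.DisableDualScan -eq 1) { return $before }   # already set, leave the service alone

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set DisableDualScan=1 and restart wuauserv')) {
        # Step 1: stop the Windows Update service.
        Stop-Service -Name wuauserv -Force
        try {
            # Step 2: recreate the policy key if the earlier cleanup deleted it, then write the value.
            if (-not (Test-Path $WuKey)) { New-Item -Path $WuKey -Force | Out-Null }
            New-ItemProperty -Path $WuKey -Name 'DisableDualScan' -Value 1 -PropertyType DWord -Force | Out-Null
        }
        finally {
            # Step 3: start the service again even if the registry write failed.
            Start-Service -Name wuauserv
        }
    }
    Get-WuPolicyState   # state after the change, for the deployment log
}

Set-DisableDualScan -WhatIf   # preview only; remove -WhatIf to apply
```

Running `Get-WuPolicyState` on one endpoint and one server before the change shows whether the two groups actually differ in these values, which is the discrepancy the question describes.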

Conclusion

In this article, we have explained why the endpoints are still checking in with the Windows Update service after migrating to Action1, and how to prevent it by disabling the dual scan feature. By doing so, you can ensure that your endpoints are only updated by Action1, and avoid any potential issues caused by dual scan. We hope this article was helpful and informative. If you have any questions or feedback, please feel free to contact us. Thank you for using Action1.
