Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • The unholy mess that has emerged from Win10 WSUS Dual Scan

    Posted on April 16th, 2018 at 07:42 woody Comment on the AskWoody Lounge

    Those of you who just go about your business with Windows don’t need to worry. But the folks who are in charge of Windows Update servers should be conversant with the, uh, nuances of a feature called Dual Scan.

    Dual Scan first came to my attention back in July last year when Win10 1607 machines with “Defer feature updates” set were suddenly getting pushed onto 1703. As I said back then:

    one of the warnings I found surprising goes like this: If you have “Defer feature updates” checked on your machines, that setting triggers a dual-scan mode, where those machines will look for updates both through WSUS and directly through Windows Update — even if they are behind WSUS.

    which, to me, was a bit of dirty pool. Dirty almost-undocumented pool.

    Last Friday, we got a whole bunch of documentation in a Technet article called Windows 10 Updates and Store GPO behavior with DualScan disabled and SCCM SUP/WSUS managed. If you think that’s a mouthful, take a look at the chart that clarifies what’s up with the GPOs surrounding updates on machines that are attached to an update server.

    Do you think they could make this a bit more complicated?

    Just asking for a friend….

    If that helped, take a second to support AskWoody on Patreon

    Home Forums The unholy mess that has emerged from Win10 WSUS Dual Scan

    Tagged: ,

    This topic contains 11 replies, has 12 voices, and was last updated by  MrJimPhelps 4 months ago.

    • Author
      Posts
    • #185021 Reply

      woody
      Da Boss

      Those of you who just go about your business with Windows don’t need to worry. But the folks who are in charge of Windows Update servers should be con
      [See the full post at: The unholy mess that has emerged from Win10 WSUS Dual Scan]

      4 users thanked author for this post.
    • #185023 Reply

      Microfix
      AskWoody MVP

      KISS for MS?  (for those unfamiliar with forumspeak k.i.s.s = keep it simple stupid) 🙂

      | 2x Group A- W8.1x64 | Group A+ Linux x64 Hybrid | Group B W7x64 Pro | Group W XP Pro
        No problem can be solved from the same level of consciousness that created IT - AE
      2 users thanked author for this post.
    • #185031 Reply

      anonymous

      I love this snippet at the bottom of that article:
      “Things might change with the soon to be release Win10 1803 Release.”

      Thanks Microsoft. As it wasn’t difficult enough to keep our WSUS controlled workstations in a working condition…

      1 user thanked author for this post.
    • #185088 Reply

      Jan K.
      AskWoody Lounger

      *franticly waves raised arm*

      Me, Sir!

      Sir! Sir, I know, Sir!

      Do you think they could make this a bit more complicated?

      Yes.

      Yes, I think they can.

      3 users thanked author for this post.
    • #185107 Reply

      OscarCP
      AskWoody Lounger

      My PC runs Windows 7 and here I am, reading about yet more Win 10 big problems, feeling unusually smug, for a change. How very strange.

      The Patch Lady’s List shows nothing bad, so far, with Win 7 patches, neither  have I heard elsewhere of any serious problems with them  — yet.

      So far this month, there are no new monsters, the likes of Specter, Meltdown, etc., scary enough to make one consider patching in a hurry, with much preliminary agonizing over it.

      So now I can wait, in unaccustomed tranquility, and wish you all the very best of luck.

      Group B, Win 7 Pro SP1 x64.

      1 user thanked author for this post.
    • #185121 Reply

      ch100
      AskWoody MVP

      Those forum members who understand this stuff and use Windows 10 Pro could take an idea or two from this table even if not using a managed environment.
      Thanks for posting Woody!
      Very valuable information. 🙂

      1 user thanked author for this post.
    • #185149 Reply

      PerthMike
      AskWoody Lounger

      You know things are <bleep> when you have to put in firewall rules to specifically block workstations from going direct to Microsoft servers despite all the settings you’ve put in place.

      No matter where you go, there you are.

    • #185231 Reply

      tommyb0y
      AskWoody Lounger

      This answers many of my “What the heck?!? Why is this 2016 server auto updating when it’s pointed to WSUS” questions.

      Thanks for posting about this.

      • This reply was modified 4 months ago by  PKCano.
      • This reply was modified 4 months ago by  PKCano.
      • This reply was modified 4 months ago by  tommyb0y. Reason: Fixed content, per rules
      • This reply was modified 4 months ago by  tommyb0y.
    • #185253 Reply

      millia
      AskWoody Lounger

      Of course, this presumes that workstations can update drivers from WSUS as they’re supposed to. I think it only works on about 10% of my machines.

    • #185280 Reply

      lawrenceB
      AskWoody Lounger

      Thank you for this post.  We’re a Windows 7 shop, trying to get a handle on pushing Windows 10 security updates (but not feature/version updates) through WSUS.

      What a mess!

    • #185300 Reply

      NetDef
      AskWoody Lounger

      That chart is . . .  hideous . . .  And it fails to illuminate some well known GPO conflicts that produce unexpected behaviors.  The SBS Diva explained it perfectly in her recent post at

      https://www.askwoody.com/2018/patch-lady-no-its-not-wsuss-fault/

      Microsoft is hiring the wrong technical documentation writers! Still . . .

      1 user thanked author for this post.
    • #185512 Reply

      MrJimPhelps
      AskWoody MVP

      Rather than spending a huge amount of time trying to make sense of this intentional mess, I’m going to spend that time figuring out the final few Linux issues I am having. I would much rather invest my time in me than in Microsoft.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      1 user thanked author for this post.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: The unholy mess that has emerged from Win10 WSUS Dual Scan

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: