How to stop dual scan?

  • Question

  • I want to get updates only from WSUS.

    But when I watch the Windows Update log,
    there are a lot of log entries like the one below.

    2018/01/15 09:04:36.1520630 7364  6424  SLS             [0]1CC4.1918::01/15/2018-09:04:36.152 [sls]Making request with URL HTTPS://sls.update.microsoft.com/SLS/{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}/x64/10.0.15063.0/0?CH=796&L=ja-JP&P=&PT=0x30&WUA=10.0.15063.726&MK=Dell+Inc.&MD=XPS+13+9350

    My computer downloaded from Windows Update.

    My WSUS registry settings are below.

    Is there any mistake?

    Please help me, and sorry about my terrible English.

    Monday, January 15, 2018 2:02 AM

Answers

  • Hi khmbt,

    Enable "Do not connect to any Windows Update Internet locations" policy through Group Policy.

    Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update ->Do not connect to any Windows Update Internet locations

    • Marked as answer by khmbt Thursday, January 18, 2018 1:56 AM
    Monday, January 15, 2018 4:31 AM
  • Hello kmbt,

    If you're getting this error for Win 10,

    please refer to this:

    http://blog.tofte-it.dk/wsus-windows-10-clients-error-0x8024500c/

    Additionally, use these guidelines to troubleshoot WSUS.

    1. Check whether the WSUS service is in running status or not. Then stop and restart the WSUS service on the WSUS client PC.
    2. Check whether the relevant group policy settings are applied or not.

    Open cmd and run: gpresult /r and rsop.msc

    3. Check availability of registry settings.

    HKLM->Software->Policies->Microsoft->Windows->WindowsUpdate


    4. Make sure the WSUS client can see the WSUS website by navigating to:

    http://(Name Of WSUS Server):8530/Selfupdate/iuident.cab and make sure you can open/download the file


    5. View proxy configuration on the WSUS client
    Open cmd and run:
    i. netsh winhttp show proxy
    ii. netsh winhttp import proxy source=ie

    6. Open cmd and run the ‘wuauclt /detectnow’ command

    7. Check the WSUS log file in the path below for errors
    c:\windows\WindowsUpdate.log

    8. Sometimes imaging a machine (or cloning a VM) keeps its unique update ID.
    If this happens, then the first machine with this ID to register gets listed, and all the rest do not. To find out if this is the problem,
    i. Locate and stop the WSUS service on the affected client.
    ii. Open Registry Editor and navigate to:
    HKLM->Software->Microsoft->Windows->CurrentVersion->WindowsUpdate

    iii. Delete the SusClientID entry.
    iv. Restart the WSUS service and run the commands below.
    Wuauclt /resetauthorization /detectnow
    Wuauclt /reportnow


    • Proposed as answer by Elton_Ji Tuesday, January 16, 2018 5:24 AM
    • Marked as answer by khmbt Thursday, January 18, 2018 12:59 AM
    Monday, January 15, 2018 8:11 AM

All replies

  • On 15.01.2018, khmbt wrote:

    But when I watch the Windows Update log,
    there are a lot of log entries like the one below.

    2018/01/15 09:04:36.1520630 7364  6424  SLS             
    [0]1CC4.1918::01/15/2018-09:04:36.152 [sls]Making request with URL HTTPS://sls.update.microsoft.com/SLS/{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}/x64/10.0.15063.0/0?CH=796&L=ja-JP&P=&PT=0x30&WUA=10.0.15063.726&MK=Dell+Inc.&MD=XPS+13+9350

    My computer downloaded from Windows Update.


    <https://social.technet.microsoft.com/Forums/getfile/1213663>

    There are three entries for your WSUS:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    UpdateServiceUrlAlternate
    http://WSUS:8530

    Set the 3rd entry too, restart the clients/server and it will work.

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    Monday, January 15, 2018 6:02 AM
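
As an added example (not part of any post in this thread), the following PowerShell reads the policy key named above and reports the state of the WSUS location entries and of the two policies mentioned in this thread. The value names `UseWUServer`, `DisableDualScan` and `DoNotConnectToWindowsUpdateInternetLocations` do not appear in the thread; they are the registry names of those settings, and the function names are made up for this example.

```powershell
# Added example, not from the thread. UseWUServer lives in the AU subkey;
# the client only uses WUServer when UseWUServer is 1.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Read-WuPolicy {
    # Collect value name -> data from the policy key and its AU subkey.
    $values = @{}
    foreach ($path in $WuKey, "$WuKey\AU") {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $values[$_.Name] = $_.Value }
        }
    }
    $values
}

function Test-WuPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $urlValues  = 'WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate'
    $flagValues = 'UseWUServer', 'DisableDualScan', 'DoNotConnectToWindowsUpdateInternetLocations'
    foreach ($name in $urlValues + $flagValues) {
        $value = $Policy[$name]
        if ($null -eq $value) {
            $state = 'NotSet'
        } elseif ($name -in $flagValues) {
            $state = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
        } elseif ($value -match '^https?://[^/\s]+') {
            $state = 'Set'
        } else {
            $state = 'InvalidUrl'
        }
        [pscustomobject]@{ Setting = $name; Value = $value; State = $state }
    }
}

# Constructed sample (server URL as in the post above).
# On a client, run instead: Test-WuPolicy -Policy (Read-WuPolicy)
$sample = @{
    UseWUServer     = 1
    WUServer        = 'http://WSUS:8530'
    WUStatusServer  = 'http://WSUS:8530'
    DisableDualScan = 1
}
Test-WuPolicy -Policy $sample | Format-Table -AutoSize
```

With the constructed sample, `UpdateServiceUrlAlternate` and `DoNotConnectToWindowsUpdateInternetLocations` are reported as `NotSet`.
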
  • Thank you for your reply.

    If I enable the policy, the error below will occur.

    0x8024500c


    Monday, January 15, 2018 7:22 AM
  • Hi,

    >>If i enable the policy, a below error will occur.

    >>0x8024500c

    First, I'd suggest you check if that WSUS server works well.

    I mean, you may try to build a new WSUS server and connect that client to the new WSUS server to check if these policies ("Do not connect to any Windows Update Internet locations" and "Do not allow update deferral policies to cause scans ...") work.

    Best Regards,

    Elton

    Monday, January 15, 2018 8:17 AM
  • Hello MAUKP,

    Thanks for your reply.

    I am trying this (I think the other settings are OK) → http://blog.tofte-it.dk/wsus-windows-10-clients-error-0x8024500c/

    It seems to be working. Thank you.

    But how can I understand that dual scan is blocked?
    I have been using the "Get-WindowsUpdateLog" command and checking for Windows Update site entries in the Windows client log file.

    Is that OK, if there aren't any Windows Update (.com) log entries and there are WSUS log entries?

    • Proposed as answer by Elton_Ji Tuesday, January 16, 2018 7:33 AM
    Tuesday, January 16, 2018 1:13 AM
  • Hi Elton.

    Thank you for your reply.

    There is no problem with WSUS working.

    I think that the client (Win 10 v1703) has a problem.

    Tuesday, January 16, 2018 1:24 AM
  • >>Hi Elton.

    >>Thank you for your reply.

    >>There is no problem with WSUS working.

    >>I think that the client (Win 10 v1703) has a problem.

    It's a configuration issue, usually by GPO to PREVENT Windows from upgrading (people trying to control rather than understanding the way MS has moved to SaaS (WaaS)).

    From an Admin command prompt on an affected computer, run

    gpresult /h gpo.html

    Post the results file via pastebin and 9 times out of 10 it's a policy setting that is not within the 'Windows Update' section as it doesn't have to do with 'Windows Update' directly, but rather indirectly.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Tuesday, January 16, 2018 3:35 AM
  • Hi khmbt,

    You can check from the update log also...

    Anyway, you can use a network monitoring tool (https://www.telerik.com/download/fiddler) to verify where the update source is while the client is getting updates.

    Tuesday, January 16, 2018 4:33 AM
  • No, to our knowledge and after 2 weeks of research, that's wrong and produces ANOTHER error:

    Do not connect to any Windows Update Internet locations. If you ENABLE that you get another error.

    Wednesday, July 18, 2018 12:51 PM
  • I've been having fun over the last couple of weeks with what I believe to be Dual scan.

    In our estate we have a mixture of 1607, 1703, and 1709 Windows 10 clients. We have the following 2 problems:

    Problem 1:  We noticed that when building a bare metal machine from an SCCM task sequence with the software updates steps in it that it would just time out after an hour of trying. Our TS would carry on as that step is set to continue on error.  Once a machine had then built I noticed that it would take a very very long time (sometimes 2 days) to fully evaluate and start to download and install SCCM/WSUS deployed updates.

    Problem 2:  A machine that receives a Windows 10 Feature Update behaves in the same way as in problem one. This means that a 1607 machine that is fully patched up to July 2018 would then Feature Update to 1709 base build, then take 2 days before patching to 1709 July 2018.

    I started to dig...

    I found that a new machine creates its C:\Windows\SoftwareDistribution folder once the "Windows Update" server starts up. Once the SCCM client requests a "Software Updates Scan Cycle" the machine would then create the C:\Windows\SoftwareDistribution\DataStore and SLS folders.  The machine then stalls.  The wuahandler.log then sits there saying "Async searching of updates using WUAgent started".  If I check the WindowsUpdate.log it shows the machine making connections to "sls.update.microsoft.com" for various SLS (Service Locator Services) sources. My machines seem to be looking to download a small cab file for each of the following SLS's:

    9482F4B4-E343-43B6-B170-9A65BC822C77 - Windows Update

    855E8A7C-ECB4-4CA3-B045-1DFA50104289 - Windows Store (DCat Prod) - Insider Updates for Store Apps

    3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 - Windows Server Update Service - WSUS/SCCM

    8B24B027-1DEE-BABB-9A95-3517DFB9C552 - DCat Flighting Prod - Windows Insider Program

    For each one it should download a small .cab file to the corresponding folder in the "SLS" folder. Each folder is created at the first attempt to contact the SLS.  There then appears to be a lot of retries before it moves onto trying the next SLS.  The "DataStore.edb" file will slowly grow in size as these SLS requests are tried and retried.

    In my environment I am seeing that a 1607 client appears to hit the onsite SCCM/WSUS server first then attempt to get to Windows Update and the Store SLS'.  On a 1703 or 1709 client it's the reverse.  Clients will attempt to hit the other 3 SLS' before the SCCM server, thus causing the delay.

    If I use the GPO setting mentioned above then the machine will instantly hit the SCCM server, I can watch the DataStore.edb file rapidly grow in size to 200+mb in a few seconds and *ping* an SCCM notification of new updates appears on screen.

    I've read through every blog and article regarding dual scan and the problematic GPO settings.  I decided to take the GPO setting out of the equation completely by creating a vanilla VM of a 1607, 1703, and 1709 client.  I then added these to our domain (but left in the computers OU where no Windows Update GPOs are applied) and I then installed the SCCM client.  I'm still experiencing the same problem :(

    I have an open ticket with Microsoft who just want us to push the GPO to block all Microsoft connections but our business wants to use the store in future and this will stop the store from working.

    If anyone else has seen this kind of behaviour and has any suggestions other than those already suggested I'd love to hear them.

    Wednesday, July 25, 2018 3:58 PM
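
The log check asked about earlier in the thread, as an added example that is not part of any post: this PowerShell counts the `[sls]Making request with URL` entries in a decoded WindowsUpdate.log per service ID and server, using the service IDs listed in the post above. The function name `Get-SlsRequestSummary` and the `WU.log` path are made up for this example, and the second and third sample lines are constructed.

```powershell
# Added example, not from the thread. Service IDs and names are the ones
# listed in the post above; any other ID is reported as unknown.
$SlsServices = @{
    '9482F4B4-E343-43B6-B170-9A65BC822C77' = 'Windows Update'
    '855E8A7C-ECB4-4CA3-B045-1DFA50104289' = 'Windows Store (DCat Prod)'
    '3DA21691-E39D-4DA6-8A4B-B43877BCB1B7' = 'Windows Server Update Service - WSUS/SCCM'
    '8B24B027-1DEE-BABB-9A95-3517DFB9C552' = 'DCat Flighting Prod'
}

function Get-SlsRequestSummary {
    param([Parameter(Mandatory)][string[]]$LogLine)
    # "<date> <time>.<ticks> ... [sls]Making request with URL HTTPS://<server>/SLS/{<id>}/..."
    $pattern = '^(?<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\S*\s.*\[sls\]Making request with URL ' +
               'https?://(?<server>[^/\s]+)/SLS/\{(?<id>[0-9a-f-]{36})\}'
    $requests = foreach ($line in $LogLine) {
        if ($line -match $pattern) {    # -match is case-insensitive
            $id = $Matches['id'].ToUpper()
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches['ts'], 'yyyy/MM/dd HH:mm:ss', [cultureinfo]::InvariantCulture)
                Server  = $Matches['server'].ToLower()
                Service = if ($SlsServices.ContainsKey($id)) { $SlsServices[$id] } else { "Unknown service $id" }
            }
        }
    }
    if (-not $requests) { return }
    # One row per (service, server) with request count and time window
    $requests | Group-Object Service, Server | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Service = $sorted[0].Service
            Server  = $sorted[0].Server
            Count   = $_.Count
            First   = $sorted[0].Time
            Last    = $sorted[-1].Time
        }
    } | Sort-Object Count -Descending
}

# First line: the entry quoted in the question (query string shortened); the rest are constructed.
# On a client: Get-WindowsUpdateLog -LogPath .\WU.log; Get-SlsRequestSummary (Get-Content .\WU.log)
$sample = @(
    '2018/01/15 09:04:36.1520630 7364  6424  SLS             [0]1CC4.1918::01/15/2018-09:04:36.152 [sls]Making request with URL HTTPS://sls.update.microsoft.com/SLS/{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}/x64/10.0.15063.0/0?CH=796'
    '2018/01/15 09:04:41.0000000 7364  6424  SLS             [0]1CC4.1918::01/15/2018-09:04:41.000 [sls]Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.15063.0/0?CH=796'
    '2018/01/15 09:04:42.0000000 7364  6424  Agent           Constructed line without an SLS request'
)
Get-SlsRequestSummary -LogLine $sample | Format-Table -AutoSize
```

Running it on logs captured before and after a policy change shows which service IDs the client still looks up and how often.
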
  • Westy182, please provide a gpresult /h gpo.htm from an Admin Command prompt and share it with your favourite medium or pastebin it. I still bet it's an issue with GPOs at the domain level or local level.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Thursday, July 26, 2018 1:11 AM
  • The following are the "Windows Update" GPO settings as shown from a GPResult:

    Default Domain Policy applies these:

    Allow non-administrators to receive update notifications - Disabled

    Do not display 'Install Updates and Shut Down' option in Shut Down Windows - Enabled

    Local Group Policy (From the SCCM client) is applying these:

    Do not allow update deferral policies to cause scans against Windows Update - Enabled

    Specify intranet Microsoft update service location - Enabled

    These are the same GPO settings that are applied to my 3 Vanilla VMs and the 1607 one behaves differently to the 1703 and 1709 machines.

    Thursday, July 26, 2018 10:07 AM
  • I need to see the entire result set. There are more than just 'Windows Update' GPOs that play a part.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Thursday, August 9, 2018 4:12 AM