Windows 10 Feature update, version 1809 - declined but has installed on PCs RRS feed

  • Question

  • As far as I can tell, we have declined the Windows 10 Feature update, version 1809, but it has downloaded and installed on a number of PCs, in one case wiping a user's Desktop folder. Not a good move. All of these endpoint PCs are AD-joined and managed by our WSUS server. Looking through my declined updates, I can confirm that the 1809 upgrades are amongst them:

    What on earth has happened? Is it possible someone here has approved them, the installation has taken place and then they have been changed to be marked as declined by MS after the problems surfaced?

    Wednesday, October 10, 2018 9:48 AM

All replies

  • Hello,
    Have you disabled duel-scan? If not, clients could get updates from both WSUS and WU. That's why your clients could get upgrade files even if you decline them in WSUS.
    To disable duel-scan, you could enable "Do not allow update deferral policies to cause scans against Windows Update" under Windows Components/Windows Update in the group policy. This policy is available from 1607, you may need the latest ADMX file installed on your DC.
    You could get more information about duel-scan from below articles.

    Demystifying “Dual Scan”



    Improving Dual Scan on 1607



    Using ConfigMgr With Windows 10 WUfB Deferral Policies



    Windows 10 Updates and Store GPO behavior with DualScan disabled and SCCM SUP/WSUS managed


    Hope my answer could help you and look forward to your feedback.
    Best Regards,

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 11, 2018 12:58 AM
  • https://www.zdnet.com/article/microsoft-halts-rollout-of-windows-10-october-2018-update-what-happens-next/

    If it has downloaded on systems through WSUS when it was in the approved state, they have already queued up for installation on the local machine. You can check the Update's report page to see what systems have 'downloaded' it already and are waiting to install it.

    After you find out which systems have it, you'll need to run the following script on each of those clients in an Admin CMD prompt in order to CLEAR the pending install

    net stop bits
    net stop wuauserv
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    This code will get rid of the local Cache and then re-check for updates where it will find that this update is no longer needed (as it's now expired in WSUS).

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    Thursday, October 11, 2018 3:20 AM
  • Thanks for the responses guys; it looks like there was certainly something wrong with my GP as I was getting the following when I checked it:

    Downloading the new ADMX files (the latest seem to still be for 1803) seems to have cured it and I can see and edit the GP again. Is it possible that this caused my problems? The reason I ask is that I had successfuly prevented 1803 from being pushed out to clients up until last week; at that point I decided it was "safe" to install and pushed it out, declining 1809 at the same time. That's when 1809 began to install.

    From the Dual-Scan info you linked to, I notice that I have the "Specify settings for optional component installation and component repair" setting enabled, with "Download repair content and optional features..." ticked. Whilst this sounds like a recipe for getting feature upgrades automatically from WU, something has prevented 1803 up until this time; presumably my GP?

    Thursday, October 11, 2018 12:50 PM
  • Thanks for the info Adam; sadly, I think I've missed that boat now ;-)
    Thursday, October 11, 2018 12:50 PM
  • Hello,

    According to official blog, Dual Scan is automatically enabled when a combination of Windows Update group policies [or their MDM equivalents, or the underlying registry keys corresponding to either set of policies] is configured:

    • Specify intranet Microsoft update service location (i.e., WSUS)
    • Either of the policies belonging to Windows Update for Business
         Select when Feature Updates are received
         Select when Quality Updates are received

    So I don't think the policies you mentioned would enable the dual scan.

    Note: the polices in the current version is a little different from the ones in the blog.
    Best Regards,


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 12, 2018 6:18 AM
  • Windows 10 build 1809 rollout is currently unavailable except to insiders.

    Those already using Windows 10 1809 have had cumulative upgrades.

    The current I'm using to post this thread was upgraded.

    There were problems that were fixed.

    It is unknown when Windows 10 build 1809 rollout will resume as the reported problems were fixed and there is now testing by insiders.

    For Windows 1809 problems you can get free support at Microsoft.  This may also include Microsoft stores.

    Some problems can be fixed by rolling back to the prior build of Windows and then a later upgrade.


    Updated version of Windows 10 October 2018 Update released to Windows Insiders - Windows Experience BlogWindows Experience Blog

    Use this link to report the problems that you are having with Windows 10 1809:

    Feedback Hub introduces ability to indicate severity of issues - Windows Insider

    Friday, October 12, 2018 6:30 AM