locked
Windows 10 1709 installed through a Not Approved WSUS? RRS feed

  • Question

  • Hello,

    I'm currently responsible for a client WSUS implementation and i have a weird problem to troubleshooting.

    A specific computer has updated to Windows 10 1709, even thou the update is not approved on WSUS.

    The machine is on the correct WSUS Computer Group and does not get automatic updates.

    Locally on the machine, I've checked the Registry Keys, and everything is configured correctly.

    The user has administrator rights, but since the issue was opened by him, at this point i have no reason to doubt that he installed the update himself.

    The event viewer logs show that the updates was installed at 03:00am precisely on last Thursday , which coincides with the WSUS settings.

    I'm not sure where to look next.

    Thanks for the help.

    Monday, January 15, 2018 10:15 AM

All replies

  • What i your WSUS version...?

    you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the KB3095113 and KB3159706

    https://www.microsoft.com/en-us/download/details.aspx?id=51534

    https://www.microsoft.com/en-us/download/details.aspx?id=51541

    https://support.microsoft.com/en-us/help/3095113/update-to-enable-wsus-support-for-windows-10-feature-upgrades

    Monday, January 15, 2018 11:33 AM
  • I'm not sure you understood the issue, the problem isn't getting the update, that i can see that i received it always and it's not approved.

    Please read the original issue again, and let me know isn't clear enough.

    Monday, January 15, 2018 12:54 PM
  • Sounds like Dual Scan registry edits are in place.

    https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/

    I would recommend finding them in GPO and remove the settings (could possibly be in the 'extra registry settings' from a GPO as the ADMX files have been replaced with the new 1709 ones and no longer have those options - in which case either remove the GPO and re-create it, or backup the admx files and replace them with the 1607 admx files temporarily to fix this by unsetting those registry keys, and then restoring the 1709 ADMX Files)


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    • Proposed as answer by Yan Li_ Thursday, January 18, 2018 7:03 AM
    Tuesday, January 16, 2018 2:12 AM
  • Same problem here, i have only some workstation that dowloaded the 1709 upgrade even if is it not approved in my WSUS.

    Just last week i update the ADMX for 1709 and release the configuration for non use dual scan.

    Wednesday, January 17, 2018 11:20 AM
  • Yep, I have Windows Server 2016 with WSUS (server version 10.0.14393.1914) and Windows 10 Pro 1703.

    Few days ago when I was on vacation, computers with 1703 began to update to 1709. All updates to 1709 were and still are NOT APPROVED.

    When I run the Status Report on computer with 1709, I don't see, that 1709 update is installed, nor in the list of updates :-O

    WTF is going on?

    I had to block the all update addresses on firewall waiting for resolution.

    Wednesday, January 31, 2018 3:47 PM
  • Set the following key:

    PolicyDo not allow update deferral policies to cause scans against Windows Update

    https://gpsearch.azurewebsites.net/#13740

    More info:

    https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

    Best regards,

    Andrei


    We could change the world, if God would give us the source code.

    Wednesday, January 31, 2018 10:19 PM
  • Thanks, It looks like that it helped.

    Especially this

    https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

    with this http://blog.tofte-it.dk/wsus-windows-10-clients-error-0x8024500c/

    and also, I installed new(1709) admx files into sysvol for policy - Do not allow update deferral policies to cause scans against Windows Update - DisableDualScan.

    Thanks a lot

    P.

    Thursday, February 1, 2018 3:26 PM