locked
WSUS clients download updates directly from Microsoft not WSUS Server RRS feed

  • Question

  • Hi,

    I have several Windows 7 and Windows 10 machines on the network. Some of the Windows 10 machines(not all) don't get updates from WSUS server and getting from Microsoft using the Internet. My Windows 7 machines haven't this issue. The users are domain users and logged on with the domain user account on their computers. And GPO is successfully applied to the machines. Any help would be appreciated.

    Wednesday, January 9, 2019 9:47 AM

All replies

  • Hello,
     
    Base on your description, It seems to be caused by "Dual Scan".
     
    Dual Scan is a Windows Update (WU) client behavior that debuted in 1607. When it is enabled by some policy, the WU client automatically scans against both WSUS and WU, but it only accepts scan results for Windows content from WU.
     
    To disable dual scan, we could enable policy "Do not allow update deferral policies to cause scans against Windows Update". 
     

     
    References:
     

    Demystifying “Dual Scan”

    https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/

     

    Improving Dual Scan on 1607

    https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

     
    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray

    Please remembers to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 10, 2019 5:30 AM
  • Hello,
     
    I noticed you have not updated for several days. Has your issue been solved? Or is there any update?
     
    Feel free to feedback.
     
    Best Regards,
    Ray

    Please remembers to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 11, 2019 9:44 AM
  • Hi again,

    When I run Get-WindowsUpdateLog I got the following error:

    And this is policies:

    Sunday, January 13, 2019 12:41 PM
  • Can anyone help me, please??
    Monday, January 14, 2019 12:58 PM
  • This policy(Do not allow update deferral policies to cause scans against Windows Update) isn't there in the windows server 2012 that actually is my domain controller. What should I do?
    Monday, January 14, 2019 1:08 PM
  • Can anyone help me please??
    Tuesday, January 15, 2019 8:58 AM
  • Hello,
     
    Sorry for the delay.
     
    To apply that deferral policy, you may install the latest windows 10 admx file in the DC.
     
    https://www.microsoft.com/en-us/download/details.aspx?id=56880
     
    Above link is for 1803, you could search for the Admx file based on the client OS version.
     
    And how do you find that the client is getting updates from Windows Update instead of WSUS?
     
    The windowsupdate.log would be very useful for troubleshooting, try to get it from another affect client and upload it here.
     
    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray

    Please remembers to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 15, 2019 11:25 AM
  • And how do you find that the client is getting updates from Windows Update instead of WSUS?

    Some of the windows 10 client computers were consumed a lot of bandwidth but some of the windows 10 machine not.


    Tuesday, January 15, 2019 12:12 PM
  • Have you updated the ADMX files yet? - A guide on how is at the bottom of Part 3 of my 8 part blog series on How to Setup, Manage, and Maintain WSUS - https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-3-windows-as-a-service-waas-and-group-policy-administrative-templates/

    Once you've done that, if you want us to have a look for dual scan affecting entries, from an Administrative Command Prompt on an affected client, run the following:
    gpresult /h gpo.htm
    and share the result with your favourite method or pastebin it so that we can see it.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Friday, January 18, 2019 4:51 AM
  • Hello,
     
    I noticed that you have not updated for several days. So does your issue solved or is there any update?
     
    Feel free to feedback.
     
    Best Regards,
    Ray

    Please remembers to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 21, 2019 10:55 AM