WSUS GPO - Download only approved updates

  • Question

  • Hello everyone,

    I installed a WSUS server on Windows Server 2019.
    I created a test OU with one PC.
    This OU contains two GPOs:
    - WSUS_Policy_Global
    - WSUS_Group_Windows10

    The WSUS_Policy_Global GPO contains this:

    The WSUS_Group_Windows10 GPO contains this:

    If I go to the WSUS console, I can see that the PC is indeed in the right group:

    My issue is the following:

    When I go to Update and Security on the PC and click on "Check for updates", updates are installed.

    I would like ONLY updates approved in WSUS to be installed on this machine.

    Can you help me with this configuration, please?


    Thank you in advance for your feedback.

    Thursday, May 9, 2019 1:19 PM

Answers

  • Hi Damilien,
      

    If you only want to install updates that have been approved in WSUS, I recommend enabling the following policy in your GPO:

    • "Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update"
      [Do not connect to any Windows Update Internet locations]: set it to Enabled.

    This disables the client's ability to directly access Microsoft Update to check for updates. Wait for these clients to finish reporting, then approve updates and check whether the result meets your needs.

    Feel free to reply with any further questions.
      

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Damilien Tuesday, May 14, 2019 6:13 PM
    Friday, May 10, 2019 2:09 AM
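As an added example (not part of the thread, and not Microsoft's or Yic's code), here is a PowerShell check to run elevated on the test PC after gpupdate. It reads the registry values that the Windows Update policies above are supposed to produce, warns about the combinations that let a client bypass WSUS, and then asks the Windows Update Agent what the WSUS server offers versus what Windows Update would offer. The registry paths and value names are the documented Windows Update policy locations; the `Microsoft.Update.Session` COM API is the standard Windows Update Agent interface. Only the interpretation thresholds are this example's own choice.

```powershell
# Added example: audit the Windows Update client policy on a WSUS client and
# compare what WSUS offers against what Windows Update would offer.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value (or the whole key) is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$report = [ordered]@{
    WUServer                 = Get-PolicyValue $policy 'WUServer'
    WUStatusServer           = Get-PolicyValue $policy 'WUStatusServer'
    TargetGroupEnabled       = Get-PolicyValue $policy 'TargetGroupEnabled'
    TargetGroup              = Get-PolicyValue $policy 'TargetGroup'
    DoNotConnectToWUInternet = Get-PolicyValue $policy 'DoNotConnectToWindowsUpdateInternetLocations'
    DisableDualScan          = Get-PolicyValue $policy 'DisableDualScan'
    UseWUServer              = Get-PolicyValue $au 'UseWUServer'
}
[pscustomobject]$report | Format-List

# Checks a practitioner makes before blaming WSUS approvals.
if ($report.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1: the client is not using the intranet update server.'
}
if (-not $report.WUServer) {
    Write-Warning 'WUServer is unset: "Specify intranet Microsoft update service location" did not apply.'
}
if ($report.DoNotConnectToWUInternet -ne 1 -and $report.DisableDualScan -ne 1) {
    Write-Warning 'Neither DoNotConnectToWindowsUpdateInternetLocations nor DisableDualScan is 1: deferral policies can still trigger scans against Windows Update (dual scan).'
}

# Ask the agent directly. ServerSelection 1 = ssManagedServer (WSUS), 2 = ssWindowsUpdate.
$session = New-Object -ComObject Microsoft.Update.Session
foreach ($source in @(@{ Name = 'WSUS'; Id = 1 }, @{ Name = 'WindowsUpdate'; Id = 2 })) {
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = $source.Id
    try {
        $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
        Write-Host ("{0}: {1} update(s) offered" -f $source.Name, $result.Updates.Count)
        foreach ($u in $result.Updates) {
            $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Write-Host ("  {0}  {1}" -f $kbs, $u.Title)
        }
    } catch {
        # A failure here is the expected outcome for the WindowsUpdate source once
        # the client is blocked from Internet update locations.
        Write-Host ("{0}: search failed ({1})" -f $source.Name, $_.Exception.Message)
    }
}
```

If the configuration is right, the WSUS query lists exactly the updates approved for the client's target group that are not yet installed. If the WindowsUpdate query still returns updates, the client can still reach Microsoft directly and the "approved only" goal is not met, whatever the WSUS console shows.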
  • Hi,

    To solve my problem, I followed the steps of this post:

    https://social.technet.microsoft.com/Forums/windows/en-US/aa7fe057-fd95-4427-b99d-75e8c15860bd/wsus-0x8024500c?forum=winserverwsus

    If the following group policy is enabled:
    [Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update]
    > "Do not connect to any Windows Update Internet locations"
    it breaks Windows Update on the clients. Instead, enable:
    [Computer Configuration \ Administrative Templates \ System \ Internet Communication]
    > "Turn off all Windows Update features"

    Remove the following registry values under these keys to disable the dual scan feature.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update]
      - BranchReadinessLevel
      - DeferFeatureUpdatesPeriodInDays
      - DeferQualityUpdatesPeriodInDays
      - DeferUpdatePeriod
      - DeferUpgradePeriod
      - ExcludeWUDriversInQualityUpdate
      - PauseDeferrals
      - PauseFeatureUpdates
      - PauseQualityUpdates
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings]
      - BranchReadinessLevel
      - DeferFeatureUpdatesPeriodInDays
      - DeferQualityUpdatesPeriodInDays
      - ExcludeWUDriversInQualityUpdate
      - DeferUpgrade

    • Marked as answer by Damilien Friday, May 31, 2019 7:29 PM
    Friday, May 31, 2019 7:29 PM
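The cleanup in the answer above is easy to get wrong by hand on several machines, so here is the same procedure as a PowerShell script. This is an added example, not code from the thread or from Microsoft: it deletes the dual scan leftovers listed above, sets the `DisableDualScan` policy value (the registry form of the "Do not allow update deferral policies to cause scans against Windows Update" policy, which needs current ADMX templates), and forces a fresh detection cycle against WSUS. The registry paths and value names come from the answer; `-WhatIf` support and the detection trigger are this example's additions. Run it elevated.

```powershell
# Added example: scripted removal of dual scan leftovers on a WSUS client,
# followed by a forced re-detection. Supports -WhatIf / -Verbose.
[CmdletBinding(SupportsShouldProcess)]
param()

# Keys and the values under them that the marked answer says to remove.
$dualScanValues = @{
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' = @(
        'BranchReadinessLevel', 'DeferFeatureUpdatesPeriodInDays',
        'DeferQualityUpdatesPeriodInDays', 'DeferUpdatePeriod', 'DeferUpgradePeriod',
        'ExcludeWUDriversInQualityUpdate', 'PauseDeferrals', 'PauseFeatureUpdates',
        'PauseQualityUpdates'
    )
    'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' = @(
        'BranchReadinessLevel', 'DeferFeatureUpdatesPeriodInDays',
        'DeferQualityUpdatesPeriodInDays', 'ExcludeWUDriversInQualityUpdate', 'DeferUpgrade'
    )
}

foreach ($key in $dualScanValues.Keys) {
    if (-not (Test-Path $key)) { Write-Verbose "$key not present, skipping"; continue }
    $present = Get-ItemProperty -Path $key
    foreach ($name in $dualScanValues[$key]) {
        # Only touch values that actually exist, so the script is safe to re-run.
        if ($null -eq $present.PSObject.Properties[$name]) { continue }
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove value')) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# Policy-side fix: deferral settings must never cause a scan against Windows
# Update. Normally this comes from the GPO; writing it here only keeps the test
# client consistent until the next policy refresh.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if ($PSCmdlet.ShouldProcess("$policyKey\DisableDualScan", 'Set to 1')) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name DisableDualScan -PropertyType DWord -Value 1 -Force | Out-Null
}

if ($PSCmdlet.ShouldProcess('wuauserv', 'Restart and re-detect')) {
    Restart-Service -Name wuauserv -Force
    # Starts a detection cycle against the configured WSUS server; the outcome
    # appears in the WSUS console and in Get-WindowsUpdateLog output.
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
}
```

One caveat: those values reappear at the next policy refresh if the GPO still configures feature or quality update deferrals, so remove the deferral settings from the GPO at the same time, or the client will be back to dual scanning after the next gpupdate.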

All replies

  • Hi Yic,

    Thank you for your answer.

    I set the GPO to ENABLED.

    So, normally, the Tuesday patch should not be installed on this machine on May 14, unless I approve it via WSUS?

    Regards,

    Saturday, May 11, 2019 3:43 PM
  • So, normally, the Tuesday patch should not be installed on this machine on May 14, unless I approve it via WSUS?

    Hi Damilien,

    That is what WSUS does normally. Based on the GPO you specified for the intranet update server and the default configuration of WSUS, clients wait for approved updates unless you have configured automatic approval on your WSUS server. So it is expected that your clients don't install unapproved updates. If you have more questions about this process, feel free to ask.

    Saturday, May 11, 2019 4:00 PM
  • First, I'd suggest upgrading your ADMX files because I'm not seeing the 'alternate download server' in your GPOs

    Parts 3 and 4 of my 8-part blog series on How to Setup, Manage and Maintain WSUS deal with the ADMX templates and GPO policies:

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-3-windows-as-a-service-waas-and-group-policy-administrative-templates/

    Feel free to read the full 8-part series and other guides on my site.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Sunday, May 12, 2019 8:02 PM
  • So, normally, the Tuesday patch should not be installed on this machine on May 14, unless I approve it via WSUS?

    Mohsen is right.
    One exception: please check whether you have an automatic approval rule. Based on your description, I recommend not setting automatic approval rules.
      

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 13, 2019 1:35 AM
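To make the automatic-approval caveat above checkable rather than a matter of memory, here is an added PowerShell example to run on the WSUS server itself (it is not code from the thread or from Microsoft). It uses the UpdateServices module that ships with the WSUS role: it lists every automatic approval rule, disables any that are enabled so that approvals stay manual, and then prints what is currently approved for install for one target group. The group name `Windows10` is an assumption chosen to match the GPO naming in the question; change it to the group the test PC reports into.

```powershell
# Added example: on the WSUS server, confirm that nothing approves updates
# automatically and show what one target group will actually receive.
Import-Module UpdateServices
$wsus  = Get-WsusServer          # the local WSUS server
$group = 'Windows10'             # assumed target group name

# 1. Automatic approval rules: an enabled rule approves updates with no human
#    review, which is exactly what the question wants to avoid.
$rules = $wsus.GetInstallApprovalRules()
foreach ($rule in $rules) {
    $groups = ($rule.GetComputerTargetGroups() | ForEach-Object Name) -join ', '
    Write-Host ("Rule '{0}': Enabled={1}; target groups: {2}" -f $rule.Name, $rule.Enabled, $groups)
}
$enabled = @($rules | Where-Object Enabled)
if ($enabled.Count -gt 0) {
    Write-Warning ("{0} automatic approval rule(s) enabled; disabling so approvals stay manual." -f $enabled.Count)
    foreach ($rule in $enabled) {
        $rule.Enabled = $false
        $rule.Save()
    }
}

# 2. Approvals that apply to the test group: these, and nothing else, are what
#    the client is allowed to install.
$target = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $group
if (-not $target) { throw "Target group '$group' not found on $($wsus.Name)" }

$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$wsus.GetUpdates($scope) |
    Where-Object { $_.GetUpdateApprovals($target) | Where-Object Action -eq 'Install' } |
    Select-Object @{ n = 'KB'; e = { @($_.KnowledgebaseArticles) -join ',' } }, Title |
    Format-Table -AutoSize
```

Remember that an approval made on a parent group (for example All Computers) is inherited by its child groups, so if the test PC receives something that does not appear in this list, check the approvals on the parent groups in the console as well.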
  • Hi Yic, Adam, Mohsen,

    So for now, I have only enabled the GPO (Do not connect to any Windows Update Internet locations).

    Today, I forced an update search in Windows Update and KB4499167 was not downloaded / installed.

    I will wait until Friday and then approve this KB via WSUS to see the result.

    I will come back to you in case of additional questions.

    Thanks for your help.


    • Edited by Damilien Tuesday, May 14, 2019 6:13 PM
    Tuesday, May 14, 2019 6:12 PM
  • Hi all,

    I approved the Tuesday patch in WSUS on Monday. Normally, according to my configuration above, the update should have been installed this Friday at 12:00.

    Except that in Windows Update on my test PC, I get the following error message:

    Error encountered: 0x8024500c.

    I have already tried resetting the Windows Update settings on my test PC, but I still get this error.

    Do you know why, please?
    Thank you in advance for your answers.

    Friday, May 24, 2019 7:12 PM