Stop SLS in WSUS supported W10 1709 with Windows Apps disabled

Question
-
Would like recommended registry and GP settings for Windows 10 1709 environments with App store functionality blocked, for both standalone machines without internet access as well as machines with internet access, that facilitate locally managed updates via a local WSUS and that stop associated Windows Update Engine Dual Scan functionality.
Goals for associated locally managed environments include:
1) Stop use of local network bandwidth by all assets for continual Windows Update attempts to reach any of the following URLs:
*.download.windowsupdate.com
*.au.windowsupdate.com
*.tlu.dl.delivery.mp.microsoft.com
2) In standalone environments without any internet access, stop the following local Windows Update Control Panel "Check For Updates" response from occurring:
"Device at risk because it's out of date and missing important security Security and Quality updates. Let's get you back on track so windows can run more securely. Select this button to get going."
Thanks,
Rus
- Edited by Rus680 Wednesday, May 22, 2019 6:00 PM
Wednesday, May 22, 2019 3:17 PM
All replies
-
Hi Rus,
If your Windows 10 client is using the Enterprise or Education edition, you can disable the Microsoft Store feature through Group Policy:
- Computer Configuration - Administrative Templates - Windows Components - Store
[Turn off Store application] set Enabled.
Enabling the following group policies will prevent client computers from directly accessing Windows Update to check for updates:
- Computer Configuration - Administrative Templates - Windows Components - Windows Update
[Do not connect to any Windows Update Internet locations] set Enabled.
Hope the above can help you.
Regards,
Yic
Please remember to mark as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Thursday, May 23, 2019 4:45 AM
-
Thanks Yic,
More info follows:
Target is Win10 1709 Enterprise
The following Computer Configuration - Administrative Templates - Windows Components - Store GPs are enabled: Turn off store application, Turn off Automatic Download and Install of updates, Turn off the offer to update to the latest version of windows
The Computer Configuration - Administrative Templates - Windows Components - Windows Update "Do not connect to any Windows Update Internet locations" GP is Enabled
However, still appear to be getting Windows Update Engine Dual Scan, i.e., very frequently getting SLS requests... Wondering if WSUS update filter includes updates for SW that does not exist on WSUS could be causing the hosts to reach out to MS? Sample of associated WindowsUpdateLog data follows (to protect the client..., in a few places I've removed host names and annotated such with (host name removed)):
2019/05/20 03:36:27.9599438 4328 4620 IdleTimer Non-AoAc machine. Aoac operations will be ignored.
2019/05/20 03:36:27.9601561 4328 4620 Agent WU client version 10.0.16299.1059
2019/05/20 03:36:27.9604294 4328 4620 Agent SleepStudyTracker: Machine is non-AOAC. Sleep study tracker disabled.
2019/05/20 03:36:27.9606335 4328 4620 Agent Base directory: C:\WINDOWS\SoftwareDistribution
2019/05/20 03:36:27.9614140 4328 4620 Agent Datastore directory: C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
2019/05/20 03:36:27.9626545 4328 4620 DataStore JetEnableMultiInstance succeeded - applicable param count: 5, applied param count: 5
2019/05/20 03:36:28.0019052 4328 4620 Shared UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
2019/05/20 03:36:28.0019284 4328 4620 Shared UpdateNetworkState Ipv4, cNetworkInterfaces = 2.
2019/05/20 03:36:28.0023799 4328 4620 Shared Network state: Connected
2019/05/20 03:36:28.1465026 4328 4620 Misc *FAILED* [8024000C] LoadHistoryEventFromRegistry completed
2019/05/20 03:36:28.1466312 4328 4620 Shared UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
2019/05/20 03:36:28.1466398 4328 4620 Shared UpdateNetworkState Ipv4, cNetworkInterfaces = 2.
2019/05/20 03:36:28.1466512 4328 4620 Shared Power status changed
2019/05/20 03:36:28.1479933 4328 5496 Agent Timer: 29A863E7-8609-4D1E-B7CD-5668F857F1DB, Expires 2019-05-20 14:35:48, not idle-only, not network-only
2019/05/20 03:36:28.1484421 4328 4620 Agent Initializing global settings cache
2019/05/20 03:36:28.1484437 4328 4620 Agent WSUS server: http://(host name removed):8530
2019/05/20 03:36:28.1484491 4328 4620 Agent WSUS status server: http://(host name removed):8530
2019/05/20 03:36:28.1484502 4328 4620 Agent Alternate Download Server: http://(host name removed):8530
2019/05/20 03:36:28.1484513 4328 4620 Agent Fill Empty Content Urls: No
2019/05/20 03:36:28.1484523 4328 4620 Agent Target group: (Unassigned Computers)
2019/05/20 03:36:28.1484534 4328 4620 Agent Windows Update access disabled: No
2019/05/20 03:36:28.1484545 4328 4620 Agent Do not connect to Windows Update Internet locations: No
2019/05/20 03:36:28.1716674 4328 5496 Agent Initializing Windows Update Agent
2019/05/20 03:36:28.1717819 4328 5496 Agent CPersistentTimeoutScheduler | GetTimer, returned hr = 0x00000000
2019/05/20 03:36:28.1740502 4328 5496 ComApi Added service, URL = https://fe2.update.microsoft.com/v6/
2019/05/20 03:36:28.1788078 4328 5496 ComApi * START * Federated Search ClientId = UpdateOrchestrator (cV: u7/nhv1XdkqDAQRz.0.1.0)
2019/05/20 03:36:28.1789877 4328 5496 IdleTimer WU operation (SR.UpdateOrchestrator ID 1) started; operation # 6; does use network; is not at background priority
2019/05/20 03:36:28.1802120 4328 10168 DownloadManager PurgeExpiredFiles::Found 0 expired files to delete.
2019/05/20 03:36:28.1802223 4328 5200 IdleTimer WU operation (SR.UpdateOrchestrator ID 1, operation # 6) stopped; does use network; is not at background priority
2019/05/20 03:36:28.1810270 4328 10168 DownloadManager PurgeExpiredUpdates::Found 523 non expired updates.
2019/05/20 03:36:28.1871246 4328 8044 ComApi Federated Search: Starting search against 1 service(s) (cV = u7/nhv1XdkqDAQRz.0.1.0)
2019/05/20 03:36:28.1872240 4328 8044 ComApi * START * Search ClientId = UpdateOrchestrator, ServiceId = 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 (cV = u7/nhv1XdkqDAQRz.0.1.0.0)
2019/05/20 03:36:28.1876468 4328 8044 IdleTimer WU operation (CSearchCall::Init ID 2) started; operation # 9; does use network; is at background priority
2019/05/20 03:36:28.1971091 4328 8044 Reporter OS Product Type = 0x00000004
2019/05/20 03:36:28.2253107 4328 8044 Agent * START * Queueing Finding updates [CallerId = UpdateOrchestrator Id = 2]
2019/05/20 03:36:28.2253183 4328 8044 Agent Service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 is not in sequential scan list
2019/05/20 03:36:28.2253226 4328 8044 Agent Added service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 to sequential scan list
2019/05/20 03:36:28.2256694 4328 6292 Agent Service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 is in sequential scan list
2019/05/20 03:36:28.2298221 4328 1264 Agent * END * Queueing Finding updates [CallerId = UpdateOrchestrator Id = 2]
2019/05/20 03:36:28.2336966 4328 1264 Agent * START * Finding updates CallerId = UpdateOrchestrator Id = 2
2019/05/20 03:36:28.2336993 4328 1264 Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No
2019/05/20 03:36:28.2337031 4328 1264 Agent Criteria = IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1""
2019/05/20 03:36:28.2337080 4328 1264 Agent ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2019/05/20 03:36:28.2337128 4328 1264 Agent Search Scope = {Machine}
2019/05/20 03:36:28.2337188 4328 1264 Agent Caller SID for Applicability: S-1-5-18
2019/05/20 03:36:28.2337204 4328 1264 Agent ProcessDriverDeferrals is set
2019/05/20 03:36:28.2812857 4328 1264 Misc Got WSUS Client/Server URL: http://(host name removed):8530/ClientWebService/client.asmx""
2019/05/20 03:36:28.3115963 4328 1264 Driver Skipping printer driver 4 due to incomplete info or mismatched environment - HWID[(null)] Provider[Lexmark International] MfgName[Lexmark] Name[Lexmark Color XPS Class Driver] pEnvironment[Windows x64] LocalPrintServerEnv[Windows x64]
2019/05/20 03:36:28.3115996 4328 1264 Driver Skipping printer driver 5 due to incomplete info or mismatched environment - HWID[(null)] Provider[HP] MfgName[HP] Name[HP Color LaserJet A4/Letter Hardware-Copy PCL6 Class Driver] pEnvironment[Windows x64] LocalPrintServerEnv[Windows x64]
2019/05/20 03:36:28.3116055 4328 1264 Driver Skipping printer driver 9 due to incomplete info or mismatched environment - HWID[microsoftmicrosoft_musd] Provider[Microsoft] MfgName[Microsoft] Name[Microsoft enhanced Point and Print compatibility driver] pEnvironment[Windows NT x86] LocalPrintServerEnv[Windows x64]
2019/05/20 03:36:28.4048036 4328 10168 DownloadManager PurgeExpiredUpdates::Found 0 expired updates.
2019/05/20 03:36:28.4085696 4328 10168 DownloadManager Received power state change notification: Old: <unknown>; New: AC.
2019/05/20 03:36:28.4085718 4328 10168 DownloadManager Power state changed from <unknown> to AC.
2019/05/20 03:36:29.1359926 4328 1264 ProtocolTalker ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http:// http://(host name removed):8530/ClientWebService/client.asmx
2019/05/20 03:36:29.1360099 4328 1264 ProtocolTalker OK to reuse existing configuration
2019/05/20 03:36:29.1360342 4328 1264 ProtocolTalker Cached cookie has expired or new PID is available
2019/05/20 03:36:29.1360542 4328 1264 Misc Got WSUS SimpleTargeting URL: http://(host name removed):8530""
2019/05/20 03:36:29.1367439 4328 1264 IdleTimer WU operation (CAuthorizationCookieWrapper::InitializeSimpleTargetingCookie) started; operation # 10; does use network; is at background priority
2019/05/20 03:36:29.1367476 4328 1264 ProtocolTalker Initializing simple targeting cookie, clientId = 584680e9-e212-40df-8dd3-04b6109853de, target group = , DNS name = (host name removed)
2019/05/20 03:36:29.1367493 4328 1264 ProtocolTalker Server URL = http://(host name removed):8530/SimpleAuthWebService/SimpleAuth.asmx
2019/05/20 03:36:29.1367601 4328 1264 WebServices Auto proxy settings for this web service call.
2019/05/20 03:36:29.1587188 4328 1264 IdleTimer WU operation (CAuthorizationCookieWrapper::InitializeSimpleTargetingCookie, operation # 10) stopped; does use network; is at background priority
2019/05/20 03:36:29.1590353 4328 1264 IdleTimer WU operation (CAgentProtocolTalker::GetCookie_WithRecovery) started; operation # 11; does use network; is at background priority
2019/05/20 03:36:29.1590564 4328 1264 WebServices Auto proxy settings for this web service call.
2019/05/20 03:36:29.6866701 4328 1264 IdleTimer WU operation (CAgentProtocolTalker::GetCookie_WithRecovery, operation # 11) stopped; does use network; is at background priority
2019/05/20 03:36:29.6867873 4328 1264 ProtocolTalker PTInfo: Server requested registration
2019/05/20 03:36:32.0317697 4328 1264 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 12; does use network; is at background priority
2019/05/20 03:36:32.5360523 4328 1264 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 12) stopped; does use network; is at background priority
2019/05/20 03:36:32.5660578 4328 1264 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 13; does use network; is at background priority
2019/05/20 03:36:32.5871136 4328 1264 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 13) stopped; does use network; is at background priority
2019/05/20 03:36:32.5871260 4328 1264 ProtocolTalker SyncUpdates round trips: 2
2019/05/20 03:36:37.6424507 4328 1264 EEHandler DeterminePatchSequence succeeded but status indicated an error 0x00000000
2019/05/20 03:36:37.7252187 4328 1264 EEHandler DeterminePatchSequence succeeded but status indicated an error 0x00000000
2019/05/20 03:36:38.5605824 4328 1264 EEHandler DeterminePatchSequence succeeded but status indicated an error 0x00000000
2019/05/20 03:36:38.6521862 4328 1264 EEHandler DeterminePatchSequence succeeded but status indicated an error 0x00000000
2019/05/20 03:36:41.4684418 4328 1264 EEHandler DeterminePatchSequence succeeded but status indicated an error 0x00000000
2019/05/20 03:36:42.2967515 4328 1264 EEHandler DeterminePatchSequence succeeded but status indicated an error 0x00000000
2019/05/20 03:36:42.3875366 4328 1264 ProtocolTalker ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://(host name removed):8530/ClientWebService/client.asmx
2019/05/20 03:36:42.3875441 4328 1264 ProtocolTalker OK to reuse existing configuration
2019/05/20 03:36:42.3875484 4328 1264 ProtocolTalker Existing cookie is valid, just use it
2019/05/20 03:36:42.3875511 4328 1264 ProtocolTalker PTInfo: Server requested registration
2019/05/20 03:36:42.4047042 4328 1264 IdleTimer WU operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery) started; operation # 14; does use network; is at background priority
2019/05/20 03:36:42.9221325 4328 1264 IdleTimer WU operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery, operation # 14) stopped; does use network; is at background priority
2019/05/20 03:36:42.9411451 4328 1264 SLS Retrieving SLS response from server using ETAG mqexjdhSnje2KqesC2MU5xEv6HBrqJaFMGr79eFdqXs=_480"..."
2019/05/20 03:36:42.9416269 4328 1264 SLS Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.16299.0/0?CH=682&L=en-US&P=&PT=0x4&WUA=10.0.16299.1059&MK=Dell+Inc.&MD=Latitude+5590
2019/05/20 03:37:03.9598639 4328 1264 Misc *FAILED* [80072EE2] Send request
2019/05/20 03:37:03.9599120 4328 1264 Misc *FAILED* [80072EE2] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)
2019/05/20 03:37:25.0066741 4328 1264 Misc *FAILED* [80072EE2] Send request
2019/05/20 03:37:25.0067060 4328 1264 Misc *FAILED* [80072EE2] Library download error. Will retry. Retry Counter:0
2019/05/20 03:37:46.0500797 4328 1264 Misc *FAILED* [80072EE2] Send request
2019/05/20 03:37:46.0501007 4328 1264 Misc *FAILED* [80072EE2] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)
2019/05/20 03:38:07.0794592 4328 1264 Misc *FAILED* [80072EE2] Send request
2019/05/20 03:38:07.0794895 4328 1264 Misc *FAILED* [80072EE2] Library download error. Will retry. Retry Counter:1
2019/05/20 03:38:28.1074140 4328 1264 Misc *FAILED* [80072EE2] Send request
2019/05/20 03:38:28.1074243 4328 1264 Misc *FAILED* [80072EE2] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)
2019/05/20 03:38:49.2072357 4328 1264 Misc *FAILED* [80072EE2] Send request
2019/05/20 03:38:49.2072633 4328 1264 Misc *FAILED* [80072EE2] Library download error. Will retry. Retry Counter:2
2019/05/20 03:39:10.2436558 4328 1264 Misc *FAILED* [80072EE2] Send request
2019/05/20 03:39:10.2436666 4328 1264 Misc *FAILED* [80072EE2] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)
2019/05/20 03:39:31.2660456 4328 1264 Misc *FAILED* [80072EE2] Send request
2019/05/20 03:39:31.2661033 4328 1264 SLS *FAILED* [80072EE2] GetDownloadedOnWeakSSLCert
2019/05/20 03:39:31.2662643 4328 1264 SLS *FAILED* [80072EE2] Method failed [CSLSClient::GetResponse:525]
2019/05/20 03:39:31.2663642 4328 1264 Metadata *FAILED* [80072EE2] Method failed [MetadataIntegrity::SignatureVerifier::GetFragmentSigningConfig:793]
2019/05/20 03:39:31.2663739 4328 1264 Metadata *FAILED* [80072EE2] GetFragmentSigningConfig (Using default enforcement mode: Audit)
2019/05/20 03:39:31.2663837 4328 1264 Metadata *FAILED* [80072EE2] Method failed [MetadataIntegrity::SignatureVerifier::GetFragmentSigningConfigAndUpdateEnforcementPolicy:745]
2019/05/20 03:39:31.2663977 4328 1264 Metadata Policy-driven service enabled. Using Ignore Policy.
2019/05/20 03:39:31.2664247 4328 1264 ProtocolTalker SyncExtendedUpdateInfo - 0 bad out of 0 metadata signatures checked using Audit enforcement mode.
2019/05/20 03:39:31.2848600 4328 1264 DownloadManager *FAILED* [80240008] Failed to lock the revision for the update DFD0CD0C-46CF-4F0C-9850-2EBF54D4C775.200 (SessionData = (null))
2019/05/20 03:39:31.3678618 4328 1264 Agent Found 0 updates and 98 categories in search; evaluated appl. rules of 2395 out of 3169 deployed entities
2019/05/20 03:39:31.3831095 4328 1264 Agent * END * Finding updates CallerId = UpdateOrchestrator Id = 2
2019/05/20 03:39:31.3866584 4328 1264 IdleTimer WU operation (CSearchCall::Init ID 2, operation # 9) stopped; does use network; is at background priority
2019/05/20 03:39:31.3904681 4328 8684 ComApi *RESUMED* Search ClientId = UpdateOrchestrator, ServiceId = 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 (cV = u7/nhv1XdkqDAQRz.0.1.0.0)
2019/05/20 03:39:31.3909461 4328 8684 ComApi * END * Search ClientId = UpdateOrchestrator, Updates found = 0, ServiceId = 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 (cV = u7/nhv1XdkqDAQRz.0.1.0.0)
2019/05/20 03:39:31.3912901 4328 8044 ComApi * END * All federated searches have completed. Jobs = 1, Succeeded = 1, ClientId = UpdateOrchestrator (cV = u7/nhv1XdkqDAQRz.0.1.0)
Thursday, May 23, 2019 12:40 PM -
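An added example, not part of the original posts: a small Python check that reads WindowsUpdate.log text like the sample above and reports the policy values the agent logged, the non-WSUS hosts it tried to reach, and the failure codes. The WSUS host name `wsus.example.internal` and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Records taken from the log quoted in the post. The WSUS host name, redacted
# there, is a constructed placeholder; two records are run together on one
# line, as can happen when a log is pasted into a forum.
SAMPLE_LOG = """\
2019/05/20 03:36:28.1484437 4328 4620 Agent WSUS server: http://wsus.example.internal:8530
2019/05/20 03:36:28.1484534 4328 4620 Agent Windows Update access disabled: No2019/05/20 03:36:28.1484545 4328 4620 Agent Do not connect to Windows Update Internet locations: No
2019/05/20 03:36:28.1740502 4328 5496 ComApi Added service, URL = https://fe2.update.microsoft.com/v6/
2019/05/20 03:36:42.9416269 4328 1264 SLS Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.16299.0/0?CH=682&L=en-US&P=&PT=0x4&WUA=10.0.16299.1059&MK=Dell+Inc.&MD=Latitude+5590
2019/05/20 03:37:03.9598639 4328 1264 Misc *FAILED* [80072EE2] Send request
2019/05/20 03:39:31.2662643 4328 1264 SLS *FAILED* [80072EE2] Method failed [CSLSClient::GetResponse:525]
"""

POLICY_KEYS = ("Windows Update access disabled",
               "Do not connect to Windows Update Internet locations")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
FAIL_RE = re.compile(r"\*FAILED\* \[([0-9A-Fa-f]{8})\]")

def audit_wu_log(text):
    """Summarise what the Windows Update agent reports about itself."""
    report = {"policy": {}, "wsus_host": None, "external_hosts": [], "failures": {}}
    # Search the whole text, not line by line, so fused records still match.
    for key in POLICY_KEYS:
        m = re.search(re.escape(key) + r": (Yes|No)", text)
        if m:
            report["policy"][key] = m.group(1) == "Yes"
    m = re.search(r"WSUS server: (\S+)", text)
    if m:
        report["wsus_host"] = urlsplit(m.group(1)).hostname
    # Any URL whose host is not the configured WSUS server is an outbound attempt.
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host and host != report["wsus_host"] and host not in report["external_hosts"]:
            report["external_hosts"].append(host)
    for code in FAIL_RE.findall(text):
        code = code.upper()
        report["failures"][code] = report["failures"].get(code, 0) + 1
    return report

def findings(report):
    """Turn the summary into review lines for an administrator."""
    out = []
    for key, enabled in report["policy"].items():
        if not enabled and report["external_hosts"]:
            hosts = ", ".join(report["external_hosts"])
            out.append(f"agent logged '{key}: No' and tried {hosts}")
    if "80072EE2" in report["failures"]:  # WinHTTP timeout (ERROR_WINHTTP_TIMEOUT)
        out.append(f"{report['failures']['80072EE2']} request(s) timed out (80072EE2)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(audit_wu_log(SAMPLE_LOG))))
```

Run against a full log, the `policy` values show what the agent loaded at start-up, which can be compared with the Group Policy settings expected on the machine.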
Hi,
Dual Scan behavior is enabled automatically if the following Group Policies or Mobile Device Management (MDM) options are set:
- Specify intranet Microsoft update service location (i.e. WSUS)
- Either of the policies belonging to Windows Update for Business:
- Select when Feature Updates are received
- Select when Quality Updates are received
To enable WSUS updates only, make sure that all Windows Update for Business options are set to Not Configured and that the Turn off access to all Windows Update features policy under "System > Internet Communication Management > Internet Communication" settings is Enabled.
Regards,
Yic
Please remember to mark as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Friday, May 24, 2019 6:53 AM
-
Thanks Yic,
Apologize for not getting back sooner.
FYSA: All Windows for Business options were/are set to Not Configured. That said, "System > Internet Communication Management > Internet Communication" Turn off access to all Windows Update features setting was set to Not Configured too. Enabled it, GPupdate /force…; however, Dual Scan behavior / symptoms are persisting.
Any other suggestions or ideas?
v/r,
Rus
- Edited by Rus680 Wednesday, June 12, 2019 3:09 PM confusing text
Monday, June 3, 2019 7:41 PM