Stop SLS in WSUS supported W10 1709 with Windows Apps disabled

  • Question

  • Would like recommended registry and GP settings for Windows 10 1709 environments with App store functionality blocked, for both standalone machines without internet access as well as machines with internet access, that facilitate locally managed updates via a local WSUS and that stop associated Windows Update Engine Dual Scan functionality.

    Goals for associated locally managed environments include:

    1) Stop use of local network bandwidth by all assets for continual Windows Update attempts to reach any of the following URLs:

        *.download.windowsupdate.com

        *.au.windowsupdate.com

        *.tlu.dl.delivery.mp.microsoft.com

    2)  In standalone environments without any internet access, stop the following local Windows Update Control Panel "Check For Updates" response from occurring:

    "Device at risk because it's out of date and missing important security Security and Quality updates.  Let's get you back on track so windows can run more securely. Select this button to get going."

    Thanks,

    Rus

       
    • Edited by Rus680 Wednesday, May 22, 2019 6:00 PM
    Wednesday, May 22, 2019 3:17 PM

All replies

  • Hi Rus,
      

    If your Windows 10 client is using the Enterprise or Education edition, you can disable the Microsoft Store feature through Group Policy:
      

    • Computer Configuration - Administrative Templates - Windows Components - Store
      [Turn off Store application] set Enabled.
        

    Enabling the following group policies will prevent client computers from directly accessing Windows Update to check for updates:
      

    • Computer Configuration - Administrative Templates - Windows Components - Windows Update
      [Do not connect to any Windows Update Internet locations] set Enabled.
        

    Hope the above can help you.
      

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 23, 2019 4:45 AM
  • Thanks Yic,

    More info follows:

    Target is Win10 1709 Enterprise

    The following Computer Configuration - Administrative Templates - Windows Components - Store GPs are enabled: Turn off store application, Turn off Automatic Download and Install of updates, Turn off the offer to update to the latest version of windows

     The Computer Configuration - Administrative Templates - Windows Components - Windows Update "Do not connect to any Windows Update Internet locations" GP is Enabled

    However, still appear to be getting Windows Update Engine Dual Scan, i.e., very frequently getting SLS requests... Wondering if WSUS update filter includes updates for SW that does not exist on WSUS could be causing the hosts to reach out to MS?  Sample of associated WindowsUpdateLog data follows (to protect the client..., in a few places I've removed host names and annotated such with (host name removed)):

    2019/05/20 03:36:27.9599438 4328  4620  IdleTimer       Non-AoAc machine.  Aoac operations will be ignored.

    2019/05/20 03:36:27.9601561 4328  4620  Agent           WU client version 10.0.16299.1059

    2019/05/20 03:36:27.9604294 4328  4620  Agent           SleepStudyTracker: Machine is non-AOAC. Sleep study tracker disabled.

    2019/05/20 03:36:27.9606335 4328  4620  Agent           Base directory: C:\WINDOWS\SoftwareDistribution

    2019/05/20 03:36:27.9614140 4328  4620  Agent           Datastore directory: C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb

    2019/05/20 03:36:27.9626545 4328  4620  DataStore       JetEnableMultiInstance succeeded - applicable param count: 5, applied param count: 5

    2019/05/20 03:36:28.0019052 4328  4620  Shared          UpdateNetworkState Ipv6, cNetworkInterfaces = 0.

    2019/05/20 03:36:28.0019284 4328  4620  Shared          UpdateNetworkState Ipv4, cNetworkInterfaces = 2.

    2019/05/20 03:36:28.0023799 4328  4620  Shared          Network state: Connected

    2019/05/20 03:36:28.1465026 4328  4620  Misc            *FAILED* [8024000C] LoadHistoryEventFromRegistry completed

    2019/05/20 03:36:28.1466312 4328  4620  Shared          UpdateNetworkState Ipv6, cNetworkInterfaces = 0.

    2019/05/20 03:36:28.1466398 4328  4620  Shared          UpdateNetworkState Ipv4, cNetworkInterfaces = 2.

    2019/05/20 03:36:28.1466512 4328  4620  Shared          Power status changed

    2019/05/20 03:36:28.1479933 4328  5496  Agent               Timer: 29A863E7-8609-4D1E-B7CD-5668F857F1DB, Expires 2019-05-20 14:35:48, not idle-only, not network-only

    2019/05/20 03:36:28.1484421 4328  4620  Agent           Initializing global settings cache

    2019/05/20 03:36:28.1484437 4328  4620  Agent           WSUS server: http://(host name removed):8530

    2019/05/20 03:36:28.1484491 4328  4620  Agent           WSUS status server:  http://(host name removed):8530

    2019/05/20 03:36:28.1484502 4328  4620  Agent           Alternate Download Server:  http://(host name removed):8530

    2019/05/20 03:36:28.1484513 4328  4620  Agent           Fill Empty Content Urls: No

    2019/05/20 03:36:28.1484523 4328  4620  Agent           Target group: (Unassigned Computers)

    2019/05/20 03:36:28.1484534 4328  4620  Agent           Windows Update access disabled: No

    2019/05/20 03:36:28.1484545 4328  4620  Agent           Do not connect to Windows Update Internet locations: No

    2019/05/20 03:36:28.1716674 4328  5496  Agent           Initializing Windows Update Agent

    2019/05/20 03:36:28.1717819 4328  5496  Agent           CPersistentTimeoutScheduler | GetTimer, returned hr = 0x00000000

    2019/05/20 03:36:28.1740502 4328  5496  ComApi          Added service, URL = https://fe2.update.microsoft.com/v6/

    2019/05/20 03:36:28.1788078 4328  5496  ComApi          * START *   Federated Search ClientId = UpdateOrchestrator (cV: u7/nhv1XdkqDAQRz.0.1.0)

    2019/05/20 03:36:28.1789877 4328  5496  IdleTimer       WU operation (SR.UpdateOrchestrator ID 1) started; operation # 6; does use network; is not at background priority

    2019/05/20 03:36:28.1802120 4328  10168 DownloadManager PurgeExpiredFiles::Found 0 expired files to delete.

    2019/05/20 03:36:28.1802223 4328  5200  IdleTimer       WU operation (SR.UpdateOrchestrator ID 1, operation # 6) stopped; does use network; is not at background priority

    2019/05/20 03:36:28.1810270 4328  10168 DownloadManager PurgeExpiredUpdates::Found 523 non expired updates.

    2019/05/20 03:36:28.1871246 4328  8044  ComApi          Federated Search: Starting search against 1 service(s) (cV = u7/nhv1XdkqDAQRz.0.1.0)

    2019/05/20 03:36:28.1872240 4328  8044  ComApi          * START *   Search ClientId = UpdateOrchestrator, ServiceId = 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 (cV = u7/nhv1XdkqDAQRz.0.1.0.0)

    2019/05/20 03:36:28.1876468 4328  8044  IdleTimer       WU operation (CSearchCall::Init ID 2) started; operation # 9; does use network; is at background priority

    2019/05/20 03:36:28.1971091 4328  8044  Reporter        OS Product Type = 0x00000004

    2019/05/20 03:36:28.2253107 4328  8044  Agent           * START * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 2]

    2019/05/20 03:36:28.2253183 4328  8044  Agent           Service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 is not in sequential scan list

    2019/05/20 03:36:28.2253226 4328  8044  Agent           Added service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 to sequential scan list

    2019/05/20 03:36:28.2256694 4328  6292  Agent           Service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 is in sequential scan list

    2019/05/20 03:36:28.2298221 4328  1264  Agent           * END * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 2]

    2019/05/20 03:36:28.2336966 4328  1264  Agent           * START * Finding updates CallerId = UpdateOrchestrator  Id = 2

    2019/05/20 03:36:28.2336993 4328  1264  Agent           Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No

    2019/05/20 03:36:28.2337031 4328  1264  Agent           Criteria = IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1""

    2019/05/20 03:36:28.2337080 4328  1264  Agent           ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed

    2019/05/20 03:36:28.2337128 4328  1264  Agent           Search Scope = {Machine}

    2019/05/20 03:36:28.2337188 4328  1264  Agent           Caller SID for Applicability: S-1-5-18

    2019/05/20 03:36:28.2337204 4328  1264  Agent           ProcessDriverDeferrals is set

    2019/05/20 03:36:28.2812857 4328  1264  Misc            Got WSUS Client/Server URL: http://(host name removed):8530/ClientWebService/client.asmx""

    2019/05/20 03:36:28.3115963 4328  1264  Driver          Skipping printer driver 4 due to incomplete info or mismatched environment - HWID[(null)] Provider[Lexmark International] MfgName[Lexmark] Name[Lexmark Color XPS Class Driver] pEnvironment[Windows x64] LocalPrintServerEnv[Windows x64]

    2019/05/20 03:36:28.3115996 4328  1264  Driver          Skipping printer driver 5 due to incomplete info or mismatched environment - HWID[(null)] Provider[HP] MfgName[HP] Name[HP Color LaserJet A4/Letter Hardware-Copy PCL6 Class Driver] pEnvironment[Windows x64] LocalPrintServerEnv[Windows x64]

    2019/05/20 03:36:28.3116055 4328  1264  Driver          Skipping printer driver 9 due to incomplete info or mismatched environment - HWID[microsoftmicrosoft_musd] Provider[Microsoft] MfgName[Microsoft] Name[Microsoft enhanced Point and Print compatibility driver] pEnvironment[Windows NT x86] LocalPrintServerEnv[Windows x64]

    2019/05/20 03:36:28.4048036 4328  10168 DownloadManager PurgeExpiredUpdates::Found 0 expired updates.

    2019/05/20 03:36:28.4085696 4328  10168 DownloadManager Received power state change notification: Old: <unknown>; New: AC.

    2019/05/20 03:36:28.4085718 4328  10168 DownloadManager Power state changed from <unknown> to AC.

    2019/05/20 03:36:29.1359926 4328  1264  ProtocolTalker  ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http:// http://(host name removed):8530/ClientWebService/client.asmx

    2019/05/20 03:36:29.1360099 4328  1264  ProtocolTalker  OK to reuse existing configuration

    2019/05/20 03:36:29.1360342 4328  1264  ProtocolTalker  Cached cookie has expired or new PID is available

    2019/05/20 03:36:29.1360542 4328  1264  Misc            Got WSUS SimpleTargeting URL:  http://(host name removed):8530""

    2019/05/20 03:36:29.1367439 4328  1264  IdleTimer       WU operation (CAuthorizationCookieWrapper::InitializeSimpleTargetingCookie) started; operation # 10; does use network; is at background priority

    2019/05/20 03:36:29.1367476 4328  1264  ProtocolTalker  Initializing simple targeting cookie, clientId = 584680e9-e212-40df-8dd3-04b6109853de, target group = , DNS name =  (host name removed)

    2019/05/20 03:36:29.1367493 4328  1264  ProtocolTalker    Server URL =  http://(host name removed):8530/SimpleAuthWebService/SimpleAuth.asmx

    2019/05/20 03:36:29.1367601 4328  1264  WebServices     Auto proxy settings for this web service call.

    2019/05/20 03:36:29.1587188 4328  1264  IdleTimer       WU operation (CAuthorizationCookieWrapper::InitializeSimpleTargetingCookie, operation # 10) stopped; does use network; is at background priority

    2019/05/20 03:36:29.1590353 4328  1264  IdleTimer       WU operation (CAgentProtocolTalker::GetCookie_WithRecovery) started; operation # 11; does use network; is at background priority

    2019/05/20 03:36:29.1590564 4328  1264  WebServices     Auto proxy settings for this web service call.

    2019/05/20 03:36:29.6866701 4328  1264  IdleTimer       WU operation (CAgentProtocolTalker::GetCookie_WithRecovery, operation # 11) stopped; does use network; is at background priority

    2019/05/20 03:36:29.6867873 4328  1264  ProtocolTalker  PTInfo: Server requested registration

    2019/05/20 03:36:32.0317697 4328  1264  IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 12; does use network; is at background priority

    2019/05/20 03:36:32.5360523 4328  1264  IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 12) stopped; does use network; is at background priority

    2019/05/20 03:36:32.5660578 4328  1264  IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 13; does use network; is at background priority

    2019/05/20 03:36:32.5871136 4328  1264  IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 13) stopped; does use network; is at background priority

    2019/05/20 03:36:32.5871260 4328  1264  ProtocolTalker  SyncUpdates round trips: 2

    2019/05/20 03:36:37.6424507 4328  1264  EEHandler       DeterminePatchSequence succeeded but status indicated an error 0x00000000

    2019/05/20 03:36:37.7252187 4328  1264  EEHandler       DeterminePatchSequence succeeded but status indicated an error 0x00000000

    2019/05/20 03:36:38.5605824 4328  1264  EEHandler       DeterminePatchSequence succeeded but status indicated an error 0x00000000

    2019/05/20 03:36:38.6521862 4328  1264  EEHandler       DeterminePatchSequence succeeded but status indicated an error 0x00000000

    2019/05/20 03:36:41.4684418 4328  1264  EEHandler       DeterminePatchSequence succeeded but status indicated an error 0x00000000

    2019/05/20 03:36:42.2967515 4328  1264  EEHandler       DeterminePatchSequence succeeded but status indicated an error 0x00000000

    2019/05/20 03:36:42.3875366 4328  1264  ProtocolTalker  ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =  http://(host name removed):8530/ClientWebService/client.asmx

    2019/05/20 03:36:42.3875441 4328  1264  ProtocolTalker  OK to reuse existing configuration

    2019/05/20 03:36:42.3875484 4328  1264  ProtocolTalker  Existing cookie is valid, just use it

    2019/05/20 03:36:42.3875511 4328  1264  ProtocolTalker  PTInfo: Server requested registration

    2019/05/20 03:36:42.4047042 4328  1264  IdleTimer       WU operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery) started; operation # 14; does use network; is at background priority

    2019/05/20 03:36:42.9221325 4328  1264  IdleTimer       WU operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery, operation # 14) stopped; does use network; is at background priority

    2019/05/20 03:36:42.9411451 4328  1264  SLS             Retrieving SLS response from server using ETAG mqexjdhSnje2KqesC2MU5xEv6HBrqJaFMGr79eFdqXs=_480"..."

    2019/05/20 03:36:42.9416269 4328  1264  SLS             Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.16299.0/0?CH=682&L=en-US&P=&PT=0x4&WUA=10.0.16299.1059&MK=Dell+Inc.&MD=Latitude+5590

    2019/05/20 03:37:03.9598639 4328  1264  Misc            *FAILED* [80072EE2] Send request

    2019/05/20 03:37:03.9599120 4328  1264  Misc            *FAILED* [80072EE2] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)

    2019/05/20 03:37:25.0066741 4328  1264  Misc            *FAILED* [80072EE2] Send request

    2019/05/20 03:37:25.0067060 4328  1264  Misc            *FAILED* [80072EE2] Library download error. Will retry. Retry Counter:0

    2019/05/20 03:37:46.0500797 4328  1264  Misc            *FAILED* [80072EE2] Send request

    2019/05/20 03:37:46.0501007 4328  1264  Misc            *FAILED* [80072EE2] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)

    2019/05/20 03:38:07.0794592 4328  1264  Misc            *FAILED* [80072EE2] Send request

    2019/05/20 03:38:07.0794895 4328  1264  Misc            *FAILED* [80072EE2] Library download error. Will retry. Retry Counter:1

    2019/05/20 03:38:28.1074140 4328  1264  Misc            *FAILED* [80072EE2] Send request

    2019/05/20 03:38:28.1074243 4328  1264  Misc            *FAILED* [80072EE2] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)

    2019/05/20 03:38:49.2072357 4328  1264  Misc            *FAILED* [80072EE2] Send request

    2019/05/20 03:38:49.2072633 4328  1264  Misc            *FAILED* [80072EE2] Library download error. Will retry. Retry Counter:2

    2019/05/20 03:39:10.2436558 4328  1264  Misc            *FAILED* [80072EE2] Send request

    2019/05/20 03:39:10.2436666 4328  1264  Misc            *FAILED* [80072EE2] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)

    2019/05/20 03:39:31.2660456 4328  1264  Misc            *FAILED* [80072EE2] Send request

    2019/05/20 03:39:31.2661033 4328  1264  SLS             *FAILED* [80072EE2] GetDownloadedOnWeakSSLCert

    2019/05/20 03:39:31.2662643 4328  1264  SLS             *FAILED* [80072EE2] Method failed [CSLSClient::GetResponse:525]

    2019/05/20 03:39:31.2663642 4328  1264  Metadata        *FAILED* [80072EE2] Method failed [MetadataIntegrity::SignatureVerifier::GetFragmentSigningConfig:793]

    2019/05/20 03:39:31.2663739 4328  1264  Metadata        *FAILED* [80072EE2] GetFragmentSigningConfig (Using default enforcement mode: Audit)

    2019/05/20 03:39:31.2663837 4328  1264  Metadata        *FAILED* [80072EE2] Method failed [MetadataIntegrity::SignatureVerifier::GetFragmentSigningConfigAndUpdateEnforcementPolicy:745]

    2019/05/20 03:39:31.2663977 4328  1264  Metadata        Policy-driven service enabled. Using Ignore Policy.

    2019/05/20 03:39:31.2664247 4328  1264  ProtocolTalker  SyncExtendedUpdateInfo - 0 bad out of 0 metadata signatures checked using Audit enforcement mode.

    2019/05/20 03:39:31.2848600 4328  1264  DownloadManager *FAILED* [80240008] Failed to lock the revision for the update DFD0CD0C-46CF-4F0C-9850-2EBF54D4C775.200 (SessionData = (null))

    2019/05/20 03:39:31.3678618 4328  1264  Agent           Found 0 updates and 98 categories in search; evaluated appl. rules of 2395 out of 3169 deployed entities

    2019/05/20 03:39:31.3831095 4328  1264  Agent           * END * Finding updates CallerId = UpdateOrchestrator  Id = 2

    2019/05/20 03:39:31.3866584 4328  1264  IdleTimer       WU operation (CSearchCall::Init ID 2, operation # 9) stopped; does use network; is at background priority

    2019/05/20 03:39:31.3904681 4328  8684  ComApi          *RESUMED*   Search ClientId = UpdateOrchestrator, ServiceId = 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 (cV = u7/nhv1XdkqDAQRz.0.1.0.0)

    2019/05/20 03:39:31.3909461 4328  8684  ComApi          * END *   Search ClientId = UpdateOrchestrator, Updates found = 0, ServiceId = 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 (cV = u7/nhv1XdkqDAQRz.0.1.0.0)

    2019/05/20 03:39:31.3912901 4328  8044  ComApi          * END *   All federated searches have completed. Jobs = 1, Succeeded = 1, ClientId = UpdateOrchestrator (cV = u7/nhv1XdkqDAQRz.0.1.0)

      

    Thursday, May 23, 2019 12:40 PM
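
Added example, not part of the original thread: a small Python triage script for a log like the one posted above. It reads the settings the Windows Update agent reports when it initialises its settings cache, lists every non-WSUS host the agent contacts (such as the SLS endpoint), and counts `80072EE2` timeouts. The sample log is constructed from lines in the post, the WSUS host name `wsus.example.internal` is a placeholder, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the log excerpt in the post above; the WSUS
# host name "wsus.example.internal" is a placeholder, not a value from the page.
SAMPLE_LOG = """\
2019/05/20 03:36:28.1484437 4328  4620  Agent           WSUS server: http://wsus.example.internal:8530
2019/05/20 03:36:28.1484534 4328  4620  Agent           Windows Update access disabled: No
2019/05/20 03:36:28.1484545 4328  4620  Agent           Do not connect to Windows Update Internet locations: No
2019/05/20 03:36:28.1740502 4328  5496  ComApi          Added service, URL = https://fe2.update.microsoft.com/v6/
2019/05/20 03:36:28.2812857 4328  1264  Misc            Got WSUS Client/Server URL: http://wsus.example.internal:8530/ClientWebService/client.asmx
2019/05/20 03:36:42.9416269 4328  1264  SLS             Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.16299.0/0?CH=682
2019/05/20 03:37:03.9598639 4328  1264  Misc            *FAILED* [80072EE2] Send request
2019/05/20 03:37:25.0066741 4328  1264  Misc            *FAILED* [80072EE2] Send request
"""

# date, time, PID, TID, component, message
LINE_RE = re.compile(r"^\s*\d{4}/\d{2}/\d{2} [\d:.]+\s+\d+\s+\d+\s+(\S+)\s+(.*)$")
URL_RE = re.compile(r"https?://[^\s\"]+", re.IGNORECASE)
# Settings the agent prints that decide whether it may leave the intranet.
WATCHED = ("Windows Update access disabled",
           "Do not connect to Windows Update Internet locations")
SETTING_RE = re.compile(r"^(WSUS server|%s):\s*(.*)$"
                        % "|".join(map(re.escape, WATCHED)))


def host_of(url):
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def summarize(log_text):
    settings, hosts, timeouts = {}, {}, 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or wrapped line
        component, msg = m.groups()
        s = SETTING_RE.match(msg) if component == "Agent" else None
        if s:
            settings[s.group(1)] = s.group(2).strip()
            continue
        if "*FAILED* [80072EE2]" in msg:  # 0x80072EE2: WinHTTP request timed out
            timeouts += 1
        for url in URL_RE.findall(msg):
            h = host_of(url)
            if h and component not in hosts.setdefault(h, []):
                hosts[h].append(component)
    # Anything left after removing the configured WSUS host is external.
    hosts.pop(host_of(settings.get("WSUS server", "")), None)
    # A watched setting reported as "No" means the agent is not applying it.
    gaps = [name for name in WATCHED if settings.get(name) == "No"]
    return {"settings": settings, "external_hosts": hosts,
            "timeouts": timeouts, "policy_gaps": gaps}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "=", value)
```

On Windows 10 the text log is produced with `Get-WindowsUpdateLog`; pass that file's contents to `summarize()`.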
  • Hi,
      

    Dual Scan behavior is enabled automatically if the following Group Policies or Mobile Device Management (MDM) options are set:
      

    • Specify intranet Microsoft update service location (i.e. WSUS)
    • Either of the policies belonging to Windows Update for Business:
      - Select when Feature Updates are received
      - Select when Quality Updates are received
        

    To enable WSUS updates only, make sure that all Windows Update for Business options are set to Not Configured and that the Turn off access to all Windows Update features policy under "System > Internet Communication Management > Internet Communication" settings is Enabled.
      

    Regards,
    Yic


    Friday, May 24, 2019 6:53 AM
  • Thanks Yic,

    Apologize for not getting back sooner.

    FYSA:  All Windows for Business options were/are set to Not Configured.  That said, "System > Internet Communication Management > Internet Communication" Turn off access to all Windows Update features setting was set to Not Configured too.   Enabled it, GPupdate /force…; however, Dual Scan behavior / symptoms are persisting.

    Any other suggestions or ideas?

    v/r,

    Rus


    • Edited by Rus680 Wednesday, June 12, 2019 3:09 PM confusing text
    Monday, June 3, 2019 7:41 PM