none
How do I determine where a computer got the 1709 feature upgrade?

    Pergunta

  • Hi Folks,

    TL;DR: How can I tell where a Win10 Enterprise machine got a feature upgrade from after the feature upgrade has been performed?

    I've been tasked with getting a hold of Windows Updates at our org. I had a 2016 server stood up with WSUS and attached 3 laptops (w/ 1511, 1607, and 1703 images on them) to it to confirm my understanding of the settings that arbitrate WUA behavior. On this development WSUS server all feature upgrades are denied. Those three laptops sat in my office for 2 months and everything seem to be operating as intended until one day the 1709 machine updated to 1709 one day.

    The only GPO setting I have in place is the "Specify intranet Microsoft update service location" policy. AFAIK, nothing that enables dual scan should be in place, and I see nothing in gpresult /h or rsop.msc which indicates otherwise.

    I'm aware of the Get-WindowsUpdateLog cmdlet and have used it to track what happened on a computer in the past but it only pulls from the online operating system. I tried pointing it at the .etl files in C:\Windows.old, but that didn't work.

    Now I've been approached by a supervisor asking if we can cut over to my WSUS server and I am hesitant to do that for many reasons, chief among them the fact that a client still updated when it wasn't supposed to on my WSUS server.

    Can anyone steer me in the right direction of finding out where/how that 1703 laptop got the 1709 feature upgrade?

    segunda-feira, 9 de julho de 2018 19:38

Todas as Respostas

  • Hello idav0212

    Glad to help.

     

    The only GPO setting I have in place is the "Specify intranet Microsoft update service location" policy.

     

    To disable duel scan, you should perform the following actions on clients:

     

    1. Verify that you have installed the November 2016 Cumulative Update for 1607, or any Cumulative Update more recent. 
    1. Enable the group policy System/Internet Communication Management/Internet Communication settings/Turn off access to all Windows Update features
    2. In an elevated command prompt, run “gpupdate /force”, followed by “UsoClient.exe startscan”
    3. Open the Windows Update UI (wait for the scan to complete), and observe:

     


     

    Refer to this:

     

    Demystifying “Dual Scan”

    https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/

     

    Hope above information helps.

     

    Best Regards,

    Ray Jia


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    terça-feira, 10 de julho de 2018 02:08
  • Thank you for the response!

    I had read your linked article several times but I think got this GPO setting confused with the one which also disables access to the Microsoft Store: Windows Components/Microsoft Update/Do not connect to any Windows Update Internet locations.

    I will enable the setting you mentioned and do further testing, however I'd like to note that while this will hopefull set me in the right direction, it doesn't really give me what I want. I want to be able to diagnose WUA/usoclient behavior, and it seems that a feature upgrade being completed makes this impossible. Do you have any insight on that specific matter?


    • Editado idav0212 terça-feira, 10 de julho de 2018 12:01
    terça-feira, 10 de julho de 2018 12:00
  • Hello idav0212,

      

    Thanks for your feedback.

         

    For this issue, i would do some research.

         

    If you have any thought or there is any progress, feel free to feedback.

      

    Best Regards,

    Ray Jia


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    sexta-feira, 13 de julho de 2018 07:05
  • For this issue, i would do some research.

    What do you think I'm doing here? I can't find any information on the subject. So I'm trying to find someone who knows what they're doing/talking about.
    sexta-feira, 13 de julho de 2018 17:06
  • Run from an Admin command prompt:

    gpresult /h gpo.htm

    Share the results here using your favourite sharing method or pastebin the results. Let's see your policies to figure out what's going on (and I'm not just talking about the Windows Update policies).


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    segunda-feira, 16 de julho de 2018 03:52
  • Thanks for the reply, but:

    1. I'm not asking to review my GPOs, I'm asking where I can find a log that explicitly details WUA behavior. This is normally accomplished with Get-WindowsUpdateLog but, as I said in the original post, that cmdlet processes .etl files from the online windows copy. I need to see the log from c:\windows.old -- before the feature upgrade was processed.

    2. The GPOs have applied to that computer have already been changed by now and do not reflect those in effect when the feature upgrade was processed.

    Can you think of any other resources that might have the information I'm looking for?


    • Editado idav0212 segunda-feira, 16 de julho de 2018 14:23
    segunda-feira, 16 de julho de 2018 14:21
  • The best method to find these out is the GPO settings of the systems that did this. The reason: it is the Windows Update Agent that does all the heavy lifting based on the policies given. Windows Update Settings can conflict with each other giving an undesired effect like what you had. Beyond sharing a sample GPO, I can only refer you to my blog regarding the settings.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    terça-feira, 17 de julho de 2018 02:56