For those of you who utilize WSUS as your main method of updating your firm's computers, be aware of the "Dual Scan" capabilities of Windows 10 b1607 and later. I was not aware of this "new feature" that MS built into Win10, and it started causing me some grief yesterday...
We are a VDI shop using VMware Horizon View. We leverage linked-clones heavily as it helps us manage our systems more easily and keeps storage use considerably lower. We perform updates to our base image 1-2 times per month using WSUS, and keep Windows Updates disabled on the linked-clone. We've been using this method for years and have never had any issues. Our current build is 1607 Enterprise, as we were unable to upgrade to 1703 or later in our previous Horizon View build 6.22. We recently completed our upgrade to Horizon 7.3.2 and have begun testing b1709.
Yesterday, while connected to my remote session, I was greeted with "Microsoft Update Assistant" and was being force-fed the b1709 feature update on my computer. Needless to say, I was quite puzzled as to how this was even being accomplished. We had all our GPO settings configured, and the WU service disabled. (So I thought...) After a little research, I found that the "Update Assistant" was installed this day and the WU service was re-enabled. I then checked this against my base image and found that we had NOT installed the assistant. So, where did it come from? Off to Google and Reddit I went.
I located a couple of articles which led me to the answer. The first one, "Report: Forced Windows 10 version 1709 upgrades that bypass Windows Update" (gHacks Tech News), outlined the issues of MS force-feeding us the latest Win10 build, even though it wasn't supposed to occur with Win10 Enterprise users. The second article "demystified dual scan": https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/. It was a combination of this second article and Jason Baker’s post in the “Win10 Updates Using SCCM” thread that led me to the solution.
I have completed the first three steps under “What You Can Do in the Meantime” in the “Demystifying Dual Scan” article. These are:
- Set all WU for Business policies to Not Configured. This ensures that you are not in Dual Scan mode.
- Verify that you have installed the November 2016 Cumulative Update for 1607, or any Cumulative Update more recent.
- Enable the group policy System/Internet Communication Management/Internet Communication settings/Turn off access to all Windows Update features.
I hope this information helps you prevent a situation at your office.
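
To audit a base image against the three steps listed above, a read-only check along these lines can be run locally. This is an added example, not part of the original post or of Microsoft's article. The registry value names are assumptions about where these Group Policy settings are stored, so confirm them against your ADMX templates.

```powershell
# Added example: read-only audit of the settings from the three steps above.
# ASSUMPTION: the value names below are where the policies land in the registry;
# verify against your ADMX templates before relying on the result.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Windows Update for Business values. Step 1 wants all of these absent
# (Not Configured) so the client is not in Dual Scan mode.
$wufbNames = 'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
             'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
             'BranchReadinessLevel', 'DeferUpgrade', 'DeferUpgradePeriod',
             'DeferUpdatePeriod'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Emits nothing when the key or value is absent (policy Not Configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Collect every WUfB value that is actually present on this machine.
$wufbSet = foreach ($n in $wufbNames) {
    $v = Get-PolicyValue $wuKey $n
    if ($null -ne $v) { "$n=$v" }
}

# Step 2: report build and update revision so it can be compared by hand
# with the cumulative update level the article asks for.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$svc = Get-Service -Name wuauserv

[pscustomobject]@{
    WsusServer         = Get-PolicyValue $wuKey 'WUServer'
    UseWsus            = (Get-PolicyValue "$wuKey\AU" 'UseWUServer') -eq 1
    WufbPoliciesSet    = if ($wufbSet) { $wufbSet -join '; ' } else { 'none' }
    # Step 3: "Turn off access to all Windows Update features"
    WuAccessTurnedOff  = (Get-PolicyValue $wuKey 'DisableWindowsUpdateAccess') -eq 1
    OsBuild            = "$($cv.CurrentBuild).$($cv.UBR)"
    WuServiceStartType = $svc.StartType
    WuServiceStatus    = $svc.Status
} | Format-List
```

Running it on both the base image and a deployed linked-clone makes it easy to spot a clone where the WU service has been re-enabled or a deferral policy has reappeared.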