Microsoft has given an all new meaning to update management with the combination of Windows Update for Business and Windows as a Service; here comes Dual Scan. This is a Windows Update feature which does not require the administrators to approve every update manually.
“We believe that this automated management solution is the future, and we want to ensure that everyone who wants to move to modern (i.e., Cloud-first) update management can do so.” – says Microsoft.
What is Dual Scan
Dual Scan is a Windows Update (WU) client behavior introduced with Windows 10 1607. It lets a client receive Windows updates directly from Windows Update (WU) while still receiving other content, such as drivers or locally-published updates, through WSUS.
Triggering Dual Scan effectively means getting Windows updates from the internet and non-Windows updates from WSUS. Dual Scan is enabled automatically when a particular combination of Windows Update group policies is configured (the on-premises scenario below shows one such combination).
This model suits only those enterprises that want WU to be their main update source while Windows Server Update Services (WSUS) provides all other content.
Dual Scan’s Unwanted Loss of Control
Dual Scan introduces an unwanted loss of control for those who still want to manage updates the old way. Before Windows 10, one could not unintentionally upgrade a managed machine to a new build simply by scanning against Windows Update (WU). That channel provided only quality updates, so administrators were unconcerned about their clients scanning against WU: it could never lead to any significant change in the state of the client.
But with feature updates now being offered on WU, a client managed through WSUS or Configuration Manager can receive a feature update its administrator had declined, simply by a user clicking the “Check online for updates from Microsoft Update” link.
Business Controls in the On-Premises Scenario
Since on-premises admins were rightly concerned about the above scenario, they chose to enable the WU for Business policy that let them select when feature updates were received. This had the planned effect: scans against Windows Update no longer pushed the unapproved feature updates.
Nevertheless, this configuration also fulfilled the criteria for enabling Dual Scan, which led to the machine no longer being controlled by WSUS or Configuration Manager for the purposes of Windows updates.
But how does an administrator keep unapproved feature updates from installing while maintaining control of update management with their existing on-premises tools?
“We’ve gotten enough feedback on this scenario that we have committed to release a quality update for 1607 that allows you to leverage WU for Business controls even in the on-premises scenario; i.e., for “Check online for updates” scans. You’ll be able to defer feature updates without automatically shifting into Dual Scan behavior.”
The policy is not configured by default; it must be enabled to ensure that the WU client behaves as intended. Microsoft plans to release the quality update for 1607 this summer.
To Unblock this Scenario
Microsoft listed steps to unblock the scenario immediately. With these steps, managed clients can still perform scans against WSUS/Configuration Manager and access the Microsoft Store, while feature updates are prevented from installing automatically and no update content at all is installed via Windows Update. For all managed clients, Microsoft recommends the following workaround:
- Set all WU for Business policies to Not Configured. This ensures that you are not in Dual Scan mode.
- Verify that you have installed the November 2016 Cumulative Update for 1607, or any Cumulative Update more recent.
- Enable the group policy System/Internet Communication Management/Internet Communication settings/Turn off access to all Windows Update features
- In an elevated command prompt, run “gpupdate /force”, followed by “UsoClient.exe startscan”
- Open the Windows Update UI (wait for the scan to complete), and observe:
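As an added example (not part of the article or of Microsoft's guidance), the PowerShell check below reads the policy state these steps touch and reports whether a client looks Dual Scan-prone or has the workaround in place. It assumes the policies live under the standard Group Policy registry path HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate with the value names listed in the code.

```powershell
# Added example (not from the original article): audit a Windows 10 1607+ client
# for the Dual Scan conditions described above and for the recommended workaround.
# Assumption: policies are read from the standard Group Policy registry path
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its \AU subkey).
function Test-DualScanState {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'

    # Helper: return a policy value, or $null when the policy is Not Configured.
    function Get-PolicyValue([string]$Path, [string]$Name) {
        if (-not (Test-Path $Path)) { return $null }
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # WSUS / Configuration Manager management: a server is set and UseWUServer = 1
    $wsusServer  = Get-PolicyValue $wu 'WUServer'
    $useWsus     = (Get-PolicyValue $au 'UseWUServer') -eq 1
    $wsusManaged = $useWsus -and -not [string]::IsNullOrEmpty($wsusServer)

    # Windows Update for Business deferral policies; any of these being set is what
    # the article warns can tip a WSUS-managed client into Dual Scan.
    $wufbNames = 'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
                 'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
                 'BranchReadinessLevel', 'PauseFeatureUpdates', 'PauseQualityUpdates'
    $wufbSet = @($wufbNames | Where-Object { $null -ne (Get-PolicyValue $wu $_) })

    # The two controls the article names:
    #  - "Do not allow update deferral policies to cause scans against Windows Update"
    #  - "Turn off access to all Windows Update features"
    $dualScanBlocked = (Get-PolicyValue $wu 'DisableDualScan') -eq 1
    $wuAccessOff     = (Get-PolicyValue $wu 'DisableWindowsUpdateAccess') -eq 1

    [pscustomobject]@{
        WsusManaged       = $wsusManaged
        WsusServer        = $wsusServer
        WufbPoliciesSet   = $wufbSet
        DisableDualScan   = $dualScanBlocked
        WuAccessDisabled  = $wuAccessOff
        # Dual Scan is expected when WSUS management and any deferral policy coexist
        # and the DisableDualScan policy is not enabled.
        DualScanLikely    = $wsusManaged -and ($wufbSet.Count -gt 0) -and -not $dualScanBlocked
        # The article's interim workaround: no WUfB policies plus WU access turned off.
        WorkaroundInPlace = $wsusManaged -and ($wufbSet.Count -eq 0) -and $wuAccessOff
    }
}

Test-DualScanState | Format-List
```

Run it from an elevated prompt after "gpupdate /force" so the registry reflects the policies just applied.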
Microsoft said activating “Remove access to all Windows Update features” would not be useful for this scenario. Dual Scan is also supported in the on-premises scenario. Group Policy includes a setting – Do not allow update deferral policies to cause scans against Windows Update. For a full read on the subject, visit Microsoft.