Windows 10 Updates and Store GPO behavior with DualScan disabled and SCCM SUP/WSUS managed


Firstly...

Before you start reading this, you should be familiar with the DualScan Feature of Windows 10. Find more information on the following blog posts.

If you decided to disable DualScan (Do not allow update deferral policies to cause scan against Windows Update - Enabled) this post is for you.

Let's double check that!

To check whether DualScan is disabled, simply run the following PowerShell commands on your target machines.

$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService

Dual Scan Check

Verify that the default AU service is WSUS (Windows Server Update Service). Also make sure that the following registry value is set to 1.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
DisableDualScan REG_DWORD 1

Note: Recent SCCM clients configure this as a local policy when Software Updates are enabled in the client settings.
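As an added example (not code from the original post), the two checks above combined into one function that returns a single object: the default AU service from the Update Service Manager COM object and the DisableDualScan policy value. The WUServer and UseWUServer values it also reports are not discussed in the post; they are the standard WSUS policy values and are included only as an assumption about why WSUS shows up as the default service.

```powershell
# Added example, not from the original post: verify that DualScan is off and
# that WSUS/SUP is the default Automatic Update service. Run elevated on the client.
function Test-DualScanDisabled {
    $result = [ordered]@{}

    # 1. Which update service is the default AU service? With DualScan disabled
    #    and a managed server configured this should be "Windows Server Update Service".
    $musm    = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $default = $musm.Services | Where-Object { $_.IsDefaultAUService }
    $result.DefaultAUService = ($default | Select-Object -ExpandProperty Name) -join ', '

    # 2. DisableDualScan must be 1 under the WindowsUpdate policy key (GPO or the
    #    local policy written by the SCCM client).
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $dd = (Get-ItemProperty -Path $wuPolicy -Name DisableDualScan -ErrorAction SilentlyContinue).DisableDualScan
    $result.DisableDualScan = $dd

    # 3. Assumption, not covered in the post: the managed server is only used when
    #    UseWUServer = 1 and WUServer points at the SUP/WSUS. Reported for context.
    $result.WUServer    = (Get-ItemProperty -Path $wuPolicy -Name WUServer -ErrorAction SilentlyContinue).WUServer
    $result.UseWUServer = (Get-ItemProperty -Path "$wuPolicy\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    # Both conditions from the post must hold for DualScan to count as disabled.
    $result.DualScanDisabled = ($result.DefaultAUService -like '*Windows Server Update*') -and ($dd -eq 1)
    [pscustomobject]$result
}

Test-DualScanDisabled | Format-List
```

If DualScanDisabled comes back False while the GPO is applied, check that the client has actually processed policy (gpupdate, or the SCCM client's local policy) before reading the table below; a missing DisableDualScan value reads as $null here, which is the "not configured" case.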

Which GPO does what?

Let's assume you want to control:

  • whether the "Check for Updates" button is disabled or not
    • Note: the button has no use if DualScan is disabled.
  • whether the link "Check online for updates from Microsoft Update" is shown or not
    • Note: a click on the link would fetch updates and upgrades from Microsoft Update
  • whether you can manually search for drivers against Microsoft Update in the Device Manager or not
  • whether drivers are updated via Microsoft Update, WSUS or not at all
  • whether apps get updates from the Microsoft Store or not

then find your scenario in the following table:

Tested on Windows 10 Enterprise with the 2017-11 CU. Each cell gives the behaviour on 1607 / 1703 / 1709.

| GPO | Check Updates button | "Check online for updates from Microsoft Update" link | Updates / Upgrades from SUP/WSUS (SUP) or Microsoft Update (MU) | Updates for Microsoft Store | Manual driver search against Microsoft Update | Drivers via SUP/WSUS (SUP) |
|---|---|---|---|---|---|---|
| Remove access to use all Windows Update features - enabled | dis / dis / dis | yes / yes / rem | SUP / SUP / SUP | yes / yes / yes | yes / yes / yes | no / no / no |
| Do not connect to any Windows Update Internet locations - enabled | yes / yes / yes | rem / rem / rem | SUP / SUP / SUP | no / no / no | no / no / no | no / no / no |
| Turn Off Access to all Windows Update Feature - enabled | yes / yes / yes | rem / rem / rem | SUP / SUP / SUP | yes / yes / yes | no / no / no | no / no / no |
| Do not include drivers with Windows Update - enabled | yes / yes / yes | yes / yes / yes | SUP / SUP / SUP | yes / yes / yes | yes / yes / yes | no / no / no |
| Specify the search server for device driver updates - Managed Server | yes / yes / yes | yes / yes / yes | SUP / SUP / SUP | yes / yes / yes | yes / yes / yes | SUP / SUP / SUP |
| Specify search order for device driver source - Do not search Windows Update | yes / yes / yes | yes / yes / yes | SUP / SUP / SUP | yes / yes / yes | yes / yes / yes | no / no / no |
| Turn Off Windows Update device driver searching | not a Win10 GPO | not a Win10 GPO | not a Win10 GPO | not a Win10 GPO | not a Win10 GPO | not a Win10 GPO |

Notes

*dis = disabled, *rem = removed, *SUP = SCCM's Software Update Point or WSUS

Cells in the original table were colour-coded as "Change", "No change" or "Not a Win10 GPO". The only cell that changes between builds is the "Check online for updates from Microsoft Update" link under "Remove access to use all Windows Update features", which is still shown on 1607 and 1703 but removed on 1709.


Where do I find these GPOs?

Remove access to use all Windows Update features

GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Updates\
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
SetDisableUXWUAccess REG_DWORD

Do not connect to any Windows Update Internet locations

GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Updates\
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
DoNotConnectToWindowsUpdateInternetLocations REG_DWORD

Turn Off Access to all Windows Update Feature

GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
DisableWindowsUpdateAccess REG_DWORD

Do not include drivers with Windows Update

GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Updates\
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
ExcludeWUDriversInQualityUpdate REG_DWORD

Specify the search server for device driver updates

GPO: Computer Configuration\Administrative Templates\System\Device Installation\
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching\
DriverServerSelection REG_DWORD

Specify search order for device driver source locations

GPO: Computer Configuration\Administrative Templates\System\Device Installation\
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching\
SearchOrderConfig REG_DWORD

There are many more GPOs related to Windows Update. In the SCCM/SUP and DualScan-disabled scenario, these should fulfil most of your basic needs.

Managing Microsoft Store and App Updates!

You may have your own requirements on how you want to configure the Microsoft Store and its app updates. Let me show you what you can do and how.
Some might not know this, but it is the Microsoft Store app that updates apps, including Calculator, Photos, etc. So if you have removed it, which I do not recommend, there is not much left to configure, and you are not getting any app updates either.

Let's see what these Microsoft Store GPOs do...


Turn Off Access to the Store

Description

This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.

GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer
NoUseStoreOpenWith REG_DWORD
App Updates: not affected

One might think this is the GPO to disable the Microsoft Store. This is what it really does:
your users won't be asked to find an app in the Store when they try to open an unknown file extension.


Turn off Store application

Description

Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application is allowed.

GPO:
Computer Configuration\Administrative Templates\Windows Components\Store
or
User Configuration\Administrative Templates\Windows Components\Store
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
RemoveWindowsStore REG_DWORD
or
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore
RemoveWindowsStore REG_DWORD
App Updates: If configured in the computer context, it turns off app updates

Blocks the Microsoft Store app with the following message (screenshot in the original post):


Only display the private store within the Microsoft Store app

Description

Denies access to the retail catalog in the Windows Store app, but displays the private store. If you enable this setting, users will not be able to view the retail catalog in the Windows Store app, but they will be able to view apps in the private store. If you disable or don't configure this setting, users can access the retail catalog in the Windows Store app.

GPO:
Computer Configuration\Administrative Templates\Windows Components\Store
or
User Configuration\Administrative Templates\Windows Components\Store
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
RequirePrivateStoreOnly REG_DWORD
or
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore
RequirePrivateStoreOnly REG_DWORD
App Updates: not affected

Users will only be presented with the apps you have added to the Store for Business.


Disable all apps from Windows Store

Description

Disable turns off the launch of all apps from the Windows Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Enterprise and Education editions of Windows.

GPO: Computer Configuration\Administrative Templates\Windows Components\Store
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
DisableStoreApps REG_DWORD (Note: disable = 1 = apps disabled)
App Updates: not affected

Apps cannot be started and you will be presented with this message (screenshot in the original post):


Note: Does include Calculator, Maps, Photos, Camera, etc. Does not affect Edge.


Turn off Automatic Download and Install of updates

Description

Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation of app updates is turned on. If you don't configure this setting, the automatic download and installation of app updates is determined by a registry setting that the user can change using Settings in the Windows Store.

GPO: Computer Configuration\Administrative Templates\Windows Components\Store
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
AutoDownload REG_DWORD (NB: enabled = 2 = apps will not be updated automatically, disabled = 4 = apps will be updated automatically)
App Updates: yes and no. The keyword here is "automatic": the "Get Updates" button in the Store app is not disabled.

Automatic app updates can be locked on or off, but "Get Updates" in the Downloads and Updates menu would still download and update apps.
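As an added example that is not code from the original post, the following script audits the registry values behind every GPO listed in "Where do I find these GPOs?" and in this Store section, so you can see which row of the matrix applies to a given machine. The policy names, registry paths and value names are exactly those listed in the post; the meanings assigned to the data (1 = enabled, AutoDownload 2 = automatic app updates off and 4 = on, DisableStoreApps 1 = apps disabled) follow the post's own notes, and for DriverServerSelection and SearchOrderConfig, whose data values the post does not spell out, only "configured" is reported.

```powershell
# Added example, not from the original post: report the state of the Windows Update
# and Microsoft Store policies discussed in the post by reading their registry values.
# HKCU entries reflect the user running the script; run it in that user's context
# (unelevated) to see user-scoped Store policies.
$onOff = @{ 1 = 'enabled'; 0 = 'disabled' }

$policies = @(
    @{ Name = 'Remove access to use all Windows Update features';       Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';   Value = 'SetDisableUXWUAccess';                          Map = $onOff }
    @{ Name = 'Do not connect to any Windows Update Internet locations'; Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';   Value = 'DoNotConnectToWindowsUpdateInternetLocations'; Map = $onOff }
    @{ Name = 'Turn Off Access to all Windows Update Feature';           Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';   Value = 'DisableWindowsUpdateAccess';                    Map = $onOff }
    @{ Name = 'Do not include drivers with Windows Update';              Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';   Value = 'ExcludeWUDriversInQualityUpdate';               Map = $onOff }
    # Data values for the two driver-search policies are not explained in the post; only report "configured".
    @{ Name = 'Specify the search server for device driver updates';     Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\Windows\DriverSearching'; Value = 'DriverServerSelection';                         Map = @{} }
    @{ Name = 'Specify search order for device driver source locations'; Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\Windows\DriverSearching'; Value = 'SearchOrderConfig';                             Map = @{} }
    @{ Name = 'Turn Off Access to the Store (Open With)';                Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\Windows\Explorer';        Value = 'NoUseStoreOpenWith';                            Map = $onOff }
    @{ Name = 'Turn off Store application (computer)';                   Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\WindowsStore';            Value = 'RemoveWindowsStore';                            Map = $onOff }
    @{ Name = 'Turn off Store application (user)';                       Hive = 'HKCU:'; Key = 'Software\Policies\Microsoft\WindowsStore';            Value = 'RemoveWindowsStore';                            Map = $onOff }
    @{ Name = 'Only display the private store (computer)';               Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\WindowsStore';            Value = 'RequirePrivateStoreOnly';                       Map = $onOff }
    @{ Name = 'Only display the private store (user)';                   Hive = 'HKCU:'; Key = 'Software\Policies\Microsoft\WindowsStore';            Value = 'RequirePrivateStoreOnly';                       Map = $onOff }
    @{ Name = 'Disable all apps from Windows Store';                     Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\WindowsStore';            Value = 'DisableStoreApps';                              Map = @{ 1 = 'Disable: apps cannot start, no app updates'; 0 = 'Enable' } }
    @{ Name = 'Turn off Automatic Download and Install of updates';      Hive = 'HKLM:'; Key = 'SOFTWARE\Policies\Microsoft\WindowsStore';            Value = 'AutoDownload';                                  Map = @{ 2 = 'enabled: automatic app updates off'; 4 = 'disabled: automatic app updates on' } }
)

function Get-StorePolicyState {
    foreach ($p in $policies) {
        $path = "$($p.Hive)\$($p.Key)"
        $data = $null
        if (Test-Path $path) {
            # A missing value name simply yields $null, which we report as "not configured".
            $data = (Get-ItemProperty -Path $path -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
        }

        $state = if ($null -eq $data) {
            'not configured'
        } else {
            $key = [int]$data
            if ($p.Map.ContainsKey($key)) { $p.Map[$key] } else { "configured (data $data)" }
        }

        [pscustomobject]@{
            Policy = $p.Name
            Path   = $path
            Value  = $p.Value
            Data   = $data
            State  = $state
        }
    }
}

Get-StorePolicyState | Format-Table Policy, Value, Data, State -AutoSize -Wrap
```

Reading the matrix against this output: a machine that reports "enabled" for DoNotConnectToWindowsUpdateInternetLocations, for example, falls into the row where both the Store app updates and the manual driver search are "no", which is usually the surprise people hit when they only wanted to hide the "Check online" link.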

Finally...


Comments (9)

  1. Imagine an enterprise that wants to install drivers from Microsoft Update but also wants to stay on a tested and very specific Windows 10 version and for sure does not want a user to get unapproved updates, because this enterprise runs a WSUS.

    Option 1 use the GPO “Do not connect to any Windows Update Internet locations”:
    This leaves you with outdated or non functional device drivers.

    Option 2 use the GPO preventing DualScans:
    This leaves a user able to upgrade a machine to a state prohibited by your enterprise.

    Option 3 use the GPO preventing DualScans and hide the Settings page WindowsUpdate:
    This makes a user unable to schedule an install time and make some useful settings for himself, causing the installation of an update with the possibility of a reboot (WSUS deadline).

    Maybe I am mistaken or I did miss something.
    Otherwise a way to prevent a user from connecting directly to Microsoft (GPO?) and the only way I know is the Link in the WindowsUpdate Settings page would be a really great feature.
    Then an enterprise would be able to provide drivers use WSUS and even really control a Windows 10 version.

  2. DanielB says:

    First off, thanks for a great article!
    You forgot “System” in “GPO: Computer Configuration\Administrative Templates\Internet Communication Management\Internet Communication settings\”.
    Should be: “Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\”

  3. Completely agree with MrBishich’s comment. Drivers or Upgrades need to be separated from the general ‘Windows Update’.

    There is currently no configuration available for enterprises to be in complete control of upgrades, but allow devices to update drivers from Windows Update.

    The only option in this scenario is to block Windows Update entirely for risk of an Upgrade being installed on a machine outside the realms of the enterprise.

  4. Gricereene says:

    I believe there’s a typo in the GPO paths for the “Turn Off Access to all Windows Update Feature” and “Turn Off Access to the Store” policies. The path “Computer Configuration\Administrative Templates\Internet Communication Management\Internet Communication settings\” should instead be “Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\”.

  5. joe says:

    Is the GPO matrix above with or without dualscan enabled? If not, how does it change?

  6. How does “Opt-in to Microsoft Update” factor into this scenario?

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa826676(v=vs.85).aspx

    This seems to be the only way to get updates for products other than Windows when you run ad-hoc scans by clicking “Check online for updates from Microsoft Update”

  7. Marcel says:

    Thx for this great Article. Please Update the Matrix with 1803 release. Based on my Tests, I think there is not much difference from 1709 to 1803. But confirmation and updated Matrix would be nice.
