Firstly...
Before you start reading this, you should be familiar with the DualScan feature of Windows 10. You can find more information in the following blog posts:
- https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/
- https://blogs.technet.microsoft.com/configurationmgr/2017/10/10/using-configmgr-with-windows-10-wufb-deferral-policies/
If you decided to disable DualScan ("Do not allow update deferral policies to cause scans against Windows Update" set to Enabled), this post is for you.
Let's double check that!
To check whether DualScan is disabled, simply run the following PowerShell commands on your target machines:
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService
Verify that the service reported with IsDefaultAUService = True is WSUS. Also make sure that the following registry value is set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DisableDualScan REG_DWORD 1
Note: recent SCCM client versions configure this as a local policy if Software Updates are enabled via client settings.
Which GPO does what?
Let's assume you want to control:
- whether the "Check for Updates" button is disabled or not
  Note: the button has no use if DualScan is disabled.
- whether the link "Check online for updates from Microsoft Update" is shown or not
  Note: a click on the link would fetch updates and upgrades from Microsoft Update.
- whether you can manually search for drivers against Microsoft Update in Device Manager or not
- whether drivers are updated via Microsoft Update, via WSUS, or not at all
- whether apps get their updates from the Microsoft Store or not
Then find your scenario in the following table:
Notes: *dis = disabled, *rem = removed, *SUP = SCCM's Software Update Point or WSUS
Where do I find these GPOs?
Remove access to use all Windows Update features
GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
SetDisableUXWUAccess REG_DWORD
Do not connect to any Windows Update Internet locations
GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotConnectToWindowsUpdateInternetLocations REG_DWORD
Turn off access to all Windows Update features
GPO: Computer Configuration\Administrative Templates\Internet Communication Management\Internet Communication settings
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DisableWindowsUpdateAccess REG_DWORD
Do not include drivers with Windows Updates
GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
ExcludeWUDriversInQualityUpdate REG_DWORD
Specify the search server for device driver updates
GPO: Computer Configuration\Administrative Templates\System\Device Installation
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching
DriverServerSelection REG_DWORD
Specify search order for device driver source locations
GPO: Computer Configuration\Administrative Templates\System\Device Installation
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching
SearchOrderConfig REG_DWORD
There are many more GPOs related to Windows Update. In the SCCM/SUP with DualScan disabled scenario, these should fulfil most of your basic needs.
Managing Microsoft Store and App Updates!
You may have your own requirements on how you want to configure the Microsoft Store and its app updates. Let me show you what you can do and how.
Some might not know it, but it is the Microsoft Store app that updates apps, including Calculator, Photos, etc. So if you have removed it, which I do not recommend, there is not much to configure, nor are you getting any app updates.
Let's see what these Microsoft Store GPOs do...
Turn Off Access to the Store
Description
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.
GPO: Computer Configuration\Administrative Templates\Internet Communication Management\Internet Communication settings
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer
NoUseStoreOpenWith REG_DWORD
App Updates: not affected
One might think this is the GPO to disable the Microsoft Store; this is what it really does:
your users won't be asked to find an app in the Store if they try to open an unknown file extension.
Turn off Store application
Description
Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application is allowed.
GPO:
Computer Configuration\Administrative Templates\Windows Components\Store
or
User Configuration\Administrative Templates\Windows Components\Store
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
RemoveWindowsStore REG_DWORD
or
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore
RemoveWindowsStore REG_DWORD
App Updates: if configured in the computer context, it turns off app updates.
Blocks the Microsoft Store app with the following message:
Only display the private store within the Microsoft Store app
Description
Denies access to the retail catalog in the Windows Store app, but displays the private store. If you enable this setting, users will not be able to view the retail catalog in the Windows Store app, but they will be able to view apps in the private store. If you disable or don't configure this setting, users can access the retail catalog in the Windows Store app.
GPO:
Computer Configuration\Administrative Templates\Windows Components\Store
or
User Configuration\Administrative Templates\Windows Components\Store
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
RequirePrivateStoreOnly REG_DWORD
or
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore
RequirePrivateStoreOnly REG_DWORD
App Updates: not affected
Users will only be presented with the apps you have added to the Store for Business.
Disable all apps from Windows Store
Description
Disable turns off the launch of all apps from the Windows Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Enterprise and Education editions of Windows.
GPO: Computer Configuration\Administrative Templates\Windows Components\Store
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
DisableStoreApps REG_DWORD (Note: disable = 1 = apps disabled)
App Updates: not affected
Apps cannot be started and you will be presented with this message:
Note: this does include Calculator, Maps, Photos, Camera, etc. It does not affect Edge.
Turn off Automatic Download and Install of updates
Description
Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation of app updates is turned on. If you don't configure this setting, the automatic download and installation of app updates is determined by a registry setting that the user can change using Settings in the Windows Store.
GPO: Computer Configuration\Administrative Templates\Windows Components\Store
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
AutoDownload REG_DWORD (NB: enable = 2 = apps will not be updated, disable = 4 = apps will be automatically updated)
App Updates: yes and no. The keyword here is "automatic": the "Get Updates" button in the Store app will not be disabled.
Automatic app updates can be locked to be on or off; again, "Get Updates" in the Downloads and Updates menu would still download and update apps.
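As an added example (not code from the original post), the following PowerShell script runs the DualScan check from the top of the post and then reads every Windows Update and Store policy value listed above, so you can verify a machine's effective configuration before and after your GPOs apply. It assumes the registry paths given in the post and reports unset values as not configured.

```powershell
# Added example (not from the original post): audit DualScan and the Windows Update
# and Microsoft Store policy values described above on the local machine.
# Run in an elevated PowerShell; a missing key or value is reported as "not configured".
$WU     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Drv    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'
$Expl   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
$StoreM = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$StoreU = 'HKCU:\Software\Policies\Microsoft\WindowsStore'

# Value name -> key it lives under (all REG_DWORD values from the post)
$Checks = [ordered]@{
    'DisableDualScan'                              = $WU
    'SetDisableUXWUAccess'                         = $WU
    'DoNotConnectToWindowsUpdateInternetLocations' = $WU
    'DisableWindowsUpdateAccess'                   = $WU
    'ExcludeWUDriversInQualityUpdate'              = $WU
    'DriverServerSelection'                        = $Drv
    'SearchOrderConfig'                            = $Drv
    'NoUseStoreOpenWith'                           = $Expl
    'RemoveWindowsStore'                           = $StoreM
    'RequirePrivateStoreOnly'                      = $StoreM
    'DisableStoreApps'                             = $StoreM
    'AutoDownload'                                 = $StoreM
}

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Get-ItemProperty throws when the key or value is absent; treat that as unconfigured
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { 'not configured' }
}

# 1. Default AU service via the same COM object as above; WSUS is expected with DualScan off
$MUSM    = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$Default = ($MUSM.Services | Where-Object { $_.IsDefaultAUService }).Name
$Dual    = Get-PolicyValue $WU 'DisableDualScan'
"Default AU service : $Default"
"DualScan disabled  : $(($Default -match 'Windows Server Update Service') -and ($Dual -eq 1))"

# 2. Every policy value from the post, decoding the two whose numbers are not 0/1 booleans
foreach ($Name in $Checks.Keys) {
    $Val = Get-PolicyValue $Checks[$Name] $Name
    $Meaning = switch ($Name) {
        'AutoDownload'     { @{2 = 'automatic app updates OFF'; 4 = 'automatic app updates ON'}[$Val] }
        'DisableStoreApps' { if ($Val -eq 1) { 'Store apps disabled (Enterprise/Education only)' } }
    }
    '{0,-45} {1,-15} {2}' -f $Name, $Val, $Meaning
}
# 3. Per-user RemoveWindowsStore: blocks the Store UI for this user but does not stop app updates
"RemoveWindowsStore (HKCU): $(Get-PolicyValue $StoreU 'RemoveWindowsStore')"
```

Run it once before and once after a gpupdate so the two reports show exactly which values your GPOs changed.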
Finally...
- Please make sure you have tested your GPO settings thoroughly before you implement them in your production environment, especially if you use a combination of the GPOs explained in this blog or any other Update/Store related GPO.
- Things might change with the soon to be released Win10 1803 release.
- Stop hurting yourself by not updating: https://blogs.technet.microsoft.com/yongrhee/2018/03/20/stop-hurting-yourself-by-not-updating-the-drivers-and-firmwares-in-windows-and-windows-server/