July 9

Windows 10 Updates and Store GPO behavior with DualScan disabled and SCCM SUP/WSUS managed

Source: https://blogs.technet.microsoft.com/swisspfe/2018/04/13/win10-updates-store-gpos-dualscandisabled-sup-wsus/

Firstly…

    Before you start reading this, you should be familiar with the DualScan feature of Windows 10. Find more information in the following blog posts.

  • https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/
  • https://blogs.technet.microsoft.com/configurationmgr/2017/10/10/using-configmgr-with-windows-10-wufb-deferral-policies/

    If you decided to disable DualScan (Do not allow update deferral policies to cause scan against Windows Update – Enabled), this post is for you.

    Let’s double check that!

    To check if DualScan is disabled, simply run the following PowerShell commands on your target machines.

    $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
    $MUSM.Services | select Name, IsDefaultAUService

    Dual Scan Check

    Verify that DefaultAUService is WSUS. Also make sure that you have the following registry value set to 1:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
    DisableDualScan REG_DWORD 1

    Note: the recent SCCM client configures a local policy if Software Updates are enabled via client settings.
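    The following PowerShell is an added example and not code from the original post. It wraps the two checks described above (the default Automatic Update service reported by the Windows Update Agent COM API, and the DisableDualScan policy value) into one pass/fail function, so the result can be collected from many machines. The function name and the assumption that the WSUS entry in the service list is named "Windows Server Update Service" are this example's own; the post only says it should be "WSUS".

```powershell
# Added example, not code from the original post: one pass/fail check for "DualScan disabled".
# Assumption: the WSUS service in Microsoft.Update.ServiceManager is named
# "Windows Server Update Service" (the post only says "WSUS").

function Test-DualScanDisabled {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Which update service is the default Automatic Update (AU) service?
    $musm        = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $default     = $musm.Services | Where-Object { $_.IsDefaultAUService } | Select-Object -First 1
    $defaultName = if ($null -ne $default) { $default.Name } else { '(none)' }
    if ($defaultName -notlike '*Windows Server Update Service*') {
        $findings += "Default AU service is '$defaultName'; expected WSUS."
    }

    # 2. Is the DisableDualScan policy value set to 1?
    #    Domain GPO and the local policy written by the SCCM client both land in
    #    this Policies key, so one read covers both sources.
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $item     = Get-ItemProperty -Path $wuPolicy -Name DisableDualScan -ErrorAction SilentlyContinue
    $value    = if ($null -ne $item) { $item.DisableDualScan } else { $null }
    if ($value -ne 1) {
        $findings += "DisableDualScan is '$value'; expected REG_DWORD 1."
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DefaultAUService = $defaultName
        DisableDualScan  = $value
        DualScanDisabled = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Test-DualScanDisabled | Format-List
```

    A machine where DualScanDisabled is false is one that may still scan against Windows Update on its own, which is exactly the situation the rest of this post assumes you have ruled out.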

    Which GPO does what?

    Let’s assume you want to control:

  • whether the „Check for Updates“ button is disabled or not (Note: the button has no use if DualScan is disabled)
  • whether the link „Check online for updates from Microsoft Update“ is shown or not (Note: a click on the link would fetch updates and upgrades from Microsoft Update)
  • whether you can manually search for drivers against Microsoft Update in the Device Manager or not
  • whether drivers are updated via Microsoft Update, WSUS or not at all
  • whether Apps are getting updates from the Microsoft Store or not

    Then find your scenario in the following table:

    Each cell lists the behaviour for Windows 10 Enterprise 1607 / 1703 / 1709 (with 2017-11 CU), in that order.

    GPO | Check Updates button | Check online for updates from Microsoft Update | Updates / Upgrades from SUP/WSUS (SUP) or Microsoft Update (MU) | Updates for Microsoft Store | Manual driver search against Microsoft Update | Drivers via Updates SUP/WSUS (SUP)
    --- | --- | --- | --- | --- | --- | ---
    Remove access to use all Windows Update features – enabled | dis / dis / dis | yes / yes / rem | SUP / SUP / SUP | yes / yes / yes | yes / yes / yes | no / no / no
    Do not connect to any Windows Update Internet locations – enabled | yes / yes / yes | rem / rem / rem | SUP / SUP / SUP | no / no / no | no / no / no | no / no / no
    Turn off access to all Windows Update features – enabled | yes / yes / yes | rem / rem / rem | SUP / SUP / SUP | yes / yes / yes | no / no / no | no / no / no
    Do not include drivers with Windows Update – enabled | yes / yes / yes | yes / yes / yes | SUP / SUP / SUP | yes / yes / yes | yes / yes / yes | no / no / no
    Specify the search server for device driver updates – Managed Server | yes / yes / yes | yes / yes / yes | SUP / SUP / SUP | yes / yes / yes | yes / yes / yes | SUP / SUP / SUP
    Specify search order for device driver source – Do not search Windows Update | yes / yes / yes | yes / yes / yes | SUP / SUP / SUP | yes / yes / yes | yes / yes / yes | no / no / no
    Turn off Windows Update device driver searching | n/a | n/a | n/a | n/a | n/a | n/a

    Notes

    *dis = disabled, *rem = removed, *SUP = SCCM’s Software Update Point or WSUS

    The original post colour-codes cells as "Change", "No change" and "Not a Win10 GPO"; the last row (Turn off Windows Update device driver searching) is marked "Not a Win10 GPO" and has no values.

    Where do I find these GPOs?

    Remove access to use all Windows Update features
    GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Updates\
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
    Value: SetDisableUXWUAccess REG_DWORD

    Do not connect to any Windows Update Internet locations
    GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Updates\
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
    Value: DoNotConnectToWindowsUpdateInternetLocations REG_DWORD

    Turn off access to all Windows Update features
    GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
    Value: DisableWindowsUpdateAccess REG_DWORD

    Do not include drivers with Windows Update
    GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Updates\
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
    Value: ExcludeWUDriversInQualityUpdate REG_DWORD

    Specify the search server for device driver updates
    GPO: Computer Configuration\Administrative Templates\System\Device Installation\
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching\
    Value: DriverServerSelection REG_DWORD

    Specify search order for device driver source locations
    GPO: Computer Configuration\Administrative Templates\System\Device Installation\
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching\
    Value: SearchOrderConfig REG_DWORD

    There are many more GPOs related to Windows Update. In the SCCM/SUP & DualScan disabled scenario these should fulfil most of your basic needs.
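    As an added example (not code from the original post), the script below inventories the registry values behind the six GPOs listed above and reports which ones are configured on a machine, which is the quickest way to reconcile what the table predicts with what a client actually has. Paths and value names are taken from the post. Everything else is this example's own, including the assumption that "Enabled" writes REG_DWORD 1 for the four on/off Windows Update policies; the two driver policies are multi-option and the post gives no numeric values for them, so only their raw value is reported.

```powershell
# Added example, not code from the original post: inventory the Windows Update and
# driver GPO registry values listed in the post and report their state.
# Assumption: "Enabled" = REG_DWORD 1 for the four on/off WindowsUpdate policies.
# The two DriverSearching policies are multi-option; no expected value is asserted.

$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$drvPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'

$gpoMap = @(
    [pscustomobject]@{ Gpo = 'Remove access to use all Windows Update features';          Path = $wuPolicy;  Name = 'SetDisableUXWUAccess';                          EnabledValue = 1 }
    [pscustomobject]@{ Gpo = 'Do not connect to any Windows Update Internet locations';    Path = $wuPolicy;  Name = 'DoNotConnectToWindowsUpdateInternetLocations'; EnabledValue = 1 }
    [pscustomobject]@{ Gpo = 'Turn off access to all Windows Update features';             Path = $wuPolicy;  Name = 'DisableWindowsUpdateAccess';                    EnabledValue = 1 }
    [pscustomobject]@{ Gpo = 'Do not include drivers with Windows Update';                 Path = $wuPolicy;  Name = 'ExcludeWUDriversInQualityUpdate';              EnabledValue = 1 }
    [pscustomobject]@{ Gpo = 'Specify the search server for device driver updates';        Path = $drvPolicy; Name = 'DriverServerSelection';                         EnabledValue = $null }
    [pscustomobject]@{ Gpo = 'Specify search order for device driver source locations';    Path = $drvPolicy; Name = 'SearchOrderConfig';                             EnabledValue = $null }
)

function Get-WindowsUpdateGpoState {
    foreach ($entry in $gpoMap) {
        # Missing key or missing value both mean "not configured"; do not treat it as an error.
        $item  = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($entry.Name) } else { $null }

        $state = if ($null -eq $value)                    { 'not configured' }
                 elseif ($null -eq $entry.EnabledValue)   { "configured ($value)" }   # multi-option policy
                 elseif ($value -eq $entry.EnabledValue)  { 'enabled' }
                 else                                     { "configured ($value)" }

        [pscustomobject]@{
            GPO       = $entry.Gpo
            ValueName = $entry.Name
            Value     = $value
            State     = $state
        }
    }
}

Get-WindowsUpdateGpoState | Format-Table -AutoSize -Wrap
```

    Read the output against the table above: for example, if "Do not connect to any Windows Update Internet locations" shows as enabled, the table tells you that Store app updates are blocked on all three builds as well, which is often an unintended side effect of a policy chosen to keep clients off Microsoft Update.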

    Managing Microsoft Store and App Updates!

    You may have your own requirements on how you want to configure the Microsoft Store and its App Updates. Let me show you what you can do and how. Some might not know it, but it’s the Microsoft Store app that updates Apps, including Calculator, Photos, etc. So if you have removed it, which I do not recommend, there is not much to configure, nor are you getting any updates.

    Let’s see what these Microsoft Store GPOs do…


    Turn Off Access to the Store

    Description

    This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. If you enable this policy setting, the „Look for an app in the Store“ item in the Open With dialog is removed. If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.

    GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer
    Value: NoUseStoreOpenWith REG_DWORD

    App Updates: not affected

    One might think this is the GPO to disable the Microsoft Store; this is what it really does: your users won’t be asked to find an app in the Store if they try to open an unknown file extension.


    Turn off Store application

    Description

    Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don’t configure this setting, access to the Store application is allowed.

    GPO: Computer Configuration\Administrative Templates\Windows Components\Store
    or User Configuration\Administrative Templates\Windows Components\Store
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
    Value: RemoveWindowsStore REG_DWORD
    or HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore
    Value: RemoveWindowsStore REG_DWORD

    App Updates: if configured in the computer context, it turns off app updates.

    Blocks the Microsoft Store app, with the following message (screenshot in the original post).


    Only display the private store within the Microsoft Store app

    Description

    Denies access to the retail catalog in the Windows Store app, but displays the private store. If you enable this setting, users will not be able to view the retail catalog in the Windows Store app, but they will be able to view apps in the private store. If you disable or don’t configure this setting, users can access the retail catalog in the Windows Store app.

    GPO: Computer Configuration\Administrative Templates\Windows Components\Store
    or User Configuration\Administrative Templates\Windows Components\Store
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
    Value: RequirePrivateStoreOnly REG_DWORD
    or HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore
    Value: RequirePrivateStoreOnly REG_DWORD

    App Updates: not affected

    Users will only be presented with the Apps you have added to the Store for Business.


    Disable all apps from Windows Store

    Description

    Disable turns off the launch of all apps from the Windows Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Enterprise and Education editions of Windows.

    GPO: Computer Configuration\Administrative Templates\Windows Components\Store
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
    Value: DisableStoreApps REG_DWORD (Note: disable = 1 = apps disabled)

    App Updates: not affected

    Apps cannot be started and you will be presented with this message (screenshot in the original post).

    Note: this does include Calculator, Maps, Photos, Camera, etc. It does not affect Edge.


    Turn off Automatic Download and Install of updates

    Description

    Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation of app updates is turned on. If you don’t configure this setting, the automatic download and installation of app updates is determined by a registry setting that the user can change using Settings in the Windows Store.

    GPO: Computer Configuration\Administrative Templates\Windows Components\Store
    Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
    Value: AutoDownload REG_DWORD (NB: enable = 2 = apps will not be updated, disable = 4 = apps will be automatically updated)

    App Updates: yes and no. The keyword here is automatic; the “Get Updates” button in the Store app will not be disabled.

    Automatic app updates can be locked to be on or off; again, „Get Updates“ in the Downloads and Updates menu would still download and update apps.
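    To make the five Store policies above easy to audit together, here is an added PowerShell example (not code from the original post). It reads each policy value from the registry locations the post lists and annotates it with the post's own "App Updates" verdict, then answers the one question an administrator usually has: are automatic app updates actually blocked on this machine? The function names, the summary logic and the constructed annotation strings are this example's own.

```powershell
# Added example, not code from the original post: audit the Microsoft Store policies
# described in the post and report, per the post's notes, what each does to app updates.
# Registry paths and value names are the ones the post lists; the AppUpdates text is
# this script's restatement of the post's "App Updates:" notes.

function Get-StorePolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }   # $null = not configured
}

function Get-StoreAppUpdateState {
    $hklmStore = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $hkcuStore = 'HKCU:\Software\Policies\Microsoft\WindowsStore'
    $explorer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'

    $noUseStoreOpenWith = Get-StorePolicyValue $explorer  'NoUseStoreOpenWith'
    $removeStoreMachine = Get-StorePolicyValue $hklmStore 'RemoveWindowsStore'
    $removeStoreUser    = Get-StorePolicyValue $hkcuStore 'RemoveWindowsStore'
    $privateStoreOnly   = Get-StorePolicyValue $hklmStore 'RequirePrivateStoreOnly'
    $disableStoreApps   = Get-StorePolicyValue $hklmStore 'DisableStoreApps'
    $autoDownload       = Get-StorePolicyValue $hklmStore 'AutoDownload'

    # Per the post: only the computer-context "Turn off Store application" turns off app updates.
    $removeMachineEffect = if ($removeStoreMachine -eq 1) { 'OFF (Store blocked in computer context)' } else { 'not affected' }

    # Per the post: AutoDownload 2 = automatic updates off, 4 = on; "Get Updates" still works either way.
    $autoEffect = switch ($autoDownload) {
        2       { 'automatic updates OFF; manual "Get Updates" still works' }
        4       { 'automatic updates ON' }
        default { 'left to the user (Store settings)' }
    }

    [pscustomobject]@{ Policy = 'Turn off access to the Store';                  Value = $noUseStoreOpenWith; AppUpdates = 'not affected (only hides "Look for an app in the Store")' }
    [pscustomobject]@{ Policy = 'Turn off Store application (computer)';         Value = $removeStoreMachine; AppUpdates = $removeMachineEffect }
    [pscustomobject]@{ Policy = 'Turn off Store application (user)';             Value = $removeStoreUser;    AppUpdates = 'Store blocked for this user only; updates are turned off by the computer setting' }
    [pscustomobject]@{ Policy = 'Only display the private store';                Value = $privateStoreOnly;   AppUpdates = 'not affected' }
    [pscustomobject]@{ Policy = 'Disable all apps from Windows Store';           Value = $disableStoreApps;   AppUpdates = 'not affected (1 = apps cannot be launched)' }
    [pscustomobject]@{ Policy = 'Turn off Automatic Download and Install';       Value = $autoDownload;       AppUpdates = $autoEffect }
}

# Summary: automatic app updates are blocked when the Store app is removed in the
# computer context or AutoDownload is forced to 2 (the two cases the post identifies).
function Test-AutomaticAppUpdatesBlocked {
    $state  = Get-StoreAppUpdateState
    $remove = ($state | Where-Object Policy -eq 'Turn off Store application (computer)').Value
    $auto   = ($state | Where-Object Policy -eq 'Turn off Automatic Download and Install').Value
    ($remove -eq 1) -or ($auto -eq 2)
}

Get-StoreAppUpdateState | Format-Table -AutoSize -Wrap
"Automatic app updates blocked by Store policy: $(Test-AutomaticAppUpdatesBlocked)"
```

    Run it in the context of a user you care about, since RemoveWindowsStore and RequirePrivateStoreOnly can also come from HKCU. Remember that the Windows Update GPO "Do not connect to any Windows Update Internet locations" from the first table blocks Store updates independently of any of these values, so a "not blocked" verdict here is only half of the picture.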

    Finally…

  • Please make sure you have tested your GPO settings thoroughly before you implement them in your production environment, especially if you use a combination of the GPOs explained in this blog or any other Update/Store related GPO.
  • Things might change with the soon to be released Win10 1803 Release.
  • Stop hurting yourself by not updating: https://blogs.technet.microsoft.com/yongrhee/2018/03/20/stop-hurting-yourself-by-not-updating-the-drivers-and-firmwares-in-windows-and-windows-server/



    Copyright 2019. All rights reserved.

    Published 09/07/2019 by Arnd Rößner in category "Allgemein"