Juli 9

Windows 10 Updates and Store GPO behavior with DualScan disabled and SCCM SUP/WSUS managed

Quelle: https://blogs.technet.microsoft.com/swisspfe/2018/04/13/win10-updates-store-gpos-dualscandisabled-sup-wsus/

Firstly…

Before
you start reading this, you should be familiar with the DualScan Feature of
Windows 10. Find more information on the following blog posts.

https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

https://blogs.technet.microsoft.com/configurationmgr/2017/10/10/using-configmgr-with-windows-10-wufb-deferral-policies/

If
you decided to disable DualScan (Do not allow update deferral policies to
cause scan against Windows Update – Enabled) this post is for
you.

Let’s double check that!

To
check if dualscan is disabled. Simple run the following PowerShell commands on
your target machines.

$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager" $MUSM.Services | select Name, IsDefaultAUService

Verify
that DefaultAUService is WSUS. Also make sure that you have the following reg
key set to
1.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
DisableDualScan REG_DWORD 1

Note:
The recent SCCM Client configures a local policy if Software Updates are enabled
via Client settings.

Which GPO does what?

Let’s
assume you want to control:

the „Check for Updates“
Button to be disabled or not

Note: the Button has no use if
dualscan is disabled.

The Link „Check online for
updates from Microsoft Update“ whether it is shown or not

Note: a click on the link would fetch
updates and upgrades from Microsoft Update

Whether you can manually search for
drivers against Microsoft Update in the Device Manager or
not

Whether drivers are updated via
Microsoft Update, WSUS or not at all

Whether Apps
are getting updates from the Microsoft Store or
not

then
find your scenario in the following table:

Check Updates
Button

Check online for updates
from Microsoft
Update

Updates / Upgrades from SUP/WSUS
(SUP) or Microsoft
Updates (MU)

Updates for Microsoft Store

Manual driver search against
Microsoft
Update

Drivers via Updates
SUP/WSUS (SUP)

Windows 10 Ent with 2017-11 CU

1607

1703

1709

1607

1703

1709

1607

1703

1709

1607

1703

1709

1607

1703

1709

1607

1703

1709

Remove access to use all Windows Update
features –
enabled

dis

yes

rem

SUP

yes

Do not connect to any Windows Update Internet
locations
–
enabled

yes

rem

SUP

Turn Off Access to all Windows Update
Feature –
enabled

yes

rem

SUP

yes

Do not include drivers with Windows Update –
enabled

yes

SUP

yes

Specify the search server for device driver
updates –
Managed
Server

yes

SUP

yes

SUP

Specify search order for device driver source –
Do not search
Windows
Update

yes

SUP

yes

Turn Off Windows Update device driver
searching

Notes

dis = disabled, rem = removed, *SUP = SCCM’s Software
Update Point or WSUS

	Change
	No change
	Not a Win10 GPO

Where do i find these GPOs?

Remove
access to use all Windows Update features

GPO:
Computer Configuration\Administrative Templates\Windows Components\Windows
Updates\
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
SetDisableUXWUAccess REG_DWORD

Do
not connect to any Windows Update Internet locations

Turn
Off Access to all Windows Update Feature

GPO:
Computer Configuration\Administrative Templates\System\Internet Communication
Management\Internet Communication settings\
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
DisableWindowsUpdateAccess REG_DWORD

Do
not include drivers with Windows Update

Specify
the search server for device driver updates

GPO:
Computer Configuration\Administrative Templates\System\Device
Installation\
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSearching\
DriverServerSelection REG_DWORD

Specify
search order for device driver source locations

there
are many more GPOs related to Windows Update. In the SCCM/SUP & dualscan
disabled scenario these should fulfil most of your basic needs.

Managing Microsoft Store and App Updates!

You
may have your own requirements on how you want to configure the Microsoft Store
and its App Updates. Let me show you what and how you can do that.
Some might
not know, but it’s the Microsoft Store App that updates Apps, including calc,
photos, etc.. So if you have removed it, which I do not recommend, there is not
much to configure nor are you getting any updates.

Let’s
see what these Microsoft Store GPOs do…

Turn Off Access to the Store

Description

This policy setting
specifies whether to use the Store service for finding an application to open a
file with an unhandled file type or protocol association. When a user opens a
file type or protocol that is not associated with any applications on the
computer, the user is given the choice to select a local application or use the
Store service to find an application. If you enable this policy setting, the
„Look for an app in the Store“ item in the Open With dialog is removed. If you
disable or do not configure this policy setting, the user is allowed to use the
Store service and the Store item is available in the Open With
dialog.

GPO:
Computer Configuration\Administrative Templates\System\Internet Communication
Management\Internet Communication
settings\
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer

NoUseStoreOpenWith REG_DWORD
App
Updates: not affected

One might think
this is the GPO to disable the Microsoft Store, this is what is really
does:
Your users won’t be asked to find a app in the store if they try to
open an unknown file extension.

Turn off Store application

Description

Denies or allows
access to the Store application.If you enable this setting, access to the Store
application is denied. Access to the Store is required for installing app
updates. If you disable or don’t configure this setting, access to the Store
application is allowed.

GPO:
Computer Configuration\Administrative
Templates\Windows Components\Store
or
User Configuration\Administrative
Templates\Windows
Components\Store
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore

RemoveWindowsStore REG_DWORD
or
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore

RemoveWindowsStore REG_DWORD
App Updates: If
configured in the computer context, it turns off app updates

Blocks the
Microsoft Store app, with the following message

Only display the private store within the Microsoft
Store app

Description

Denies access to
the retail catalog in the Windows Store app, but displays the private store. If
you enable this setting, users will not be able to view the retail catalog in
the Windows Store app, but they will be able to view apps in the private store.
If you disable or don’t configure this setting, users can access the retail
catalog in the Windows Store app

GPO:
Computer Configuration\Administrative
Templates\Windows Components\Store
or
User Configuration\Administrative
Templates\Windows
Components\Store
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore

RequirePrivateStoreOnly REG_DWORD
or
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore

RequirePrivateStoreOnly REG_DWORD
App Updates: not
affected

Users will only be
presented with the Apps you have added into the Store for Business

Disable all apps from Windows Store

Description

Disable turns off
the launch of all apps from the Windows Store that came pre-installed or were
downloaded. Apps will not be updated. Your Store will also be disabled. Enable
turns all of it back on. This setting applies only to Enterprise and Education
editions of Windows.

Apps cannot be
started and you will be presented witht this message

Note:
Does include Calculator, Maps, Photos, Camera, etc. Does not affect
Edge.

Turn off Automatic Download and Install of
updates

Description

Enables or disables
the automatic download and installation of app updates. If you enable this
setting, the automatic download and installation of app updates is turned off.
If you disable this setting, the automatic download and installation of app
updates is turned on. If you don’t configure this setting, the automatic
download and installation of app updates is determined by a registry setting
that the user can change using Settings in the Windows
Store.

GPO:
Computer Configuration\Administrative Templates\Windows
Components\Store
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore

AutoDownload REG_DWORD (NB: enable = 2 = apps will not be updated, disable
= 4 = app will be automatically updated)
App Update: Yes and
No, Keyword here is automatic, the “Get Updates” button in the store app will
not be disabled.

Automatic App
updates can be locked to be on or off, again „Get Updates“ in the Download and
Updates Menu would still download and update apps

Finally…

Please make sure you have tested your GPO
settings thoroughly, before you continue to implement them in your production
environment.
Especially if you use a combination of the GPOs explained in
this blog or any other Update/Store related GPO.

Things might change with the soon to be
release Win10 1803 Release.

Stop hurting yourself by not
updating: https://blogs.technet.microsoft.com/yongrhee/2018/03/20/stop-hurting-yourself-by-not-updating-the-drivers-and-firmwares-in-windows-and-windows-server/