Windows 10 WSUS Bypass – How Windows 10 Circumvents WSUS

Tags: windows 10, windows-update, wsus

I am gradually installing Windows 10 in an environment where users hate Windows 10. So, everything has to go perfectly.

This environment already used WSUS to deliver updates to Windows 7 and Windows 8.1 computers, as well as Windows Server 2008 R2 and Windows Server 2012 R2 servers. There was not a single problem.

Then, I deployed Windows 10 1703 on three computers. And now, each month it is giving me a migraine! Windows 10 computers circumvent WSUS and download updates straight from the Internet, especially updates that I have not tested or approved, which pretty much defeats the purpose of having a WSUS.

I tried:

  • Disabling delivery optimization using the group policy
  • Increasing the grace period
  • Forcing group policy updates on those computers time and again
  • Running Windows Update troubleshooter
  • Clearing the Windows Update cache (SoftwareDistribution)
  • Running Disk Cleanup and choosing "Windows Update Cleanup" (8 GB was cleaned)

Here are my client settings:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
"WUServer"="http://evolution-pit:8530"
"WUStatusServer"="http://evolution-pit:8530"
"UpdateServiceUrlAlternate"=""
"SetActiveHours"=dword:1
"ActiveHoursStart"=dword:8
"ActiveHoursEnd"=dword:12
"DeferFeatureUpdates"=dword:1
"BranchReadinessLevel"=dword:20
"DeferFeatureUpdatesPeriodInDays"=dword:b4
"PauseFeatureUpdatesStartTime"=""
"DeferQualityUpdates"=dword:1
"DeferQualityUpdatesPeriodInDays"=dword:f
"PauseQualityUpdatesStartTime"=""
"DoNotConnectToWindowsUpdateInternetLocations"=dword:1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:0
"AUOptions"=dword:4
"AutomaticMaintenanceEnabled"=dword:1
"ScheduledInstallDay"=dword:0
"ScheduledInstallTime"=dword:11
"AllowMUUpdateService"=dword:1
"UseWUServer"=dword:1
"EnableFeaturedSoftware"=dword:0

Best Answer

Thank you for your question. It makes me feel that I'm not the only one who is in pain since the inception of Windows 10!

The solution is very simple: Ensure that your copy of Windows 10 1703 does not have any of the following value names listed under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

(These value names are checked against WindowsUpdate.admx for Windows 10 version 1703.)

 DeferFeatureUpdates
 DeferFeatureUpdatesPeriodInDays
 DeferQualityUpdates
 DeferQualityUpdatesPeriodInDays
 PauseFeatureUpdatesStartTime
 PauseQualityUpdatesStartTime
 ExcludeWUDriversInQualityUpdate

Quoting further from the same article "Why WSUS and SCCM managed clients are reaching out to Microsoft Online":

What just happened here? Aren’t these update or upgrade deferral policies?

Not in a managed environment. These policies are meant for Windows Update for Business (WUfB).

Windows Update for Business aka WUfB enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service.

We also recommend that you do not use these new settings with WSUS/SCCM.

If you are already using an on-prem solution to manage Windows updates/upgrades, using the new WUfB settings will enable your clients to also reach out to Microsoft Update online to fetch update bypassing your WSUS/SCCM end-point.

To manage updates, you have two solutions:

  1. Use WSUS (or SCCM) and manage how and when you want to deploy updates and upgrades to Windows 10 computers in your environment (in your intranet).
  2. Use the new WUfB settings to manage how and when you want to deploy updates and upgrades to Windows 10 computers in your environment directly connecting to Windows Update.

— Rasheed, Shadab (9 January 2017) "Why WSUS and SCCM managed clients are reaching out to Microsoft Online". Windows Server Blog. Microsoft Corporation

Be advised that this article's list of Registry value names has typos. Use the value names given above instead.
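As an added example (not part of the original answer, and not a Microsoft tool), the following PowerShell script audits a Windows 10 client for exactly the seven WUfB value names listed above under the WindowsUpdate policy key, prints the WSUS target it is currently pointed at, and optionally removes the offending values. Run against the registry export in the question it would flag six of the seven (everything except ExcludeWUDriversInQualityUpdate). The script name, the -Remove switch, and the assumption that it is run elevated on the client are mine.

```powershell
# Find-WufbOverride.ps1 (hypothetical name, added example)
# Reports WUfB deferral/pause values that cause a WSUS-managed Windows 10
# client to fetch updates from Microsoft online; -Remove deletes them.
# Assumes an elevated session on the client being checked.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # assumed switch: delete the values instead of only reporting
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Value names from the answer (checked against WindowsUpdate.admx for 1703).
$wufbValues = @(
    'DeferFeatureUpdates',
    'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdates',
    'DeferQualityUpdatesPeriodInDays',
    'PauseFeatureUpdatesStartTime',
    'PauseQualityUpdatesStartTime',
    'ExcludeWUDriversInQualityUpdate'
)

if (-not (Test-Path -Path $policyKey)) {
    Write-Warning "Policy key $policyKey not found; no Windows Update policy is applied here."
    return
}

$key = Get-Item -Path $policyKey
$au  = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

# Show where the client is pointed so the report is self-explanatory.
"WUServer    : $($key.GetValue('WUServer'))"
"UseWUServer : $($au.UseWUServer)"

# Use the value-name list rather than GetValue so an empty REG_SZ
# (e.g. "PauseFeatureUpdatesStartTime"="") is still detected as present.
$existing = $key.GetValueNames()
$present  = $wufbValues | Where-Object { $existing -contains $_ }

if (-not $present) {
    'No WUfB deferral values found; the WSUS policy is not being overridden.'
    return
}

foreach ($name in $present) {
    $kind = $key.GetValueKind($name)
    $val  = $key.GetValue($name)
    'Found {0,-34} {1,-8} {2}' -f $name, $kind, $val

    if ($Remove -and $PSCmdlet.ShouldProcess("$policyKey\$name", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $policyKey -Name $name
    }
}

if ($present -and -not $Remove) {
    'Re-run with -Remove (add -WhatIf to preview) to delete these values.'
}
```

Run it without parameters to get a report, or with -Remove -WhatIf to preview the deletions. One caveat that matters in practice: values under HKLM\SOFTWARE\Policies are written by Group Policy, so deleting them locally only lasts until the next policy refresh. The durable fix is to set the corresponding "Windows Update for Business" settings to Not Configured in the GPO that targets these computers; the script is then useful as a post-refresh check that nothing re-populated the key.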