Skip to content

Ensure that online 'dual scan' is mitigated #198

Description

@canihavethisone

Use Case

As per https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/ (assuming this is still a known issue), Windows has a potential to perform dual-scan for updates even when a WSUS server is defined

Describe the Solution You Would Like

Mitigation in place if this is still an issue

Describe Alternatives You've Considered

As I manage a range of registry keys in a private module (based on CIS), I use the following overrides to mitigate the issue. This may serve as an example with affected registry keys

  # Disable setting of registry keys that result in 'dual scan', reaching out to Windows Update as well as WSUS
  # https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates' |>             { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays' |> { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates' |>             { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays' |> { ensure => absent }
  # Settings below are required to avoid 'dual scan', but prevent v1909 from contacting WSUS 
  unless $facts['os']['windows']['release_id'] == '1909' {
    Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuilds' |>            { ensure => absent }
    Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuildsPolicyValue' |> { ensure => absent }
    Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel' |>           { ensure => absent }
  }

Additional Context

Not limiting update source purely to a defined WSUS server is probably undesirable

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions