RonnieJudge-5854 asked saldana-msft edited

Windows 10 21H1 Enablement Package not deployed via SCCM

Hi There.

Hope someone can help shed some light on the problem we have.
I have an ever-increasing number of machines in our environment installing the Windows 10 "21H1 Update"; this update has not been deployed via SCCM at all for the last 5 months.

None of the SCCM logs show the installation of 21H1; however, they do appear in the Windows Update logs. We have also had a 3rd party company confirm it's not SCCM, but they are also not sure how Windows Update is getting this update if all updates come from SCCM.

All 3 of these KBs are installed in our environment, and it seems that they include the "Enablement Package" for the version of Windows installed: Article ID 4517245, Article ID 4562830 and KB5000736.

I don't use Windows for Business, nor have I deployed the Enablement Package out to my machines. About 75% of my environment has 1909 installed.
As we run 3rd party applications across a large majority of our machines, any changes in our environment need to be tested before a full deployment goes out to them all.

I have 3 questions:

How can I stop this from happening?
And gain control of this deployment?
How can I roll these machines back, as most have passed the 10-day grace period to roll back?

windows-10-generalmem-cm-updates

Amandayou-MSFT answered

Hi @RonnieJudge-5854,

Agree with Jason, please check if dual-scan is checked.
Here is the related article we could refer to:
https://techcommunity.microsoft.com/t5/configuration-manager-archive/using-configmgr-with-windows-10-wufb-deferral-policies/ba-p/274278

If the policy is enabled, we could use the policy "Do not allow update deferral policies to cause scans against Windows Update" to disable it.

116958-7225.png

And if it is disabled, the new record will be written in Registry Editor:

117021-7224.png




RonnieJudge-5854 answered Jason-MSFT commented

Hi Jason

So would DualScan have an impact if I were to use WUfB in the future?

To your knowledge, are there any other options that will impact machines using Windows Update instead of WSUS?

Just to be clear the first screen shot is a Local Policy and the last one is a Group Policy.


Sorry for all the questions, I just want to have all the facts before I make a company-wide change.


Enabling dual scan disables the use of a local WSUS instance for Windows Update and thus enables it to use WUfB. The article linked above by @Amandayou-MSFT covers this in detail.


Just to be clear the first screen shot is a Local Policy and the last one is a Group Policy.

Jason-MSFT answered

So by disabling the DualScan my machines will stop looking for updates from WSUS and not Windows Update or the other way around?

Other way. Dual-scan enables a system to use both WSUS/ConfigMgr and WUfB. Disabling dual-scan enables only WSUS/ConfigMgr.

And the important question: will it stop the Enablement Package from automatically installing?

If that's the root cause, then yes.

For the screenshot results of the script execution, the top result shows a system only using WSUS. The bottom shows a system using Windows Update (but not WSUS or WUfB to my knowledge). You definitely need to dig into the configuration of that system.


RonnieJudge-5854 answered

Hi Jason

So, the screen shot I posted earlier was from a machine that has 21H1 installed.
I'll do a bit of investigation on a few machines that have not yet updated to 21H1 and see what the outcome is.

So by disabling the DualScan my machines will stop looking for updates from WSUS and not Windows Update or the other way around?
And the important question: will it stop the Enablement Package from automatically installing? As I am finding conflicting info on the web.

I've run the PS script below before disabling the DualScan, then disabled it, and these are my results.

```powershell
# List the update services registered with the Windows Update Agent
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$status = $MUSM.Services
# IsDefaultAUService marks the service Automatic Updates scans against
$status | Select-Object Name, IsDefaultAUService
```


117047-image.png






Jason-MSFT answered

Sorry, not exactly following your comment here.

Based on the above, the most likely cause here still is that you've inadvertently enabled dual-scan. I strongly suggest you remove the deferral policy as the only purpose of this policy is to control WUfB and thus setting this policy enables WUfB usage. It does appear you've also configured the disable dual scan setting but it's possible, for whatever reason, that it is not configured on the systems that upgraded; you'll have to directly examine them to validate.
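
The check suggested above (examine each upgraded system for deferral policies and the dual-scan setting) can be done with a read-only script such as the following. This is an added example, not part of the original thread; the registry value names are the ones the Windows Update group policies are assumed to write under the WindowsUpdate policy key, and the `DualScanLikely` flag is a heuristic introduced here. Policies delivered through MDM are not covered.

```powershell
# Added example: read-only audit of the local Windows Update policy state.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Deferral values written by the feature/quality update deferral policies.
$deferralNames = 'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
                 'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays'
$deferrals = @(foreach ($name in $deferralNames) {
    $value = Get-PolicyValue -Path $wuKey -Name $name
    if ($null -ne $value) { "$name=$value" }
})

$useWsus         = (Get-PolicyValue -Path $auKey -Name 'UseWUServer') -eq 1
$dualScanBlocked = (Get-PolicyValue -Path $wuKey -Name 'DisableDualScan') -eq 1

# Same COM object as the script posted in the thread: which service does
# Automatic Updates treat as its default scan source?
$services       = (New-Object -ComObject 'Microsoft.Update.ServiceManager').Services
$defaultService = ($services | Where-Object { $_.IsDefaultAUService }).Name

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    WUServer         = Get-PolicyValue -Path $wuKey -Name 'WUServer'
    UseWUServer      = $useWsus
    DeferralValues   = $deferrals -join '; '
    DisableDualScan  = $dualScanBlocked
    DefaultAUService = $defaultService -join '; '
    # Heuristic: WSUS configured + a deferral present + dual scan not blocked.
    DualScanLikely   = $useWsus -and ($deferrals.Count -gt 0) -and -not $dualScanBlocked
}
```

Comparing the output from a machine that upgraded to 21H1 with one still on 1909 shows whether a deferral value or a missing `DisableDualScan` value distinguishes the two.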


RonnieJudge-5854 answered RonnieJudge-5854 edited

@Jason-MSFT and @Amandayou-MSFT Thanks for getting back to me.

Jason, to answer your question: yes and no. If I can stop them from going to the next version automatically, then no, it's not business critical, but if they keep upgrading then yes, I need to stop them.

My main concern is to stop more machines from upgrading, else I will lose full control of my environment, which is a major problem for us due to the 3rd party apps that need to go through a testing phase first.



Below is our current config.

It would appear to be enabled
117063-image.png


I've shared a bit more info that might also be causing a problem or not, but I would appreciate your thoughts on our current setup.
117073-image.png


Windows Update for Business is not configured in our environment
117053-image.png



Thanks again for getting back to me.



Jason-MSFT answered

The typical answer here is that you've inadvertently enabled dual-scan by configuring feature update deferrals using a group policy. Dual-scan, by definition, uses WUfB for updates. Thus, you need to validate that you have no deferrals configured anywhere.

Is rolling back truly business critical?
