question

CaseyThroop-9694 asked CaseyThroop-9694 commented

Windows Updates For Business Failing updates

Hey Everyone,



I've been plagued by a Windows update issue for some time now and I'm having trouble pinning it down.

Environment:

Azure AD only

Windows Update for Business enabled

NO SCCM client on the machines

Fresh out of the Autopilot process



A device that was new out of the box went through Autopilot, and when I went to test running updates on the device, they failed and undid changes.

WUfB policies are successfully applying to the device.



Now I successfully updated by REMOVING the firewall config policy we have set up, which was great UNTIL I tested reapplying the firewall policy and running the update again. After reapplying the firewall policy it successfully updated again. This has thrown me for a loop in trying to pinpoint where my issue is.



Has anyone run into this before? Or could anyone offer any input?

windows-10-general mem-intune-device-configurations

More details here. This is what my Windows Defender policies look like in Intune:

A policy enabling Defender for all interfaces: set to allow inbound and outbound connections on all interfaces and to allow inbound notifications on all interfaces. Nothing mentioning a block in this profile.

A policy blocking RDP in and out

A policy blocking NetBIOS TCP and UDP inbound and outbound

A policy specifying allowed applications, services and ports.

0 Votes 0 ·
RahulJindal-2267 answered CaseyThroop-9694 commented

Can happen if your FW policies are restrictive and blocking Windows Update URLs.


That was my thought as well.

I don't have anything specifically set to block update URLs.

The weird thing to me is that after a successful update without the firewall, I reapplied the firewall policy and uninstalled the update to retry. After reinstalling with firewall policies enabled, this time it was successful.

0 Votes 0 ·
RahulJindal-2267 answered CaseyThroop-9694 commented

The content and metadata of the installed updates get cached. I am not sure to what extent you are removing the already installed updates. The main thing is that without FW rules things work, so the rules should be checked out. I did a search to access the list of URLs, but couldn’t find anything official right now. Found an unofficial link here.


Thanks for the response.

This happens both on network and off network.

Is there a specific profile I can create within Intune to set these to allowed within Windows Defender Firewall? Our FW policy just configures Windows Defender and I haven't seen anything within Intune config policies that mentions how to allow URLs.

0 Votes 0 ·

Sounds like you don’t really have any FW rules configured in Intune and maybe you are just switching Defender FW on and that’s it. The rules I was referring to were for your network FW or proxy.

0 Votes 0 ·

That's why I responded to clarify. We've got a policy enabling Defender on all types of interfaces and then a policy allowing specific services or apps to function.

I've tried allowing wuauserv, svchost, and things like that through it, but no success.

0 Votes 0 ·
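
Added example (not part of the original thread or any poster's code): a read-only PowerShell check, run elevated on the affected device, that shows the effective default outbound action per firewall profile and lists any enabled outbound block rule broad enough to cover TCP 80 or 443, for instance an RDP or NetBIOS block rule whose port scope ended up wider than intended. It assumes Windows Update traffic uses those two ports; the function names are hypothetical.

```powershell
# Added example: read-only diagnostic, run elevated on the affected device.
# Function names are hypothetical; the cmdlets are from the built-in NetSecurity module.

function Test-PortCovered {
    # True when a rule's port spec (single ports, ranges, or Any) includes $Port.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

function Get-OutboundWebBlockRule {
    # ActiveStore is the merged policy actually enforced (local + Group Policy + MDM).
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            # Assumption: Windows Update needs outbound TCP 80 and 443.
            $tcp  = $port.Protocol -in @('TCP', 'Any')
            if ($tcp -and ((Test-PortCovered $port.RemotePort 80) -or (Test-PortCovered $port.RemotePort 443))) {
                [pscustomobject]@{
                    DisplayName   = $_.DisplayName
                    Source        = $_.PolicyStoreSourceType
                    Profile       = $_.Profile
                    Protocol      = $port.Protocol
                    RemotePort    = $port.RemotePort -join ','
                    RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
                    Program       = ($_ | Get-NetFirewallApplicationFilter).Program
                    Service       = ($_ | Get-NetFirewallServiceFilter).Service
                }
            }
        }
}

# 1. Default actions per profile: DefaultOutboundAction = Block means only explicit allow rules pass.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize

# 2. Block rules broad enough to catch update traffic. A block rule overrides any allow rule,
#    so a rule listed here applies even if wuauserv or svchost.exe is allowed elsewhere.
Get-OutboundWebBlockRule | Format-List
```

Running it once with the firewall policy applied and once with it removed gives two outputs to compare, which shows what the Intune profile changes on the device.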