03-25-2019 02:47 AM
03-25-2019 02:47 AM
We use a SCCM 1810 environment. Beginning with Windows 10 1709, you can’t use WSUS to host Features on Demand and language packs for Windows 10 clients.
Since we use Windows 10 1809 I noticed also RSAT and Language.Handwriting packages are not available anymore in WSUS/SCCM environment.
Instead, you need to download them directly from Windows Update. So just used Get-WindowsCapability commandline and tried to install missing features and ran into
0x800f0954 error. After changing the GPO “Download repair content and optional…” we now receive a different error: 0x8024002e. Changing Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess from “1” to “0” prevents error 0x8024002e and
commandline: ”Get-WindowsCapability -Online | where name -like *.....* | Add-WindowsCapability -Online” works now.
But now, our users are able to use “Windows Update – Check online for updates from Microsoft Windows” directly.
I have something to consider that our users are now able to download and install Windows Feature Updates (f.e. 1809) over here.
Is there any best practice how to prevent users from installing updates from WindowsUpdate directly?
03-29-2019 05:50 AM
@RahamimL Thank you for your answer. Which GPO setting do you mean will prevent users in checking the updates? It's not really clear for me.
03-29-2019 06:57 AM
@Jochen SchmittI believe it is 2 of them:
04-02-2019 06:39 AM
@RahamimL But it seems Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess is the same as R"emove access to all Windows Update features" So this will not help for my scenario.
04-02-2019 07:55 AM
@Jochen Schmitt, That is weird... I use this policy on 1803 and don't have this issue... I can run "Add-WindowsCapabilty" elevated without errors.
Also, I just tested this on a 1809 that I have and it is working perfectly... Can you share your policies?
04-03-2019 02:53 AMSolution
04-03-2019 05:19 AM
seems the suggested config solves my problem,
Turn off access to all Windows Update features is set to "1" at the moment. Changing it to "0" and configure "Remove access to use all Windows Update features" to "1" shows now the behavior I wanted.
The description of DisableWindowsUpdateAccess says "..and enable automatic updating to receive notifications and critical updates from Windows Update" Is there any risk that my clients will receive feature updates from windowsupdate and not from my SCCM environment?
04-07-2019 03:10 AM
If you enabled the "Do not allow update deferral policies to cause scan against windows update" than you're all good.
08-12-2019 07:09 AM - edited 08-12-2019 07:11 AM
Windows environment: 1803 Enterprise
After a lot of pain, I am happy I found this post.
So in our occassion where we really need to have the clients blocked from WU, I had to allow them to download FODs from WU since hosting them is a -no go- from Microsoft for the future builds.
1. Specify settings for optional component installation and component repair
Computer Configuration\Policies\Administrative Templates\System\Specify settings for optional component installation and component repair.
Once we set this up, with a Blank alternate source and only checked that clients should contact WU instead of WSUS, we got the following error on Add-WindowsCapability -Online
This meant that something else was blocking access to WU so we changed the following:
2. Do not connect to any Windows Update Internet locations
Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations
We set this to Disabled since we need clients to be able to contact WU, Store and DO.
"When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working."
In reality this has been the case for a year now and our clients never misbehaved (I have set the proper policy setting for Dual Scan so clients will not get tricked into pulling Feature Updates from WU).
But then it still failed for us with another error code! So what is blocking this functionality?
3. Turn off access to all Windows Update features
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn off access to all Windows Update feature. Registry Value: DisableWindowsUpdateAccess
We had to set this to Disabled.
But this time we were faced with the critical issue of the GUI allowing the users to "Check for Updates from Microsoft Update".
By enabling the Group Policy setting administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
So, finally we had to block access to Check for Updates altogether!
4. Remove access to use all Windows update features
Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features
We had to set this to Enabled
So as it is now, we are able to properly do FoDs over WU and our clients will not use WU for anything else other than that.
Hope this helps someone :)