
Windows 10 1809 - Feature on Demand but prevent users from using WindowsUpdate

Jochen Schmitt

We use an SCCM 1810 environment. Beginning with Windows 10 1709, you can't use WSUS to host Features on Demand and language packs for Windows 10 clients.
Since we use Windows 10 1809, I noticed that the RSAT and Language.Handwriting packages are also not available anymore in a WSUS/SCCM environment.
Instead, you need to download them directly from Windows Update. So I just used the Get-WindowsCapability command line and tried to install the missing features, and ran into a 0x800f0954 error. After changing the GPO "Download repair content and optional…" we now receive a different error: 0x8024002e. Changing Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess from "1" to "0" prevents error 0x8024002e, and the command line "Get-WindowsCapability -Online | where name -like *.....* | Add-WindowsCapability -Online" works now.

 

But now, our users are able to use "Windows Update – Check online for updates from Microsoft Windows" directly.

I have to consider that our users are now able to download and install Windows Feature Updates (e.g. 1809) from here.

Is there any best practice for how to prevent users from installing updates from Windows Update directly?


9 Replies

@RahamimL Thank you for your answer. Which GPO setting do you mean will prevent users from checking for updates? It's not really clear to me.

@Jochen Schmitt I believe it is 2 of them:

  1. Remove access to all Windows Update features.
  2. Allow non-administrators to receive update notification

@RahamimL But it seems Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess is the same as "Remove access to all Windows Update features". So this will not help in my scenario.

@Jochen Schmitt, That is weird... I use this policy on 1803 and don't have this issue... I can run "Add-WindowsCapability" elevated without errors.

Also, I just tested this on a 1809 that I have and it is working perfectly... Can you share your policies?


Rahamim

@RahamimL 

It seems the suggested config solves my problem.

"Turn off access to all Windows Update features" is set to "1" at the moment. Changing it to "0" and configuring "Remove access to use all Windows Update features" to "1" now shows the behavior I wanted.

The description of DisableWindowsUpdateAccess says "..and enable automatic updating to receive notifications and critical updates from Windows Update". Is there any risk that my clients will receive feature updates from Windows Update and not from my SCCM environment?


@Jochen Schmitt

If you enabled the "Do not allow update deferral policies to cause scan against Windows Update" then you're all good.
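
The end state this thread arrives at can be verified on a client with a short registry audit. This is an added example, not code from any poster in the thread; only the HKLM `DisableWindowsUpdateAccess` path appears above, while the HKCU location for the user-side policy and the `DisableDualScan` value name for the deferral policy are assumptions based on the usual registry mapping of those settings.

```powershell
# Added example: audit the three policies this thread settles on.
# Only the HKLM DisableWindowsUpdateAccess location appears in the thread;
# the HKCU location and the DisableDualScan value name are assumptions.
$wuMachine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuUser    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

$checks = @(
    [pscustomobject]@{
        Policy = 'Turn off access to all Windows Update features (computer)'
        Path = $wuMachine; Name = 'DisableWindowsUpdateAccess'; Want = 0 }
    [pscustomobject]@{
        Policy = 'Remove access to use all Windows Update features (user)'
        Path = $wuUser; Name = 'DisableWindowsUpdateAccess'; Want = 1 }
    [pscustomobject]@{
        Policy = 'Do not allow update deferral policies to cause scan against Windows Update'
        Path = $wuMachine; Name = 'DisableDualScan'; Want = 1 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    # A missing value means "not configured", which is treated here as 0.
    $effective = if ($null -eq $actual) { 0 } else { [int]$actual }
    $shown     = if ($null -eq $actual) { '(not set)' } else { $actual }
    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = $shown
        Expected = $c.Want
        Match    = ($effective -eq $c.Want)
    }
}

$report | Format-Table -AutoSize -Wrap

if ($report.Match -contains $false) {
    Write-Warning 'Policy state differs from the configuration described in the thread.'
}
```

The HKCU check reflects the account running the script, so run it in the session of the user whose Windows Update access is being restricted.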