03-25-2019 02:47 AM
03-25-2019 02:47 AM
We use a SCCM 1810 environment. Beginning with Windows 10 1709, you can’t use WSUS to host Features on Demand and language packs for Windows 10 clients.
Since we use Windows 10 1809 I noticed also RSAT and Language.Handwriting packages are not available anymore in WSUS/SCCM environment.
Instead, you need to download them directly from Windows Update. So just used Get-WindowsCapability commandline and tried to install missing features and ran into
0x800f0954 error. After changing the GPO “Download repair content and optional…” we now receive a different error: 0x8024002e. Changing Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess from “1” to “0” prevents error 0x8024002e and
commandline: ”Get-WindowsCapability -Online | where name -like *.....* | Add-WindowsCapability -Online” works now.
But now, our users are able to use “Windows Update – Check online for updates from Microsoft Windows” directly.
I have something to consider that our users are now able to download and install Windows Feature Updates (f.e. 1809) over here.
Is there any best practice how to prevent users from installing updates from WindowsUpdate directly?
03-29-2019 05:50 AM
@RahamimL Thank you for your answer. Which GPO setting do you mean will prevent users in checking the updates? It's not really clear for me.
03-29-2019 06:57 AM
@Jochen SchmittI believe it is 2 of them:
04-02-2019 06:39 AM
@RahamimL But it seems Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess is the same as R"emove access to all Windows Update features" So this will not help for my scenario.
04-02-2019 07:55 AM
@Jochen Schmitt, That is weird... I use this policy on 1803 and don't have this issue... I can run "Add-WindowsCapabilty" elevated without errors.
Also, I just tested this on a 1809 that I have and it is working perfectly... Can you share your policies?
04-03-2019 02:53 AMSolution
04-03-2019 05:19 AM
seems the suggested config solves my problem,
Turn off access to all Windows Update features is set to "1" at the moment. Changing it to "0" and configure "Remove access to use all Windows Update features" to "1" shows now the behavior I wanted.
The description of DisableWindowsUpdateAccess says "..and enable automatic updating to receive notifications and critical updates from Windows Update" Is there any risk that my clients will receive feature updates from windowsupdate and not from my SCCM environment?
04-07-2019 03:10 AM
If you enabled the "Do not allow update deferral policies to cause scan against windows update" than you're all good.