
Windows 10 1809 - Features on Demand but prevent users from using Windows Update


We use an SCCM 1810 environment. Beginning with Windows 10 1709, you can’t use WSUS to host Features on Demand and language packs for Windows 10 clients.
Since we use Windows 10 1809, I noticed that the RSAT and Language.Handwriting packages are also no longer available in our WSUS/SCCM environment.
Instead, you need to download them directly from Windows Update. So I just used the Get-WindowsCapability command line, tried to install the missing features and ran into error 0x800f0954.

After changing the GPO “Download repair content and optional…” we now receive a different error: 0x8024002e. Changing Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess from “1” to “0” prevents error 0x8024002e, and the command line “Get-WindowsCapability -Online | where name -like *.....* | Add-WindowsCapability -Online” works now.

 

But now, our users are able to use “Windows Update – Check online for updates from Microsoft Windows” directly.

[Screenshot: Windows_Update.jpg]

I have to consider that our users are now able to download and install Windows feature updates (e.g. 1809) from there.

Is there any best practice for preventing users from installing updates from Windows Update directly?


@RahamimL Thank you for your answer. Which GPO setting do you mean will prevent users from checking for updates? It's not really clear to me.

@Jochen Schmitt I believe it is two of them:

  1. Remove access to all Windows Update features.
  2. Allow non-administrators to receive update notification

@RahamimL But it seems Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess is the same as "Remove access to all Windows Update features", so this will not help in my scenario.


@Jochen Schmitt, that is weird... I use this policy on 1803 and don't have this issue... I can run "Add-WindowsCapability" elevated without errors.

Also, I just tested this on a 1809 that I have and it is working perfectly... Can you share your policies?


Rahamim

@RahamimL 

Please see the config attached. 

 

@RahamimL 

It seems the suggested config solves my problem.

"Turn off access to all Windows Update features" is set to "1" at the moment. Changing it to "0" and configuring "Remove access to use all Windows Update features" to "1" now shows the behavior I wanted.

The description of DisableWindowsUpdateAccess says "...and enable automatic updating to receive notifications and critical updates from Windows Update". Is there any risk that my clients will receive feature updates from Windows Update and not from my SCCM environment?


@Jochen Schmitt

 

If you enabled "Do not allow update deferral policies to cause scan against Windows Update", then you're all good.

@Jochen Schmitt

 

Windows environment: 1803 Enterprise

 

After a lot of pain, I am happy I found this post.

So in our case, where we really need to have the clients blocked from WU, I had to allow them to download FoDs from WU, since hosting them is a no-go from Microsoft for future builds.

1. Specify settings for optional component installation and component repair

Computer Configuration\Policies\Administrative Templates\System\Specify settings for optional component installation and component repair

Once we set this up, with a blank alternate source path and only the option that clients should contact WU instead of WSUS checked, we got the following error from Add-WindowsCapability -Online:

0x8024002e

This meant that something else was blocking access to WU, so we changed the following:

2. Do not connect to any Windows Update Internet locations

Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not connect to any Windows Update Internet locations

We set this to Disabled since we need clients to be able to contact WU, the Store and DO.

Microsoft documentation:

"When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working."

In reality this has been the case for a year now and our clients never misbehaved (I have set the proper policy setting for Dual Scan so clients will not get tricked into pulling feature updates from WU).

But then it still failed for us with another error code! So what was blocking this functionality?

3. Turn off access to all Windows Update features

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn off access to all Windows Update features. Registry value: DisableWindowsUpdateAccess

We had to set this to Disabled.

But this time we were faced with the critical issue of the GUI allowing the users to "Check for updates from Microsoft Update".

Microsoft documentation:

"By enabling the Group Policy setting administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured."

So, finally we had to block access to Check for updates altogether!

4. Remove access to use all Windows Update features

Computer Configuration\Administrative Templates\Windows Components\Windows Update\Remove access to use all Windows Update features

We had to set this to Enabled.

So as it is now, we are able to properly do FoDs over WU and our clients will not use WU for anything other than that.

Hope this helps someone :)


-

Alex
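The four policies Alex lists (plus the Dual Scan setting mentioned earlier in the thread) each map to a registry value under the policy hives, which is what Add-WindowsCapability and the Windows Update client actually read. The script below is an added example, not code from the thread or from Microsoft: it reads those values on a client and compares them with the combination that worked (FoD payload from WU allowed, user-driven "Check for updates" blocked). The thread itself only confirms the value name DisableWindowsUpdateAccess; the other value names and the meaning of RepairContentServerSource = 2 are taken from the ADMX definitions as I know them and are assumptions for this example. Run it in an elevated PowerShell on the client.

```powershell
# Added example (not from the thread): audit the registry-backed state of the
# Windows Update policies discussed above against the working combination.
# Value names other than DisableWindowsUpdateAccess are assumptions taken from
# the ADMX files; verify them against your own policy definitions.

$WU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Svc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'

# Expect = 'Absent' means the value must be missing or 0 (policy Disabled / Not configured).
$Desired = @(
    @{ Policy = 'Specify settings for optional component installation and component repair: download from WU instead of WSUS'
       Path = $Svc; Name = 'RepairContentServerSource'; Expect = 2 }
    @{ Policy = 'Specify settings for optional component installation and component repair: never download payload from WU'
       Path = $Svc; Name = 'UseWindowsUpdate'; Expect = 'Absent' }
    @{ Policy = 'Do not connect to any Windows Update Internet locations'
       Path = $WU; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Expect = 'Absent' }
    @{ Policy = 'Turn off access to all Windows Update features'
       Path = $WU; Name = 'DisableWindowsUpdateAccess'; Expect = 'Absent' }
    @{ Policy = 'Remove access to use all Windows Update features'
       Path = $WU; Name = 'SetDisableUXWUAccess'; Expect = 1 }
    @{ Policy = 'Do not allow update deferral policies to cause scans against Windows Update'
       Path = $WU; Name = 'DisableDualScan'; Expect = 1 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null when the key or the value does not exist, i.e. the policy is not configured
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-FodPolicyState {
    param([array]$Rules = $Desired)
    foreach ($r in $Rules) {
        $actual = Get-PolicyValue -Path $r.Path -Name $r.Name
        # 'Absent' on the left so the comparison is always a string comparison
        $ok = if ('Absent' -eq $r.Expect) { ($null -eq $actual) -or ($actual -eq 0) } else { $actual -eq $r.Expect }
        $display = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Policy    = $r.Policy
            Value     = $r.Name
            Actual    = $display
            Expected  = $r.Expect
            Compliant = $ok
        }
    }
}

$report = Test-FodPolicyState
$report | Format-Table -AutoSize -Wrap

# These values are written by Group Policy, so fix drift in the GPO (RSOP shows the
# winning one), not by editing the registry directly; GP would overwrite it anyway.
if ($report.Compliant -contains $false) {
    Write-Warning 'Policy state differs from the working combination; change the GPO, run gpupdate /force and re-run this check.'
}
```

Because Group Policy rewrites these keys on every refresh, the report is only a view of what the winning GPO delivered; a non-compliant row tells you which policy to fix, and RSOP tells you where it comes from.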

@Alexander Kanakaris 

I'm very desperate right now.

We are currently deploying Windows 10 Enterprise 1909 with some convertibles (HP 1030 G3).

My issue is that, besides English (with TTS, Handwriting, Speech), no other language (especially German) offers me TTS, Handwriting or Speech recognition when I want to add an additional language.

We are using WSUS.

[Screenshot: 2020-01-17_23h09_58.png]

I set the following GPOs:

  • "Download optional component installation and component repair"
  • Do not connect to any Windows Update Internet locations -> Disabled 
  • Turn off access to all Windows Update features -> Disabled
  • Remove access to use all Windows update features -> Enabled

Additionally: how can I deploy additional voice packages without having the user install them manually?

Best regards!


@DanielAld I'm reattaching the policy I have.

If you are using SCCM you might have overlapping GPOs and you will need to run RSOP to see the winning GPO. I would also suggest in this case putting a specific computer in an OU that blocks all inheritance to see exactly which policies are being applied by SCCM to the "Local Policy".

If you are using WSUS alone, try to set up the policies the same way I did and see if it works for you.

Rahamim.
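DanielAld's second question (installing the speech, TTS and handwriting components for a language without the user doing it in Settings) comes down to running Add-WindowsCapability in the machine context once the policies above allow the payload to come from Windows Update. The script below is an added example, not code from the thread or from Microsoft: it selects the language Features on Demand for one locale, installs the missing ones, and translates the two HRESULTs that appeared in this thread into the cause found here. The capability naming pattern Language.<Component>~~~<locale>~<version> is what Get-WindowsCapability shows; the default locale and component list are assumptions for the example, and the exit code is there so an SCCM package, Intune script or a scheduled task running as SYSTEM can report failure.

```powershell
# Added example (not from the thread): install the language Features on Demand
# for one locale without user interaction. Default locale and component list are
# assumptions for the example; requires the policy combination from the thread
# (FoD payload allowed from Windows Update). Run elevated or as SYSTEM.

param(
    [string]$Locale = 'de-DE',
    # Basic is listed first because the other components depend on it
    [string[]]$Components = @('Basic', 'Handwriting', 'Speech', 'TextToSpeech', 'OCR')
)

# HRESULTs that appeared in this thread, with the cause identified there.
$KnownErrors = @{
    '0x800F0954' = 'payload source is still WSUS: set "Specify settings for optional component installation and component repair" to download from Windows Update instead of WSUS'
    '0x8024002E' = 'Windows Update access is disabled: "Turn off access to all Windows Update features" (DisableWindowsUpdateAccess) or "Do not connect to any Windows Update Internet locations" is still Enabled'
}

function Get-LanguageCapability {
    param([string]$Locale, [string[]]$Components)
    # Names look like Language.Handwriting~~~de-DE~0.0.1.0; keep only the requested
    # locale and components, with Language.Basic sorted first.
    Get-WindowsCapability -Online |
        Where-Object {
            $_.Name -like "Language.*~~~$Locale~*" -and
            $Components -contains ($_.Name -split '~~~')[0].Substring('Language.'.Length)
        } |
        Sort-Object { $_.Name -notlike 'Language.Basic~~~*' }
}

function Install-LanguageCapability {
    param([string]$Locale, [string[]]$Components)
    foreach ($cap in Get-LanguageCapability -Locale $Locale -Components $Components) {
        if ($cap.State -eq 'Installed') {
            [pscustomobject]@{ Name = $cap.Name; Result = 'AlreadyInstalled'; Detail = '' }
            continue
        }
        try {
            $null = Add-WindowsCapability -Online -Name $cap.Name -ErrorAction Stop
            [pscustomobject]@{ Name = $cap.Name; Result = 'Installed'; Detail = '' }
        } catch {
            # Format the (negative Int32) HResult as the 0x8024002E-style code admins search for
            $code = '0x{0:X8}' -f $_.Exception.HResult
            $hint = if ($KnownErrors.ContainsKey($code)) { $KnownErrors[$code] } else { $_.Exception.Message }
            [pscustomobject]@{ Name = $cap.Name; Result = "Failed $code"; Detail = $hint }
        }
    }
}

$report = @(Install-LanguageCapability -Locale $Locale -Components $Components)
$report | Format-Table -AutoSize -Wrap

# Non-zero exit code so the deployment tool marks the run as failed when anything did not install
if ($report | Where-Object Result -like 'Failed*') { exit 1 } else { exit 0 }
```

Deploy it as a machine-context script (for example an SCCM package or a scheduled task running as SYSTEM) rather than in the user's session; the user does not need Windows Update access in the GUI for this to work, which is exactly the split the thread arrives at.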
