This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 82%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETN%3C/text%3E%3C/svg%3E)
Just today, many systems are installing the Windows 10 Feature update 20H2 without permission. My WSUS server has lost control of my workstations.
I don't even find KB4562830 on the Microsoft Update Catalog nor do I find it in my WSUS.
Why is 20H2 installing without my permission?
Because you have a dual scan scenario going on
https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/
Thank you for that information.
I found no suspect dual-scan policies applied:
egrep 'BranchReadinessLevel|DeferFeatureUpdatesPeriodInDays|DeferQualityUpdatesPeriodInDays|DeferUpdatePeriod|DeferUpgradePeriod|ExcludeWUDriversInQualityUpdate|PauseDeferrals|PauseFeatureUpdates|PauseQualityUpdates|DeferFeatureUpdates|WindowsUpdate|DeferFeatureUpdatesPeriodInDays|PauseFeatureUpdates|PauseFeatureUpdatesStartDate|DeferQualityUpdates|DeferQualityUpdatesPeriodInDays|PauseQualityUpdates|PauseQualityUpdatesStartTime|BranchReadinessLevel|DeferUpgrade|DeferFeatureUpdatesPeriodInDays|DeferQualityUpdatesPeriodInDays|ExcludeWUDriversInQualityUpdate|ExcludeWUDriversInQualityUpdate' gpresult.htm
I also saw your recommendations here: https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/
A location policy was present with the recommended items. Delivery optimization was LAN. The workstation and server policies are similar in design
I am still looking for the reason but I did find a workaround setting this gpo to 2004 prevents 20H2 from installing:
Windows Components/Windows Update/Windows Update for Business/Target Version for Feature Updates
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 24%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)
Hi TheNetworkCompany-0419,
Thanks for your posting on this forum.
Please try to apply the following policy on the client to prevent 20H2 from installing:
Policy: Do not allow update deferral policies to cause scans against Windows Update
This policy is helpful in preventing from dual scan.
If there are any updates about this issue, please keep us in touch.
Regards,
Rita
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
egreping for the result may not work due to how the html file is built. Those terms are the registry side names, not the GPO side names. You would have to cross reference the ADMX/ADML files for the actual names of the verbage that is outputted into the GPO.htm file, and that's more work than actually just looking through a gpo.htm file example and reading /looking for items that relate to Windows Update For Business