This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 74%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi All,
I wonder if someone can offer me some advice. I recently inherited a server farm consisting of Server 2012, 2012 R2, 2016, 2019 and 2022 VMs. For some reason I cannot figure out why, the Server 2016 servers ALL appear to be bypassing WSUS and getting updates directly from Windows Update online. However, all the other servers are working as expected and waiting on approved WSUS updates.
All the servers are being configured for WSUS with the same group policy settings. The registry keys for HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and \AU are identical on all servers. They all have the WSUS server correctly specified in the WUServer and WUStatusServer keys and all have UseWSUerver set to "1".
WSUS is seeing the 2016 servers without issue and can see that the unapproved updates are installed on them.
After doing some digging, it looks like adding in the Do not connect to any Windows Update Internet locations setting will probably fix the problem, but I'd like to understand why this issue is happening and why it's only happening on the Server 2016 boxes.
Our previous network admin has left the organisation, so I'm unable to ask any questions as to any changes made over the years.
Thanks for the help,
Tim
Dual Scan is the issue. The actual fix should be to REMOVE THE DUAL SCAN SCENARIO, and not add another policy that quazi-negates it.
My guide will get you to the point of REMOVING the dual scan scenario.
https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/
Hi All,
I think I may have got to the bottom of the problem. Some research took me to this website:
https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/
And when I checked the entries in the server versions I spotted that the Server 2016 was missing entries that were in the 2019 and 2022. The circled entries were not on the Server 2016 servers.
This suggested that Dual Scan is enabled on the Server 2016 servers, meaning they check Windows Updates instead of WSUS.
I then went here:
https://www.hashmat00.com/disable-dual-scan/
And found that running the first powershell command on Server 2016 showed that Windows Update was set as default update method.
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$status = $MUSM.Services
$status | select name, IsDefaultAUService
Adding in the following registry key with value "1" changes the default to WSUS, confirmed by running that PowerShell command a second time.
Hopefully that'll do the trick!
Tim