Computers Automatically Updating the Day After Patch Tuesday

Richard Roati 36 Reputation points
2023-07-06T16:35:21.2366667+00:00

We have had a WSUS patch policy for our company since 2012. We deploy Microsoft's security updates first to our IT staff computers the Thursday evening after Patch Tuesday using our WSUS Server, and then deploy the patches out to everyone the following week. This policy helps us to ensure that the security patches are deployed, after making sure that the patches work in our environment.

In 2022, we found some savvy users were navigating to "Check for Updates from Microsoft" and were updating their computers to Windows 11 on their own. I was asked to block Windows 11, as we weren't ready to deploy it yet. We used Group Policy's Windows Updates for Business to block Windows 11 at first, but this introduced a dual scan scenario where computers were updated immediately, violating our patch process. We disabled that policy, and tested and confirmed a new Group Policy with the following policies Enabled: "Turn off access to all Windows Update features," "Do not allow update deferral policies to cause scans against Windows Update," and "Do not connect to any Windows Update Internet locations." This policy worked well for the past 9 months. Computers were still updated from our WSUS Server, but they were no longer allowed to "Check for Updates from Microsoft," as this option no longer appeared in Windows Updates on Windows 10, which meant that they couldn't update their computers to Windows 11 on their own, which was exactly what I was tasked to implement.

After Patch Tuesday on June 13, however, several employees noticed that their computers were being updated automatically, the day after Patch Tuesday, and before I had deployed the updates to IT Staff on Thursday evening. These employees had not navigated to Windows Update at all; they were simply being updated automatically, and this issue was not limited to IT Staff. Once again, our patch policy was being violated, by a change at Microsoft, it appeared. We then blocked access to update.microsoft.com at our firewalls. This restored sanity for a few days, until we realized that new installs of Microsoft Office on new or reimaged computers were failing to complete because they needed to go to the same URL to update Office and complete the install.

To resolve this issue, we allowed IT Staff computers to navigate to update.microsoft.com at our firewalls. IT Staff could now complete new installs of Microsoft Office successfully. However, this means that IT Staff now must assist users in installing Office, rather than allowing ordinary users to install Office from Software Center (SCCM), as we had done in the past, greatly impacting the available time of our IT staff. It also means that our IT Staff are in danger of having their computers updated in the middle of the day on the Wednesday after Patch Tuesday, rather than on Friday, which has been our patching process.

Here is what we are asking for: whatever change was made on June 13, reverse it, so that our Group Policy which allows us to maintain our patch process, which has worked for us for the past 11 years, can be allowed to continue. Perhaps some inadvertent change was made that has already been reversed? Or perhaps there is some other solution for us? Please let us know how we can proceed and maintain our patching policy. Thank you! Sincerely, Richard Roati


Accepted answer
  1. Adam J. Marshall 10,281 Reputation points MVP
    2023-07-07T20:12:48.3133333+00:00

    99% of the time, the issue has to do with Dual Scan.

    https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/

    You've said that you've 'disabled' it, but what you've done is enabled an option to 'disable' it... rather than remove the actual policies that create the problem.

    As per: https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/

    Are the clients actually trying to get updates from WSUS?

    # Lists every registered update service; the entry with IsDefaultAUService = True is the one Automatic Updates actually scans against (it should be the WSUS entry)
    $(New-Object -ComObject "Microsoft.Update.ServiceManager").Services | Select-Object Name, IsDefaultAUService

    You want to remove the option for people to go to Microsoft directly - enable "Remove access to use all Windows Update features" instead.

    "Do not connect to any Windows Update Internet locations" does 1 thing that's bad - it blocks access to updates via the Windows Store. Most admins would say that's good - but if there's an update to something like Notepad or Calculator, your systems won't retrieve it.

    https://www.digitaltrends.com/computing/the-latest-tool-in-the-hacker-arsenal-microsoft-calculator/

    Use my guide - I'd recommend reading the whole series, but Part 4 will help with some of the configuration. The only thing I don't add is the remove access policy mentioned above.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/

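A client-side audit of the policy state the accepted answer is talking about, added here as an example and not part of the original answer: it reads the registry values that the Group Policy settings named in the thread write (the standard Windows Update policy value names), lists the deferral policies that trigger dual scan when WSUS is configured, and runs the same ServiceManager check. The DualScanRisk label is chosen here; everything else is read from the machine it runs on.

```powershell
# Added example (not from the original post): audit a client's Windows Update
# policy for the dual-scan condition described in the accepted answer.
# Run in an elevated PowerShell session on the client being checked.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # $null when the policy key or value is absent (policy not configured)
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Is Automatic Updates pointed at WSUS ("Specify intranet Microsoft update service location")?
$wsusUrl = Get-PolicyValue $wuKey 'WUServer'
$useWsus = (Get-PolicyValue $auKey 'UseWUServer') -eq 1

# Windows Update for Business deferral/pause policies. With WSUS configured, any of
# these present while DisableDualScan is absent or 0 makes the client also scan
# Windows Update directly (dual scan), bypassing the WSUS approval schedule.
$deferralNames = 'DeferFeatureUpdates', 'DeferQualityUpdates', 'BranchReadinessLevel',
                 'PauseFeatureUpdates', 'PauseQualityUpdates'
$deferralsSet = @($deferralNames | Where-Object { $null -ne (Get-PolicyValue $wuKey $_) })

# Policies named in the thread, by registry value:
#   DisableDualScan = "Do not allow update deferral policies to cause scans against Windows Update"
#   DoNotConnectToWindowsUpdateInternetLocations = "Do not connect to any Windows Update Internet locations"
#   SetDisableUXWUAccess = "Remove access to use all Windows Update features"
$disableDualScan = (Get-PolicyValue $wuKey 'DisableDualScan') -eq 1
$noInternetLocs  = (Get-PolicyValue $wuKey 'DoNotConnectToWindowsUpdateInternetLocations') -eq 1
$uxAccessRemoved = (Get-PolicyValue $wuKey 'SetDisableUXWUAccess') -eq 1

# Which registered update service Automatic Updates actually uses (the check from the answer)
$services   = (New-Object -ComObject 'Microsoft.Update.ServiceManager').Services
$defaultSvc = ($services | Where-Object { $_.IsDefaultAUService } | Select-Object -ExpandProperty Name)

[pscustomobject]@{
    WsusServer          = $wsusUrl
    UseWUServer         = $useWsus
    DefaultAUService    = $defaultSvc
    DeferralPoliciesSet = ($deferralsSet -join ', ')
    DisableDualScan     = $disableDualScan
    NoInternetLocations = $noInternetLocs
    UxWUAccessRemoved   = $uxAccessRemoved
    # The answer's point: the fix is removing the deferral policies, not just setting DisableDualScan.
    DualScanRisk        = ($useWsus -and $deferralsSet.Count -gt 0 -and -not $disableDualScan)
} | Format-List
```

A healthy WSUS-only client shows the WSUS URL, UseWUServer True, an empty DeferralPoliciesSet and DualScanRisk False; a non-empty DeferralPoliciesSet with WSUS configured is the configuration the answer says to remove rather than mask.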

1 additional answer

  1. Limitless Technology 44,746 Reputation points
    2023-07-07T12:22:08.0466667+00:00

    Hello,

    I understand the frustration and challenges you're facing with maintaining your patching policy and dealing with the changes in the Windows update behavior. However, as an AI language model, I don't have access to specific Microsoft internal information or the ability to reverse changes made by Microsoft. I can offer some general guidance and suggestions based on the information you've provided:

    Microsoft Support: I recommend reaching out to Microsoft Support directly regarding the issue you're experiencing. They have access to the latest information, updates, and specific guidance that can help you address the problems you're facing with the Windows update behavior. They can also investigate any changes made by Microsoft on June 13th and provide further assistance or solutions.

    WSUS Configuration: Review your WSUS (Windows Server Update Services) configuration to ensure it is properly set up and functioning as expected. Verify that the appropriate update classifications and products are selected, and that synchronization with Microsoft Update is working correctly.

    Group Policy Settings: Double-check the Group Policy settings you have implemented to block Windows 11 and control Windows Update behavior. Ensure that the policies are applied correctly and consistently across the affected computers. You may also want to review Microsoft's documentation and best practices for managing Windows Update through Group Policy to ensure you are using the most appropriate settings for your environment.

    Windows Update for Business: Explore the capabilities of Windows Update for Business (WUfB) and its associated policies. WUfB provides additional control and configuration options for managing Windows Updates in business environments. You can check if there are any new policies or settings related to update behavior that could help you maintain your patching process.

    Windows Update Rings: Consider implementing Windows Update Rings to control the deployment of updates in your organization. Windows Update Rings allow you to specify different deployment schedules for different groups of devices, which can help you maintain your desired patching process and stagger the updates within your environment.

    Remember, it's essential to stay up to date with the latest information from Microsoft, as they may release updates, changes, or new tools to address specific issues or provide better management options for Windows updates.

    Contacting Microsoft Support should be your primary course of action, as they can provide you with the most accurate and relevant guidance tailored to your specific scenario.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    --If the reply is helpful, please Upvote and Accept as answer--

