Windows 10 21H1 Enablement Package not deployed via SCCM

Ronnie 21 Reputation points
2021-07-21T14:06:09.183+00:00

Hi There.

Hope someone can help shed some light on the problem we have.
I have an ever-increasing number of machines in our environment that are installing the Windows 10 "21H1 Update". This update is not being deployed via SCCM at all for the last 5 months.

None of the SCCM logs show the installation of 21H1; however, they do appear in the Windows Update logs. We have also had a 3rd party company confirm it's not SCCM, but they are also not sure as to how Windows updates are getting this update if all updates come from SCCM.

I have all 3 of these KBs installed in our environment, and it seems that they include the "Enablement Package" for the version of Windows installed: Article ID 4517245, Article ID 4562830 and KB5000736.

I don't use Windows for Business, nor have I deployed the Enablement Package out to my machines. About 75% of my environment has 1909 installed.
As we run 3rd party applications across a large majority of our machines, any changes in our environment need to be tested before a full deployment goes out to them all.

I have 3 questions:

How can I stop this from happening?
And gain control of this deployment?
How can I roll these machines back, as most have passed the 10-day grace period to roll back?


Accepted answer
  1. Amandayou-MSFT 11,046 Reputation points
    2021-07-22T07:34:38.32+00:00

    Hi @Ronnie ,

    Agree with Jason, please check if dual-scan is checked.
    Here is the related article we could refer to:
    https://techcommunity.microsoft.com/t5/configuration-manager-archive/using-configmgr-with-windows-10-wufb-deferral-policies/ba-p/274278

    If the policy is enabled, we could use the policy "Do not allow update deferral policies to cause scans against Windows Update" to disable it.

    116958-7225.png

    And if it is disabled, the new record will be written in Registry Editor:

    117021-7224.png



6 additional answers

  1. Jason Sandys 31,171 Reputation points Microsoft Employee
    2021-07-21T15:00:28.62+00:00

    The typical answer here is that you've inadvertently enabled dual-scan by configuring feature update deferrals using a group policy. Dual-scan, by definition, uses WUfB for updates. Thus, you need to validate that you have no deferrals configured anywhere.

    Is rolling back truly business critical?


  2. Ronnie 21 Reputation points
    2021-07-22T09:03:20.207+00:00

    @Jason Sandys and @Amandayou-MSFT Thanks for getting back to me.

    Jason, to answer your question: yes and no. If I can stop them from going to the next version automatically, then no, not business critical, but if they keep upgrading, then yes, I need to stop them.

    My main concern is to stop more machines from upgrading, else I will lose full control of my environment, which is a major problem for us due to the 3rd party apps that need to go through a testing phase first.

    Below is our current config.

    It would appear to be enabled
    117063-image.png

    I've shared a bit more info that might also be causing a problem or not, but I would appreciate your thoughts on our current setup.
    117073-image.png

    Windows Update for Business is not configured in our environment
    117053-image.png

    Thanks again for getting back to me.


  3. Jason Sandys 31,171 Reputation points Microsoft Employee
    2021-07-22T14:16:34.22+00:00

    Sorry, not exactly following your comment here.

    Based on the above, the most likely cause here still is that you've inadvertently enabled dual-scan. I strongly suggest you remove the deferral policy as the only purpose of this policy is to control WUfB and thus setting this policy enables WUfB usage. It does appear you've also configured the disable dual scan setting but it's possible, for whatever reason, that it is not configured on the systems that upgraded; you'll have to directly examine them to validate.

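An added example, not posted by anyone in this thread, of the direct examination suggested above: it reads a client's Windows Update policy key and reports whether a WSUS server, deferral values and the "disable dual scan" setting are present together. The registry value names are the ones the Windows Update group policies are assumed to write; confirm them on one of your own clients, and treat `DualScanPossible` as a heuristic built from the conditions described in the answers.

```powershell
# Added example: audit one client for the settings discussed in this thread.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues([string]$Path) {
    # Return the values under a policy key as a hashtable (empty if the key is absent).
    $values = @{}
    if (Test-Path $Path) {
        $item = Get-Item -Path $Path
        foreach ($name in $item.GetValueNames()) { $values[$name] = $item.GetValue($name) }
    }
    return $values
}

function Test-DualScanRisk([hashtable]$WU, [hashtable]$AU) {
    # Assumed names of the WUfB deferral values; any of them next to a WSUS
    # server is the dual-scan situation described in the answers.
    $deferralNames = 'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
                     'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
                     'BranchReadinessLevel'
    $deferrals = @($deferralNames | Where-Object { $WU.ContainsKey($_) })
    $usesWsus  = ($AU['UseWUServer'] -eq 1) -and [bool]$WU['WUServer']
    $blocked   = ($WU['DisableDualScan'] -eq 1)
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        UsesWsus         = $usesWsus
        DeferralsSet     = ($deferrals -join ', ')
        DisableDualScan  = $blocked
        DualScanPossible = $usesWsus -and ($deferrals.Count -gt 0) -and -not $blocked
    }
}

$wu = Get-PolicyValues $wuKey
$au = Get-PolicyValues "$wuKey\AU"
Test-DualScanRisk -WU $wu -AU $au | Format-List

# Which update service the client treats as its default (same COM object as in the thread).
(New-Object -ComObject 'Microsoft.Update.ServiceManager').Services |
    Select-Object Name, IsDefaultAUService
```

Run it in an elevated PowerShell session on a machine that upgraded and on one that did not, then compare the two outputs.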

  4. Ronnie 21 Reputation points
    2021-07-23T08:21:44.227+00:00

    Hi Jason

    So, the screenshot I posted earlier was from a machine that has 21H1 installed.
    I'll do a bit of investigation on a few machines that have not yet updated to 21H1 and see what the outcome is.

    So by disabling DualScan, my machines will stop looking for updates from WSUS and not Windows Update, or the other way around?
    And the important question: will it stop the Enablement Package from automatically installing? I am finding conflicting info on the web.

    I've run the PS script below before disabling DualScan and then disabled it, and these are my results.

        $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
        $status = $MUSM.Services
        $status | select name, IsDefaultAUService

    117047-image.png
