
Ensure that online 'dual scan' is mitigated #198

@canihavethisone

Description


Use Case

As per https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/ (assuming this is still a known issue), Windows has a potential to perform dual-scan for updates even when a WSUS server is defined.

Describe the Solution You Would Like

Mitigation in place if this is still an issue

Describe Alternatives You've Considered

As I manage a range of registry keys in a private module (based on CIS), I use the following overrides to mitigate the issue. This may serve as an example with affected registry keys.

  # Disable setting of registry keys that result in 'dual scan', reaching out to Windows Update as well as WSUS
  # https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates' |>             { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays' |> { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates' |>             { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays' |> { ensure => absent }
  # Settings below are required to avoid 'dual scan', but prevent v1909 from contacting WSUS 
  unless $facts['os']['windows']['release_id'] == '1909' {
    Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuilds' |>            { ensure => absent }
    Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuildsPolicyValue' |> { ensure => absent }
    Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel' |>           { ensure => absent }
  }

Additional Context

Not limiting update source purely to a defined WSUS server is probably undesirable
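An added PowerShell audit of the same policy values, written here as example code rather than taken from the issue author or the module the issue refers to. It assumes the WSUS client settings live at the standard WUServer / AU\UseWUServer policy values, uses the DisableDualScan policy value and the CurrentVersion\ReleaseId lookup (neither is mentioned in the issue), and mirrors the issue's 1909 exception by leaving the preview-build and readiness values alone on that release.

```powershell
# Added example: report whether a WSUS-managed client still carries the policy
# values that can trigger an online "dual scan", and optionally remove them.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# Values named in the issue as causing dual scan when set alongside a WSUS server
$DeferValues   = 'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
                 'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays'
# Values the issue removes everywhere except on release 1909 (they break WSUS contact there)
$PreviewValues = 'ManagePreviewBuilds', 'ManagePreviewBuildsPolicyValue', 'BranchReadinessLevel'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DualScanExposure {
    [CmdletBinding()]
    param([switch]$Remediate)

    # ReleaseId lookup is an assumption for this example (e.g. '1909'); not in the issue
    $releaseId = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'ReleaseId'
    $candidates = $DeferValues
    if ($releaseId -ne '1909') { $candidates += $PreviewValues }

    $wuServer    = Get-PolicyValue $PolicyKey 'WUServer'
    $useWuServer = Get-PolicyValue $AuKey 'UseWUServer'
    $disableDual = Get-PolicyValue $PolicyKey 'DisableDualScan'   # assumption: documented policy value
    $present     = @($candidates | Where-Object { $null -ne (Get-PolicyValue $PolicyKey $_) })

    $wsusManaged = ($null -ne $wuServer) -and ($useWuServer -eq 1)
    $exposed     = $wsusManaged -and ($present.Count -gt 0) -and ($disableDual -ne 1)

    $removed = @()
    if ($Remediate -and $exposed) {
        foreach ($name in $present) {
            Remove-ItemProperty -Path $PolicyKey -Name $name -ErrorAction Stop
            $removed += $name
        }
    }

    [pscustomobject]@{
        ReleaseId        = $releaseId
        WsusServer       = $wuServer
        WsusManaged      = $wsusManaged
        TriggerValuesSet = $present
        DisableDualScan  = $disableDual
        DualScanPossible = $exposed
        Removed          = $removed
    }
}

Test-DualScanExposure   # add -Remediate to strip the trigger values, as the Puppet overrides above do
```

Run from an elevated prompt; without -Remediate it only reads the policy keys, so it is safe to schedule as a recurring compliance check.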
