Windows 10 circumvents WSUS

Thank you for your question. It makes me feel that I'm not the only one who is in pain since the inception of Windows 10!

The solution is very simple: Ensure that your copy of Windows 10 1703 does not have any of the following value names listed under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

(These value names are checked against WindowsUpdate.admx for Windows 10 version 1703.)

 DeferFeatureUpdates
 DeferFeatureUpdatesPeriodInDays
 DeferQualityUpdates
 DeferQualityUpdatesPeriodInDays
 PauseFeatureUpdatesStartTime
 PauseQualityUpdatesStartTime
 ExcludeWUDriversInQualityUpdate

Quoting further from the same article "Why WSUS and SCCM managed clients are reaching out to Microsoft Online":

What just happened here? Aren’t these update or upgrade deferral policies?

Not in a managed environment. These policies are meant for Windows Update for Business (WUfB).

Windows Update for Business aka WUfB enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service.

We also recommend that you do not use these new settings with WSUS/SCCM.

If you are already using an on-prem solution to manage Windows updates/upgrades, using the new WUfB settings will enable your clients to also reach out to Microsoft Update online to fetch update bypassing your WSUS/SCCM end-point.

To manage updates, you have two solutions:

  1. Use WSUS (or SCCM) and manage how and when you want to deploy updates and upgrades to Windows 10 computers in your environment (in your intranet).
  2. Use the new WUfB settings to manage how and when you want to deploy updates and upgrades to Windows 10 computers in your environment directly connecting to Windows Update.

— Rasheed, Shadab (9 January 2017) "Why WSUS and SCCM managed clients are reaching out to Microsoft Online". Windows Server Blog. Microsoft Corporation

Be advised that this article's list of Registry value names has typos. Use the value names given above instead.
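
A read-only audit for the value names listed in the answer above, as an added example that is not part of the original answer or the quoted Microsoft article. The function name is hypothetical, and the `WUServer` and `AU\UseWUServer` lookups are the usual WSUS client policy values, assumed here and not taken from this page.

```powershell
# Added example (read-only): report WUfB deferral values that make a
# WSUS-managed Windows 10 client also scan Windows Update online.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Value names exactly as listed in the answer above.
$WufbValueNames = @(
    'DeferFeatureUpdates'
    'DeferFeatureUpdatesPeriodInDays'
    'DeferQualityUpdates'
    'DeferQualityUpdatesPeriodInDays'
    'PauseFeatureUpdatesStartTime'
    'PauseQualityUpdatesStartTime'
    'ExcludeWUDriversInQualityUpdate'
)

function Get-WufbPolicyConflict {   # hypothetical helper name
    [CmdletBinding()]
    param([string]$Path = $PolicyKey)

    # No policy key at all means none of the values can be set.
    if (-not (Test-Path -LiteralPath $Path)) { return }

    $key     = Get-Item -LiteralPath $Path
    $present = $key.GetValueNames()

    # Assumption (not from the page): WUServer and AU\UseWUServer are the
    # usual WSUS client policy values; used only to flag managed clients.
    $wsus    = $key.GetValue('WUServer')
    $useWsus = (Get-ItemProperty -LiteralPath "$Path\AU" -Name UseWUServer `
                    -ErrorAction SilentlyContinue).UseWUServer

    foreach ($name in $WufbValueNames) {
        if ($present -contains $name) {   # -contains is case-insensitive
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                ValueName   = $name
                Kind        = $key.GetValueKind($name)
                Data        = $key.GetValue($name)
                WsusServer  = $wsus
                UseWUServer = $useWsus
            }
        }
    }
}

$hits = @(Get-WufbPolicyConflict)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No WUfB deferral values found.' }
```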


Dual Scan - this is the reasoning behind it ... such a pain. Fixed in our environment. https://batchpatch.com/deciphering-dual-scan-behavior-in-windows-10