Dual Scan – Making Sense of Why So Many Admins Have Issues

by | Last updated 2022.10.29 | Published on 2019.01.31 | Guides, WSUS

why so many admins have problems

What do the following have in common for WSUS Administrators?

  • Select when Preview Builds and Feature Updates are received (BranchReadinessLevel, DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays, PauseFeatureUpdatesStartTime)
  • Select when Quality Updates are received (DeferQualityUpdates, DeferQualityUpdatesPeriodInDays)

Besides being Windows Update for Business policies (a fundamental change of the way you think about updates), when specified in a WSUS network, they cause havoc because of that pesky little thing called dual scan.

Let’s take a step back.

When utilizing WSUS you are already ‘in control’; or should be. Because of this, in a WSUS network, there is zero reason to enable these policies. They may sound fantastic to the administrator, but the administrator doesn’t know why these policies exist, or how they interact with others (these are not the only policies that I’ve seen WSUS Administrators fumble over either).

An update will only reach a client machine when it is approved; not before. If you don’t want the feature upgrades to install right now, don’t approve them. If you don’t want the cumulative updates to install right away because you want a week or 2 ‘staying’ period to see if others are having issues with them, don’t approve them.

So, What Should I Do?

If you have WSUS, don’t set these polices. If you have them already set, set them to ‘Not configured’. Also make sure that in your WSUS server location settings that you specify ‘Set the alternate download server’ as explained in part 4 of my 8 part blog series on How to Setup, Manage, and Maintain WSUS.

If you’re setting the keys by registry edits, they have multiple places in the registry and can be located at:

HKLM\Software\Microsoft\PolicyManager\default\Update\BranchReadinessLevel
HKLM\Software\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays
HKLM\Software\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays
HKLM\Software\Microsoft\PolicyManager\default\Update\DeferUpdatePeriod
HKLM\Software\Microsoft\PolicyManager\default\Update\DeferUpgradePeriod
HKLM\Software\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate
HKLM\Software\Microsoft\PolicyManager\default\Update\PauseDeferrals
HKLM\Software\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
HKLM\Software\Microsoft\PolicyManager\default\Update\PauseQualityUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime
HKLM\Software\Microsoft\WindowsUpdate\UX\Settings\BranchReadinessLevel
HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\DeferUpgrade
HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\DeferFeatureUpdatesPeriodInDays
HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\DeferQualityUpdatesPeriodInDays
HKLM\Software\Microsoft\WindowsUpdate\UX\Settings\ExcludeWUDriversInQualityUpdate
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate
Domain Controller DNS in an Active Directory Environment

Domain Controller DNS in an Active Directory Environment

Proper domain controller DNS setup is vital for Active Directory to work properly. Best practice dictates that each domain controller should be setup with a different DNS server as it's preferred DNS server, and and the loopback address (127.0.0.1) as it's alternate...

Client Machines Not Reporting to WSUS Properly?

Client Machines Not Reporting to WSUS Properly?

,

WSUS Reporting starts and ends with the Windows Update Agent (WUA) on each individual client. If the client is not reporting properly, it can show up in many different ways. Sometimes it will be obvious (the Last Status Report column is not updating to a recent date)...

WSUS System Requirements – What Should I Plan For?

WSUS System Requirements – What Should I Plan For?

,

Microsoft's official system requirements are a good starting point, however, they don't give you the full picture. Let's look at this one by one. Processor: 1.4 gigahertz (GHz) x64 processor (2 Ghz or faster is recommended) So, 1.4-2.0 GHz is already in play by pretty...