Ensure that online 'dual scan' is mitigated #198

Open
canihavethisone opened this issue Mar 25, 2023 · 2 comments · May be fixed by #225

Comments


canihavethisone commented Mar 25, 2023

Use Case

As per https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/ (assuming this is still a known issue), Windows has the potential to perform a dual scan for updates even when a WSUS server is defined.

Describe the Solution You Would Like

Mitigation in place if this is still an issue

Describe Alternatives You've Considered

As I manage a range of registry keys in a private module (based on CIS), I use the following overrides to mitigate the issue. This may serve as an example with the affected registry keys.

```puppet
# Disable setting of registry keys that result in 'dual scan', reaching out to Windows Update as well as WSUS
# https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates' |>             { ensure => absent }
Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays' |> { ensure => absent }
Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates' |>             { ensure => absent }
Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays' |> { ensure => absent }
# Settings below are required to avoid 'dual scan', but prevent v1909 from contacting WSUS
unless $facts['os']['windows']['release_id'] == '1909' {
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuilds' |>            { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuildsPolicyValue' |> { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel' |>           { ensure => absent }
}
```

Additional Context

Not limiting the update source purely to a defined WSUS server is probably undesirable.


brajjan commented May 22, 2024

This is a big problem for us, as we use the wsus_client module with purge_values => true (to remove all the settings from different GPOs) and disable_windows_update_access => true. On certain clients, those with Dual Scan enabled cannot get any updates from WSUS.

I will look through some other settings applied to the clients and see if I can find another solution, but the solution provided below should be OK to implement in the module now without any breaking changes.

Before disabling Dual Scan

```
PS C:\> Get-WUServiceManager

ServiceID                            IsManaged IsDefault Name
---------                            --------- --------- ----
7971f918-a847-4430-9279-4a52d1efe18d False     False     Microsoft Update
8b24b027-1dee-babb-9a95-3517dfb9c552 False     False     DCat Flighting Prod
855e8a7c-ecb4-4ca3-b045-1dfa50104289 False     False     Windows Store (DCat Prod)
3da21691-e39d-4da6-8a4b-b43877bcb1b7 True      False     Windows Server Update Service
9482f4b4-e343-43b6-b170-9a65bc822c77 False     True      Windows Update
```

No updates at all are found when searching for new updates.

When disabling Dual Scan

```powershell
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name DisableDualScan -PropertyType dword -Value 1
```

```
PS C:\> Get-WUServiceManager

ServiceID                            IsManaged IsDefault Name
---------                            --------- --------- ----
7971f918-a847-4430-9279-4a52d1efe18d False     False     Microsoft Update
8b24b027-1dee-babb-9a95-3517dfb9c552 False     False     DCat Flighting Prod
855e8a7c-ecb4-4ca3-b045-1dfa50104289 False     False     Windows Store (DCat Prod)
3da21691-e39d-4da6-8a4b-b43877bcb1b7 True      True      Windows Server Update Service
9482f4b4-e343-43b6-b170-9a65bc822c77 False     False     Windows Update
```

Updates are found when searching for updates.

All settings set by Puppet are below.

```
Title                                                                                                                      Value
-----                                                                                                                      -----
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer                                                          1
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer                                  https://internal.wsus.server:8531/
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer                            https://internal.wsus.server:8531/
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions                                                            4
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts                                         False
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates                                           True
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequency                                                   2
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess                                           True
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\ElevateNonAdmins                                                    False
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers                                    False
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate                                                     False
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootRelaunchTimeout                                               15
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootWarningTimeout                                                 5
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RescheduleWaitTime                                                  30
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay                                                  6
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime                                                 4
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup                                                       InternalServers
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AlwaysAutoRebootAtScheduledTime                                   True
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AlwaysAutoRebootAtScheduledTimeMinutes                              15
```

Solution

The solution for me would be to update the module with a parameter for DisableDualScan that defaults to undef.


brajjan commented May 23, 2024

Some more information. It seems the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache key keeps a cache of Windows Update client settings. The values were set by a previously applied GPO in CacheSet001 and the Puppet-applied settings in CacheSet002. As CacheSet001 had settings for deferral, they were also applied to the machine (even though the GPO was gone and the machine was restarted). They were not set in the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key, only in the cache.

So the solution would be to either remove the GPCache key and restart wuauserv (it gets recreated with the correct values), or preferably set DisableDualScan to 1.

I will post a pull request for setting that value as a parameter
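A defender-side audit script, added here as an example and not part of the wsus_client module or either commenter's code. It reads the policy values discussed in this thread (WUServer, UseWUServer, DisableDualScan and the deferral/preview-build values from the Puppet overrides above) and then walks every subkey under the GPCache key for stale copies of those values; the exact layout of the CacheSetNNN subkeys is an assumption, which is why it scans all of them.

```powershell
# Added example: audit one client for the dual-scan condition described in this
# issue. Not from the wsus_client module. Run elevated so HKLM is readable.
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $policy 'AU'
$gpCache  = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache'

# Values that, when present next to a WSUS server definition, make the client
# also scan Windows Update online (same list as the Puppet overrides above).
$dualScanTriggers = @(
    'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
    'ManagePreviewBuilds', 'ManagePreviewBuildsPolicyValue',
    'BranchReadinessLevel'
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when either the key or the value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wuServer  = Get-RegValue $policy   'WUServer'
$useWU     = Get-RegValue $auPolicy 'UseWUServer'
$disableDS = Get-RegValue $policy   'DisableDualScan'

Write-Host "WUServer        : $wuServer"
Write-Host "UseWUServer     : $useWU"
Write-Host "DisableDualScan : $disableDS"

# Trigger values in the live policy key
$live = $dualScanTriggers | Where-Object { $null -ne (Get-RegValue $policy $_) }
if ($live) { Write-Host "Policy key has dual-scan triggers: $($live -join ', ')" }

# Trigger values left behind in cached GPO sets (CacheSet001, CacheSet002, ...).
# Layout of the cache subkeys is an assumption here, so every subkey is checked.
if (Test-Path $gpCache) {
    foreach ($key in Get-ChildItem -Path $gpCache -Recurse) {
        $cached = $dualScanTriggers | Where-Object { $null -ne (Get-RegValue $key.PSPath $_) }
        if ($cached) { Write-Host "$($key.Name) caches: $($cached -join ', ')" }
    }
}

# The condition from this thread: WSUS configured, DisableDualScan not set to 1
if ($wuServer -and $useWU -eq 1 -and $disableDS -ne 1) {
    Write-Warning 'WSUS is configured but DisableDualScan is not 1; client may dual scan.'
}
```

Running it before and after setting DisableDualScan gives the same picture as the two Get-WUServiceManager listings above, plus any cached deferral values that a purge of the policy key alone would not remove.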

@brajjan brajjan linked a pull request May 23, 2024 that will close this issue