In this post I will be discussing on What is Dual scan and its impact on WUfB policies. Once dual scan is enabled, it allows devices to scan against both Windows Update and Windows Server Update service (WSUS) but apply different kind of patches through this different source.
What is Dual Scan
Dual Scan is a policy which can either be implemented using Group policy or equivalent MDM policy. Policy name is Do not allow update deferral policies to cause scans against Windows Update.
Group policy associated with this policy is located under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Legacy Policies
This is a fully controllable feature, we can make it enable or disable. Though there are few settings which makes this feature automatically enabled even without changing the mentioned policy, which I will discuss further in the post.
Dual Scan policy allow organizations with WSUS or SCCM with Software Update point configured to get the 2 different kinds of scan source. One will be used to download updates directly from Windows update and other to use on-premises WSUS / SCCM infrastructure. These 2 scan sources will be:
- Windows Update
- Windows Server Update service (WSUS)
Windows Update Scan Source
Windows Update scan source policy will allow to download following updates:
- Feature updates
- Windows quality updates
- Driver and firmware updates
- Updates for other Microsoft products
WSUS Scan Source
Once dual scan is enabled, WSUS scan source can still be used to deploy to deploy 3rd part updates. There can be another use case, such as deploying Office 365 updates using WSUS while still using Windows update using WUfB policies.
Why we need Dual Scan behaviour
Without having dual scan behavior, we cannot use different kind of scan source and would have to rely on one specific source only to apply the updates. Microsoft modern management requires to move towards Windows update for Business policies to get all the recent updates without having dependency upon WSUS as standalone or WSUS configured with Configuration manager as software update point.
When WSUS / SCCM for software update is configured, Dual scan gets enabled, hence allowing devices to get unapproved updates as well from Microsoft update. This scenario shows WSUS is not having full control.
Disabling of Dual scan means, policy “Do not allow update deferral policies to cause scans against Windows Update” is enabled. This policy creates following registry key DisableDualScan with value 1 which is located under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
3rd party updates are not supported by Windows updates. This is a perfect scenario for organizations to keep on using WSUS / SCCM for 3rd party updates and rest other updates using WUfB Deferral policies.
As I stated earlier, this Dual scan behaviour can also be helpful in a scenario to separate out Microsoft Updates through Windows Update while keep on using Office 365 updates using WSUS.
When does Dual Scan gets enabled
Dual Scan gets enabled automatically when either of the policies are set:
- Specify intranet Microsoft update service location (i.e., WSUS)
- Either of the policies belonging to Windows Update for Business
- Select when Preview Builds and Feature Updates are received
- Select when Quality Updates are received
WSUS Policy which enables Dual Scan
This policy can get enabled in 2 ways.
- Setting up WSUS / SCCM with SUP – Once WSUS is configured, specify intranet Microsoft Update service location policy is automatically setup and can be seen under registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate with the name:
WUServer & WUStatusServer
- Through Group policy– When WSUS is configured as Standalone, following group policy setting will be applied by administrator to point devices to WSUS Server:
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service > Specify intranet Microsoft update service location as Enabled and setting “Set the intranet update service for detecting updates” to existing WSUs server.
Both mentioned above policies will set DisableDualScan registry key value to 0 which means enabling dual scan. You can see following registry keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
WUfB policy which enables Dual Scan
If Windows Update for Business policy is set, then also Dual scan gets enabled. WUfB can be enabled in several ways, it could be either Group Policy, Intune policies or Configuration Manager policies. Corresponding Group policy for WUfB which enables Dual scan is:
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update with either of the two policies:
- Select When Preview Builds and Feature Updates are received
- Select when Quality Updates are received
These policies will create following registry key:
- DeferFeatureUpdates
- DeferQualityUpdates
Under what condition Dual Scan is applicable
We need to understand when is Dual Scan policy comes into picture and when it does impact Windows Update for Business policy. Enabling or Disabling of Dual Scan will only make difference if WSUS is configured with following setting “Specify intranet Microsoft update service location” is configured.
Take it in other way, if WSUS is configured using SCCM or Group policy, this will create WUServer & WUStatusServer registry keys. Under this condition Dual scan policy is applicable if it enabled, dual scan will work, if disabled – it won’t.
Above mentioned explanation also means that if WSUS configuration “specify intranet Microsoft update service location” is not set / missing. Dual scan policy will have no impact even though it is set to disable. This means devices will always go to internet to get the updates.
How to disable Dual scan
Let’s understand why we need to disable the dual scan. Though it seems dual scan as a good feature, however it also opens a path for the devices to go to internet to fetch the updates. For example, if user clicks on Check on Updates or Check online for updates from Microsoft Update, this will eventually download the latest updates along with feature updates for which organization was still not ready to apply these updates for devices.
Under these circumstances we can implement 2 policies:
- Enable “Do not allow update deferral policies”
Create or edit any existing Group policy and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Legacy Policies.
Enable the setting “Do not allow update deferral policies to cause scans against Windows Update”
This option will set registry key DisableDualScan value to 1
- Enable “Turn off access to all Windows Update features”
Though 1st policy is sufficient to disable Dual scan. But users can still initiate “Check online for updates from Microsoft Update”. Access to Windows Update features can be disabled by creating or editing following group policy:
Navigate to Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication settings and enable “Turn off access to all Windows Update features”
Dual scan no longer supported – Use Windows scan source policy
I have discussed in detail on Dual scan, benefits and pros and cons related to it. And now I am highlighting that Dual Scan is no longer supported for Windows 10 and Windows 11. Why I didn’t highlight this at first place?
The reason is, it is still worth understanding the Dual scan feature as this will be the biggest hurdle in organization which might give you unexpected results such as updates are getting blocked from Microsoft site, non-approved updates are getting applied hence loosing the controlled behaviour what WSUS / SCCM has to offer in terms of approving / deploying the updates. I have covered insight on all policies, registry settings related to it.
Though these settings works absolutely fine, but with recent change from Microsoft, they no longer support Dual scan behaviour ie. no longer supporting Do not allow update deferral policies to cause scans against Windows Update. They are replacing this setting with new Windows scan source policy which is located under following group policy location:
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service > Specify source service for specific classes of Windows Updates.
This gives a better option of controlling the updates as we can choose between Windows Update vs WSUS for following kinds of updates:
- Feature Updates
- Quality Updates
- Driver Updates
- Other Updates
It is not recommended to use this policy with Dual Scan. Better not to use dual scan policy at all if you wanted to use this policy as updates might not get downloaded from Microsoft update.
Conclusion
Dual Scan behaviour only comes into picture when WSUS is configured. It has no impact without having WSUS configured, which means updates will always get from Windows Update if no other policies are blocking the access.
When WSUS is configured, set dual scan behaviour depending upon your needs. If you wanted to have full control of WSUS to approve updates or to deploy updates from configuration manager, in both scenarios simply disable dual scan by using methods described above.
However, if you wanted a flexible control to use Windows update for business using SCCM co-management capability and 3rd party updates (or Office 365 updates) using WSUS, then enable dual scan wisely based upon your needs.
Important Links
Demystifying “Dual Scan” | Microsoft Docs
