Microsoft Issuing Patch This Month for Windows 10 Version 1607 'Dual-Scan' Issue
Microsoft announced on Friday that an update will be arriving this month to address a Windows 10 "dual-scan" update problem for users of Windows Server Update Services (WSUS).
The update, KB4025334 (it's incorrectly referred to as "KB4022723" in the announcement), was first released on July 18 but it also will be included in the Aug. 8 Windows 10 cumulative update release, arriving on "Update Tuesday." Update 8/9/17: Microsoft changed its announcement late yesterday, which now indicates that it's KB4034658 (not KB4025334) that's delivering the change.
However, this update will only address the dual-scan issue associated with Windows 10 version 1607 when using WSUS. It brings an optional Windows Update policy setting, called "Do not allow update deferral policies to cause scans against Windows Update." When this optional policy is enabled, it will prevent the dual-scan behavior for users of WSUS.
The update will only affect Group Policy configurations. For those using ADMX templates to set Group Policy, the updated version with this new option will be arriving "with the next feature update release, whose exact date is not yet public knowledge," explained Steve Henry, a program manager for WSUS, in the comments section of Microsoft's Friday announcement.
Microsoft also is working on a similar update for Windows 10 version 1703, but it's not ready right now. In response to a question, Henry said that this update could arrive when Windows 10 version 1709 gets released. Possibly, that means in September or October.
Microsoft uses a two-digit year/month format for "current channel" (a.k.a. "current branch") releases of Windows 10, but it's often dated a month later than what the numerals may suggest. For instance, Windows 10 version "1703" current channel got released in April of 2017 (not March). For examples, see Microsoft's release history page.
Microsoft plans to deliver the same sort of dual-scan fix for its mobile device management policies, but that will be happening "later this year."
Flaw or Feature?
Organizations that use WSUS and System Center Configuration Manager (SCCM) saw the dual-scan behavior as a problem. While organizations typically use those management systems to control the timing of Windows updates to client devices, it turned out that those client devices were getting updated when certain "Defer" settings were used. In January, Microsoft had explained that the "dual-scan" behavior happened because the Defer settings were actually Windows Update for Business settings. Microsoft had designed Windows Update for Business, a new client update scheme, to always deliver the most current updates to Windows 10 clients.
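The condition described above (a WSUS-managed client with a "Defer" setting and without the new "Do not allow update deferral policies to cause scans against Windows Update" policy) can be audited on a client with a short script. This is an added example, not code from the article or from Microsoft; the registry value names are assumptions about what the corresponding Group Policy settings write, and the function names are hypothetical.

```powershell
# Added example: audit a Windows 10 client for the WSUS dual-scan condition.
# Assumption: the registry value names below are the ones the Windows Update
# Group Policy settings write; the article itself does not list them.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Emits nothing when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-DualScanExposure {
    $wsusUrl = Get-PolicyValue $wu 'WUServer'
    $useWsus = (Get-PolicyValue $au 'UseWUServer') -eq 1

    # Windows Update for Business deferral policies that are switched on.
    $deferrals = @('DeferFeatureUpdates', 'DeferQualityUpdates' |
        Where-Object { (Get-PolicyValue $wu $_) -eq 1 })

    # "Do not allow update deferral policies to cause scans against Windows Update"
    $blocked = (Get-PolicyValue $wu 'DisableDualScan') -eq 1

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        WsusServer       = $wsusUrl
        WsusEnabled      = $useWsus
        DeferralPolicies = $deferrals -join ','
        DualScanBlocked  = $blocked
        # Exposed: WSUS-managed, a deferral policy set, new policy not enabled.
        Exposed          = $useWsus -and ($deferrals.Count -gt 0) -and (-not $blocked)
    }
}

Test-DualScanExposure | Format-List
```

The script only reads policy keys, so it reports what Group Policy has applied and changes nothing on the client.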
Microsoft now indicates that the dual-scan behavior was designed to be a helpful feature of Windows 10.
In a May 5 "Demystifying 'Dual Scan'" blog post, Henry explained that Microsoft intentionally created the dual-scan behavior, starting with Windows 10 version 1607, so that organizations could set up Windows Update deliveries separately from other content deliveries that were controlled by WSUS. What is getting fixed with update KB4034658 is a scenario in which merely checking Windows Update would deliver updates to clients.
Henry downplayed Microsoft's explanation back in January. In the May 5 post's comments section, he stated in response to a question about the January guidance, "Please treat this post [the May 5 post] as the latest authoritative guidance on the dual-scan scenario."
In Friday's announcement, Henry indicated that update KB4034658 will actually be bringing the ability for WSUS users to defer Windows 10 1607 updates without getting tripped up by the dual-scan behavior. Here's how he put it:
This [update and configuration] allows enterprise administrators to mark their machines as "Current Branch for Business," and to specify that feature updates should not be delivered before a certain amount of days, without worrying that their clients will start scanning Windows update unbidden. This means that usage of deferral policies is now supported in the on-premises environment.
By "current branch for business," Henry is referring to the "semi-annual channel." In other words, he's referring to the two major Windows 10 updates that arrive each year, approximately in March and September. Last month, Microsoft changed its naming so that "branches" are now called "channels." Semi-annual channel releases are the ones that Microsoft recommends for production environment deployments, after testing with end users.
Is SCCM Affected?
The dual-scan problem early on was described as affecting users of SCCM, too. In the May 5 post Henry said that "with feature updates being offered on WU, there is now a possibility that a client managed through WSUS or Configuration Manager can receive a feature update that was not approved by its administrator."
However, Henry doesn't mention SCCM in the Friday announcement. In response to a direct question about whether SCCM was affected, a spokesperson for Microsoft stated via e-mail that "all the info you're seeking is in there [the Friday post] and we have nothing more to add."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.