*UPDATE 2024-10-15*
The specific KB might not be the only, or the specific, reason this is happening to some users. According to this blog post, the issue can be related to expedited updates.
In my own test case I can confirm that I had configured expedited update policies, but I also found a device from June that had the same issue; both the KB and expedited updates were present at that time as well. There have also been reports of users having the "Set by Group Policy" issue coming back, which points me towards the expedited updates policy being the main issue.
I was about to release 24H2 to some of my test clients when I noticed they were not receiving the update, even though it was set in Feature updates in Intune.
So I enrolled a new test device to investigate the issue and, to my surprise, I found that after the initial Windows Update run the updates were suddenly set to paused. My update rings and feature update policies in Intune were not paused, which was weird. I checked the updates being installed and found KB4023057; right after this was installed, the updates were set to paused.
After some digging I found that, for some reason, my feature updates were set to be managed by Group Policy. My findings and the solution are what this blog post is about.
This is not affecting everyone and might be a combination of policies causing the issue. If you have the issue, please comment with the OS build you are running. The video also shows three other KBs being installed, so hopefully I did not jump to conclusions on this based on what the update contained.
- Confirming the issue
- Registry values affected by the update
- Before the KB4023057
- After KB4023057 installs
- How to fix it
- Detection Script
- Remediation Script
- Extra all registry values affected after the update
Confirming the issue
I have included a video showing the issue and an image below.
You can check manually whether your clients have the issue by going to:
Settings – Windows Update – Advanced options – Configured update policies.
This is how it should look if your device is managed by Intune.
Registry values affected by the update
If your device is managed by GPO, your Windows Update policies are in:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
If your device is managed by Intune, your Windows Update policies are in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy
You can verify that your update rings and feature update policies are correctly set by checking the following registry locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
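To do the same check from a prompt instead of clicking through Settings, here is an added example script (not from the original post) that reads the three locations above and reports which ones exist and the update state they hold. It runs from an elevated PowerShell prompt; the function and output field names are my own and not Windows or Intune names.

```powershell
# Added example, not from the original post: report which of the registry locations above
# exist on this device and summarise the update policy state they hold.
# Run from an elevated PowerShell prompt. Function and output field names are my own choice.

$GpoKey         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$MdmPolicyState = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState'
$MdmSettings    = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings'

function Get-RegistryValues {
    # Return the values under a key as Name/Value pairs (without the PS* metadata
    # properties Get-ItemProperty adds), or nothing if the key does not exist.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object Name, Value
}

function Get-WindowsUpdatePolicySource {
    $state = if (Test-Path $MdmPolicyState) { Get-ItemProperty -Path $MdmPolicyState } else { $null }
    $set   = if (Test-Path $MdmSettings)    { Get-ItemProperty -Path $MdmSettings }    else { $null }

    # Properties of a $null object read back as $null here, so missing keys show as blanks.
    [pscustomobject]@{
        GpoKeyPresent                  = Test-Path -Path $GpoKey
        MdmPolicyStatePresent          = ($null -ne $state)
        PolicySources                  = $state.PolicySources
        FeatureUpdatesPaused           = $state.FeatureUpdatesPaused
        FeatureUpdatePausePeriodInDays = $state.FeatureUpdatePausePeriodInDays
        FeatureUpdatesDeferralInDays   = $state.FeatureUpdatesDeferralInDays
        QualityUpdatesDeferralInDays   = $state.QualityUpdatesDeferralInDays
        PausedFeatureStatus            = $set.PausedFeatureStatus
    }
}

$report = Get-WindowsUpdatePolicySource
$report | Format-List

if ($report.GpoKeyPresent) {
    # On a device that only gets its Windows Update settings from Intune this key should
    # not exist; its presence is what shows up as "Set by Group Policy" in Settings.
    Write-Warning "Group Policy Windows Update key exists on this device:"
    Get-RegistryValues -Path $GpoKey | Format-Table -AutoSize
}
if ($report.FeatureUpdatesPaused -eq 1) {
    Write-Warning "Feature updates are paused (FeatureUpdatesPaused=1); compare with your Intune update ring."
}
```

On a healthy Intune-only device the report shows GpoKeyPresent as False and the PolicyState values matching your update ring; on a device that is also (legitimately) getting Windows Update settings from Group Policy the key will exist, so treat the warning as a prompt to compare, not as proof of the issue.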
Before the KB4023057
Before KB4023057 is installed we can see that we do not have the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
(unless your device is managed by GPO and not Intune).
The image above displays the correct values set by Intune for my device; all good.
After KB4023057 installs
- Suddenly our Windows Update gets paused.
- Created: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- Our MDM policies get overwritten by the GPO settings that are applied.
Remember, this registry key should not exist at all on a device that is managed by Intune only.
The values from our update rings etc. get updated.
Well, this was no fun, but at least I know why my devices are not receiving 24H2 and are not respecting the policies set by Intune.
How to fix it
I created a simple detection and remediation script pair that checks for one or two things, depending on your needs.
Checks if:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
exists, as this should not exist if you are managing updates from Intune only. (If your devices also receive Windows Update settings via Group Policy, this check does not apply, and the remediation below would remove those settings.)
An extra check is included (you need to uncomment it in the detection script for it to be checked too):
Checks if FeatureUpdatePausePeriodInDays is in our MDM policy and set to 35 days.
I check for this because I saw it being set to 35 days every time during my tests; however, if you have configured your feature updates to be paused for 35 days, don't use this part. You can also improve/update the detection script to fit your environment.
The remediation script deletes the Group Policy key and the MDM UpdatePolicy key (so the stale values are gone) and initiates a new sync for the device; your registry values will then be automatically set back to what you configured in Intune, as they should be.
The sync part of the script is from oofhours.com.
Detection Script
```powershell
# Define the registry paths and value
$gpoRegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$mdmRegistryPath = "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState"
$keyName         = "FeatureUpdatePausePeriodInDays"
$expectedValue   = 35   # the pause period seen on affected devices during testing

# Check if the Group Policy registry key exists
if (Test-Path $gpoRegistryPath) {
    Write-Output "Registry key exists."

    # Optional: Uncomment the following block if you also want to check FeatureUpdatePausePeriodInDays
    # if (Test-Path $mdmRegistryPath) {
    #     $value = Get-ItemProperty -Path $mdmRegistryPath -Name $keyName -ErrorAction SilentlyContinue
    #     if ($value.$keyName -eq $expectedValue) {
    #         Write-Output "FeatureUpdatePausePeriodInDays is $expectedValue."
    #         exit 1
    #     } else {
    #         Write-Output "FeatureUpdatePausePeriodInDays is not $expectedValue."
    #         exit 0
    #     }
    # }

    # Non-compliant: the key is present on an Intune-managed device, run remediation
    exit 1
}
else {
    Write-Output "Registry key does not exist."
    # Compliant
    exit 0
}
```
Remediation Script
```powershell
# Define the registry paths
$gpoRegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$mdmRegistryPath = "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy"

try {
    # Check and remove Group Policy registry key (if it exists)
    if (Test-Path $gpoRegistryPath) {
        Remove-Item -Path $gpoRegistryPath -Recurse -Force
        Write-Output "Group Policy registry key deleted."
    } else {
        Write-Output "Group Policy registry key does not exist, no action taken."
    }

    # Check and remove MDM Update Policy registry key (if it exists);
    # it is recreated from the Intune policies by the MDM sync below
    if (Test-Path $mdmRegistryPath) {
        Remove-Item -Path $mdmRegistryPath -Recurse -Force
        Write-Output "MDM Update Policy registry key deleted."
    } else {
        Write-Output "MDM Update Policy registry key does not exist, no action taken."
    }

    # Start MDM Sync after registry keys are removed (WinRT MdmSessionManager, from oofhours.com)
    try {
        [Windows.Management.MdmSessionManager, Windows.Management, ContentType = WindowsRuntime] | Out-Null
        $session = [Windows.Management.MdmSessionManager]::TryCreateSession()
        $session.StartAsync() | Out-Null
        Write-Output "MDM sync initiated."
    }
    catch {
        Write-Output "Failed to initiate MDM sync: $($_.Exception.Message)"
    }

    # Exit with 0 to indicate successful remediation
    exit 0
}
catch {
    # If an error occurs, output the error message and exit with 1 to indicate failure
    Write-Output "Failed to delete the registry key(s): $($_.Exception.Message)"
    exit 1
}
```
Extra: all registry values affected after the update
This depends on your update ring settings.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
- Created: FeatureUpdatePausePeriodInDays (35 days)
- Updated: FeatureUpdatesDeferralInDays (11 days)
- Updated: FeatureUpdatesPaused: from 0 to 1
- Created: PauseFeatureUpdatesEndTime
- Created: PauseFeatureUpdatesStartTime
- Updated: PolicySources: from 4 to 2
- Updated: QualityUpdatesDeferralInDays: from 5 to 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
- Created: PausedFeatureDate
- Updated: PausedFeatureStatus: from 0 to 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
The entire WindowsUpdate key is created, containing the following registry values:
- ConfigureDeadlineForFeatureUpdates (30 days)
- ConfigureDeadlineForQualityUpdates (0 days)
- ConfigureDeadlineGracePeriod (1 day)
- DeferFeatureUpdates: 1
- DeferFeatureUpdatesPeriodInDays (11 days)
- DeferQualityUpdates: 1
- DeferQualityUpdatesPeriodInDays (0 days)
- NonSecurityRelease (1099)
- NonSecurityRelease_Date (1db17d4a7ea0900)
- PauseFeatureUpdatesStartTime (2024-10-06)
- PauseQualityUpdatesStartTime (no value)
- SetComplianceDeadline (1)
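The Created/Updated list above was produced by comparing the registry before and after the update. Here is an added example (not from the original post) of how to capture the same comparison on your own device: it snapshots the three keys to JSON, and a second function diffs two snapshots into Created, Removed and Updated rows. It runs elevated; the function names and file paths are my own choice.

```powershell
# Added example, not from the original post: snapshot the three keys listed above before a
# Windows Update run, snapshot again afterwards, and list which values were created, removed
# or changed. This reproduces the "Created:/Updated:" list above on your own device.
# Run elevated. File paths and function names are my own choice.

$KeysToWatch = @(
    'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState',
    'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
)

function Get-UpdatePolicySnapshot {
    # Ordered hashtable of "<key>\<value name>" -> data as a string, so REG_BINARY and
    # QWORD data compare reliably after a JSON round trip. Missing keys are skipped,
    # which is exactly what lets a later snapshot show the GPO key as "Created".
    $snap = [ordered]@{}
    foreach ($key in $KeysToWatch) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data = $item.GetValue($name)
            if ($data -is [byte[]]) {
                $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            $snap["$key\$name"] = [string]$data
        }
    }
    return $snap
}

function Save-UpdatePolicySnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Get-UpdatePolicySnapshot | ConvertTo-Json -Depth 2 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-UpdatePolicySnapshot {
    param(
        [Parameter(Mandatory)][string]$BeforePath,
        [Parameter(Mandatory)][string]$AfterPath
    )
    $before = Get-Content -Path $BeforePath -Raw | ConvertFrom-Json
    $after  = Get-Content -Path $AfterPath  -Raw | ConvertFrom-Json
    # ConvertFrom-Json returns PSCustomObjects; collect the value names for set comparison.
    $beforeNames = @($before.PSObject.Properties | ForEach-Object Name)
    $afterNames  = @($after.PSObject.Properties  | ForEach-Object Name)

    foreach ($n in ($afterNames | Where-Object { $_ -notin $beforeNames } | Sort-Object)) {
        [pscustomobject]@{ Change = 'Created'; Value = $n; Before = $null;      After = $after.$n }
    }
    foreach ($n in ($beforeNames | Where-Object { $_ -notin $afterNames } | Sort-Object)) {
        [pscustomobject]@{ Change = 'Removed'; Value = $n; Before = $before.$n; After = $null }
    }
    foreach ($n in ($beforeNames | Where-Object { $_ -in $afterNames } | Sort-Object)) {
        if ($before.$n -ne $after.$n) {
            [pscustomobject]@{ Change = 'Updated'; Value = $n; Before = $before.$n; After = $after.$n }
        }
    }
}

# Usage: take the first snapshot, let Windows Update run (e.g. install KB4023057), then compare.
#   Save-UpdatePolicySnapshot -Path C:\Temp\wu-before.json
#   ... run Windows Update / wait for the KB to install ...
#   Save-UpdatePolicySnapshot -Path C:\Temp\wu-after.json
#   Compare-UpdatePolicySnapshot -BeforePath C:\Temp\wu-before.json -AfterPath C:\Temp\wu-after.json |
#       Format-Table -AutoSize
```

Because the snapshot files are plain JSON, the same two functions can also be run on a device after the remediation script has synced, to confirm the GPO key shows up as Removed and the PolicyState values are back to your update ring settings.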