GPO: Block Dual Scan

less than 1 minute read

Description:

So many admins seem to be confused on how to block “Dual Scan Mode” in their environment. These settings stop WSUS clients from reaching out to the internet to get updates if the WSUS server doesn’t push them. These seem to be the settings you need to set to disable Dual Scan Mode.

To Resolve:

  1. Set the following:
    ComputerConfiguration\Policies\AdministrativeTemplates\WindowsComponents\WindowsUpdate\
    ALL SETTINGS = NOT ENABLED

Administrative Templates\System\Internet Communication Management\Internet Communication\
“Turn off access to all windows update features.” = Enabled

Computer Configuration\Policies\Administrative templates\Windows Components\Windows Update
“Do not connect to any Windows Update Internet locations” = Enabled

Reference:

https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/