puppetlabs / puppetlabs-wsus_client

puppetlabs - wsus_client module
Apache License 2.0

Ensure that online 'dual scan' is mitigated #198

Open canihavethisone opened 1 year ago

canihavethisone commented 1 year ago

Use Case

As per https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/ (assuming this is still a known issue), Windows has a potential to perform dual-scan for updates even when a WSUS server is defined

Describe the Solution You Would Like

Mitigation in place if this is still an issue

Describe Alternatives You've Considered

As I manage a range of registry keys in a private module (based on CIS), I use the following overrides to mitigate the issue. This may serve as an example with affected registry keys

  # Disable setting of registry keys that result in 'dual scan', reaching out to Windows Update as well as WSUS
  # https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates' |>             { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays' |> { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates' |>             { ensure => absent }
  Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays' |> { ensure => absent }
  # Settings below are required to avoid 'dual scan', but prevent v1909 from contacting WSUS
  unless $facts['os']['windows']['release_id'] == '1909' {
    Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuilds' |>            { ensure => absent }
    Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuildsPolicyValue' |> { ensure => absent }
    Registry_value <| title == 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel' |>           { ensure => absent }
  }

Additional Context

Not limiting update source purely to a defined WSUS server is probably undesirable

brajjan commented 5 months ago

This is a big problem for us, as we use the wsus_client module with purge_values => true (to remove all the settings from different GPOs) and disable_windows_update_access => true. The clients with Dual Scan enabled cannot get any updates from WSUS on certain clients.

I will look through some other settings applied to the clients and see if I can find another solution, but the provided solution below should be OK to implement in the module now without any breaking changes.

Before disabling Dual Scan

PS C:\> Get-WUServiceManager

ServiceID                            IsManaged IsDefault Name
---------                            --------- --------- ----
7971f918-a847-4430-9279-4a52d1efe18d False     False     Microsoft Update
8b24b027-1dee-babb-9a95-3517dfb9c552 False     False     DCat Flighting Prod
855e8a7c-ecb4-4ca3-b045-1dfa50104289 False     False     Windows Store (DCat Prod)
3da21691-e39d-4da6-8a4b-b43877bcb1b7 True      False     Windows Server Update Service
9482f4b4-e343-43b6-b170-9a65bc822c77 False     True      Windows Update

No updates at all are found when searching for new updates.

When disabling Dual Scan

New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name DisableDualScan -PropertyType dword -Value 1

PS C:\> Get-WUServiceManager

ServiceID                            IsManaged IsDefault Name
---------                            --------- --------- ----
7971f918-a847-4430-9279-4a52d1efe18d False     False     Microsoft Update
8b24b027-1dee-babb-9a95-3517dfb9c552 False     False     DCat Flighting Prod
855e8a7c-ecb4-4ca3-b045-1dfa50104289 False     False     Windows Store (DCat Prod)
3da21691-e39d-4da6-8a4b-b43877bcb1b7 True      True      Windows Server Update Service
9482f4b4-e343-43b6-b170-9a65bc822c77 False     False     Windows Update

Updates are found when searching for updates

All settings set by puppet below

Title                                                                                                                      Value
-----                                                                                                                      -----
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer                                                          1
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer                                  https://internal.wsus.server:8531/
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer                            https://internal.wsus.server:8531/
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions                                                            4
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts                                         False
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates                                           True
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequency                                                   2
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess                                           True
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\ElevateNonAdmins                                                    False
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers                                    False
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate                                                     False
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootRelaunchTimeout                                               15
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootWarningTimeout                                                 5
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RescheduleWaitTime                                                  30
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay                                                  6
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime                                                 4
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup                                                       InternalServers
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AlwaysAutoRebootAtScheduledTime                                   True
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AlwaysAutoRebootAtScheduledTimeMinutes                              15

Solution

The solution for me would be to update the module with a parameter for DisableDualScan that defaults to undef.

brajjan commented 5 months ago

Some more information. It seems the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache folder keeps a cache for Windows Update client settings. The values were set by a previously applied GPO in CacheSet001 and the Puppet-applied settings in CacheSet002. As CacheSet001 had settings for deferral, they were also applied to the machine (even though the GPO was gone and the machine was restarted). They were not set in the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key, only in the cache.

So the solution would be to either remove the GPCache key and restart wuauserv (it gets recreated with the correct values), or preferably set DisableDualScan to 1.

I will post a pull request for setting that value as a parameter
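An audit script that checks the state described in the two comments above: whether a WSUS server is defined, whether DisableDualScan is set, and whether any of the deferral/preview values named in this issue are present in the live policy key or lingering in the GPCache. This is an added example for illustration, not code from the wsus_client module or from the issue authors; it assumes the CacheSet subkey layout under GPCache is not fixed, so it scans that key recursively.

```powershell
# Added audit example (not from the wsus_client module or the issue authors).
# Reports whether a WSUS-managed client is still at risk of 'dual scan' against Windows Update,
# including deferral values cached from earlier GPOs under GPCache (see the comment above).
# Assumption: exact CacheSet* layout is unknown here, so the cache key is scanned recursively.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$CacheKey  = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache'

# Values that, when present alongside a WUServer, lead to dual scan (taken from this issue)
$DualScanTriggers = @(
    'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
    'ManagePreviewBuilds', 'ManagePreviewBuildsPolicyValue', 'BranchReadinessLevel'
)

function Get-RegistryValueNames {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    return (Get-Item -Path $Path).GetValueNames()
}

function Test-DualScanRisk {
    $findings = [System.Collections.Generic.List[string]]::new()

    $policy = if (Test-Path -Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    $wsusDefined     = [bool]($policy -and $policy.PSObject.Properties['WUServer'])
    $disableDualScan = if ($policy) { $policy.DisableDualScan } else { $null }

    # Triggers present in the live policy key
    foreach ($name in (Get-RegistryValueNames -Path $PolicyKey)) {
        if ($DualScanTriggers -contains $name) { $findings.Add("policy: $name") }
    }
    # Triggers cached from earlier GPOs; the issue shows these still take effect
    if (Test-Path -Path $CacheKey) {
        foreach ($key in (Get-ChildItem -Path $CacheKey -Recurse)) {
            foreach ($name in $key.GetValueNames()) {
                if ($DualScanTriggers -contains $name) { $findings.Add("cache: $($key.PSChildName)\$name") }
            }
        }
    }

    [pscustomobject]@{
        WsusDefined     = $wsusDefined
        DisableDualScan = $disableDualScan
        Triggers        = $findings
        # At risk only if WSUS is configured, DisableDualScan is not 1, and a trigger exists
        AtRisk          = $wsusDefined -and ($disableDualScan -ne 1) -and ($findings.Count -gt 0)
    }
}

Test-DualScanRisk | Format-List
```

Run it in an elevated session on a client before and after applying DisableDualScan = 1 to confirm that AtRisk flips to False while any cached triggers are still listed.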