Windows 10/11: Using Windows Update for Business and WSUS together

Windows[German]Brief information for administrators in enterprise environments. Microsoft has published an article as of February 28, 2023 with notes on what has changed when scanning for updates on clients running Windows 10 and Windows 11 and how the machines scan for new patches using either Windows Update for Business (WUfB) and WSUS. DualScan is dead according to this and administrators need to watch what group policies are set.


The issue came to my attention in late February 2023 via the following tweet. Ariaupdated points out the update described in the article Use Windows Update for Business and WSUS together.

Use Windows Update for Business and WSUS together

New policy, the end of Dual Scan

Effective Sept. 1, 2021, KB5005101 introduced a scan source policy (WUfB, WSUS), but it applies to Windows 10 (2004 and later) and Windows 11 clients. The Windows Update Scan Source Policy allows administrators to choose whether clients scan the local WSUS server or the Windows Update Service (WUfB) when checking for updates. I noticed the following note in the article:

The policy Do not allow update deferral policies to cause scans against Windows Update, also known as Dual Scan, is no longer supported on Windows 11 and on Windows 10 it is replaced by the new Windows scan source policy and is not recommended for use. If you configure both on Windows 10, you will not get updates from Windows Update.

So Microsoft is retiring Dual Scan, which is no longer supported in Windows 11. On Windows 10, administrators need to watch out for Dual Scan being replaced by the new Windows Scan Source Policy. If both are configured on Windows 10, clients will no longer receive updates from Windows Update.

Configuring the scan source

The new "Specify Scan Source" policy allows administrators to specify whether a client obtains the following Windows update types from WSUS or from Windows Update:


  • Feature updates
  • Windows quality updates
  • Driver and firmware updates
  • Updates for other Microsoft products

Microsoft recommends using this policy when transitioning from a fully on-premises managed environment to a cloud-based environment. Whether administrators currently move only driver and firmware updates to the cloud, or move driver and quality updates and then the other workloads later, a phased approach can ease the transition, Microsoft writes.

How the client searches by default

In the support article, Microsoft explains how clients with Windows 10 and Windows 11 will behave during the update search in the future.

  • If no policy is configured, all updates come from Windows Update.
  • If only the WSUS server policy is configured, the following applies:
    • Under Windows 10: All updates come from WSUS.
    • On Windows 11: All updates continue to come from Windows Update unless the "Specify Scan Source" policy is configured.
  • If an administrator configures a WSUS server and deferral policies, the following applies: All your updates come from Windows Update unless the "Specify Scan Source" policy is configured.

The only two relevant policies for where your updates come from are the "Specify scan source" policy and whether or not a WSUS server is configured. Microsoft hopes to simplify configuration options this way.

If clients have been configured to get updates via WSUS and the policy for specifying the scan source for feature updates is not configured to get them via Windows Update, or if no policies have been set to offer Windows Update for Business, a user can select the "Check for updates online" option on the settings page. Then he may get the optional upgrade to Windows 11 displayed. Microsoft therefore recommends configuring the scan source policy or a Windows Update for Business policy to prevent this.

BTW: The policies may be found in the download from: Administrative Templates (.admx) for Windows 10 2022 Update (22H2)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Update, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *