Updates Rings: No Way Home

This blog will show you how you could make sure your devices will resume updates after you paused your Update Rings in Intune. Sometimes your device doesn’t resume updates and that is something we definitely don’t want.

I will divide this blog into multiple parts

  1. Introduction
  2. Taking a better look
  3. The Issue
  4. The PowerShell Fix
  5. The Results

Microsoft released some bad patches this month. To be sure devices wouldn’t receive those bad updates, a lot of organizations made sure they paused their Update rings. When pausing the update ring, the targeted device would stop receiving updates for 35 days and would resume updating after the maximum days have passed.

Afbeelding met tekst  Automatisch gegenereerde beschrijving

But unfortunately, some devices still received those bad updates before they could receive this “pause command”. Luckily after a few days, Microsoft released some OOB updates to fix this issue. If you are interested in how you could deploy those OOB updates, please read my blog.

But for those devices that luckily didn’t receive the bad patch and had their updates paused, the IT admin needs to make sure those devices could resume the updates. So they did! Because they didn’t want their devices to run behind some important Windows updates

But just like mentioned in this old question on the TechCommunity, sometimes it just doesn’t resume the updates like you would expect.

Resuming Quality updates in Intune – Microsoft Tech Community

Just like these people here, we also experienced this issue ourselves. So let’s take a look at what was happening

When you have read my blog about those January Updates, you could have noticed I showed you the registry key where those “Pause” settings reside

HKEY_LOCAL_MACHINESOFTWAREMicrosoftPolicyManagercurrentdeviceUpdate

So let’s pause them all and take a look at what happened when we paused those Quality and Feature updates.

.

As shown below, some nice new registry settings would appear in the Update registry key :

“Pausefeatureupdates”, “PauseFeatureUpdatesStartTime”,”PauseQualityUpdates”, “PauseQualityUpdatesStartTime”, “PauseQualityUpdatesStartTime_ProviderSet” and “PauseFeatureUpdatesStartTime_ProviderSet”

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Those keys are making sure the Windows Updates are paused. When trying to search for updates, you will end up with this notification: “Your organization paused some update for this device”

Afbeelding met tekst  Automatisch gegenereerde beschrijving

This is great when you want to make sure, those bad very bad updates aren’t going to be installed on your devices. But you should expect after resuming the updates, the device would start updating again?

Looking at the registry settings, when you “resumed” the updates, we would normally notice the “PauseFeatureupdates” will be changed from one to zero (disabled) and the start date will be removed from “PausefeatureupdatesStartTime”. Not to forget the PausefeatureupdatesStartTime_ProviderSet key, this one would normally be removed, like shown below

Afbeelding met tafel  Automatisch gegenereerde beschrijving

After those keys are removed, you could start updating Windows again.

Afbeelding met tekst  Automatisch gegenereerde beschrijving

I guess I can be very quick about this paragraph because If you have read the question on the TechNet Community you would know by now, that sometimes clicking on “resume” doesn’t work as you expected.

Looking at the registry you will notice that some keys, just aren’t removed. As an example, this registry key “PauseQualityUpdatesStartTime_ProviderSet” seems to be stuck on those devices that are experiencing update issues!

And we all know if those registry keys aren’t removed, Windows Updates will still be paused! So how to fix this?

Like always, let’s fix it with PowerShell and of course, we are going to make sure this PowerShell script will be deployed to your devices when it needs to be deployed!

This PowerShell script will detect if those bad registry keys still exist and if they do it will fire off the remediation to delete those registry keys

Detect.PS1

#########################
#detect.ps1         #
########################
$key = "HKLM:SOFTWAREMicrosoftPolicyManagercurrentdeviceUpdate"
$val = (Get-Item $key);

$PauseQualityUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdates"

$PauseQualityUpdatesStartTimeValue = $val.GetValue("PauseQualityUpdatesStartTime");
$PauseFeatureUpdatesStartTimeValue = $val.GetValue("PauseFeatureUpdatesStartTime");
$PauseFeatureUpdatesValue = $val.GetValue("PauseFeatureUpdates");
$PauseQualityUpdatesValue = $val.GetValue("PauseQualityUpdates");


if (($PauseQualityUpdatesStartTimevalue -ne '') -and ($PauseQualityUpdatesStartTimeProvider -eq $true))
{
    Write-Host "Pause Quality Updates StartTime is still configured!"
    Exit 1
}
if (($PauseFeatureUpdatesStartTimevalue -ne '') -and ($PauseFeatureUpdatesStartTimeProvider -eq $true))
{
    Write-Host "Pause Feature Updates StartTime is still configured!"
    Exit 1
}
if (($PauseQualityUpdates -eq $true) -and ($PauseQualityUpdatesvalue -eq '1'))
{
    Write-Host "Pause Quality Updates is still configured!"
    Exit 1
}
if (($PauseFeatureUpdates -eq $true) -and ($PauseFeatureUpdatesvalue -eq '1'))
{
    Write-Host "Pause FeatureUpdates is still configured!"
    Exit 1
}else{
    Write-Host "Quality and Feature updates are not paused anymore"
    Exit 0
}

Remediation.ps1


#########################
#remediate.ps1         #
########################

$key = "HKLM:SOFTWAREMicrosoftPolicyManagercurrentdeviceUpdate"
$val = (Get-Item $key);

$PauseQualityUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdates"

$PauseQualityUpdatesStartTimeValue = $val.GetValue("PauseQualityUpdatesStartTime");
$PauseFeatureUpdatesStartTimeValue = $val.GetValue("PauseFeatureUpdatesStartTime");
$PauseFeatureUpdatesValue = $val.GetValue("PauseFeatureUpdates");
$PauseQualityUpdatesValue = $val.GetValue("PauseQualityUpdates");


if (($PauseQualityUpdatesStartTimevalue -ne '') -and ($PauseQualityUpdatesStartTimeProvider -eq $true))
{
  Remove-ItemProperty -Path $key -Name "PauseQualityUpdatesStartTime"
  Remove-ItemProperty -Path $key -Name "PauseQualityUpdatesStartTime_ProviderSet" 
  Remove-ItemProperty -Path $key -Name "PauseQualityUpdatesStartTime_WinningProvider" 
}
if (($PauseFeatureUpdatesStartTimevalue -ne '') -and ($PauseFeatureUpdatesStartTimeProvider -eq $true))
{
  Remove-ItemProperty -Path $key -Name "PauseFeatureUpdatesStartTime"
  Remove-ItemProperty -Path $key -Name "PauseFeatureUpdatesStartTime_ProviderSet" 
  Remove-ItemProperty -Path $key -Name "PauseFeatureUpdatesStartTime_WinningProvider"
}
if (($PauseQualityUpdates -eq $true) -and ($PauseQualityUpdatesvalue -eq '1'))
{
    Remove-ItemProperty -Path $key -Name "PauseQualityUpdates" 
}
if (($PauseFeatureUpdates -eq $true) -and ($PauseFeatureUpdatesvalue -eq '1'))
{
    Remove-ItemProperty -Path $key -Name "PauseFeatureUpdates"
}else{
    Write-Host "Something Went wrong"
    Exit 1
}


$key = "HKLM:SOFTWAREMicrosoftPolicyManagercurrentdeviceUpdate"
$PauseQualityUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdates"


If (($PauseQualityUpdatesStartTime -eq $false) -and ($PauseFeatureUpdatesStartTime -eq $false) -and ($PauseFeatureUpdates -eq $false) -and ($PauseQualityUpdates -eq $false) -and ($PauseQualityUpdatesStartTimeProvider -eq $false) -and ($PauseFeatureUpdatesStartTimeProvider -eq $false) -eq $true)
{
write-host "Updates are not pauzed anymore"
     exit 0
}else{
write-host "something went wrong"
     exit 1
}

So after we have created our ProActive remediations as shown below let’s wait some time to see what happens

Afbeelding met tekst  Automatisch gegenereerde beschrijving

In one of my blogs about the Wonderful feature: Proactive remediations, I already showed you how you could monitor it.

Deploy Intune LAPS with the use of Proactive Remediations (call4cloud.nl)

Now let’s take a look at what happened after a couple of hours

Looking at the CSV we could export, it will tell us the Problem is resolved by looking at the PostRemediationDetectionScriptOutput. Isn’t that great?

And of course, on the device itself all the registry keys are deleted! Even after a couple of hours the proactive remediations will rerun and will notify the issue is resolved!

It’s no discussion you will need to pause the updates, when Microsoft releases a bad patch on patch Tuesday we need to pause those update rings! But sometimes those registry keys just stay stuck when you resume them. Hopefully, you will now know how to deal with it!

Bad Batch Bad Batch Tuesday GIF - Bad Batch Bad Batch Tuesday The Bad Batch  - Discover & Share GIFs
avatar
Rudy Oomshttps://call4cloud.nl/
Rudy is a Modern workplace architect and currently working for a company in the Netherlands, called Deltacom Steenbergen. He has been working in IT since he was 16 years old. Within these years, he gained a lot of experience in different kinds of expertise. I guess like most of you, he started working with active directory environments. In June 2021 he received the MVP status in the category Enterprise Mobility for the first time. The multi-tenant PowerShell scripted Deltacom-Cloud environment is one of his creations.

Related Articles

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Stay Connected

6,065FollowersFollow
5,929FollowersFollow

Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.

Latest Articles