This blog will show you how to ensure that your devices resume updates after you pause your Update Rings in Intune. Sometimes, your device doesn’t resume updates, which we definitely don’t want.
1. Introduction
Microsoft released some bad patches this month. Many organizations paused their Update rings to ensure devices wouldn’t receive those bad updates. When pausing the update ring, the targeted device would stop receiving updates for 35 days and resume updating after the maximum number of days had passed.
Unfortunately, some devices still received those bad updates before receiving this “pause command.” Luckily, after a few days, Microsoft released some OOB updates to fix this issue. If you are interested in how you could deploy those OOB updates, please read my blog.
But for those devices that luckily didn’t receive the bad patch and had their updates paused, the IT admin needs to make sure those devices could resume the updates. So they did! Because they didn’t want their devices to run behind some important Windows updates
But as mentioned in this old question on the TechCommunity, sometimes it doesn’t resume the updates as you would expect.
Resuming Quality updates in Intune – Microsoft Tech Community
Just like these people here, we also experienced this issue ourselves. So, let’s take a look at what was happening
2. Taking a better look at the settings
When you read my blog about those January Updates, you could have noticed I showed you the registry key where those “Pause” settings reside.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update
So, let’s pause them all and look at what happened when we paused those Quality and Feature updates.
.
As shown below, some nice new registry settings would appear in the Update registry key :
“Pausefeatureupdates”, “PauseFeatureUpdatesStartTime”,”PauseQualityUpdates”, “PauseQualityUpdatesStartTime”, “PauseQualityUpdatesStartTime_ProviderSet” and “PauseFeatureUpdatesStartTime_ProviderSet”
Those keys are making sure the Windows Updates are paused. When trying to search for updates, you will end up with this notification: “Your organization paused some update for this device”
This is great when you want to make sure, those bad very bad updates aren’t going to be installed on your devices. But you should expect after resuming the updates, the device will start updating again.
Looking at the registry settings, when you “resumed” the updates, we would normally notice the “PauseFeatureupdates” will be changed from one to zero (disabled) and the start date will be removed from “PausefeatureupdatesStartTime”. Not to forget the PausefeatureupdatesStartTime_ProviderSet key, this one would normally be removed, as shown below
After those keys are removed, you can start updating Windows again.
3. The Issue
I guess I can be very quick about this paragraph because if you have read the question on the TechNet Community, you would know by now that sometimes clicking on “resume” doesn’t work as you expected.
Looking at the registry, you will notice that some keys are justn’t removed. For example, this registry key, “PauseQualityUpdatesStartTime_ProviderSet,” seems to be stuck on devices experiencing update issues!
And we all know if those registry keys aren’t removed, Windows Updates will still be paused! So, how do we fix this?
4. The PowerShell Fix
Like always, let’s cast a spell and fix it with PowerShell!
Of course, we will ensure that this PowerShell script is deployed to your devices when it is needed!
This PowerShell script will detect if those bad registry keys still exist, and if they do, it will fire off the remediation to delete those registry keys
Detect.PS1
#########################
#detect.ps1 #
########################
$key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"
$val = (Get-Item $key);
$PauseQualityUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdates"
$PauseQualityUpdatesStartTimeValue = $val.GetValue("PauseQualityUpdatesStartTime");
$PauseFeatureUpdatesStartTimeValue = $val.GetValue("PauseFeatureUpdatesStartTime");
$PauseFeatureUpdatesValue = $val.GetValue("PauseFeatureUpdates");
$PauseQualityUpdatesValue = $val.GetValue("PauseQualityUpdates");
if (($PauseQualityUpdatesStartTimevalue -ne '') -and ($PauseQualityUpdatesStartTimeProvider -eq $true))
{
Write-Host "Pause Quality Updates StartTime is still configured!"
Exit 1
}
if (($PauseFeatureUpdatesStartTimevalue -ne '') -and ($PauseFeatureUpdatesStartTimeProvider -eq $true))
{
Write-Host "Pause Feature Updates StartTime is still configured!"
Exit 1
}
if (($PauseQualityUpdates -eq $true) -and ($PauseQualityUpdatesvalue -eq '1'))
{
Write-Host "Pause Quality Updates is still configured!"
Exit 1
}
if (($PauseFeatureUpdates -eq $true) -and ($PauseFeatureUpdatesvalue -eq '1'))
{
Write-Host "Pause FeatureUpdates is still configured!"
Exit 1
}else{
Write-Host "Quality and Feature updates are not paused anymore"
Exit 0
}
Remediation.ps1
#########################
#remediate.ps1 #
########################
$key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"
$val = (Get-Item $key);
$PauseQualityUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdates"
$PauseQualityUpdatesStartTimeValue = $val.GetValue("PauseQualityUpdatesStartTime");
$PauseFeatureUpdatesStartTimeValue = $val.GetValue("PauseFeatureUpdatesStartTime");
$PauseFeatureUpdatesValue = $val.GetValue("PauseFeatureUpdates");
$PauseQualityUpdatesValue = $val.GetValue("PauseQualityUpdates");
if (($PauseQualityUpdatesStartTimevalue -ne '') -and ($PauseQualityUpdatesStartTimeProvider -eq $true))
{
Remove-ItemProperty -Path $key -Name "PauseQualityUpdatesStartTime"
Remove-ItemProperty -Path $key -Name "PauseQualityUpdatesStartTime_ProviderSet"
Remove-ItemProperty -Path $key -Name "PauseQualityUpdatesStartTime_WinningProvider"
}
if (($PauseFeatureUpdatesStartTimevalue -ne '') -and ($PauseFeatureUpdatesStartTimeProvider -eq $true))
{
Remove-ItemProperty -Path $key -Name "PauseFeatureUpdatesStartTime"
Remove-ItemProperty -Path $key -Name "PauseFeatureUpdatesStartTime_ProviderSet"
Remove-ItemProperty -Path $key -Name "PauseFeatureUpdatesStartTime_WinningProvider"
}
if (($PauseQualityUpdates -eq $true) -and ($PauseQualityUpdatesvalue -eq '1'))
{
Remove-ItemProperty -Path $key -Name "PauseQualityUpdates"
}
if (($PauseFeatureUpdates -eq $true) -and ($PauseFeatureUpdatesvalue -eq '1'))
{
Remove-ItemProperty -Path $key -Name "PauseFeatureUpdates"
}else{
Write-Host "Something Went wrong"
Exit 1
}
$key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"
$PauseQualityUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdates"
If (($PauseQualityUpdatesStartTime -eq $false) -and ($PauseFeatureUpdatesStartTime -eq $false) -and ($PauseFeatureUpdates -eq $false) -and ($PauseQualityUpdates -eq $false) -and ($PauseQualityUpdatesStartTimeProvider -eq $false) -and ($PauseFeatureUpdatesStartTimeProvider -eq $false) -eq $true)
{
write-host "Updates are not pauzed anymore"
exit 0
}else{
write-host "something went wrong"
exit 1
}
5. The Results
So after we have created our ProActive remediations as shown below, let’s wait some time to see what happens.
In one of my blogs about the Wonderful feature: Proactive remediations, I already showed you how you could monitor it.
Deploy Intune LAPS with the use of Proactive Remediations (call4cloud.nl)
Now let’s take a look at what happened after a couple of hours
Looking at the CSV we could export, it will tell us the Problem is resolved by looking at the PostRemediationDetectionScriptOutput. Isn’t that great?
Of course, all the registry keys are deleted on the device itself! Even after a couple of hours, the proactive remediations will rerun and notify you that the issue is resolved!
Conclusion
There’s no discussion that you will need to pause the updates. When Microsoft releases a bad patch on Patch Tuesday, we need to pause those update rings! But sometimes, those registry keys stay stuck when you resume them. Hopefully, you will now know how to deal with it!
Great Article!
Question I have is what about the scenario that you have paused updates due to troubleshooting BSOD’s on various systems in the environment. However, we are not sure if updates specifically are causing it, or any driver update that is included in the monthly updates and would like to further troubleshoot this but testing update installs manually. How would one go about circumventing the PAUSE and installing updates on specific systems? Use the same reg entry manually listed here? Would this break something long term? Or is there another solution I am missing? THANKS!
Hi, Thanx.. Just to be sure.. You are using Windows hello for business and you also enabled the driver part I presume?
we are using windows hello and in some cases our devices have facial cameras, others finger print and some just pin. I apologize, but may need clarification on what you mean “driver part”. We have HELLO working on devices. I assume if it were not the drivers would be missing?
My organisation has tried this having paused our update rings due to the July rollup interacting badly with a half implemented Intune policy we had left over. it worked fine at first but some the same day after the reg entries were deleted, they seeming came back. For example, PauseQualityUpdatesStartTime would come back with the original pause date listed. Bit puzzled by it all. Any thoughts?
i has same issue. Could you find any solution?
What about this key
PauseQualityUpdates_ProviderSet
I found this, set to 1, on my computer