Update Rings: No Way Home

Last Updated on January 31, 2022 by rudyooms

This blog will show you how you could make sure your devices will resume updates after you paused your Update Rings in Intune. Sometimes your device doesn’t resume updates and that is something we definitely don’t want.

I will divide this blog into multiple parts

  1. Introduction
  2. Taking a better look
  3. The Issue
  4. The PowerShell Fix
  5. The Results

1.Introduction

Microsoft released some bad patches this month. To be sure devices wouldn’t receive those bad updates, a lot of organizations made sure they paused their Update rings. When pausing the update ring, the targeted device would stop receiving updates for 35 days and would resume updating after the maximum days have passed.

Afbeelding met tekst  Automatisch gegenereerde beschrijving

But unfortunately, some devices still received those bad updates before they could receive this “pause command”. Luckily after a few days, Microsoft released some OOB updates to fix this issue. If you are interested in how you could deploy those OOB updates, please read my blog.

But for those devices that luckily didn’t receive the bad patch and had their updates paused, the IT admin needs to make sure those devices could resume the updates. So they did! Because they didn’t want their devices to run behind some important Windows updates

But just like mentioned in this old question on the TechCommunity, sometimes it just doesn’t resume the updates like you would expect.

Resuming Quality updates in Intune – Microsoft Tech Community

Just like these people here, we also experienced this issue ourselves. So let’s take a look at what was happening

2.Taking a better look at the settings

When you have read my blog about those January Updates, you could have noticed I showed you the registry key where those “Pause” settings reside

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update

So let’s pause them all and take a look at what happened when we paused those Quality and Feature updates.

.

As shown below, some nice new registry settings would appear in the Update registry key :

“Pausefeatureupdates”, “PauseFeatureUpdatesStartTime”,”PauseQualityUpdates”, “PauseQualityUpdatesStartTime”, “PauseQualityUpdatesStartTime_ProviderSet” and “PauseFeatureUpdatesStartTime_ProviderSet”

Afbeelding met tekst

Automatisch gegenereerde beschrijving

Those keys are making sure the Windows Updates are paused. When trying to search for updates, you will end up with this notification: “Your organization paused some update for this device”

Afbeelding met tekst

Automatisch gegenereerde beschrijving

This is great when you want to make sure, those bad very bad updates aren’t going to be installed on your devices. But you should expect after resuming the updates, the device would start updating again?

Looking at the registry settings, when you “resumed” the updates, we would normally notice the “PauseFeatureupdates” will be changed from one to zero (disabled) and the start date will be removed from “PausefeatureupdatesStartTime”. Not to forget the PausefeatureupdatesStartTime_ProviderSet key, this one would normally be removed, like shown below

Afbeelding met tafel

Automatisch gegenereerde beschrijving

After those keys are removed, you could start updating Windows again.

Afbeelding met tekst

Automatisch gegenereerde beschrijving

3.The Issue

I guess I can be very quick about this paragraph because If you have read the question on the TechNet Community you would know by now, that sometimes clicking on “resume” doesn’t work as you expected.

Looking at the registry you will notice that some keys, just aren’t removed. As an example, this registry key “PauseQualityUpdatesStartTime_ProviderSet” seems to be stuck on those devices that are experiencing update issues!

And we all know if those registry keys aren’t removed, Windows Updates will still be paused! So how to fix this?

4.The PowerShell Fix

Like always, let’s cast a spell and fix it with PowerShell!

4 Spider-Man: No Way Home Gifs - Gif Abyss

Of course, we are going to make sure this PowerShell script will be deployed to your devices when it needs to be deployed!

This PowerShell script will detect if those bad registry keys still exist and if they do it will fire off the remediation to delete those registry keys

Detect.PS1

#########################
#detect.ps1         #
########################
$key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"
$val = (Get-Item $key);

$PauseQualityUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdates"

$PauseQualityUpdatesStartTimeValue = $val.GetValue("PauseQualityUpdatesStartTime");
$PauseFeatureUpdatesStartTimeValue = $val.GetValue("PauseFeatureUpdatesStartTime");
$PauseFeatureUpdatesValue = $val.GetValue("PauseFeatureUpdates");
$PauseQualityUpdatesValue = $val.GetValue("PauseQualityUpdates");


if (($PauseQualityUpdatesStartTimevalue -ne '') -and ($PauseQualityUpdatesStartTimeProvider -eq $true))
{
    Write-Host "Pause Quality Updates StartTime is still configured!"
    Exit 1
}
if (($PauseFeatureUpdatesStartTimevalue -ne '') -and ($PauseFeatureUpdatesStartTimeProvider -eq $true))
{
    Write-Host "Pause Feature Updates StartTime is still configured!"
    Exit 1
}
if (($PauseQualityUpdates -eq $true) -and ($PauseQualityUpdatesvalue -eq '1'))
{
    Write-Host "Pause Quality Updates is still configured!"
    Exit 1
}
if (($PauseFeatureUpdates -eq $true) -and ($PauseFeatureUpdatesvalue -eq '1'))
{
    Write-Host "Pause FeatureUpdates is still configured!"
    Exit 1
}else{
    Write-Host "Quality and Feature updates are not paused anymore"
    Exit 0
}

Remediation.ps1


#########################
#remediate.ps1         #
########################

$key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"
$val = (Get-Item $key);

$PauseQualityUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdates"

$PauseQualityUpdatesStartTimeValue = $val.GetValue("PauseQualityUpdatesStartTime");
$PauseFeatureUpdatesStartTimeValue = $val.GetValue("PauseFeatureUpdatesStartTime");
$PauseFeatureUpdatesValue = $val.GetValue("PauseFeatureUpdates");
$PauseQualityUpdatesValue = $val.GetValue("PauseQualityUpdates");


if (($PauseQualityUpdatesStartTimevalue -ne '') -and ($PauseQualityUpdatesStartTimeProvider -eq $true))
{
  Remove-ItemProperty -Path $key -Name "PauseQualityUpdatesStartTime"
  Remove-ItemProperty -Path $key -Name "PauseQualityUpdatesStartTime_ProviderSet" 
  Remove-ItemProperty -Path $key -Name "PauseQualityUpdatesStartTime_WinningProvider" 
}
if (($PauseFeatureUpdatesStartTimevalue -ne '') -and ($PauseFeatureUpdatesStartTimeProvider -eq $true))
{
  Remove-ItemProperty -Path $key -Name "PauseFeatureUpdatesStartTime"
  Remove-ItemProperty -Path $key -Name "PauseFeatureUpdatesStartTime_ProviderSet" 
  Remove-ItemProperty -Path $key -Name "PauseFeatureUpdatesStartTime_WinningProvider"
}
if (($PauseQualityUpdates -eq $true) -and ($PauseQualityUpdatesvalue -eq '1'))
{
    Remove-ItemProperty -Path $key -Name "PauseQualityUpdates" 
}
if (($PauseFeatureUpdates -eq $true) -and ($PauseFeatureUpdatesvalue -eq '1'))
{
    Remove-ItemProperty -Path $key -Name "PauseFeatureUpdates"
}else{
    Write-Host "Something Went wrong"
    Exit 1
}


$key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"
$PauseQualityUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $key -EA Ignore).Property -contains "PauseQualityUpdates"


If (($PauseQualityUpdatesStartTime -eq $false) -and ($PauseFeatureUpdatesStartTime -eq $false) -and ($PauseFeatureUpdates -eq $false) -and ($PauseQualityUpdates -eq $false) -and ($PauseQualityUpdatesStartTimeProvider -eq $false) -and ($PauseFeatureUpdatesStartTimeProvider -eq $false) -eq $true)
{
write-host "Updates are not pauzed anymore"
     exit 0
}else{
write-host "something went wrong"
     exit 1
}

5.The Results

So after we have created our ProActive remediations as shown below let’s wait some time to see what happens

Afbeelding met tekst

Automatisch gegenereerde beschrijving

In one of my blogs about the Wonderful feature: Proactive remediations, I already showed you how you could monitor it.

Deploy Intune LAPS with the use of Proactive Remediations (call4cloud.nl)

Now let’s take a look at what happened after a couple of hours

Looking at the CSV we could export, it will tell us the Problem is resolved by looking at the PostRemediationDetectionScriptOutput. Isn’t that great?

And of course, on the device itself all the registry keys are deleted! Even after a couple of hours the proactive remediations will rerun and will notify the issue is resolved!

Conclusion

It’s no discussion you will need to pause the updates, when Microsoft releases a bad patch on patch Tuesday we need to pause those update rings! But sometimes those registry keys just stay stuck when you resume them. Hopefully, you will now know how to deal with it!

Bad Batch Bad Batch Tuesday GIF - Bad Batch Bad Batch Tuesday The Bad Batch  - Discover & Share GIFs

5 thoughts on “Update Rings: No Way Home

  1. Great Article!
    Question I have is what about the scenario that you have paused updates due to troubleshooting BSOD’s on various systems in the environment. However, we are not sure if updates specifically are causing it, or any driver update that is included in the monthly updates and would like to further troubleshoot this but testing update installs manually. How would one go about circumventing the PAUSE and installing updates on specific systems? Use the same reg entry manually listed here? Would this break something long term? Or is there another solution I am missing? THANKS!

    1. Hi, Thanx.. Just to be sure.. You are using Windows hello for business and you also enabled the driver part I presume?

      1. we are using windows hello and in some cases our devices have facial cameras, others finger print and some just pin. I apologize, but may need clarification on what you mean “driver part”. We have HELLO working on devices. I assume if it were not the drivers would be missing?

  2. My organisation has tried this having paused our update rings due to the July rollup interacting badly with a half implemented Intune policy we had left over. it worked fine at first but some the same day after the reg entries were deleted, they seeming came back. For example, PauseQualityUpdatesStartTime would come back with the original pause date listed. Bit puzzled by it all. Any thoughts?

Leave a Reply

Your email address will not be published. Required fields are marked *

16  +    =  23