Call4Cloud | MMP-C | Autopilot | Device Preparation

Pause Update Rings: No Way Home

Patch My Pc | install & update thousands of apps

This blog will show you how to handle the issue where your device stops receiving updates due to the “Windows Updates Paused” setting, which limits updates for 35 days. Sometimes, even after this period, your device doesn’t automatically resume updates—a situation we definitely want to avoid. I’ll walk you through the steps to get updates back on track.

1. Introduction

Microsoft released some bad patches this month. Many organizations paused their Update rings to ensure devices wouldn’t receive those bad updates. When pausing the update ring, the targeted device would stop receiving updates for 35 days and resume updating after the maximum number of days had passed.

Windows Updates Paused. We are going to pause the feature update ring

Unfortunately, some devices still received those bad updates before receiving this “pause command.” Luckily, after a few days, Microsoft released some OOB updates to fix this issue. If you are interested in how you could deploy those OOB updates, please read my blog.

https://call4cloud.nl/2022/01/when-you-finish-saving-the-january-optional-updates

But for those devices that luckily didn’t receive the bad patch and had their updates paused, the IT admin needs to make sure those devices can resume updates. So they did! Because they didn’t want their devices to run behind some important Windows updates

pause and resume updates

But as mentioned in this old question on the TechCommunity, sometimes it doesn’t resume the updates as you would expect.

Resuming Quality updates in Intune – Microsoft Tech Community

Just like these people here, we also experienced this issue ourselves. So, let’s take a look at what was happening

2. Windows Update Settings

When you read my blog about those January Updates, you might have noticed that I showed you the registry key where those “Pause” settings reside.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update

So, let’s pause them all and look at what happened when we paused those Quality and Feature updates.

.

As shown below, some nice new registry settings will appear in the Update registry key :

  • Pausefeatureupdates
  • PauseFeatureUpdatesStartTime
  • PauseQualityUpdates
  • PauseQualityUpdatesStartTime
  • PauseQualityUpdatesStartTime_ProviderSet
  • PauseFeatureUpdatesStartTime_ProviderSet
“Pausefeatureupdates”, “PauseFeatureUpdatesStartTime”,”PauseQualityUpdates”, “PauseQualityUpdatesStartTime”, “PauseQualityUpdatesStartTime_ProviderSet” and “PauseFeatureUpdatesStartTime_ProviderSet” are configured

Those keys are making sure the Windows Updates are paused. When trying to search for updates, you will end up with this notification: “Your organization paused some update for this device”

Afbeelding met tekst  Automatisch gegenereerde beschrijving

This is great when you want to make sure, those bad very bad updates aren’t going to be installed on your devices. But you should expect after resuming the updates, the device will start updating again.

Looking at the registry settings, when you “resumed” the updates, we would normally notice the “PauseFeatureupdates” will be changed from one to zero (disabled) and the start date will be removed from “PausefeatureupdatesStartTime”. Do not forget the PausefeatureupdatesStartTime_ProviderSet key; this one would normally be removed, as shown below.

pausefeatureupdatesstarttime

Besides the PauseFeatureUpdates and PauseQualityUpdates registry keys in the PolicyManager\current\device\Update registry key, we also need to check out the Pause Policy CSP and if this one is deployed to the device. We can find the PauseDeferrals key in the software\policies\microsoft\windows\windowsupdate registry key. If that key is configured, you need to delete it!

After those keys are removed, you can start updating Windows again.

Afbeelding met tekst  Automatisch gegenereerde beschrijving

3. The Windows Updates Paused Issue

I guess I can be very quick about this paragraph because if you have read the question on the TechNet Community, you would know by now that sometimes clicking on “resume” doesn’t work as you expected.

Looking at the registry, you will notice that some keys have justn’t been removed. For example, this registry key, “PauseQualityUpdatesStartTime_ProviderSet,” seems to be stuck on devices experiencing update issues! And we all know if those registry keys aren’t removed, Windows Updates will still be paused! So, how do we fix this?

4. The PowerShell Fix

Like always, let’s cast a spell and fix it with PowerShell!

4 Spider-Man: No Way Home Gifs - Gif Abyss

Of course, we will ensure that this PowerShell script is deployed to your devices when it is needed!

This PowerShell script will detect if those bad registry keys still exist, and if they do, it will fire off the remediation to delete those registry keys

Detect.PS1

#########################
#detect.ps1            #
#########################

# Paths for registry keys
$keyUpdate = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"
$keyWindowsUpdate = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# Load values from the Update registry path
$valUpdate = (Get-Item $keyUpdate)
$PauseQualityUpdatesStartTime = (Get-Item $keyUpdate -EA Ignore).Property -contains "PauseQualityUpdatesStartTime"
$PauseFeatureUpdatesStartTime = (Get-Item $keyUpdate -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime"
$PauseFeatureUpdatesStartTimeProvider = (Get-Item $keyUpdate -EA Ignore).Property -contains "PauseFeatureUpdatesStartTime_ProviderSet"
$PauseQualityUpdatesStartTimeProvider = (Get-Item $keyUpdate -EA Ignore).Property -contains "PauseQualityUpdatesStartTime_ProviderSet"
$PauseFeatureUpdates = (Get-Item $keyUpdate -EA Ignore).Property -contains "PauseFeatureUpdates"
$PauseQualityUpdates = (Get-Item $keyUpdate -EA Ignore).Property -contains "PauseQualityUpdates"

$PauseQualityUpdatesStartTimeValue = $valUpdate.GetValue("PauseQualityUpdatesStartTime", $null)
$PauseFeatureUpdatesStartTimeValue = $valUpdate.GetValue("PauseFeatureUpdatesStartTime", $null)
$PauseFeatureUpdatesValue = $valUpdate.GetValue("PauseFeatureUpdates", $null)
$PauseQualityUpdatesValue = $valUpdate.GetValue("PauseQualityUpdates", $null)

# Check for PauseDeferrals key in the Windows Update registry path
$PauseDeferrals = (Get-Item $keyWindowsUpdate -EA Ignore).Property -contains "PauseDeferrals"
$PauseDeferralsValue = (Get-ItemProperty -Path $keyWindowsUpdate -Name "PauseDeferrals" -ErrorAction SilentlyContinue).PauseDeferrals

# Check if PauseDeferrals is set
if ($PauseDeferrals -and $PauseDeferralsValue -eq 1) {
    Write-Host "PauseDeferrals is still configured!"
    Exit 1
}

# Existing checks for other pause settings
if (($PauseQualityUpdatesStartTimeValue -ne '') -and ($PauseQualityUpdatesStartTimeProvider -eq $true)) {
    Write-Host "Pause Quality Updates StartTime is still configured!"
    Exit 1
}
if (($PauseFeatureUpdatesStartTimeValue -ne '') -and ($PauseFeatureUpdatesStartTimeProvider -eq $true)) {
    Write-Host "Pause Feature Updates StartTime is still configured!"
    Exit 1
}
if (($PauseQualityUpdates -eq $true) -and ($PauseQualityUpdatesValue -eq '1')) {
    Write-Host "Pause Quality Updates is still configured!"
    Exit 1
}
if (($PauseFeatureUpdates -eq $true) -and ($PauseFeatureUpdatesValue -eq '1')) {
    Write-Host "Pause Feature Updates is still configured!"
    Exit 1
} else {
    Write-Host "Quality and Feature updates are not paused anymore"
    Exit 0
}

Remediation.ps1


#########################
#remediate.ps1         #
########################

# Paths for registry keys
$keyUpdate = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update"
$keyWindowsUpdate = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# Registry values to remove from the Update registry path
$propertiesToRemove = @(
    "PauseQualityUpdatesStartTime",
    "PauseFeatureUpdatesStartTime",
    "PauseFeatureUpdatesStartTime_ProviderSet",
    "PauseQualityUpdatesStartTime_ProviderSet",
    "PauseFeatureUpdatesStartTime_WinningProvider",
    "PauseQualityUpdatesStartTime_WinningProvider",
    "PauseQualityUpdates_WinningProvider",
    "PauseFeatureUpdates_WinningProvider"
)

# Remove specified registry values if they exist
foreach ($property in $propertiesToRemove) {
    try {
        if ((Get-ItemProperty -Path $keyUpdate -Name $property -ErrorAction SilentlyContinue) -ne $null) {
            Remove-ItemProperty -Path $keyUpdate -Name $property -ErrorAction Stop -Force
            Write-Host "$property has been removed from $keyUpdate."
        }
    } catch {
        Write-Host "Failed to remove $property. Error: $_"
    }
}

# Remove PauseDeferrals if it exists in the Windows Update registry path
try {
    if ((Get-ItemProperty -Path $keyWindowsUpdate -Name "PauseDeferrals" -ErrorAction SilentlyContinue) -ne $null) {
        Remove-ItemProperty -Path $keyWindowsUpdate -Name "PauseDeferrals" -ErrorAction Stop -Force
        Write-Host "PauseDeferrals has been removed from $keyWindowsUpdate."
    }
} catch {
    Write-Host "Failed to remove PauseDeferrals. Error: $_"
}

# Ensure PauseFeatureUpdates and PauseQualityUpdates are set to zero
try {
    Set-ItemProperty -Path $keyUpdate -Name "PauseFeatureUpdates" -Value 0 -ErrorAction Stop -Force
    Write-Host "PauseFeatureUpdates has been set to zero."
} catch {
    Write-Host "Failed to set PauseFeatureUpdates to zero. Error: $_"
}

try {
    Set-ItemProperty -Path $keyUpdate -Name "PauseQualityUpdates" -Value 0 -ErrorAction Stop -Force
    Write-Host "PauseQualityUpdates has been set to zero."
} catch {
    Write-Host "Failed to set PauseQualityUpdates to zero. Error: $_"
}

# Final check to confirm all specified keys are deleted and required values are zero
$missingProperties = @()
foreach ($property in $propertiesToRemove) {
    if ((Get-ItemProperty -Path $keyUpdate -Name $property -ErrorAction SilentlyContinue) -ne $null) {
        $missingProperties += $property
    }
}

$PauseFeatureUpdatesValue = (Get-ItemProperty -Path $keyUpdate -Name "PauseFeatureUpdates" -ErrorAction SilentlyContinue).PauseFeatureUpdates
$PauseQualityUpdatesValue = (Get-ItemProperty -Path $keyUpdate -Name "PauseQualityUpdates" -ErrorAction SilentlyContinue).PauseQualityUpdates

# Check if any required properties still exist or if PauseFeatureUpdates/PauseQualityUpdates are not zero
if ($missingProperties.Count -eq 0 -and $PauseFeatureUpdatesValue -eq 0 -and $PauseQualityUpdatesValue -eq 0) {
    Write-Host "Remediation successful: All specified keys are deleted, and PauseFeatureUpdates/PauseQualityUpdates are set to zero."
    # Exit 0 (success)
} else {
    Write-Host "Remediation failed: The following keys still exist or values are incorrect:"
    if ($missingProperties.Count -gt 0) {
        Write-Host " - Remaining properties: $missingProperties"
    }
    if ($PauseFeatureUpdatesValue -ne 0) {
        Write-Host " - PauseFeatureUpdates is not zero (current value: $PauseFeatureUpdatesValue)"
    }
    if ($PauseQualityUpdatesValue -ne 0) {
        Write-Host " - PauseQualityUpdates is not zero (current value: $PauseQualityUpdatesValue)"
    }
     Exit 1 (failure)
}

5. The Results

So, after we have created our ProActive remediations, as shown below, let’s wait some time to see what happens.

Afbeelding met tekst  Automatisch gegenereerde beschrijving

In one of my blogs about the Wonderful feature: Proactive remediations, I already showed you how you could monitor it.

Deploy Intune LAPS with the use of Proactive Remediations (call4cloud.nl)

Now let’s take a look at what happened after a couple of hours

Looking at the CSV we could export, it will tell us the Problem is resolved by looking at the PostRemediationDetectionScriptOutput. Isn’t that great?

Of course, all the registry keys are deleted on the device itself! Even after a couple of hours, the proactive remediations will rerun and notify you that the issue is resolved!

Conclusion

There’s no discussion about whether you will need to pause the updates. When Microsoft releases a bad patch on Patch Tuesday, we need to pause those update rings! But sometimes, those registry keys stay stuck when you resume them. Hopefully, you will now know how to deal with it!

Bad Batch Bad Batch Tuesday GIF - Bad Batch Bad Batch Tuesday The Bad Batch  - Discover & Share GIFs

8 thoughts on “Pause Update Rings: No Way Home

  1. Great Article!
    Question I have is what about the scenario that you have paused updates due to troubleshooting BSOD’s on various systems in the environment. However, we are not sure if updates specifically are causing it, or any driver update that is included in the monthly updates and would like to further troubleshoot this but testing update installs manually. How would one go about circumventing the PAUSE and installing updates on specific systems? Use the same reg entry manually listed here? Would this break something long term? Or is there another solution I am missing? THANKS!

    1. Hi, Thanx.. Just to be sure.. You are using Windows hello for business and you also enabled the driver part I presume?

      1. we are using windows hello and in some cases our devices have facial cameras, others finger print and some just pin. I apologize, but may need clarification on what you mean “driver part”. We have HELLO working on devices. I assume if it were not the drivers would be missing?

  2. My organisation has tried this having paused our update rings due to the July rollup interacting badly with a half implemented Intune policy we had left over. it worked fine at first but some the same day after the reg entries were deleted, they seeming came back. For example, PauseQualityUpdatesStartTime would come back with the original pause date listed. Bit puzzled by it all. Any thoughts?

Leave a Reply

Your email address will not be published. Required fields are marked *

58  −  49  =  

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.