Many companies have some kind of legacy deployment environment like SCCM, CAPA etc. with a backend WSUS server to deliver Windows updates, features and drivers to their clients, and access to Windows Update is restricted completely through Group Policy.
But when we talk about the update category FOD (Features on Demand), for example new language options like handwriting recognition, speech recognition etc., most companies will see that FOD fails when trying to install those features automatically if they use Windows 10 1709 or above. The users will also quite often get a failure notice in the Windows 10 notification center.
“Just let SCCM/WSUS handle this?” Well, from Windows 10 version 1709 it cannot use Windows Server Update Services (WSUS) to host FOD. We need to get the FOD from Windows Update directly. The way this is possible is to enable this group policy for Windows domain environments running WSUS or SCCM:
Changing this policy does not affect how other updates are distributed. They continue to come from WSUS or SCCM as you have scheduled them.
Just keep in mind that when choosing Windows Update as the repair source, your firewall must also be configured to allow access to Windows Update in general, and this policy also depends on a little Windows Update “backdoor”!
Now back to the policy setting that allows the client to get a “backdoor” out to Windows Update without messing up any update flow. SCCM/WSUS will still be the main provider of updates; only FOD updates will now flow from Windows Update down to the client.
The Windows Update policy that needs to be Disabled or Not Configured is:
Now the client should be able to get FOD directly from Windows Update while still being restricted regarding the users’ ability to manually update the client etc. This is because the WSUS settings are still enabled through group policy, and WSUS then has first priority to deliver normal Windows updates to the client.
Furthermore, from Windows 10 1809 it’s possible to host FOD content on a local share if Windows Update or internet access isn’t an option, because of internal company policy or security concerns, but that’s another talk for another day.
TIP: Don’t delete or reconfigure any other policy settings for the client regarding Windows Update; that may cause the client to bypass WSUS for updates etc.
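As an added example (not part of the original post), here is a PowerShell audit that reads the policy registry values behind the settings discussed above and reports whether WSUS is still enforced for normal updates while the Windows Update path for FOD is open. The registry paths and value names are taken from the WindowsUpdate and Servicing policy ADMX templates as I know them, not from the post; treat them as assumptions and verify against your own ADMX before relying on the result.

```powershell
# Added audit example: check the policy state the post describes.
# Registry value names are assumed from the WindowsUpdate / Servicing ADMX (verify locally).
$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuAU      = Join-Path $wuPolicy 'AU'
$servicing = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # value absent = policy Not Configured
}

function Test-FodPolicyState {
    $findings = @()

    # 1. WSUS must remain the source for normal updates (the TIP above).
    $useWsus = Get-PolicyValue $wuAU 'UseWUServer'
    $wsusUrl = Get-PolicyValue $wuPolicy 'WUServer'
    $wsusEnforced = ($useWsus -eq 1 -and -not [string]::IsNullOrEmpty($wsusUrl))
    if (-not $wsusEnforced) {
        $findings += 'WSUS is not enforced: the client may bypass WSUS for all updates.'
    }

    # 2. The client must be allowed to reach Windows Update at all for FOD;
    #    a value of 1 here blocks every Windows Update Internet location.
    $noInternet = Get-PolicyValue $wuPolicy 'DoNotConnectToWindowsUpdateInternetLocations'
    if ($noInternet -eq 1) {
        $findings += 'Windows Update Internet locations are blocked: FOD installs will fail.'
    }

    # 3. Optional component / repair source must point at Windows Update, not WSUS.
    $repairSource = Get-PolicyValue $servicing 'RepairContentServerSource'   # 2 = Windows Update
    $useWu        = Get-PolicyValue $servicing 'UseWindowsUpdate'            # 2 = never use WU
    if ($repairSource -ne 2) { $findings += 'Optional component source is not Windows Update.' }
    if ($useWu -eq 2)        { $findings += 'Policy forbids downloading FOD content from Windows Update.' }

    [pscustomobject]@{
        WsusEnforced        = $wsusEnforced
        FodViaWindowsUpdate = ($noInternet -ne 1 -and $repairSource -eq 2 -and $useWu -ne 2)
        Findings            = $findings
    }
}

Test-FodPolicyState | Format-List
```

Run it in an elevated PowerShell on a domain-joined client after a `gpupdate /force`; both flags should report True and Findings should be empty when the configuration in this post is in place.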
Go for it… 🙂