GPO: Block Dual Scan



Many admins seem to be confused about how to block “Dual Scan Mode” in their environment. The settings below stop WSUS clients from reaching out to the internet to get updates if the WSUS server doesn’t push them. These seem to be the settings you need to disable Dual Scan Mode.

To Resolve:

  1. Set the following:
    • Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update: set all settings to Not Enabled, except “Do not connect to any Windows Update Internet locations”, which is set to Enabled
    • Administrative Templates\System\Internet Communication Management\Internet Communication\: set “Turn off access to all Windows Update features” to Enabled
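
To confirm the GPO actually reached a client, the following PowerShell check reads the effective policy values from the registry. It is an added example, not part of the original post; the function name `Test-DualScanBlock` is hypothetical, and the two registry value names are the ones these policies are expected to write, so confirm them against your ADMX templates.

```powershell
# Added example: audit the two policy values on a WSUS client.
# Assumption: both policies write DWORD values under this policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Expected  = [ordered]@{
    # "Do not connect to any Windows Update Internet locations" = Enabled
    'DoNotConnectToWindowsUpdateInternetLocations' = 1
    # "Turn off access to all Windows Update features" = Enabled
    'DisableWindowsUpdateAccess'                   = 1
}

function Test-DualScanBlock {
    param([string]$Key = $PolicyKey)

    # A missing key means no Windows Update policy has been applied at all.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    $results = foreach ($name in $Expected.Keys) {
        $actual = if ($props -and $props.PSObject.Properties[$name]) {
            $props.$name
        } else {
            $null
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $Expected[$name])
        }
    }

    # Everything else configured under the same key, listed for manual
    # review against "all other settings Not Enabled" (WSUS server values
    # will normally show up here as well).
    $other = if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notin $Expected.Keys } |
            Select-Object Name, Value
    }

    [pscustomobject]@{
        Compliant   = -not ($results | Where-Object { -not $_.Compliant })
        Settings    = $results
        OtherValues = $other
    }
}

$report = Test-DualScanBlock
$report.Settings | Format-Table -AutoSize
$report.OtherValues | Format-Table -AutoSize
```

Run it in an elevated session after `gpupdate /force`; a `<not set>` result means the policy has not applied to that machine.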


“Demystifying Dual Scan”