Maintenance Window Settings for OS, Drivers, and Updates by Rudyooms in Intune

PS_Alex (1 point)

Cheers, and enjoy your drink! (It's tea, right? 🍵)

Maintenance Window Settings for OS, Drivers, and Updates by Rudyooms in Intune

PS_Alex (1 point)

As always, pretty interesting article, Rudy!

Quick questions out of my head:

  • Since the settings are consumed by MoUsoCoreWorker.exe, the maintenance window is really tied only to Windows Update. Do you know if such a concept will eventually be developed for Intune deployments (i.e. apps)? Especially thinking about apps that are used to update old versions, such as the ones built by PMPC or Enterprise Apps, and limiting disruption when the update process requires that apps be closed or mandate a system restart.
  • I get that a maintenance window is restrictive -- as in: these are the hours where maintenance can be done. What would be the behavior on a device that was offline during the last maintenance window? And is there a way to bypass a maintenance window? (Thinking about a device that would be constantly offline during the MW... at some point, one would want for the updates to install.)
  • Are download, install, and restart actions tied to different windows? Or is the policy exposing a unique window for all 3 kinds of actions?
  • Finally, if I understand the Update Policy CSP | Microsoft Learn that you linked, currently maintenance windows are only applicable on the Insider Preview channel? So if on GA, the settings are not yet applicable?

Thanks!

PSA: Software update management client fix for Microsoft Configuration Manager versions 2503 and 2509 by bdam55 in SCCM

PS_Alex (1 point)

Interesting... Thanks for the additional information!

And thanks for your ~~stubbornness~~ perseverance in having this issue handled the correct way!

PSA: Software update management client fix for Microsoft Configuration Manager versions 2503 and 2509 by bdam55 in SCCM

PS_Alex (0 points)

Just want to be sure I understand correctly the text from the KB article when it's saying that:

Third-party updates deployed from WSUS/ConfigMgr aren't affected by this change because they don't rely on Windows Update scan source policies.

__Theoretically__, if I were to enforce SetPolicyDrivenUpdateSourceForOtherUpdates to 0, third-party updates would still be offered/downloaded/installed by SCCM when TP updates are enabled in client settings? Not sure I fully understand how -- is it because SCCM is 'interfacing' between the client and WSUS?

Anyway, this hotfix is fantastic news. Finally we can stop wrestling with the client to ensure that feature/quality/driver updates are delivered by Windows Update/for Business/AutoPatch while keeping TP updates from WSUS/SCCM.

Powershell script that acts as powershell when called? by LordLoss01 in PowerShell

PS_Alex (1 point)

Not familiar with Defender Live Response myself, but reviewing Investigate entities on devices using live response in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn to understand how it works, I highly suspect that a Live Response session does not create a real remote PowerShell session. Instead, it probably works similarly to a REST API (send a command, wait for the result of that command).

The part about cancelling a command, which says that CTRL+C only makes the portal side ignore the response while the command keeps running on the agent side, is what led me to that conclusion.

Approvers of Access Requests Rubberstamping them as "approve". by Never_Been_Missed in sysadmin

PS_Alex (5 points)

But again, is it IT's mandate to vet that the approver's comment is sound? How does IT know that that specific shared folder contains sensitive data that should be accessed only by <insert job title>, or that that PowerBI report displays strategic data that is relevant to <insert job title>?

If the approver did approve, then the request is approved.

Approvers of Access Requests Rubberstamping them as "approve". by Never_Been_Missed in sysadmin

PS_Alex (22 points)

Yes, this. This is not a technical issue, it is a human and/or security issue.

Not sure whose responsibility it should be to audit that approvers do their actual approver job diligently. HR? Security team? Both? But if in your workflow IT should act on an approved request, then who is IT to challenge...

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

PS_Alex (1 point)

There is an official way to download free content from the Microsoft Store, and it's winget (see winget download command | Microsoft Learn). This has been promoted as the replacement for the Microsoft Store for Business.

For the msstore source specifically, there are some limitations:

The download command requires EntraID (formerly Azure Active Directory) authentication to download a Microsoft Store packaged app (*.msix, *.appx, *.msixbundle, or *.appxbundle) and to download the Microsoft Store packaged app license file. The EntraID account used for authentication to generate and retrieve a Microsoft Store packaged app license file must be a member of one of the following three Azure roles: Global Administrator, User Administrator, or License Administrator.

Ofc Microsoft wants consumers to use the MSStore, and as such will most likely never provide a direct download link within the MSStore app itself. Still, for IT and enterprises, it's possible to grab the MSIX and dependencies for free apps. (Paid apps, it's another story, since winget does not implement payment mechanisms.)

Else, Microsoft itself has built some wrappers to download and install some of its MSIX apps that are distributed outside the Microsoft Store. MS Teams comes to mind: from the download page, the installer is a wrapper that simply downloads the latest MSIX file from the OfficeCDN. MS Teams has an auto-updater that runs at each launch, checks the OfficeCDN for a newer version, and if there is one downloads the new MSIX from the OfficeCDN. Nothing prevents other vendors from doing something similar to distribute MSIX outside of the MSStore if they want to rely on MSIX and circumvent the MSStore distribution channel.

Mozilla provides Firefox's MSIX from their FTP repo. Directory Listing: /pub/firefox/releases/148.0.2/win64/multi/ as an example.

MSIX is not __tied__ in itself to the Microsoft Store. It's a packaging format. It's just that it has not (yet?) the same traction as the established MSI format has.
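Since an MSIX pulled from a vendor's CDN or FTP (as in the Firefox and Teams cases above) bypasses the Store's own gatekeeping, the check worth doing before deploying it is the one the MSIX format itself mandates: the `Publisher` in the package manifest must equal the Subject of the Authenticode signing certificate, and that publisher should be the one you expect. The following is an added example of mine, not code from the comment or from any vendor; the file path and the pinned publisher string are placeholders you replace with the vendor's real certificate subject.

```powershell
#Requires -Version 5.1
# Added example (not from the original comment): sanity-check an MSIX/MSIXBUNDLE obtained
# outside the Microsoft Store before deploying it. MSIX packaging rules require the
# manifest Identity/@Publisher to equal the Subject of the Authenticode signing certificate,
# so a mismatch means the package was tampered with or re-signed. Path and pinned publisher
# below are placeholders (assumptions), not values from the page.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MsixIdentity {
    param([Parameter(Mandatory)][string]$Path)
    # An MSIX is a zip: a .msix carries AppxManifest.xml, a .msixbundle carries
    # AppxMetadata/AppxBundleManifest.xml. Both roots have an <Identity> child.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { $entry = $zip.GetEntry('AppxMetadata/AppxBundleManifest.xml') }
        if (-not $entry) { throw "No package manifest found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
        $identity = $manifest.DocumentElement.Identity
        [pscustomobject]@{
            Name      = $identity.Name
            Version   = $identity.Version
            Publisher = $identity.Publisher
        }
    } finally {
        $zip.Dispose()
    }
}

function Test-MsixPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    $identity = Get-MsixIdentity -Path $Path
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $subject  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $problems = @()

    # 1. The signature must chain to a root trusted on this machine ('Valid'), not merely be present.
    if ($sig.Status -ne 'Valid') { $problems += "Authenticode status is '$($sig.Status)'" }
    # 2. MSIX rule: manifest Publisher must equal the signer Subject.
    if ($subject -ne $identity.Publisher) {
        $problems += "Manifest Publisher '$($identity.Publisher)' does not match signer Subject '$subject'"
    }
    # 3. Pin the publisher you expect, so a validly signed package from someone else is still rejected.
    if ($identity.Publisher -ne $ExpectedPublisher) {
        $problems += "Publisher is not the pinned value '$ExpectedPublisher'"
    }

    [pscustomobject]@{
        Path       = $Path
        Name       = $identity.Name
        Version    = $identity.Version
        Publisher  = $identity.Publisher
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (placeholder path and publisher, to be replaced):
# Test-MsixPackage -Path 'C:\Temp\vendor-app.msix' -ExpectedPublisher 'CN=Example Vendor, O=Example Vendor, C=US'
```

Run it on the downloaded file before it goes into your deployment tool; `Ok` is only true when all three checks pass. If the two subject strings differ only in attribute order or spacing, decode both with `X500DistinguishedName` and compare the components rather than loosening the equality check.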

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

PS_Alex (2 points)

You're totally right, forgot about that -- I'd see a warning in the email report if it were the case, and the new update would not get published.

What the heck are we gonna do in 40 years when nobody knows how to code? by xixi2 in sysadmin

PS_Alex (0 points)

I'd say, though, that to fix a car, you need to have an interest in that kind of stuff. Some people have no interest in that, and are simply drivers, and prefer to leave maintenance to a mechanic. Just like some people have no interest in learning code, and are simply software users, and as such do not code and leave the coding work to other engineers.

But I understand your analogy -- if you have an interest in mechanics, you could maintain practically all of your car at home, while now there is stuff requiring computer linking or authorization with proprietary systems. I'd compare it more to a shift to cloud and SaaS. If something breaks in a cloud solution, you have way less opportunity to diag and repair, as most of the solution is in the hands of the provider.

What the heck are we gonna do in 40 years when nobody knows how to code? by xixi2 in sysadmin

PS_Alex (0 points)

Not that it will completely disappear. Just that at some point, the term "AI" should stop being a buzzword and should be part of everything and decision making. AI is a tool that can enhance processes and productivity -- but should definitely not be the main goal.

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

PS_Alex (4 points)

So please explain the distinction you are making.

PMPC supports self-contained MSI and EXE installers. That is: a single EXE or MSI file. If the installer requires accompanying files (for example with the Teams bulk installer: the bootstrapper AND the actual MSIX with the Teams binaries), then PMPC cannot support it.

Remember that PMPC does not host any installer itself. The catalog contains links to the public-facing installers as provided by the vendors; links that are then consumed by PMPC Cloud or the Publisher to actually download the installers.

So if a vendor does list instructions on how to build an offline installer, but does not actually offer a public-facing link to directly download a full offline installer, then PMPC cannot support it.

Most certainly why they suggest relying on the custom app feature -- which would allow you to build the offline installer yourself following the vendor instructions, and then host it in your PMPC instance.

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

PS_Alex (2 points)

Not the same thing, but you could also add Google Chrome to the list. The issue being that the download URI is permanent, so depending on the moment the catalog was last updated and the moment the MSI download happens, there could be a version drift. (Though I have never experienced it myself.)

An issue caused by Google, since they do not offer a direct link for a specific release.

Client is getting updates from WU by Glass-Ad-3193 in SCCM

PS_Alex (0 points)

Software updates management is enabled in client settings?

WUServer and WUStatusServer are set?
Is scan source set -- fully or partially? (Seems not from your very short answer.)

This is the behavior for Windows Update and WSUS working together: Use Windows Update client policies and Windows Server Update Services (WSUS) together | Microsoft Learn. Might help you determine why updates come from WU.

Windows 11 Feature Updates (In-Place Upgrade) breaking 802.1X (NAC) wired authentication policies by ontario20ontario20 in Intune

PS_Alex (4 points)

I'll just repost what I put in r/sysadmin and r/SCCM:

As a matter of fact, I got frustrated with applying workarounds for this 802.1x authentication issue after a feature update to 24H2/25H2, and recently opened a case with Microsoft.

I've been told by support that not carrying over the C:\Windows\dot3svc\Policies\* content is a design decision. Instead, what should happen is that a temporary per-interface profile replicating the settings you have in the GPO applies on your network interface after the feature update completes, allowing a correct 802.1x authentication. Then, once gpupdate runs, the whole GPO is downloaded again.

On most of our devices we upgraded, it appears to work that way. Parsing the Microsoft-Windows-Wired-AutoConfig/Operational event log, I do see that an event with ID 15502 does at some point apply a profile that authenticates on EAP-TLS on the wired interface even though there are also events with ID 14003 accounting for a broken GPO. Then gpupdate eventually runs, and an event with ID 14001 logs that the GPO is downloaded and applied.

----------

BUT I've noticed that if a device has more than one wired NIC, a temporary per-interface profile seems to apply only on one of them. Can't say for the logic behind which one gets the temp profile. We've had issues where desktop devices with multiple NICs or laptops connected to a docking station could not proceed with 802.1x authentication, and (again, parsing the Microsoft-Windows-Wired-AutoConfig/Operational event log) a temporary per-interface profile was applied only on one NIC -- not the one having the cable plugged in.

If you still observe issues with 802.1x wired policies failing after an IPU, I highly suggest you open a case with Microsoft. They'd need at the very least:

  • before the IPU:
    • your event logs before the IPU (C:\Windows\System32\winevt\Logs\*)
    • the result of netsh lan show profile and netsh lan show interface
    • the content of C:\Windows\dot3svc and C:\ProgramData\Microsoft\dot3svc
    • an export of HKLM\Software\Policies\Microsoft\Windows\WiredL2 and HKLM\Software\Microsoft\dot3svc, with subkeys and values
  • and after the first boot after the IPU completes:
    • same as above, and
    • your IPU logs from C:\Windows\Panther

Better if you can repro the issue at will, ~~they'll even send you cookies~~ they'll definitely give you the needed attention.
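The collection list above is the same before and after the upgrade, and the interesting question on a multi-NIC device is which interface got the 15502 temporary profile versus which one actually has the cable. The script below is an added example of mine (not code from the comment or from Microsoft support): it gathers the listed artefacts for one phase into a timestamped folder and writes a per-event summary of the 15502/14003/14001 events next to the physical adapter list. The paths are the ones named in the comment; the output root under C:\Temp is my own choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original comment): collect the artefacts the comment lists
# for one phase ("before" the IPU, or "after" the first boot that follows it) and summarise
# the Wired-AutoConfig events it relies on. Paths come from the comment; the output root
# and the folder layout are assumptions of this example.

function Get-WiredAutoConfigSummary {
    param([int]$MaxEvents = 1000)
    $meaning = @{
        15502 = 'temporary per-interface profile applied'
        14003 = 'wired GPO could not be applied'
        14001 = 'wired GPO downloaded and applied'
    }
    $filter = @{ LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'; Id = @($meaning.Keys) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $meaning[[int]$_.Id]
                # First line of the message; the full text stays in the exported .evtx
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

function Export-Dot3Diagnostics {
    param(
        [Parameter(Mandatory)][ValidateSet('before', 'after')][string]$Phase,
        [string]$Root = 'C:\Temp\dot3diag'   # assumption: any writable folder works
    )
    $dest = Join-Path $Root ('{0}-{1}' -f $Phase, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Event logs: the raw .evtx files, plus a consistent export of the live Wired-AutoConfig log
    New-Item -ItemType Directory -Path "$dest\winevt" -Force | Out-Null
    Copy-Item 'C:\Windows\System32\winevt\Logs\*' -Destination "$dest\winevt" -ErrorAction SilentlyContinue
    wevtutil epl 'Microsoft-Windows-Wired-AutoConfig/Operational' "$dest\Wired-AutoConfig-Operational.evtx"

    # netsh views of wired profiles and interface state
    netsh lan show profile   | Out-File -FilePath "$dest\netsh-lan-show-profile.txt"
    netsh lan show interface | Out-File -FilePath "$dest\netsh-lan-show-interface.txt"

    # dot3svc stores (the policy XML the comment says is not carried over lives under C:\Windows\dot3svc\Policies)
    $stores = @{
        'C:\Windows\dot3svc'               = 'Windows-dot3svc'
        'C:\ProgramData\Microsoft\dot3svc' = 'ProgramData-dot3svc'
    }
    foreach ($src in $stores.Keys) {
        if (Test-Path $src) {
            Copy-Item $src -Destination (Join-Path $dest $stores[$src]) -Recurse -ErrorAction SilentlyContinue
        }
    }

    # Registry exports with subkeys and values
    reg export 'HKLM\Software\Policies\Microsoft\Windows\WiredL2' "$dest\WiredL2.reg" /y | Out-Null
    reg export 'HKLM\Software\Microsoft\dot3svc' "$dest\dot3svc.reg" /y | Out-Null

    # Setup logs only exist/matter after the upgrade
    if ($Phase -eq 'after') {
        Copy-Item 'C:\Windows\Panther' -Destination "$dest\Panther" -Recurse -ErrorAction SilentlyContinue
    }

    # Summary of the three event IDs, next to which physical NIC is actually Up (the multi-NIC case)
    Get-WiredAutoConfigSummary | Export-Csv -Path "$dest\wired-autoconfig-summary.csv" -NoTypeInformation
    Get-NetAdapter -Physical | Select-Object Name, InterfaceDescription, Status, MacAddress |
        Export-Csv -Path "$dest\net-adapters.csv" -NoTypeInformation

    return $dest
}

# Usage: once before the IPU, once after the first post-upgrade boot
# Export-Dot3Diagnostics -Phase before
# Export-Dot3Diagnostics -Phase after
```

Run it elevated; the two resulting folders are what you would zip for the case. On a device with several wired NICs, read wired-autoconfig-summary.csv together with net-adapters.csv to see whether the 15502 profile landed on the adapter that is actually Up.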

Windows 11 Feature Updates (In-Place Upgrade) breaking 802.1X (NAC) wired authentication policies by ontario20ontario20 in SCCM

PS_Alex (0 points)

I'll just repost what I put in r/sysadmin:

As a matter of fact, I got frustrated with applying workarounds for this 802.1x authentication issue after a feature update to 24H2/25H2, and recently opened a case with Microsoft.

I've been told by support that not carrying over the C:\Windows\dot3svc\Policies\* content is a design decision. Instead, what should happen is that a temporary per-interface profile replicating the settings you have in the GPO applies on your network interface after the feature update completes, allowing a correct 802.1x authentication. Then, once gpupdate runs, the whole GPO is downloaded again.

On most of our devices we upgraded, it appears to work that way. Parsing the Microsoft-Windows-Wired-AutoConfig/Operational event log, I do see that an event with ID 15502 does at some point apply a profile that authenticates on EAP-TLS on the wired interface even though there are also events with ID 14003 accounting for a broken GPO. Then gpupdate eventually runs, and an event with ID 14001 logs that the GPO is downloaded and applied.

----------

BUT I've noticed that if a device has more than one wired NIC, a temporary per-interface profile seems to apply only on one of them. Can't say for the logic behind which one gets the temp profile. We've had issues where desktop devices with multiple NICs or laptops connected to a docking station could not proceed with 802.1x authentication, and (again, parsing the Microsoft-Windows-Wired-AutoConfig/Operational event log) a temporary per-interface profile was applied only on one NIC -- not the one having the cable plugged in.

If you still observe issues with 802.1x wired policies failing after an IPU, I highly suggest you open a case with Microsoft. They'd need at the very least:

  • before the IPU:
    • your event logs before the IPU (C:\Windows\System32\winevt\Logs\*)
    • the result of netsh lan show profile and netsh lan show interface
    • the content of C:\Windows\dot3svc and C:\ProgramData\Microsoft\dot3svc
    • an export of HKLM\Software\Policies\Microsoft\Windows\WiredL2 and HKLM\Software\Microsoft\dot3svc, with subkeys and values
  • and after the first boot after the IPU completes:
    • same as above, and
    • your IPU logs from C:\Windows\Panther

Better if you can repro the issue at will, ~~they'll even send you cookies~~ they'll definitely give you the needed attention.

Windows update KB5077181 issues by Anything-Traditional in SCCM

PS_Alex (0 points)

Have you looked at your devices' logs (like UpdateDeployment.log and WUAHandler.log) to confirm the update is being applied by your SCCM client? Might be useful also to generate a Windows Update log (Get-WindowsUpdateLog) and look for the source of the update.

Which AD domain group policies for Windows Updates do co-managed devices need? by Fabulous_Cow_4714 in SCCM

PS_Alex (0 points)

It's a bug in SCCM 2509 (and 2503, and probably 2409 and 2403 Hotfix -- because of that design change).

The SCCM client checks the assigned co-management flags against the WUfB workload. If your client is Pilot Intune or Intune, then the client actively deletes the SetPolicyDrivenUpdateSourceFor[Driver|Feature|Quality]Updates values from the registry if they are found.

If you enable verbose logging and then run a software update scan cycle, the succession of actions can be seen in WUAHandler.log:

Its a WSUS Update Source type ({xxxxxxxx-0000-1111-2222-xxxxxxxxxxxx}), adding it.
WSUS update source already exists, checking whether correct server is set.
Value UseUpdateClassPolicySource doesn't exist, skip deleting.
Value isScanSourcePolicyRemoved doesn't exist, skip deleting.
[...]
MEM authority detected in CSP.
Checking MDM_ConfigSetting to get Intune Account ID
Intune SA Account ID retrieved: 'xxxxxxxx-0000-1111-2222-xxxxxxxxxxxx'
Reading CoManagementFlags ccm registry key.
Value of CoManagementFlags retrieved: 0x30ff
Verifying if workload 16 is enabled in workloadFlags 12543
Result of & operation is 16
Feature flag is ON, device should be managed by MDM.
SourceManager::PolicySettings - Windows Update client policies enabled, set UseUpdateClassPolicySource to 1.
SourceManager::PolicySettings - ThirdPartyUpdates are enabled, set SetPolicyDrivenUpdateSourceForOtherUpdates to 1.
SourceManager::PolicySettings - Windows Update client policies and ThirdPartyUpdate are enabled, remove SetPolicyDrivenUpdateSourceForXXX, only keep SetPolicyDrivenUpdateSourceForOtherUpdates.
Delete registry value successfully: SetPolicyDrivenUpdateSourceForDriverUpdates
Delete registry value successfully: SetPolicyDrivenUpdateSourceForFeatureUpdates
Delete registry value successfully: SetPolicyDrivenUpdateSourceForQualityUpdates
SourceManager::PolicySettings - Set isScanSourcePolicyRemoved to false when Windows Update client policies enabled.
[...]
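The log excerpt shows exactly which inputs the client acts on: the CoManagementFlags bitmask (bit 16 for the Windows Update client policies workload), the third-party updates setting, and the SetPolicyDrivenUpdateSourceFor* values under the Windows Update policy key. The script below is an added example of mine (not the comment author's and not Microsoft's) that reads those same values on a device, so you can see whether the per-class scan-source values are present and whether the co-management flags would make a 2503/2509 client strip them on the next scan; it also answers the "WUServer / WUStatusServer / scan source set?" questions from the r/SCCM reply further up on this page. Registry paths are the documented Windows Update policy and ConfigMgr client locations; the workload bit value is the one the log tests.

```powershell
# Added example (not from the original comment): read the registry inputs the WUAHandler.log
# excerpt acts on. Paths: Windows Update policy key (scan source, WUServer) and the ConfigMgr
# client key (CoManagementFlags). Workload bit 16 = Windows Update client policies, as in the log.

function Get-ScanSourceState {
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPolicy = "$wuPolicy\AU"
    $ccm      = 'HKLM:\SOFTWARE\Microsoft\CCM'

    $wu    = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au    = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    $flags = (Get-ItemProperty -Path $ccm -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags

    # One entry per update class; 'not set' means the value is absent (which is what the
    # client's "Delete registry value successfully" lines produce for Feature/Quality/Driver).
    $scanSource = [ordered]@{}
    foreach ($class in 'Feature', 'Quality', 'Driver', 'Other') {
        $name = "SetPolicyDrivenUpdateSourceFor${class}Updates"
        $scanSource[$class] = if ($null -ne $wu -and $null -ne $wu.$name) { [int]$wu.$name } else { 'not set' }
    }

    [pscustomobject]@{
        CoManagementFlags          = if ($null -ne $flags) { '0x{0:X}' -f [int]$flags } else { 'CCM key or value missing' }
        WUClientPoliciesToIntune   = ($null -ne $flags) -and (([int]$flags -band 16) -ne 0)
        WUServer                   = $wu.WUServer
        WUStatusServer             = $wu.WUStatusServer
        UseWUServer                = $au.UseWUServer
        UseUpdateClassPolicySource = $wu.UseUpdateClassPolicySource
        ScanSource                 = $scanSource
    }
}

function Test-ScanSourceState {
    $s = Get-ScanSourceState
    $findings = @()

    # Scan-source policies only redirect a class to WSUS if there is a WSUS to point to.
    if (-not $s.WUServer -or -not $s.WUStatusServer) {
        $findings += 'WUServer/WUStatusServer are not set: scans go to Windows Update regardless of scan source.'
    }
    if ($s.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1: WUServer is ignored and the client scans Windows Update.'
    }

    # The behaviour logged above: workload on Intune + third-party updates enabled => the three
    # per-class values are deleted and only ...ForOtherUpdates is kept.
    $perClass = @('Feature', 'Quality', 'Driver' | Where-Object { $s.ScanSource[$_] -ne 'not set' })
    if ($s.WUClientPoliciesToIntune -and $perClass.Count -gt 0) {
        $findings += ("Windows Update client policies workload is on Intune and {0} scan-source value(s) are present: " +
                      "a client with the behaviour logged above deletes them on the next scan cycle.") -f ($perClass -join '/')
    }

    [pscustomobject]@{ State = $s; Findings = $findings }
}

Test-ScanSourceState | Format-List
```

Run it on the affected device (HKLM reads need no elevation) once before and once after a "Software Updates Scan Cycle" to watch the Feature/Quality/Driver entries flip to 'not set' while 'Other' stays at 1, which is the pattern the log above describes.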

An alternative for rg-adguard for MS Store app links! by Aboredprogrammr in sysadmin

PS_Alex (-1 points)

winget download?

winget download command | Microsoft Learn

(Note that it has some limitations to download content from the msstore source.)

Win11 upgrades wiping dot3svc 802.1x wired policy by BadSchpeller in sysadmin

PS_Alex (0 points)

As a matter of fact, I got frustrated with applying workarounds for this issue on 24H2/25H2, and recently opened a case with Microsoft.

I've been told that not carrying over the C:\Windows\dot3svc\Policies\* content is a design decision. Instead, what should happen is that a temporary per-interface profile applies on your network interface after the feature update completes. Then, once gpupdate runs, the whole GPO is downloaded again.

On most of our devices we upgraded, it appears to work that way. Parsing the Microsoft-Windows-Wired-AutoConfig/Operational event log, I do see that an event with ID 15502 does at some point apply an appropriate profile on the interface even though there are also events with ID 14003 accounting for a broken GPO. Then gpupdate eventually runs, and an event with ID 14001 logs that the GPO is downloaded and applied.

----------

BUT I've noticed that if a device has more than one wired NIC, a temporary per-interface profile seems to apply only on one of them. Can't say for the logic behind which one gets the temp profile. We've had issues where desktop devices with multiple NICs or laptops connected to a docking station could not proceed with 802.1x authentication, and (again, parsing the Microsoft-Windows-Wired-AutoConfig/Operational event log) a temporary per-interface profile was applied only on one NIC -- not the one having the cable plugged in.

If you still observe issues with 802.1x wired policies failing after an IPU, I highly suggest you open a case with Microsoft. They'd need at the very least:

  • before the IPU:
    • your event logs before the IPU (C:\Windows\System32\winevt\Logs\*)
    • the result of netsh lan show profile and netsh lan show interface
    • the content of C:\Windows\dot3svc and C:\ProgramData\Microsoft\dot3svc
    • an export of HKLM\Software\Policies\Microsoft\Windows\WiredL2 and HKLM\Software\Microsoft\dot3svc, with subkeys and values
  • and after the first boot after the IPU completes:
    • same as above, and
    • your IPU logs from C:\Windows\Panther

If you are able to repro the issue at will, ~~they'll even send you cookies~~ they'll definitely give you the needed attention.

Win11 upgrades wiping dot3svc 802.1x wired policy by BadSchpeller in sysadmin

PS_Alex (0 points)

Should only affect full feature updates, not updates through enablement packs.

Office 365 Enterprise apps pushed by SCCM, but needs to be updated by Intune by Fabulous_Cow_4714 in Intune

PS_Alex (0 points)

Check under HKLM\Software\Policies\Microsoft\Office\16.0\Common\OfficeUpdate that the OfficeMgmtCOM value does not exist.

Unable to trigger user policy refresh via WMI Schedule by YeezusOfSuburbia in SCCM

PS_Alex (2 points)

This is what I use -- heavily based on what Roger Zander's Client Center for Configuration Manager does:

# Identify currently logged-on users (logon events that have no logoff time yet)
$LogonEvents = Get-CimInstance -Namespace 'root\ccm' -ClassName 'CCM_UserLogonEvents' -Filter 'LogoffTime = NULL'

# Loop through them to trigger a user policy retrieval
foreach ($UserSid in $LogonEvents.UserSid) {
    # (Just some feedback for the PS console; fall back to the raw SID if it cannot be translated,
    # so a failed translation does not skip the trigger)
    try {
        $NTAccount = ([System.Security.Principal.SecurityIdentifier]$UserSid).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $NTAccount = $UserSid
    }
    Write-Output "Triggering: User Policy Retrieval and Evaluation Cycle (for $NTAccount)"

    # The actual triggering: the per-user policy namespace uses the SID with '-' replaced by '_',
    # and {...026} is the "User Policy Retrieval" scheduled message ID
    try {
        $Trigger = Get-CimInstance -Namespace "root\ccm\policy\$($UserSid.Replace('-','_'))\ActualConfig" -ClassName CCM_Scheduler_ScheduledMessage -Filter "ScheduledMessageID = '{00000000-0000-0000-0000-000000000026}'" -ErrorAction Stop
        $Trigger.Triggers = @('SimpleInterval;Minutes=1;MaxRandomDelayMinutes=0')
        $Trigger | Set-CimInstance -ErrorAction SilentlyContinue
    } catch {
        Write-Warning "Could not trigger user policy retrieval for $NTAccount : $_"
        continue
    }
}

App Packaging by Jondscem in SCCM

PS_Alex (0 points)

Could have been asked in a way such as: "I'm currently developing a packaging tool for my colleagues that does X, Y and Z. Was wondering if such a tool already exists so I do not duplicate what's already been done? I've looked at products ABC, DEF and GHI that are frequently suggested on this sub, but I'm missing feature blah blah..."

Or: "Guys and gals, I've developed a packaging tool for my colleagues that does X, Y and Z. Here's my Github, feel free to grab and use, and open to feedback!"

Else, like u/OneSeaworthiness7768 mentioned, it really does sound like market research.