Usually, when you want to control the Windows Update settings, you create a GPO to manage the settings or tweak some registry entries. Both methods alter the registry values in the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
To reset any custom Windows Update settings, I would nuke that registry key, reverse the GPO, or both, then restart the Windows Update service, and everything would be good. However, that process stopped working consistently.
At some point, Microsoft tweaked something, and now there’s a scheduled task named Refresh Group Policy Cache. It’s unclear which update added this to systems, but it impacts Windows 10, Windows 11, and Windows Servers.
What is Refresh Group Policy Cache?
The Refresh Group Policy Cache is a scheduled task in the task scheduler under Microsoft > Windows > WindowsUpdate. It seems to be a custom scheduled task that uses the DLL %systemRoot%\system32\updatepolicy.dll.
I don’t know everything the DLL does but what I do know is that it is a Microsoft DLL, and its internal name is Update Policy Reader. I tried to find more information about it, but there isn’t much, and I’m not good at decompiling DLLs.
I did find the MUI file for the DLL. The MUI has a list of strings that provide an idea of the DLL’s purpose.
100 None
101 Set branch readiness level
102 Set period to defer Feature Update
103 Set period to defer Quality Update
104 Enable Update Pause
105 Branch readiness level
106 Enable Quality Update deferral
107 Quality Update deferral period
108 Enable Feature Update deferral
109 Feature Update deferral period
110 Pause Feature Updates
111 Pause Quality Updates
112 Exclude drivers from Windows Quality Updates
113 Start date for pausing Quality Updates
114 Start date for pausing Feature Updates
115 End date for pausing Quality Updates
116 End date for pausing Feature Updates
117 Enable Auto Restart deadline
118 Auto Restart deadline
119 Auto Restart deadline for Feature Updates
120 Disable check for updates by user
121 Enable Active Hours maximum range
122 Active Hours maximum range
123 Enable the method by which the auto restart required notifications are dismissed
124 Dismissal method for auto restart required notifications
125 Configures Auto Restart reminder schedule
127 Time period for displaying Auto Restart reminder notification
128 Turn off Auto Restart notification
129 Configure Auto Restart deadline warning notifications schedule
130 Time period for displaying Auto Restart deadline reminder notification
131 Time period for displaying Auto Restart deadline warning notification
133 Enable Auto - restart to Engaged restart transition schedule
134 Auto restart to Engaged restart transition schedule
135 Engaged restart snooze schedule
136 Engaged restart deadline
137 Auto restart to Engaged restart transition schedule for Feature Updates
138 Engaged restart snooze schedule for Feature Updates
139 Engaged restart deadline for Feature Updates
140 Enable skipping battery checks for EDU devices
141 Allow updates to be downloaded automatically over metered connections
142 Do not allow update deferral policies to cause scans against Windows Update
143 Disable Pause updates by user
144 Enable automatic wake up to install scheduled updates
145 Display options for update notifications
146 Specifies the number of days before Quality Updates are installed on a device automatically
147 Specifies the number of days before Feature Updates are installed on a device automatically
148 Allows device to have an additional grace period until restarts occur automatically for Quality Update installation
149 Do not attempt to auto reboot device outside of active hours before the deadline is reached
150 Target Version for Feature Updates
151 This setting specifies that a device that is configured with DeferFeatureUpdatesPeriodInDays or BranchReadinessLevel policies to skip safeguards.
152 Allows device to have an additional grace period until restarts occur automatically for Feature Update installation
1000 Microsoft Corporation.
1001 This task is used to refresh group policy cache in Windows Update
By playing around, I think I have a basic idea of what the scheduled task is doing. It seems that the Refresh Group Policy Cache scheduled task queries the values in the registry key
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
and duplicates them to a cache location of CacheSet001 or CacheSet002 in the registry key
HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache
What it takes to trigger that scheduled task, I’m not sure.
In my testing, there can only be two cache sets, and only one can be active. The value that controls which cache set is active is the REG_DWORD named ActiveCache. The number defined in the data value indicates which cache will be used.
The Issue
The problem with Refresh Group Policy Cache is that sometimes Windows Updates ignores the settings defined in
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
and instead honors the settings of the active cache in
HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache
This issue can impact any system with custom Windows Update settings. Also, it impacts systems imaged with ConfigMgr (Microsoft Configuration Manager aka SCCM (System Center Configuration Manager)) task sequences.
With ConfigMgr, there seems to be a bug that after imaging a system with a task sequence, the system will fail to run Windows Updates normally and cause issues with updates in the Microsoft Store.
What I think is happening is that when ConfigMgr runs a task sequence, it tweaks the Windows Update settings to ensure everything works as it wants. One of the task sequence’s tweaks enables the Windows Update setting DoNotConnectToWindowsUpdateInternetLocations.
Once the task sequence is completed, ConfigMgr removes the custom settings. However, sometimes the Refresh Group Policy Cache has already run, and the task sequence custom Windows Update settings are now stored in the GPCache.
For whatever reason, Windows Updates will ignore the actual settings and honor the settings stored in GPCache. Even rebooting the system or running GPUpdate does not trigger the Refresh Group Policy Cache scheduled task to run, and Windows Updates keeps using the settings defined in GPCache.
An example is the two screenshots above. They are from the same system, and that system is failing Windows Updates and Microsoft Store updates.
The issue is due to Windows Update settings such as DoNotConnectToWindowsUpdateInternetLocations being left active, and the only location where they are active is in the GPCache.
Even if you delete the entire registry key
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Windows Updates will still honor the settings defined in
HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache
Although the issue is more apparent with the ConfigMgr task sequence bug, this problem is not limited to systems in ConfigMgr. I’ve run into the issue of Windows Updates holding onto the wrong settings on systems that have never touched ConfigMgr.
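To see whether a machine is in this state before changing anything, the policy key can be compared with the active cache set. The script below is an added example, not from the original post or from Microsoft; it is read-only, its function names are hypothetical, and it assumes the active set's subkey is named CacheSet plus the zero-padded ActiveCache number and that cached values keep the same names as the policy values (it uses a WindowsUpdate subkey inside the cache set if one exists).

```powershell
# Added example (read-only): list Windows Update policy values that differ
# between the live policy key and the active GPCache set.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$cacheRoot = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache'

function Get-RegValueMap {
    # Flatten a key and all of its subkeys into 'sub\path\ValueName' -> data.
    param([string]$Root)
    $map = @{}
    if (-not (Test-Path -LiteralPath $Root)) { return $map }
    $rootKey = Get-Item -LiteralPath $Root
    $keys = @($rootKey) + @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $rel = $key.Name.Substring($rootKey.Name.Length).TrimStart('\')
        foreach ($name in $key.GetValueNames()) {
            $id = if ($rel) { "$rel\$name" } else { $name }
            $map[$id] = "$($key.GetValue($name))"   # stringify so arrays compare cleanly
        }
    }
    return $map
}

function Compare-WUPolicyCache {
    $active = (Get-ItemProperty -LiteralPath $cacheRoot -Name ActiveCache -ErrorAction SilentlyContinue).ActiveCache
    if ($null -eq $active) { Write-Warning 'GPCache or its ActiveCache value is not present.'; return }
    # Assumption: ActiveCache = 1 selects CacheSet001, 2 selects CacheSet002.
    $setPath = Join-Path $cacheRoot ('CacheSet{0:D3}' -f [int]$active)
    # Assumption: the set may nest its values under a WindowsUpdate subkey.
    $nested = Join-Path $setPath 'WindowsUpdate'
    if (Test-Path -LiteralPath $nested) { $setPath = $nested }

    $policy = Get-RegValueMap $policyKey
    $cache  = Get-RegValueMap $setPath
    $ids = @($policy.Keys) + @($cache.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        $inPolicy = $policy.ContainsKey($id)
        $inCache  = $cache.ContainsKey($id)
        if ($inPolicy -and $inCache -and $policy[$id] -eq $cache[$id]) { continue }
        $state = if (-not $inPolicy) { 'CacheOnly' } elseif (-not $inCache) { 'PolicyOnly' } else { 'Different' }
        [pscustomobject]@{ Value = $id; State = $state; Policy = $policy[$id]; Cache = $cache[$id] }
    }
}

Compare-WUPolicyCache | Format-Table -AutoSize
```

Rows marked CacheOnly are values that exist only in the cache, which is the situation described above for DoNotConnectToWindowsUpdateInternetLocations.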
The Fix
The way I see it, there are two fixes.
First Fix
Delete the GPCache registry key, forcing Windows Updates to listen to the real settings. The absence of the GPCache will force Windows Updates to honor the settings defined in
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
and you can just let GPCache figure life out. When it does trigger, it will copy the settings you actually want.
The command to do that would be
Remove-Item HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache -Recurse
Second Fix
Manually trigger the Refresh Group Policy Cache scheduled task to run and hope that everything is copied over correctly. I’m hesitant to use this option as I don’t know exactly how the Refresh Group Policy Cache scheduled task works.
The command to do that would be
schtasks /run /TN "\Microsoft\Windows\WindowsUpdate\Refresh Group Policy Cache"