Do not connect to any Windows Update Internet locations SCCM

Hi,

I am using SCCM CB setup with WSUS for Windows updates. I'm wanting all computers to receive approved updates strictly via SCCM and NOT Microsoft Update.

I require that updates are NOT automatically downloaded/installed in the background from Microsoft Update, and that users can NOT click 'Check online for updates from Microsoft Online' in settings.

From what I can see, SCCM sets the local policies for 'Specify intranet Microsoft update location' (to the SCCM server) and 'Do not allow update deferral policies to cause scans against Windows update' (I've read that this disables dual scan?).

For some unknown reason too, computers have the 'Do not connect to any Windows Update Internet locations' policy enabled, which is stopping users from downloading apps in the Microsoft Store - I need them to be able to use the store.

I've read about the following and these policies sound like they might be what I need:

Configure Automatic Updates - Disable

Do Not Connect to any Windows Update Internet Locations - Disable (Is currently enabled, don't know why - there's no existing GPO for this set and it's stopping store from working).

Turn off access to all Windows Update features - Enable

I've also checked on some computers and they say 'WSUS - True, Windows Update - False' as the update source.

I've spent ages looking through forums and read a lot of pages regarding this, but cannot get a definitive answer for my requirements. I'm hoping that some people can shed some light on what GPOs I need to set. Why oh why is this so complicated to get right? Am I overthinking things in that there shouldn't be any GPOs set if SCCM does what it needs to locally?

In essence - I need no updates from Microsoft Update and ONLY SCCM/WSUS, users cannot get updates manually themselves from Microsoft Update (by clicking 'Check online for updates' in settings), and the store needs to be able to download apps.

Any assistance is appreciated, thanks!

EDIT: I've been reading further about the following policy; is this better to use than 'Turn off access to all Windows Update features'?

Remove access to use all Windows Update features

  • Edited by Tuesday, January 14, 2020 11:16 AM

I hope this is the right place to ask this question - 

Question #1:  In a scenario where Windows updates are managed on-premise via WSUS, is there an alternative combination of group policies that could be applied to provide the security that "Do not connect to any Windows Update Internet locations" provides, without breaking updates to Windows Store apps that have been deployed by SCCM?  I'm looking for a solution to keep store apps updated automatically, while continuing to manage Windows updates via WSUS.  Keeping apps updated manually because they can't update from the store with this GPO enabled is not scalable in an enterprise.

Question #2:  When updates are configured to come from WSUS, if "Do not connect to any Windows Update Internet locations" is enabled, does it actually prevent download and install of updates from Windows Update?  The description of this GPO only states the following: "Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.  When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working."  

Thanks.


Best Answer

One of the articles I referenced in my post, https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-r..., recommends enabling the "Do not connect to any Windows Update Internet locations" policy setting.  That's what we've done (in addition to the other policy settings it recommends) and we've found clients no longer attempt to contact MS servers.  Previously we had tried enabling this setting without the additional policy settings recommended in that article and it caused Windows Update to fail on clients altogether.  I suspect that's what happened with user mahen001 above.
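The question and the best answer both turn on which Windows Update policies are actually in effect on a client, and the original poster could not tell where the "Do not connect to any Windows Update Internet locations" setting was coming from. The following read-only PowerShell audit is an added example, not code from the thread or from the linked article: it reads the registry values that back the policies named on this page (the policy-name to registry-value mapping comes from the WindowsUpdate.admx template, not from the thread), lists the update services the Windows Update Agent has registered, and flags the combinations the thread discusses (WSUS without dual scan disabled, Internet locations blocked while the Store is still required, Internet locations blocked with no intranet source). Run it in an elevated PowerShell on a managed client.

```powershell
# Added example (not from the thread): audit the effective Windows Update
# policy values and registered update services on the local machine.
# Read-only; nothing here changes any setting.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-RegValue {
    # Return a policy value, or $null when the key or value is not configured.
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# gpedit policy name -> registry value that backs it (from WindowsUpdate.admx)
$settings = [ordered]@{
    'Specify intranet Microsoft update service location (WUServer)'                 = Get-RegValue $policyKey 'WUServer'
    'Specify intranet Microsoft update service location (WUStatusServer)'           = Get-RegValue $policyKey 'WUStatusServer'
    'Use the intranet server for Automatic Updates (AU\UseWUServer)'                = Get-RegValue $auKey 'UseWUServer'
    'Configure Automatic Updates = Disabled (AU\NoAutoUpdate)'                      = Get-RegValue $auKey 'NoAutoUpdate'
    'Do not allow update deferral policies to cause scans (DisableDualScan)'        = Get-RegValue $policyKey 'DisableDualScan'
    'Do not connect to any Windows Update Internet locations'                       = Get-RegValue $policyKey 'DoNotConnectToWindowsUpdateInternetLocations'
    'Turn off access to all Windows Update features (DisableWindowsUpdateAccess)'   = Get-RegValue $policyKey 'DisableWindowsUpdateAccess'
    'Remove access to use all Windows Update features (SetDisableUXWUAccess)'       = Get-RegValue $policyKey 'SetDisableUXWUAccess'
    'Do not include drivers with Windows Updates (ExcludeWUDriversInQualityUpdate)' = Get-RegValue $policyKey 'ExcludeWUDriversInQualityUpdate'
}

'== Windows Update policy values (HKLM policies hive) =='
foreach ($entry in $settings.GetEnumerator()) {
    $shown = if ($null -eq $entry.Value) { '<not configured>' } else { $entry.Value }
    '{0,-82} {1}' -f $entry.Key, $shown
}

# Which source the Windows Update Agent will actually use. This is the
# information behind "WSUS - True, Windows Update - False" style output.
'== Registered update services (Windows Update Agent) =='
$sm = New-Object -ComObject Microsoft.Update.ServiceManager
foreach ($svc in $sm.Services) {
    '{0,-30} default for Automatic Updates: {1,-5} managed: {2}' -f $svc.Name, $svc.IsDefaultAUService, $svc.IsManaged
}

# Interpretation of the combinations discussed in the thread.
'== Findings =='
$wsus  = Get-RegValue $auKey 'UseWUServer'
$noNet = Get-RegValue $policyKey 'DoNotConnectToWindowsUpdateInternetLocations'
$dual  = Get-RegValue $policyKey 'DisableDualScan'

if ($wsus -eq 1 -and $dual -ne 1) {
    'WSUS is the Automatic Updates source but dual scan is not disabled: deferral policies can still trigger scans against Windows Update.'
}
if ($noNet -eq 1) {
    '"Do not connect to any Windows Update Internet locations" is ENABLED: Microsoft Store downloads and Delivery Optimization may stop working.'
    '  To find where it is applied from, compare against the domain result (gpresult /h report.html) and the local GPO.'
}
if ($noNet -eq 1 -and $wsus -ne 1) {
    'Internet locations are blocked and no intranet update source is in use: the agent has no reachable source to scan against.'
}
```

The audit only reports; whether to enable the policy is the trade-off the thread describes (blocking public Windows Update contact versus keeping Store app updates working), and the best answer's point is that the setting behaves differently depending on which other policies are configured alongside it, which is exactly what the first table makes visible on a given client.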


What does 'Do not connect to any Windows Update Internet locations' do?

Use Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations to enable this policy.

How do I block Internet access for Windows updates?

1. Open the policy.
2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
3. Double-click Do not connect to any Windows Update Internet locations.
4. Set to Enabled and click OK.

Do not include drivers with Windows updates?

To stop Windows Update downloading drivers, enable Do not include drivers with Windows Updates under Computer Configuration > Administrative Templates > Windows Components > Windows Update. If you want to change the setting in local policy, open the Group Policy Object Editor by typing gpedit.

How do I turn off dual scan Windows 10?

In the Search Box search for Dual Scan. Select the Disable Dual Scan for Windows Update script and Install. Run the script from the Automation Calendar against targeted Windows 10 Kernel devices.