Hello,
The behavior you are observing is likely due to a feature called "Dual Scan". Even when you configure a client to point to a WSUS server using the "Specify intranet Microsoft update service location" Group Policy Object (GPO), certain other policies can trigger the client to also scan Windows Update online.
This dual scanning is typically enabled automatically if you have configured any of the Windows Update for Business (WUfB) deferral policies, such as:
- Select when Quality Updates are received
- Select when Feature Updates are received
When Dual Scan is active, the Windows Update client will check both your internal WSUS server and the public Windows Update service for updates.
To ensure your client machines only get updates from your WSUS server and do not reach out to the internet, you have 2 options.
Option 1: Disable Dual Scan Behavior
If you are using WUfB deferral policies alongside WSUS, you can explicitly disable dual scanning. This will force the client to only use your specified WSUS server.
- Open the Group Policy Management Editor.
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows Update.
- Locate the policy named "Do not allow update deferral policies to cause scans against Windows Update".
- Set this policy to Enabled.
By enabling this policy, you are telling the client not to scan Windows Update when deferral policies are configured, effectively stopping the dual scan behavior.
Option 2: Block All Connections to Windows Update Internet Locations
For a more stringent approach, you can block all communication to any external Windows Update services. This is a good option if you want to ensure no updates are ever pulled from the internet.
- Open the Group Policy Management Editor.
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows Update.
- Find the policy "Do not connect to any Windows Update Internet locations".
- Set this policy to Enabled.
Important Note: Enabling this policy may affect other functionalities that rely on connecting to public update services, such as the Microsoft Store.
After applying either of these GPO changes, remember to run gpupdate /force on the client machine. You may need to restart the Windows Update service for the changes to take immediate effect.
I hope this explanation and the provided solutions help you resolve the issue. Please let me know if you have any further questions.
If you find this information helpful, please "Accept Answer" to help other members of the community.
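The following is an added example, not part of the original answer: a PowerShell check that reads the registry values these Group Policy settings write and reports whether a client is exposed to Dual Scan or already covered by Option 1 or Option 2. It assumes the standard policy value names under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the function names and the sample WSUS URL are constructed for illustration.

```powershell
# Added example. Registry locations the Windows Update GPO settings write to.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-WsusScanPosture {
    param([hashtable]$Policy)
    $usesWsus  = ($Policy.UseWUServer -eq 1) -and
                 -not [string]::IsNullOrEmpty($Policy.WUServer)
    $deferrals = ($Policy.DeferQualityUpdates -eq 1) -or
                 ($Policy.DeferFeatureUpdates -eq 1)

    if (-not $usesWsus) { return 'NoWsus: client is not pointed at a WSUS server' }
    if ($Policy.DoNotConnectToWindowsUpdateInternetLocations -eq 1) {
        return 'WsusOnly: Option 2 is in effect (Internet locations blocked)'
    }
    if ($deferrals -and ($Policy.DisableDualScan -eq 1)) {
        return 'WsusOnly: Option 1 is in effect (deferrals set, Dual Scan disabled)'
    }
    if ($deferrals) {
        return 'DualScanLikely: deferral policy set without Option 1 or Option 2'
    }
    return 'Wsus: no deferral policy found among the values checked'
}

# Constructed sample: WSUS plus a quality-update deferral, neither option applied.
$sample = @{
    WUServer            = 'http://wsus.example.internal:8530'  # placeholder URL
    UseWUServer         = 1
    DeferQualityUpdates = 1
}
"Sample : $(Get-WsusScanPosture $sample)"

# Live values from this machine (all $null where the policy key does not exist).
$live = @{ UseWUServer = Get-PolicyValue $AuKey 'UseWUServer' }
foreach ($name in 'WUServer', 'DeferQualityUpdates', 'DeferFeatureUpdates',
                  'DisableDualScan', 'DoNotConnectToWindowsUpdateInternetLocations') {
    $live[$name] = Get-PolicyValue $WuKey $name
}
"Local  : $(Get-WsusScanPosture $live)"
```

Running it on a client after gpupdate /force shows whether the new policy has actually landed in the registry. It only inspects the two deferral policies named above, so a "Wsus" result does not rule out other triggers.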