This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 74%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETH%3C/text%3E%3C/svg%3E)
My organization has recently begun piloting Intune. Currently our devices are co-managed and we have set our sliders to Intune for devices in the test collection. My question comes in the form of the local group policy management that happens when the SCCM client checks in. An enabled local GPO (Computer > Admin templates > Windows Components > Windows Update > Specify intranet Microsoft update service location) causes an error when checking for updates through Intune (WUfB). The only way updates come through reliably are if that local policy is disabled, or we make a registry change to allow connection to Windows Update internet locations.
I have been searching online to see if there is a way to disable that local policy from being set on the devices in our test collection. I'm coming up with answers that point to no. Can anyone provide insight on what a best practice would be in this case or share workarounds?
Thanks
Sorry, I'm a bit confused. What exactly is your intent here for updates? Using ConfigMgr or using WUfB?
If WUfB, then the local group policy created by ConfigMgr does not in any way interfere with this. However, if you want to use WUfB, you must open access to the Internet by the clients as that's the entire point of WUfB.
Thanks for the reply. I'll clarify - we want to use WUfB, however the clients that we are piloting Intune on are co-managed and still check in with ConfigMgr. SCCM appears to be setting the local group policy and corresponding registry setting Do not connect to any Windows Update Internet locations. With this enabled, WUfB fails. Is there another way to circumvent this aside from uninstalling the SCCM client? We have other clients that still are receive updates exclusively from WSUS and I don't want to break that functionality for the other clients by changing any task sequence settings.
Hi,
Please run the gpresult command on the problem client to check which policy win on the Windows Update settings. Refer to:
gpresult
Walkthrough: Use Group Policy to configure Windows Update for Business
Best regards,
Simon
SCCM appears to be setting the local group policy and corresponding registry setting Do not connect to any Windows Update Internet locations
ConfigMgr does not do this. If this is configured in your environment, it is not coming from ConfigMgr. You need to find whatever is setting this and adjust accordingly.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 93%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Config Manager does make these changes. Our company has the same issue. I found ccm logs that show where the setting is changed.
We are also looking to see if when a device is put into the co-managed container, if sccm will clear the settings on the endpoints.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 74%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
ConfigMgr absolutely does do this, when the SCCM client is removed from an endpoint, the local policy changes mentioned immediately remove, and reappear when the client is reinstalled
You're adding information to a post from ~4 years ago and as things are always subject to change, this has. I don't know exactly when we added this, but it is relatively new (within the last 2ish years).
I must be the one who is confused then. When setting ConfigMgr client settings and the option 'Enable software updates on clients' is Yes, does it not apply local group policy to enable an intranet site for SCCM updates?
Yes, it does, but as noted, it does not configure the setting you've called out that blocks access to Windows Update Internet locations.
What does the co-management capability say for the endpoint? Also, what is the dual scan status value in the registry of the endpoint? Are you certain that the Windows Update work load is switching to Intune?
Shifting the workload doesn't change ConfigMgr setting the local group policy for Windows Updates because ConfigMgr is and can still be used for non-Windows updates.
It does. Local policy “Do not allow update deferral policies to cause scan against Windows Update” changes from Enabled to Disabled. This state will allow the device to go over the Internet to fetch the MU content.
Right, as this allows dual-scan to be enabled if (and only if) you have any deferral policies configured as well. It has nothing to do with the setting noted previously by the OP.
It's certainly worth checking but based on what the OP noted, there are other policies in play set by something else, like group policy.
Also note this isn't for all of Microsoft Update, it's only for Windows updates and it's not just for content for includes the entire update process for Windows updates.
Right, so I think we have established that Dual scan is something worth checking. I agree that there maybe other GPOs in play here. Over to @Tyler Horton to provide an update.