Thank you for posting in Microsoft Q&A forum.
ConfigMgr uses local group policies to configure the Windows Update settings on all managed clients.
The "Specify intranet Microsoft update service location" will configured automatically when we configure SUP in SCCM, we do not need to configure it manually.
"Do not allow update deferral policies to cause scans against windows update: Enabled" Enable this policy will not allow update deferral policies to cause scans against windows update. So this policy is need.
And we need to disable automatic updates by configure "Configure Automatic Updates:Disabled", so the client will not be any automatic windows update process.
We also need "Turn off access to all Windows Update features = Enabled" to hide "Check online for updates from Microsoft update" to avoid the use trigger the windows update manually.
You may refer this article for more details:
(Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi, @Dilan Nanayakkara
Thanks for the feedback.
The policy I mentioned will not stop Store apps to the internet.
For preventing apps from getting updates from the Internet, I'd suggest to post a new thread in Windows 10 forum, since this is a SCCM forum, you may get a better answer in Windows 10 forum.