Use Windows Update for Business and WSUS together

Looking for consumer information? See Windows Update: FAQ

The Windows update scan source policy enables you to choose what types of updates to get from either WSUS or Windows Update for Business service.

We added the scan source policy starting with the September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service.

Important

The policy Do not allow update deferral policies to cause scans against Windows Update, also known as Dual Scan, is no longer supported on Windows 11 and on Windows 10 it is replaced by the new Windows scan source policy and is not recommended for use. If you configure both on Windows 10, you will not get updates from Windows Update.

About the scan source policy

The specify scan source policy enables you to specify whether your device gets the following Windows update types form WSUS or from Windows Update:

  • Feature updates
  • Windows quality updates
  • Driver and firmware updates
  • Updates for other Microsoft products

We recommend using this policy on your transition from fully on-premises managed environment to a cloud supported one. Whether you move only drivers to the cloud today or drivers and quality updates and then later move your other workloads, taking a step-by-step approach might ease the transition.

Default scan behavior

To help you better understand the scan source policy, see the default scan behavior below and how we can change it:

  • If no policies are configured: All of your updates will come from Windows Update.

  • If you configure only the WSUS server policy:

    • On Windows 10: All of your updates will come from WSUS.
    • On Windows 11: All of your updates will still come from WSUS unless you configure the specify scan source policy.
  • If you configure a WSUS server and deferral policies on Windows 10: All of your updates will come from Windows Update unless you specify the scan source policy or have disabled dual scan.

  • If you configure a WSUS server and the scan source policy: All of your updates will come from the source chosen in the scan source policy.

Tip

The only two relevant policies for where your updates come from are the specify scan source policy and whether or not you have configured a WSUS server. This should simplify the configuration options.

Note

If you have devices configured for WSUS and do not configure the scan source policy for feature updates to come from Windows update or set any Windows Update for Business offering policies, then users who select "Check online for updates" on the Settings page may see the optional upgrade to Windows 11. We recommend configuring the scan source policy or a Windows Update for Business offering policy to prevent such.

Configure the scan sources

The policy can be configured using the following two methods:

  1. Group Policy: Specify source service for specific classes of Windows Updates

    • Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\

    Screenshot of the Group Policy for specifiying sources for update types

  2. Configuration Service Provider (CSP) Policies: SetPolicyDrivenUpdateSourceFor<Update Type>:

Note

  • You should configure all of these policies if you are using CSPs.
  • Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the UseUpdateClassPolicySource registry key too, or the scan source won't be altered.
  • If you're also using the Specify settings for optional component installation and component repair policy to enable content for FoDs and language packs, see How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager to verify your policy configuration.