The devices which are connected to SCCM / Configuration should be contacting the WSUS server to get the updates if Software Update point is installed. However, if we wanted to make sure that the Software Update scanning should be done only against WSUS but not through Windows Update / Microsoft Update, we need to disable the option Check online for updates from Microsoft Update.
Check online for updates from Microsoft Update -setting
You can see this option when you navigate to Settings > Update & Security > Windows Update.
The reason for disabling this options comes because we don’t want user to apply software update which are not approved by administrators who are managing the patches either through WSUS or Configuration Manager (in both case WSUS is always be used for scanning )
Group Policy to disable remove “Check online for updates” option
We are here trying to achieve not to contact to Windows Update, and just rely upon WSUS. Under Group Policy Management (gpmc.msc) , create or edit existing policy and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Legacy Policies and enable “Do not allow update deferral policies to cause scans against Windows Update”
The impact of this setting is related to Registry Value name DisableDualScan which will be located under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
If this policy is missing (not configured) or Disabled, Windows Update client can initiate automatic scans against WU (Windows Update). The policy is only applicable when “Specify intranet Microsoft update service location” policy is set.
This policy can be identified as WUServer & WUStatusServer registry keys. These keys are created automatically as part of SCCM Software Update Role and when Software Updates Client Settings are enabled. Once SCCM Software Update point is used, it will also have UseWUServer set to 1 registry key as well under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
GPO to remove access to Windows Update
There is another policy which is also important, navigate to Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication settings. Enable the setting Turn off access to all Windows Update Features.
This policy setting will block access to Windows update site ie. http://windowsupdate.microsoft.com and completely block getting updates from Microsoft.
This setting will also stops you to access Microsoft Windows store and will not at all work because we have disabled Microsoft online services and just relying on WSUS / Configuration manager to deploy patches.
Registry key associated with this setting is DisableWindowsUpdateAccess under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Note: Once again, this policy will only be applied for the devices if we have following setting in place “Specify intranet Microsoft update service location”
These settings will also help related to deploying Windows Update for Business (WUfB) policies.