Forums on Intune, SCCM, and Windows 11


SOLVED SCCM / INTUNE updates and LOCAL GPO setting

Status
Not open for further replies.

hamid.azeez

Hello all, I am hoping to get some guidance here regarding an issue I am stuck on pertaining to co-managed devices with Intune and SCCM and local GPO settings.

Our environment presently has SCCM with build 2211, recently upgraded from previous versions. We are in the process of migrating to INTUNE for Windows patching and feature updates.

I have gone through the setup of SCCM and moved my Windows Updates workloads to INTUNE in my pilot setup. I can verify all my pilot endpoints are receiving my INTUNE RING policy and the CONFIGURATION MANAGER clients, their co-managed settings are changed accordingly to reflect the shift to INTUNE... no issues here!

Where I am having difficulty: it seems that SCCM, when configured as SUP, enables several local GPO settings. From my research done so far, it relates to "DUALSCAN". One in question...
  1. Do not allow deferral policies to cause scans against Windows Update - (DisableDualScan registry setting)
    With this setting enabled, I have verified the corresponding reg setting:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DISABLEDUALSCAN is set to value 1.
    Even if I then set this GPO setting back to NOT CONFIGURED, it does not make any difference in the registry setting, but I am then able to receive updates from INTUNE.
I have confirmed this multiple times by setting the local GPO setting back to "Not Configured", and the computers will then receive updates thereafter or overnight.
My question and challenge:
How can I make this change to all my endpoints?
Where in SCCM are these settings, so I can hopefully disable them?
Hoping there are techs here who have come across this issue and are able to assist me.

Thank you in advance!

Hamid
 
After further troubleshooting of this issue, I am convinced SCCM is actually setting the local policy on my endpoints. But in order to receive updates from INTUNE, the "Do not allow deferral policies to cause scans against Windows Update" setting has to be set to "Not Configured".
These are the 3 local GPO settings being set:
1. Do not allow deferral policies to cause scans against Windows Update
2. Specify Intranet Microsoft update service location
3. Specify source service for specific classes of Windows Update...

My challenge is, how do I do this? I have done a lot of research so far.
Where in SCCM are these settings being enabled?
Is it in the WSUS part? If so, where?

Hoping someone here can provide a clue.
Thanks.
 
I have exactly the same issue as this and it has been causing us problems for weeks. The only way I have found to 'fix' it is to run gpedit.msc on each machine and change the two policies back to 'not configured' - but obviously that is hugely time consuming - I have hundreds of machines like this. If anyone has any insight on this I'd be very grateful...
 
Hi Hackmuss, sorry you are experiencing this issue. This was hit and miss for me, as some computers were able to revert on their own and others were not. I did not figure out a way to automate it, so I reverted them one at a time. Though I also had hundreds of computers, I had a good amount we were able to manually revert.

If you have a GPO set for SCCM, please disable it, if you haven't already.

Wish I could provide more to help.
Hamid
 
Hi SaqibMalik, as per my previous response post, we resolved the issues by fixing them one by one. Although since then, we are slowly abandoning SCCM and moving towards Intune. It is such a beast to manage, especially when you don't have the proper expertise or are limited.

There are so many hops one has to take to get things working. And if you change settings, it messes up your complete environment and you have to spend so much time fixing it.

Hope someone in this forum can offer guidance.
 
I believe I was able to resolve this by creating a new Custom Client Device Settings profile in SCCM that disables Software Updates and deploying it to my pilot group. Once I did this, the local policies were removed and the Config Manager Software Updates Agent was disabled.
 
Yes, I can verify that this is the correct plan of action. Not well documented.
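
A read-only check for the three policies named in this thread, added here as an example and not posted by any participant: it reports whether a machine still carries the WSUS-related Windows Update policy values, so the result of the client-settings change can be confirmed across endpoints instead of opening gpedit.msc on each one. The registry path and DisableDualScan come from the thread; the other value names are the documented registry values behind the two remaining policies, and the function names are hypothetical.

```powershell
# Added example: audit only, it changes nothing on the machine.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WuScanSourceAudit {
    # Values behind "Specify source service for specific classes of Windows Updates"
    # (1 = Windows Server Update Services, 0 = Windows Update).
    $sourceNames = 'SetPolicyDrivenUpdateSourceForFeatureUpdates',
                   'SetPolicyDrivenUpdateSourceForQualityUpdates',
                   'SetPolicyDrivenUpdateSourceForDriverUpdates',
                   'SetPolicyDrivenUpdateSourceForOtherUpdates'

    $report = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        # "Do not allow deferral policies to cause scans against Windows Update"
        DisableDualScan = Get-PolicyValue $WuKey 'DisableDualScan'
        # "Specify intranet Microsoft update service location"
        WUServer        = Get-PolicyValue $WuKey 'WUServer'
        WUStatusServer  = Get-PolicyValue $WuKey 'WUStatusServer'
        UseWUServer     = Get-PolicyValue $AuKey 'UseWUServer'
    }
    $wsusSources = @()
    foreach ($name in $sourceNames) {
        $value = Get-PolicyValue $WuKey $name
        $report[$name] = $value
        if ($value -eq 1) { $wsusSources += $name }
    }

    # A machine is flagged when any of the three policies is still in effect.
    $report['WsusPolicyPresent'] = ($report.DisableDualScan -eq 1) -or
                                   ($report.UseWUServer -eq 1) -or
                                   ($wsusSources.Count -gt 0)
    [pscustomobject]$report
}

$audit = Get-WuScanSourceAudit
$audit | Format-List
# Non-zero exit code marks machines that still need attention.
if ($audit.WsusPolicyPresent) { exit 1 } else { exit 0 }
```

Run it elevated or as SYSTEM from whatever script-deployment mechanism is already in place; the exit code lets that tool list the machines where the policies have not yet been removed.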
 