MicrosoftI've been trying to figure this out as well. We use WSUS and have a strict rule in our company that we need to approve all updates through WSUS and cannot have them connect to Microsoft's Update services. No matter what settings I choose, any time I push out an upgrade it will always try to reach out to these endpoints. I validated this by checking the C:\$WINDOWS.~BT\Sources\Panther\setupact.log and see attempts going out to these endpoints - EVEN IF I have Dynamic Updates in WSUS marked as approved. This is a no go for us as we don't allow our workstations to reach out to these endpoints through our corporate proxy, so as a result the Upgrades always fail to install.
I've also tried setting the "Do not connect to any Windows Update Internet locations" in group policy, and it still won't respect this setting.
The only option I have had is to disable Dynamic Updates on the workstation itself before running the upgrade by creating a Setupconfig.ini file (documented here: https://www.asquaredozen.com/2019/08/25/windows-10-feature-updates-using-setupconfig-ini-to-manage-feature-updates-in-the-enterprise/)...This isn't ideal as it makes more work for me to create these files every time I need to push a new feature upgrade for Win 10. There needs to be a clearly documented way to override this behavior. I notice in this article the author writes "For Windows 10, version 1809 and later, there is no approval required in WSUS. Instead, by default, the client device receives all content from the following HTTPS endpoints" -- That by default would imply there is a way to override the behavior...so how do we do it MS???
