JulianAF2380
Brass Contributor
Feb 14, 2024

Computer only in Intune receives GPO for Windows Update, causing blocking of updates

Hello,

I have been trying for several hours to find the origin of this problem. The first symptom I saw is the message in Windows Update "Your organization has turned off automatic update":

Windows 10 22H2

In the advanced options I can see: Disable automatic updates, Source: Administrator, Type: Group Policy

In the registry I can see the key NoAutoUpdate set to 1. If I switch it to 0, after a reboot or after gpupdate it switches back to 1?!

Something changes these settings.

 

I already tried MDMWinsOverGP, and it applied successfully. But in fact, in the documentation https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict we can see: "Nor does it apply to the Update Policy CSP for managing Windows updates."

It does not seem to affect Windows Update.

Any idea?

Thank you!

Julian

  • rahuljindal-MVP
    Bronze Contributor
    The MDMWinsOverGP CSP only supports the Policy CSP. It does not support the Defender and Windows Update CSPs. If you have Windows Update settings created in GPO, then you need to remove them in favor of management through Intune.
  • RathoreShakti
    Copper Contributor
    Hi Julian
    It seems that you are facing a situation where a Group Policy Object (GPO) is still being applied to computers managed by Intune, causing issues with Windows Update.

    - Identify the Conflicting GPO: Use the gpresult command to identify the GPO that is causing the conflict. Look for the "Windows Components/Windows Update - Configure Automatic Updates" setting, which may be set to "Disabled" and preventing Intune from managing updates.

    Question: Is the device managed through both SCCM (System Center Configuration Manager) and Intune? When a device is co-managed, the policies pushed through MECM (Microsoft Endpoint Configuration Manager, formerly SCCM) will be displayed as Local Group Policy under the GPResult. Co-management allows for the management of Windows 10 devices with both Configuration Manager and Intune. The co-management dashboard in Configuration Manager can be used to review information about co-managed devices, including their status and enrollment. Additionally, Microsoft Intune provides features to monitor and manage device configuration policies, allowing users to check the status of a policy, view assigned devices, and troubleshoot any conflicts.
    • JulianAF2380
      Brass Contributor
      Hello,
      The computer is outside the domain and gpresult is empty. That's why I can't find the origin of this 😞
      • jamesbertram
        Copper Contributor
        Our org is experiencing the exact same issue. Auto Updates disabled by Group Policy when we are not on a domain and are pure AAD/Intune.
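
A read-only PowerShell check for the situation discussed in this thread (NoAutoUpdate reverting to 1 on an Intune-only device), added here as an example and not posted by any participant. The registry and file paths are the standard Windows locations for Windows Update policy, local Group Policy and MDM policy; they are assumptions, since the thread does not give them, and the function names are hypothetical.

```powershell
# Added example (read-only). Paths are standard Windows locations, assumed here;
# the thread itself does not give them. Run from an elevated 64-bit PowerShell.
$auKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$mdmKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$polFile = Join-Path $env:windir 'System32\GroupPolicy\Machine\Registry.pol'

function Test-PolFileContains {
    param([string]$Path, [string]$ValueName)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 2) { return $false }
    # Registry.pol stores names as UTF-16LE; try both byte alignments in case
    # an odd-length data field shifts the entries that follow it.
    foreach ($offset in 0, 1) {
        $text = [System.Text.Encoding]::Unicode.GetString($bytes, $offset, $bytes.Length - $offset)
        if ($text.IndexOf($ValueName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function Get-PolicyValueNames {
    param([string]$Key)
    # Returns the value names under a registry key, or nothing if the key is absent.
    $item = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($item) { $item.GetValueNames() } else { @() }
}

$au = Get-ItemProperty -LiteralPath $auKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    # Current value of the policy the thread is about (empty if not set).
    NoAutoUpdate       = if ($au) { $au.NoAutoUpdate } else { $null }
    # Every Windows Update policy value written under the AU policy key.
    AuPolicyValues     = (Get-PolicyValueNames $auKey) -join ', '
    # True if the machine's local Group Policy file mentions the value.
    InLocalRegistryPol = Test-PolFileContains -Path $polFile -ValueName 'NoAutoUpdate'
    # Update policies delivered through MDM, for comparison.
    MdmUpdateValues    = (Get-PolicyValueNames $mdmKey) -join ', '
} | Format-List
```

The output puts the policy-key value, the local Group Policy file and the MDM-delivered Update policies side by side, so the three can be compared on a device where gpresult shows nothing.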