Forum Discussion

Ambarish Haridathan's avatar
Ambarish Haridathan
Copper Contributor
May 14, 2020

SOLVED: Group Policy setting CSP

Hello,

 

I am trying to use Widows update rings on intune replacing our old group policy. Our machines were set with "disable automatic updates" via gpo. I have created update ring policy and feature update policy on intune, assigned to the device group, but there are 3 policies that are still on GPO. I've already disabled the settings from GPO, had that reflected on the machine for a day. Next day those 3 gp policies are back but the actual GPO policy is still set to not configured. Not sure where is this policy coming from now. Gpresult doesn't show these policies as well.

 

My alternate option I am thinking is to use the MDMWinsOverGP csp policy but still couldn't figure out the alternate csp policy for the below:

  • Disable Automatic Updates
  • Get Updates for other Microsoft Products
  • Set automatic update options

Are there any methods to find out which group policy in specific is pushing these 3 policies and what could be the alternate CSP policy that I could use on intune to override these 3?

 

 

  • Hi Ambarish Haridathan 

     

    Yes look into using MDMWinsOverGP, define your Software updates > Windows 10 update ring before making CSP changes as you will likely resolve some of the issues.

     

    If you need more info on the Update CSP settings, check out 

    https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update

     

    The first two settlings looks like;

    ./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate

    ./Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate

     

    I am not sure about the third, however Update CSP has had a number of recent changes so this may not matter so much.

     

    ,Andrew

  • AndrewDawson's avatar
    AndrewDawson
    Brass Contributor

    Hi Ambarish Haridathan 

     

    Yes look into using MDMWinsOverGP, define your Software updates > Windows 10 update ring before making CSP changes as you will likely resolve some of the issues.

     

    If you need more info on the Update CSP settings, check out 

    https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update

     

    The first two settlings looks like;

    ./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate

    ./Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate

     

    I am not sure about the third, however Update CSP has had a number of recent changes so this may not matter so much.

     

    ,Andrew

    • Ambarish Haridathan's avatar
      Ambarish Haridathan
      Copper Contributor

      AndrewDawson 

       

      I already have the windows update rings policy set. My current update settings are as below:

       

       

       

       

      The automatic update behavior set on Intune update ring is Auto install and restart at a scheduled time. I am assuming to honor this setting the corresponding CSP policy should be 

      ./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate with the value of 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.

       

      • Ambarish Haridathan's avatar
        Ambarish Haridathan
        Copper Contributor

        I set both policies and the results are:

        Looks like the policy is in conflict with my update ring policy

         

        I might need to set this to not configured and then use the CSP policy to apply this setting but I dont see an option to set this as "Not configured" on intune.

         

         

         

Resources