Forum Discussion
SOLVED: Group Policy setting CSP
Yes look into using MDMWinsOverGP, define your Software updates > Windows 10 update ring before making CSP changes as you will likely resolve some of the issues.
If you need more info on the Update CSP settings, check out
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update
The first two settlings looks like;
./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate
./Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate
I am not sure about the third, however Update CSP has had a number of recent changes so this may not matter so much.
,Andrew
Yes look into using MDMWinsOverGP, define your Software updates > Windows 10 update ring before making CSP changes as you will likely resolve some of the issues.
If you need more info on the Update CSP settings, check out
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update
The first two settlings looks like;
./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate
./Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate
I am not sure about the third, however Update CSP has had a number of recent changes so this may not matter so much.
,Andrew
I already have the windows update rings policy set. My current update settings are as below:
The automatic update behavior set on Intune update ring is Auto install and restart at a scheduled time. I am assuming to honor this setting the corresponding CSP policy should be
./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate with the value of 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
I set both policies and the results are:
Looks like the policy is in conflict with my update ring policy
I might need to set this to not configured and then use the CSP policy to apply this setting but I dont see an option to set this as "Not configured" on intune.
So I was able to figure out the issue with the GP settings. Adding here for anyone to refer in the future.
There are some policies that even after you disable, stick around on the computer. https://docs.microsoft.com/en-us/archive/blogs/grouppolicy/gp-policy-vs-preference-vs-gp-preferences
- tattoo. In other words, when a GPO goes out of scope, the preference value will remain in the registry. An administrator is responsible for making sure these values are set to disable, prior to the GPO going out of scope, if the administrator wants the preference setting removed. The preference setting will not be replaced with the original application configuration value.
Based on this, I checked my registry and found the entry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU as NoAutoUpdate : 1
Just changed the value to zero and my update settings are all now with MDM and I don't need any other CSP policies now! 🙂 It was a good learning about the CSP policies though
- Hi Ambarish,
What are all the steps and policies you have created to resolve this?
We are experiencing the exact same issue!
Thanks!