Forum Discussion

SirDesktop's avatar
SirDesktop
Copper Contributor
Dec 23, 2019

Enable Microsoft Store while keeping WSUS pointed at our internal SCCM server

I saw a similar post from a couple of years ago, but wanted to see if anything has changed since then. We use WSUS features of SCCM to push monthly patches to all workstations, so we have specifie...
jsimon_1's avatar
jsimon_1
Copper Contributor
Feb 27, 2023

SirDesktop HotCakeX 

 

Hi there,

 

have you both found any way to make this work?

We are currently facing the exact same problem in our Windows environment.

 

Thanks in advance!

  • dsixsmith's avatar
    dsixsmith
    Copper Contributor
    Feb 27, 2023

    jsimon_1 We actually created a simple workaround that temporarily disables our internal WSUS settings to allow Microsoft Store apps, and then reverts back to our internal settings when you're done with the MS Store.

    There are two .reg files to turn the Windows Update internal settings on/off:

    Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000000

     The 0 dword value will ignore any other WSUS registry customizations for accessing an internal server. Our other .reg file is the same thing, but dword value of 1 to change back to using internal WSUS settings.

    Then we have a batch file to stop the Windows Update service, change the registry keys, and restart the service.

    CLS
@ECHO OFF
color E0
net stop "Windows Update"
REGEDIT /S "%~dp0ExternalWSUS.reg"
net start "Windows Update"
CLS
ECHO.
ECHO Windows update settings have been unlocked
ECHO ------------------------------------------
ECHO You can now check for Microsoft Windows Updates and/or use the Microsoft App Store.
ECHO Un-Pause to reset.
ECHO.
PAUSE
CLS
color A0
net stop "Windows Update"
REGEDIT /S "%~dp0InternalWSUS.reg"
net start "Windows Update"
CLS
ECHO.
ECHO Windows update settings have been reset
ECHO ---------------------------------------
ECHO.
PAUSE

    It's an extra step to remember or train users on, but we weren't able to find any other way to allow both internal WSUS -and- Microsoft Store at the same time.

    • jsimon_1's avatar
      jsimon_1
      Copper Contributor
      Feb 27, 2023

      dsixsmith 

       

      Hi, thank you very much for your quick (and unexpected) in-depth reply.

      I'll be working on implementing this workaround in our environment aswell.

       

      I wonder if Microsoft is aware of this dilemma of companies wanting to use the Microsoft Store while at the same time hosting monthly Windows-Updates on-prem. There has to be an easy solution to this, right? Like a policy to "Allow the Microsoft Store to bypass WSUS group policies and download apps and updates from internet sources".

  • Aaron_Kennedy's avatar
    Aaron_Kennedy
    Copper Contributor
    Jun 10, 2023

    jsimon_1 I'm chiming in a little bit late, but I can confirm that this does work on a domain-joined Windows 11 machine that lives behind a WSUS server, and after the batch file has completed, the workstation is once again happily protected by the WSUS server.

     

    It let me update all of the Microsoft store apps without having to disjoin the workstation from the domain in order to run the Microsoft Store updates.

     

    Thanks for the tip (and for providing the batch file template).

Resources