SOLVED

SOLVED: Group Policy setting CSP

%3CLINGO-SUB%20id%3D%22lingo-sub-1391566%22%20slang%3D%22en-US%22%3ERe%3A%20Group%20Policy%20setting%20CSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1391566%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F108958%22%20target%3D%22_blank%22%3E%40Ambarish%20Haridathan%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%20look%20into%20using%26nbsp%3B%3CSPAN%3EMDMWinsOverGP%2C%20define%20your%20%3CSTRONG%3ESoftware%20updates%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EWindows%2010%20update%20ring%3C%2FSTRONG%3E%20before%20making%20CSP%20changes%26nbsp%3Bas%20you%20will%20likely%20resolve%20some%20of%20the%20issues.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIf%20you%20need%20more%20info%20on%20the%20Update%20CSP%20settings%2C%20check%20out%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fpolicy-csp-update%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fpolicy-csp-update%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20first%20two%20settlings%20looks%20like%3B%3C%2FP%3E%3CP%3E.%2FVendor%2FMSFT%2FPolicy%2FConfig%2FUpdate%2FAllowAutoUpdate%3C%2FP%3E%3CP%3E.%2FVendor%2FMSFT%2FPolicy%2FConfig%2FUpdate%2FAllowNonMicrosoftSignedUpdate%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20not%20sure%20about%20the%20third%2C%20however%20Update%20CSP%20has%20had%20a%20number%20of%20recent%20changes%20so%20this%20may%20not%20matter%20so%20much.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%2CAndrew%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1391894%22%20slang%3D%22en-US%22%3ERe%3A%20Group%20Policy%20setting%20CSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1391894%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F250456%22%20target%3D%22_blank%22%3E%40AndrewDawson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20already%20have%20the%20windows%20update%20rings%20policy%20set.%20My%20current%20update%20settings%20are%20as%20below%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22GPO-I.png%22%20style%3D%22width%3A%20751px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F191956iD8F0480F88CC4F2F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22GPO-I.png%22%20alt%3D%22GPO-I.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22GPO-II.png%22%20style%3D%22width%3A%20557px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F191965i27AC8310BCF043F5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22GPO-II.png%22%20alt%3D%22GPO-II.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22GPO-III.png%22%20style%3D%22width%3A%20631px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F191971i6540F52060D148DE%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22GPO-III.png%22%20alt%3D%22GPO-III.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20automatic%20update%20behavior%20set%20on%20Intune%20update%20ring%20is%26nbsp%3B%3CSPAN%3E%3CSTRONG%3EAuto%20install%20and%20restart%20at%20a%20scheduled%20time.%3C%2FSTRONG%3E%20I%20am%20assuming%20to%20honor%20this%20setting%20the%20corresponding%20CSP%20policy%20should%20be%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E.%2FVendor%2FMSFT%2FPolicy%2FConfig%2FUpdate%2FAllowAutoUpdate%20with%20the%20value%20of%26nbsp%3B%3CEM%3E%3CSTRONG%3E3%20%E2%80%93%20Auto%20install%20and%20restart%20at%20a%20specified%20time.%3C%2FSTRONG%3E%20The%20IT%20specifies%20the%20installation%20day%20and%20time.%20If%20no%20day%20and%20time%20are%20specified%2C%20the%20default%20is%203%20AM%20daily.%20Automatic%20installation%20happens%20at%20this%20time%20and%20device%20restart%20happens%20after%20a%2015-minute%20countdown.%20If%20the%20user%20is%20logged%20in%20when%20Windows%20is%20ready%20to%20restart%2C%20the%20user%20can%20interrupt%20the%2015-minute%20countdown%20to%20delay%20the%20restart.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1391913%22%20slang%3D%22en-US%22%3ERe%3A%20Group%20Policy%20setting%20CSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1391913%22%20slang%3D%22en-US%22%3E%3CP%3EI%20set%20both%20policies%20and%20the%20results%20are%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22GPO-IV.png%22%20style%3D%22width%3A%20819px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F191976iDEDAAD7308C12F0E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22GPO-IV.png%22%20alt%3D%22GPO-IV.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22GPO-V.png%22%20style%3D%22width%3A%20850px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F191977i271A77DCB46EAC97%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22GPO-V.png%22%20alt%3D%22GPO-V.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ELooks%20like%20the%20policy%20is%20in%20conflict%20with%20my%20update%20ring%20policy%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22GPO-6.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F191978i361CF866F51C7247%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22GPO-6.png%22%20alt%3D%22GPO-6.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3EI%20might%20need%20to%20set%20this%20to%20not%20configured%20and%20then%20use%20the%20CSP%20policy%20to%20apply%20this%20setting%20but%20I%20dont%20see%20an%20option%20to%20set%20this%20as%20%22Not%20configured%22%20on%20intune.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22GPO-7.png%22%20style%3D%22width%3A%20771px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F191980iA195BADA8A9E0C79%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22GPO-7.png%22%20alt%3D%22GPO-7.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1416006%22%20slang%3D%22en-US%22%3ERe%3A%20Group%20Policy%20setting%20CSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1416006%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20I%20was%20able%20to%20figure%20out%20the%20issue%20with%20the%20GP%20settings.%20Adding%20here%20for%20anyone%20to%20refer%20in%20the%20future.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20some%20policies%20that%20even%20after%20you%20disable%2C%20stick%20around%20on%20the%20computer.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Farchive%2Fblogs%2Fgrouppolicy%2Fgp-policy-vs-preference-vs-gp-preferences%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Farchive%2Fblogs%2Fgrouppolicy%2Fgp-policy-vs-preference-vs-gp-preferences%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3E%3CSTRONG%3Etattoo%3C%2FSTRONG%3E.%20In%20other%20words%2C%20when%20a%20GPO%20goes%20out%20of%20scope%2C%20the%20preference%20value%20will%20remain%20in%20the%20registry.%20An%20administrator%20is%20responsible%20for%20making%20sure%20these%20values%20are%20set%20to%20disable%2C%20prior%20to%20the%20GPO%20going%20out%20of%20scope%2C%20if%20the%20administrator%20wants%20the%20preference%20setting%20removed.%20The%20preference%20setting%20will%20not%20be%20replaced%20with%20the%20original%20application%20configuration%20value.%3C%2FLI%3E%3C%2FOL%3E%3CP%3EBased%20on%20this%2C%20I%20checked%20my%20registry%20and%20found%20the%20entry%26nbsp%3BHKEY_LOCAL_MACHINE%5CSOFTWARE%5CPolicies%5CMicrosoft%5CWindows%5CWindowsUpdate%5CAU%20as%26nbsp%3B%26nbsp%3BNoAutoUpdate%20%3A%201%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20changed%20the%20value%20to%20zero%20and%20my%20update%20settings%20are%20all%20now%20with%20MDM%20and%20I%20don't%20need%20any%20other%20CSP%20policies%20now!%20%3A)%3C%2Fimg%3E%20It%20was%20a%20good%20learning%20about%20the%20CSP%20policies%20though%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1390619%22%20slang%3D%22en-US%22%3ESOLVED%3A%20Group%20Policy%20setting%20CSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1390619%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20trying%20to%20use%20Widows%20update%20rings%20on%20intune%20replacing%20our%20old%20group%20policy.%20Our%20machines%20were%20set%20with%20%22disable%20automatic%20updates%22%20via%20gpo.%20I%20have%20created%20update%20ring%20policy%20and%20feature%20update%20policy%20on%20intune%2C%20assigned%20to%20the%20device%20group%2C%20but%20there%20are%203%20policies%20that%20are%20still%20on%20GPO.%20I've%20already%20disabled%20the%20settings%20from%20GPO%2C%20had%20that%20reflected%20on%20the%20machine%20for%20a%20day.%20Next%20day%20those%203%20gp%20policies%20are%20back%20but%20the%20actual%20GPO%20policy%20is%20still%20set%20to%20not%20configured.%20Not%20sure%20where%20is%20this%20policy%20coming%20from%20now.%20Gpresult%20doesn't%20show%20these%20policies%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20alternate%20option%20I%20am%20thinking%20is%20to%20use%20the%20%3CSPAN%3EMDMWinsOverGP%3C%2FSPAN%3E%20csp%20policy%20but%20still%20couldn't%20figure%20out%20the%20alternate%20csp%20policy%20for%20the%20below%3A%3C%2FP%3E%3CUL%3E%3CLI%3EDisable%20Automatic%20Updates%3C%2FLI%3E%3CLI%3EGet%20Updates%20for%20other%20Microsoft%20Products%3C%2FLI%3E%3CLI%3ESet%20automatic%20update%20options%3C%2FLI%3E%3C%2FUL%3E%3CP%3EAre%20there%20any%20methods%20to%20find%20out%20which%20group%20policy%20in%20specific%20is%20pushing%20these%203%20policies%20and%20what%20could%20be%20the%20alternate%20CSP%20policy%20that%20I%20could%20use%20on%20intune%20to%20override%20these%203%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1390619%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

Hello,

 

I am trying to use Widows update rings on intune replacing our old group policy. Our machines were set with "disable automatic updates" via gpo. I have created update ring policy and feature update policy on intune, assigned to the device group, but there are 3 policies that are still on GPO. I've already disabled the settings from GPO, had that reflected on the machine for a day. Next day those 3 gp policies are back but the actual GPO policy is still set to not configured. Not sure where is this policy coming from now. Gpresult doesn't show these policies as well.

 

My alternate option I am thinking is to use the MDMWinsOverGP csp policy but still couldn't figure out the alternate csp policy for the below:

  • Disable Automatic Updates
  • Get Updates for other Microsoft Products
  • Set automatic update options

Are there any methods to find out which group policy in specific is pushing these 3 policies and what could be the alternate CSP policy that I could use on intune to override these 3?

 

 

4 Replies
Best Response confirmed by Ambarish Haridathan (Occasional Contributor)
Solution

Hi @Ambarish Haridathan 

 

Yes look into using MDMWinsOverGP, define your Software updates > Windows 10 update ring before making CSP changes as you will likely resolve some of the issues.

 

If you need more info on the Update CSP settings, check out 

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update

 

The first two settlings looks like;

./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate

./Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate

 

I am not sure about the third, however Update CSP has had a number of recent changes so this may not matter so much.

 

,Andrew

@AndrewDawson 

 

I already have the windows update rings policy set. My current update settings are as below:

 

 

GPO-I.png

 

GPO-II.png

GPO-III.png

 

The automatic update behavior set on Intune update ring is Auto install and restart at a scheduled time. I am assuming to honor this setting the corresponding CSP policy should be 

./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate with the value of 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.

 

I set both policies and the results are:

GPO-IV.pngGPO-V.png

Looks like the policy is in conflict with my update ring policy

GPO-6.png

 

I might need to set this to not configured and then use the CSP policy to apply this setting but I dont see an option to set this as "Not configured" on intune.

GPO-7.png

 

 

 

So I was able to figure out the issue with the GP settings. Adding here for anyone to refer in the future.

 

There are some policies that even after you disable, stick around on the computer. https://docs.microsoft.com/en-us/archive/blogs/grouppolicy/gp-policy-vs-preference-vs-gp-preferences

 

  1. tattoo. In other words, when a GPO goes out of scope, the preference value will remain in the registry. An administrator is responsible for making sure these values are set to disable, prior to the GPO going out of scope, if the administrator wants the preference setting removed. The preference setting will not be replaced with the original application configuration value.

Based on this, I checked my registry and found the entry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU as  NoAutoUpdate : 1

 

Just changed the value to zero and my update settings are all now with MDM and I don't need any other CSP policies now! :) It was a good learning about the CSP policies though