May 14 2020 02:27 PM - edited May 25 2020 05:02 AM
Hello,
I am trying to use Windows update rings on Intune, replacing our old group policy. Our machines were set with "disable automatic updates" via GPO. I have created an update ring policy and a feature update policy on Intune, assigned to the device group, but there are 3 policies that are still on GPO. I've already disabled the settings from GPO and had that reflected on the machine for a day. The next day those 3 GP policies are back, but the actual GPO policy is still set to not configured. Not sure where this policy is coming from now. Gpresult doesn't show these policies either.
The alternate option I am thinking of is to use the MDMWinsOverGP CSP policy, but I still couldn't figure out the alternate CSP policy for the below:
Are there any methods to find out which specific group policy is pushing these 3 policies, and what could be the alternate CSP policy that I could use on Intune to override these 3?
May 14 2020 08:05 PM
Solution
Yes, look into using MDMWinsOverGP. Define your Software updates > Windows 10 update ring before making CSP changes, as you will likely resolve some of the issues.
If you need more info on the Update CSP settings, check out
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update
The first two settings look like:
./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate
./Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate
I am not sure about the third; however, the Update CSP has had a number of recent changes, so this may not matter so much.
,Andrew
May 14 2020 10:38 PM
I already have the Windows update rings policy set. My current update settings are as below:
The automatic update behavior set on the Intune update ring is Auto install and restart at a scheduled time. I am assuming that, to honor this setting, the corresponding CSP policy should be
./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate with the value of 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
May 14 2020 11:01 PM - edited May 14 2020 11:06 PM
I set both policies and the results are:
Looks like the policy is in conflict with my update ring policy.
I might need to set this to not configured and then use the CSP policy to apply this setting, but I don't see an option to set this as "Not configured" on Intune.
May 25 2020 05:02 AM
So I was able to figure out the issue with the GP settings. Adding here for anyone to refer to in the future.
There are some policies that, even after you disable them, stick around on the computer. https://docs.microsoft.com/en-us/archive/blogs/grouppolicy/gp-policy-vs-preference-vs-gp-preferences
Based on this, I checked my registry and found the entry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU as NoAutoUpdate : 1
Just changed the value to zero and my update settings are all now with MDM and I don't need any other CSP policies now! :) It was a good learning about the CSP policies, though.
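A read-only way to repeat the registry check described in the post above, as an added example that is not part of the original thread. The PolicyManager path used for the MDM side is an assumption based on where Windows stores Policy CSP values, the function name is hypothetical, and the gpresult step needs an elevated prompt.

```powershell
# Added example: audit Windows Update policy values that remain in the registry.
# Only the ...\WindowsUpdate\AU key and NoAutoUpdate value come from the thread.
$gpKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
)
# Assumption: MDM-delivered Update policy values are stored under PolicyManager.
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Hypothetical helper: return every value under a key as an object, or nothing
# if the key does not exist.
function Get-RegistryValues {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Source
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Source = $Source
            Key    = $Path
            Name   = $name
            Value  = $key.GetValue($name)
        }
    }
}

$gpValues  = foreach ($k in $gpKeys) { Get-RegistryValues -Path $k -Source 'GroupPolicy' }
$mdmValues = Get-RegistryValues -Path $mdmKey -Source 'MDM'

Write-Host '--- Values under the Group Policy WindowsUpdate keys ---'
$gpValues | Format-Table Key, Name, Value -AutoSize -Wrap

Write-Host '--- Values delivered through MDM (Update area) ---'
$mdmValues | Format-Table Name, Value -AutoSize -Wrap

# The leftover from the thread: NoAutoUpdate = 1 under ...\WindowsUpdate\AU.
$stale = $gpValues | Where-Object { $_.Name -eq 'NoAutoUpdate' -and $_.Value -eq 1 }
if ($stale) {
    Write-Warning 'NoAutoUpdate is 1: automatic updates are disabled by a registry policy value.'
    # Compare with what Group Policy currently applies. If the setting is missing
    # from this report, the registry value is a leftover, not an active GPO.
    $report = Join-Path $env:TEMP 'gpresult-computer.html'
    gpresult /scope computer /h $report /f
    Write-Host "Resultant Set of Policy report written to $report"
}
```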
Mar 02 2021 06:52 PM
@Ambarish Haridathan Great work! All CSP settings can also be found here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update