Moving from ConfigMgr to WUfB and GPO cleanup

Hello!

We are co-managed and are in the process of testing out WUfB workloads.  We have a leftover GPO that is setting the "Configure Automatic Updates" policy to Disabled.  If I manually remove the corresponding reg key on a test workstation then WUfB seems to work as expected.  Can you confirm that removing this GPO/key is necessary for WUfB to work properly and also recommend any other GPOs/settings/reg keys that could conflict with the policy we're setting in Intune & proper WUfB operation? Also, would re-enabling/removing the "Configure Automatic Updates" policy have any other impact on our existing SCCM environment? (We do still want to use dual-scan to install third party patches via ConfigMgr).  Thanks!

2 Replies
best response confirmed by egoodman (Brass Contributor)
Solution

@egoodman disabling "Configure Automatic Updates" will result in WUfB not working given it will literally disable automatic updates for that device.  With WUfB less is actually more.

 

Configure: 

  • Some update offering policies to manage which updates are offered when
  • Compliance deadline for feature updates and quality updates and grace period

Honestly, that is it. That is all you really need to configure to have a great end user experience and keep devices compliant. 

 

Do Not Configure: 

  • Disable Configure Automatic Updates (honestly, I recommend not setting this policy at all given if you require the end user to take action via notify to download/install or schedule an install you are likely to slow down compliance of the device).
  • Disable end user access to Windows Update features (if you configure this policy the end user will not be able to schedule their reboots, prompt download/install for updates you push down, etc. providing a bad experience and hurting compliance). 
  • Display option for notifications to disabled (please only turn off notifications when a device is a kiosk device. If it is an end user device or multi-user device this is a terrible experience).
  • There are a bunch of other policies I would recommend not configuring and will likely put together a blog on such shortly. :) 

Finally, when you are using Configuration Manager with "do not allow deferrals to cause scans against Windows Update" you will not get any updates from Windows Update AND the native update stack / UX will not be in use. That means that all of the Windows Update policies pertaining to experience (including configure automatic updates) will not apply. Therefore for 100% ConfigMgr environments this should not be a problem.

 

Please let me know if you have any more questions. :) 

@Aria Carley

Thank you so much. We are in the same boat but still having issues. In our scenario we currently have the following GPOs configured:

Configure Automatic Updates - Set as Disabled from Domain GPO
Do not allow update deferral policies to cause scans against Windows Update - Set as Disabled from Local GPO (from SCCM)
Do not connect to any Windows Update Internet locations - Set as Enabled from Domain GPO
Specify intranet Microsoft update service location - Set as Enabled from Local GPO (from SCCM)

 

To manage from Intune we are planning to do the following

1. Add the device to Co-management
2. Modify the following GPOs:
Configure Automatic Updates - Delete the Registry Entry and set as Not Configured in GPO
3. Create a new profile under "Windows 10 update rings" in Intune with the required settings and assign to the devices

Will that help us move towards WUfB, or do we need to do anything else?

 

Thanks,

V
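
The policies named in this thread can be read back from a test workstation before and after the GPO change. The PowerShell below is an added example, not part of either post; the registry value names are the ones the Windows Update policy templates write (they are not quoted in the thread), and the function name `Get-WUPolicyReport` is hypothetical.

```powershell
# Added example: report the Windows Update policy values discussed in the thread.
# Value names come from the Windows Update policy templates, not from the thread.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

# FlagValue = the setting the thread says breaks or degrades WUfB.
# $null means "informational only" (expected while ConfigMgr still scans WSUS).
$checks = @(
    [pscustomobject]@{ Policy = 'Configure Automatic Updates (Disabled)'
                       Path = $au; Name = 'NoAutoUpdate'; FlagValue = 1 }
    [pscustomobject]@{ Policy = 'Do not allow update deferral policies to cause scans against Windows Update'
                       Path = $wu; Name = 'DisableDualScan'; FlagValue = 1 }
    [pscustomobject]@{ Policy = 'Do not connect to any Windows Update Internet locations'
                       Path = $wu; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; FlagValue = 1 }
    [pscustomobject]@{ Policy = 'Remove access to use all Windows Update features'
                       Path = $wu; Name = 'SetDisableUXWUAccess'; FlagValue = 1 }
    [pscustomobject]@{ Policy = 'Specify intranet Microsoft update service location'
                       Path = $wu; Name = 'WUServer'; FlagValue = $null }
    [pscustomobject]@{ Policy = 'Use intranet update service (set with the policy above)'
                       Path = $au; Name = 'UseWUServer'; FlagValue = $null }
)

function Get-WUPolicyReport {
    param([Parameter(Mandatory)][object[]]$Checks)

    foreach ($c in $Checks) {
        # A missing key or value is not an error here: it means "Not Configured".
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }

        [pscustomobject]@{
            Policy = $c.Policy
            Name   = $c.Name
            Value  = if ($null -eq $value) { '<not set>' } else { $value }
            # Review only when the value is present AND equals the flagged setting.
            Review = ($null -ne $value) -and ($null -ne $c.FlagValue) -and ($value -eq $c.FlagValue)
        }
    }
}

Get-WUPolicyReport -Checks $checks | Format-Table -AutoSize -Wrap
```

A value deleted by hand is written back at the next Group Policy refresh while the GPO still applies, so run the report again after `gpupdate /force` to confirm the change came from the GPO and not only from the manual registry edit.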

 
