question

PaD-7009 avatar image
0 Votes"
PaD-7009 asked saldana-msft edited

Cloud Management Gateway & block Windows Update

We know that when using CMG, we redirect the Software Updates to download from Microsoft Windows Updates from the internet, instead of using cloud DP to download the content to save cost.

On that note, our SCCM clients onprem (within our corporate network) scans and downloads updates from onprem SUP. All good here.

But users have the ability to scan the updates on their own and download it from Microsoft Windows Updates from internet. To stop this we want to deploy the GPO "Turn Off access to all Windows Update features". We know this will stop the users from downloading it from internet.

What we are not sure is whether, it will also stop CMG from downloading from Microsoft Windows Updates.

mem-cm-generalmem-cm-updates
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

Amandayou-MSFT avatar image
0 Votes"
Amandayou-MSFT answered Amandayou-MSFT commented

Hi @PaD-7009,

Based on my understanding, if we deploy the GPO "Turn Off access to all Windows Update features", it will stop CMG from downloading from Microsoft Windows Updates. The updates come from Microsoft directly, using a CMG is just IBCM with the infrastructure in Azure.

Here is the similar post we could refer to:
https://social.technet.microsoft.com/Forums/en-US/a7d91202-da95-439e-bd7e-fc1044ad7e00/windows-updates-downloads-from-microsoft-via-cloud-management-gateway?forum=ConfigMgrCompliance



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I saw that post earlier, that post is not conclusive. Same person mentions 2 points that it will not affect,

1) I haven't tested with those policies explicitly though
2) but I would think they are irrelevant as it's not the WUA that downloads updates -- the ConfigMgr agent is responsible for this which does not care about WUA policies.

0 Votes 0 ·

Hello,

As far as I know, it will stop CMG from downloading from Microsoft Windows Updates when deploy the GPO "Turn Off access to all Windows Update features". We could test one client to check it.

Thanks for your understanding.

Best regards,
Amanda

0 Votes 0 ·

Is there a user Voice for ConfigMgr team? i can raise this in that forum.

0 Votes 0 ·
Show more comments