SCCM / INTUNE updates and LOCAL GPO setting

hamid.azeez

Hello all, I am hoping to get some guidance here regarding an issue I am stuck on pertaining to co-managed devices with Intune and SCCM and local GPO settings.

Our environment presently has SCCM with build 2211, recently upgraded from previous versions. We are in the process of migrating to INTUNE for Windows patching and feature updates.

I have gone through the setup of SCCM and moved my Windows Updates workloads to INTUNE in my pilot setup. I can verify all my pilot endpoints are receiving my INTUNE RING policy and the CONFIGURATION MANAGER clients, their co-managed settings are changed accordingly to reflect the shift to INTUNE... no issues here!

Where I am having difficulty: it seems that SCCM, when configured as SUP, enables several local GPO settings. From my research done so far, it relates to "DUALSCAN". The one in question...
  1. Do not allow deferral policies to cause scans against Windows Update (DisableDualScan registry setting)
    With this setting enabled, I have verified the corresponding reg setting:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DISABLEDUALSCAN is set to value 1.
    Even if I then set this GPO setting back to NOT CONFIGURED, it does not make any difference in the registry setting, but I am then able to receive updates from INTUNE.
I have confirmed this multiple times by setting the local GPO setting back to "Not Configured", and the computers will then receive updates thereafter or overnight.
My question and challenge:
How can I make this change to all my endpoints?
Where in SCCM are these settings, so I can hopefully disable them?
Hoping there are techs here who have come across this issue and are able to assist me.

thank you in advance!

Hamid
hamid.azeez

After further troubleshooting of this issue, I am convinced SCCM is actually setting the local policy on my endpoints. But in order to receive updates from INTUNE, the "Do not allow deferral policies to cause scans against Windows Update" has to be set to "Not Configured".
These are the 3 local GPO settings being set:
1. Do not allow deferral policies to cause scans against Windows Update
2. Specify Intranet Microsoft update service location
3. Specify source service for specific classes of Windows Update...

My challenge is, how do I do this? I have done a great deal of research so far.
Where in SCCM are these settings being enabled?
Is it in the WSUS part? If so, where?

Hoping someone here can provide a clue.
Thanks.
Hackmuss

I have exactly the same issue as this and it has been causing us problems for weeks. The only way I have found to 'fix' it is to run gpedit.msc on each machine and change the two policies back to 'not configured' - but obviously that is hugely time consuming - I have hundreds of machines like this. If anyone has any insight on this I'd be very grateful...
hamid.azeez

Hi Hackmuss, sorry you are experiencing this issue. This was hit and miss for me, as some computers were able to revert on their own and others did not. I did not figure out a way to automate it, so I reverted them one at a time. Though I also had hundreds of computers, I had a good amount we were able to manually revert.

If you have a GPO set for SCCM, please disable it, if you haven't already.

Wish I could provide more to help.
Hamid
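
A read-only way to see, per endpoint, which of the three policies named in this thread are present in the registry, given here as an added example that is not part of any post above. Only the DisableDualScan path comes from the thread; the other value names (WUServer, WUStatusServer, UseWUServer, SetPolicyDrivenUpdateSourceFor*) and the function name Get-WUPolicyState are assumptions to verify against your own clients.

```powershell
# Added example: audits Windows Update policy values, changes nothing.
function Get-WUPolicyState {
    [CmdletBinding()]
    param()

    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    # DisableDualScan is the value quoted in the thread; the rest are assumed names.
    $dualScan = 'Do not allow deferral policies to cause scans against Windows Update'
    $intranet = 'Specify intranet Microsoft update service location'
    $source   = 'Specify source service for specific classes of Windows Updates'
    $checks = @(
        @{ Policy = $dualScan; Path = $wu; Name = 'DisableDualScan' }
        @{ Policy = $intranet; Path = $wu; Name = 'WUServer' }
        @{ Policy = $intranet; Path = $wu; Name = 'WUStatusServer' }
        @{ Policy = $intranet; Path = $au; Name = 'UseWUServer' }
        @{ Policy = $source;   Path = $wu; Name = 'SetPolicyDrivenUpdateSourceForFeatureUpdates' }
        @{ Policy = $source;   Path = $wu; Name = 'SetPolicyDrivenUpdateSourceForQualityUpdates' }
        @{ Policy = $source;   Path = $wu; Name = 'SetPolicyDrivenUpdateSourceForDriverUpdates' }
        @{ Policy = $source;   Path = $wu; Name = 'SetPolicyDrivenUpdateSourceForOtherUpdates' }
    )

    foreach ($c in $checks) {
        # A missing key or value returns nothing instead of throwing.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $present = $null -ne $item

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Policy    = $c.Policy
            ValueName = $c.Name
            Present   = $present
            Value     = if ($present) { $item.($c.Name) } else { $null }
        }
    }
}

# One row per value; pipe to Export-Csv to compare pilot and non-pilot machines.
Get-WUPolicyState | Format-Table -AutoSize
```

The first post reports the registry value staying at 1 after the local policy was set back to "Not Configured", so read this output alongside what the Windows Update client actually does.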
