How do I disable Specify intranet Microsoft update service location?

During my task sequence I disable ' Specify intranet Microsoft Update service location ' in local group policy because I want to get updates from MS. Once the OS deployment is done, I see that it is disabled, which is what I want. However, after a couple of hours later, the setting is changed to 'Enabled' and it has our WSUS information in it. I thought it was pushed through GP but I cannot find it. I am in a domain environment, the workstation is domain joined during the TS.

Do you have any idea why the setting is getting updated to 'Enabled'? If it is coming from GP where do I look for? If not, how is it updated automatically? This is making me nuts.


Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.

This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.

To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.

If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.

If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.

The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.

The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server.

Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.

Note: If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates.

Note: The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set.

Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.

To ensure the highest level of security, Microsoft recommends securing WSUS with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. If a proxy is required, we recommend configuring system proxy. To ensure highest levels of security, additionally leverage WSUS TLS certificate pinning on all devices.

In order to keep clients inherently secure, we are no longer allowing intranet servers to leverage user proxy by default for detecting updates. If you need to leverage user proxy for detecting updates while using an intranet server despite the vulnerabilities it presents, you must configure the proxy behavior to "Allow user proxy to be used as a fallback if detection using system proxy fails".

Detection for updates against intranet servers will fail when user proxy is needed as a fallback and the alternate proxy behavior is not configured.

Supported on: At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3, excluding Windows RT

Enable policy:

Registry Hive HKEY_LOCAL_MACHINE
Registry Path Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value Name UseWUServer
Value Type REG_DWORD
Value 1

Disable Policy:

Registry Hive HKEY_LOCAL_MACHINE
Registry Path Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value Name UseWUServer
Value Type REG_DWORD
Value 0


Set the intranet update service for detecting updates:

How do I disable Specify intranet Microsoft update service location?

Registry Hive HKEY_LOCAL_MACHINE
Registry Path Software\Policies\Microsoft\Windows\WindowsUpdate
Value Name WUServer
Value Type REG_SZ
Default Value

Set the intranet statistics server:

How do I disable Specify intranet Microsoft update service location?

Registry Hive HKEY_LOCAL_MACHINE
Registry Path Software\Policies\Microsoft\Windows\WindowsUpdate
Value Name WUStatusServer
Value Type REG_SZ
Default Value

Set the alternate download server:

How do I disable Specify intranet Microsoft update service location?

Registry Hive HKEY_LOCAL_MACHINE
Registry Path Software\Policies\Microsoft\Windows\WindowsUpdate
Value Name UpdateServiceUrlAlternate
Value Type REG_SZ
Default Value

(example: https://IntranetUpd01)

How do I disable Specify intranet Microsoft update service location?
Download files with no Url in the metadata if alternate download server is set.

Registry Hive HKEY_LOCAL_MACHINE
Registry Path Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value Name UseWUServer
Value Type REG_DWORD
Default Value 0
True Value 1
False Value 0

How do I disable Specify intranet Microsoft update service location?
Do not enforce TLS certificate pinning for Windows Update client for detecting updates.

Registry Hive HKEY_LOCAL_MACHINE
Registry Path Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value Name UseWUServer
Value Type REG_DWORD
Default Value 0
True Value 1
False Value 0

Select the proxy behavior for Windows Update client for detecting updates:

How do I disable Specify intranet Microsoft update service location?

  1. Only use system proxy for detecting updates (default)
    Registry Hive HKEY_LOCAL_MACHINE
    Registry Path Software\Policies\Microsoft\Windows\WindowsUpdate
    Value Name SetProxyBehaviorForUpdateDetection
    Value Type REG_DWORD
    Value 0
  2. Allow user proxy to be used as a fallback if detection using system proxy fails
    Registry Hive HKEY_LOCAL_MACHINE
    Registry Path Software\Policies\Microsoft\Windows\WindowsUpdate
    Value Name SetProxyBehaviorForUpdateDetection
    Value Type REG_DWORD
    Value 1

windowsupdate.admx

How do I change Specify intranet Microsoft Update service location?

Specify intranet Microsoft Update service location.
In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update..
In the details pane, click Specify Intranet Microsoft update service location..
Click OK..

How do I turn off Windows Server Update Service?

To disable the Automatic Updates for Windows Servers and Workstations manually, follow the steps given below:.
Click start>Settings>Control Panel>System..
Select the Automatic Updates tab..
Click Turn off Automatic Updates..
Click Apply..
Click OK..

How do I opt out of Microsoft updates?

To stop using the Microsoft Update Web site and start using the Windows Update Web site, follow these steps: On the Microsoft Update site, click Change Settings. Scroll down the page, click to select the Disable Microsoft Update software and let me use Windows Update only check box, and then click Apply changes now.

How do I change my WSUS Update location?

To change the location of local WSUS update storage.
Open a command shell..
Navigate to the directory that contains WSUSutil.exe: cd WSUSInstallationDirectory**\Tools**..
Type the following command: wsusutil.exe movecontent contentpath logfile [-skipcopy] For example, type: wsusutil.exe movecontent D:\WSUS1\ D:\move.log..