How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy

Let’s discuss how to Control Public Update Service and Microsoft Store Access with WSUS via the Intune Settings Catalog Policy. The “Allow Update Service” setting is in the Windows Update for Business category.

It lets you control whether devices can use Microsoft’s update services to download and install updates. This setting helps ensure devices stay updated while allowing administrators to manage how updates are delivered.

This setting controls whether a device can use services like Microsoft Update, WSUS (Windows Server Update Services), or the Microsoft Store. Even if the device is set to get updates from an intranet update service, it occasionally connects to the public Windows Update service to ensure future updates and services work.

This post explains how to manage access to public update services and the Microsoft Store using WSUS, which is configured through the Intune Settings Catalog Policy. It provides all the details you need to control these services effectively.

Patch My PC

Manage Updates Offered by Windows Server Update Service

The AllowUpdateService Windows CSP controls whether a device can use Microsoft Update, WSUS, or the Microsoft Store. Even when updates are managed through an intranet service, the device may connect to the public Windows Update service to support future updates and services.

  • Windows CSP policies help you manage settings on Windows 10 and newer devices through MDM tools like Intune. These settings are applied using OMA-URI.

./Device/Vendor/MSFT/Policy/Config/Update/AllowUpdateService

Adaptiva
Property NameProperty Value
Formatint
Access TypeAdd, Delete, Get, Replace
Default Value1
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Table 1
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy - Fig.1
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Fig.1

Control Public Update Service and Microsoft Store Access

If you enable this policy, the device will not connect to public services like the Microsoft Store, which might cause those services to stop working. Note: This policy only applies if the device is set to use an intranet update service through the “Specify intranet Microsoft update service location” policy.

  • Log in to Microsoft Intune and set up a Configuration Profile.
  • Navigate to Devices > Windows > Configuration Profiles, then select Create Profile.
  • Choose Windows 10 and later as the platform and Settings Catalog as the profile type.
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy - Fig.2
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Fig.2

Allow Update Service

Here, you need to provide the policy name and description. The policy is Allow Update Service, and the description is How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy.

How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy - Fig.3
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Fig.3

Windows Update for Business

Navigate to the Configuration settings and click +Add settings. Use the search bar to find Windows Update for Business and select it from the list. This category contains 77 settings related to Windows updates. To block the Allow Update Service policy, check the box next to its name, as shown in the screenshot below.

How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy - Fig.4
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Fig.4

Block Allow Update Service

Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update and other services like Microsoft Update or the Microsoft Store.

Enabling this policy will disable that functionality and may cause connections to public services, such as the Microsoft Store, to stop working. This policy applies only when the desktop or device is configured to connect to an intranet update service using the Specify intranet Microsoft update service location policy.

Policy NameAllowBlock
Allow Update ServiceToggle the pane to the Right sideToggle the pane to the Left side
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Table 2
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy - Fig.5
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Fig.5

Scope Tag and Assignments Tab

In Intune, a Scope Tag helps organize and manage devices, apps, or policies by grouping them based on your organisation’s teams, regions, or departments. The Assignment Tab allows you to assign a policy, app, or configuration to specific users or devices.

How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy - Fig.6
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Fig.6

Review + Create Tab

The Review + Create tab in Intune is the last step in setting up a policy, app, or configuration. It provides a summary of all the settings you have configured. If everything looks correct, click Create to finalise.

How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy - Fig.7
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Fig.7

Policy Created

The Allow Update Service policy was successfully created, as confirmed by the notification in the screenshot below. The Device and User Check-in Status shows that one device has successfully applied the policy.

How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy - Fig.8
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Fig.8

Client Side Verification

Event IDs 813 and 814 indicate the successful application of string or integer policies, like Block Allow Update Service, in Windows Update for Business. To verify this, navigate to the Event log path: Applications and Services Logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin.

MDM PolicyManager: Set policy int, Policy: (AllowUpdateService), Area: (Update), EnrollmentID requesting merge: (B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User: (Device), Int: (0x0), Enrollment Type: (0x6), Scope: (0x0).

How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy - Fig.9
How to Control Public Update Service and Microsoft Store Access with WSUS via Intune Settings Catalog Policy – Fig.9

Need Further Assistance or Have Technical Questions?

Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.