🟑 Medium   ⏱ 5–30 min  Last verified: 05 June 2027
Affected versions: Windows Server 2012 R2

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution β€” Primary Fix
  7. Solution β€” Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Servers enrolled with both Intune and on-premises WSUS report scan failures and skip approved updates.

Environment & Reproduction

Reproduces when Intune update ring policy and legacy WSUS GPO are both applied to the same Windows Server 2012 R2 host.

Get-MpPreference
Get-ItemProperty 'HKLM:SOFTWAREPoliciesMicrosoftWindowsWindowsUpdate'

Root Cause Analysis

Conflicting policies leave the update agent uncertain which source to use, resulting in cancelled scans and reporting drift.

Quick Triage

Audit applied MDM and GPO update policies on the affected device.

Get-WUSettings
Get-MpComputerStatus

Step-by-Step Diagnosis

Inspect WindowsUpdateClient operational log for policy conflict events.

Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -MaxEvents 50
Illustrative mockup for windows-server-2012-r2 β€” terminal_or_powershell
Diagnostic output for packaging/wufb-enrollment-conflict β€” Illustrative mockup β€” Progressive Robot

Solution β€” Primary Fix

Choose a single update authority by removing the conflicting policy and forcing a fresh detection cycle.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

# Remove WSUS settings from GPO or Intune profile
Remove-ItemProperty 'HKLM:SOFTWAREPoliciesMicrosoftWindowsWindowsUpdate' WUServer
Restart-Service wuauserv
usoclient StartScan
Illustrative mockup for windows-server-2012-r2 β€” update_history
Resolution for packaging/wufb-enrollment-conflict β€” Illustrative mockup β€” Progressive Robot

Solution β€” Alternative Approaches

Use the WUfB Group Policy CSP exclusively when migrating off WSUS gradually.

# Configure SetPolicyDrivenUpdateSourceForFeatureUpdates

Verification & Acceptance Criteria

Get-WUHistory shows successful scans against the chosen authority only.

Get-WUHistory -Last 10

Rollback Plan

Reapply WSUS GPO link if the WUfB-only path causes outages during transition.

# Re-link WSUS GPO to OU

Prevention & Hardening

Document a single update authority per OU and use deployment tools to enforce one source.

gpresult /scope:computer /v

Related: dual-scan deprecation, Configuration Manager co-management drift, and dashboard compliance gaps.

Related tutorial: View the step-by-step tutorial for Windows Server 2012 R2.

View all Windows Server 2012 R2 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn guidance on Windows Update for Business and migration from WSUS.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.