How to Configure Signed Updates from an Intranet Microsoft Update Service Location

Enable it to ensure updates are installed from the internal network

Reading time icon 4 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Allow signed updates from an intranet Microsoft update security

Signed updates are important as they verify the authenticity and source of updates before being installed on devices.

For companies with internal networks, managing updates via an intranet Microsoft update service location provides security benefits and control over the update distribution process. Let’s learn more about it.

What is the Intranet Microsoft Update Service Location?

An intranet Microsoft update service location is a centralized server within an organization’s internal network that hosts and distributes Microsoft updates. It allows companies to manage and control the deployment of updates independently of external servers.

The Allow signed updates from an intranet Microsoft update service location policy specifies whether the automatic updates will allow installation of updates signed by entities other than Microsoft, specifically when these updates are to be installed from an intranet Microsoft update service location. The policy is still supported on Windows operating systems under the Microsoft Product Support Lifecycle.

How does the policy work?

The Allow signed updates from an intranet Microsoft update service location policy setting enables administrators to manage whether Automatic updates allow updates signed by any entity other than Microsoft when those updates are located on an intranet Microsoft update service location.

It is important to note that updates from sources except the intranet Microsoft update service must always be signed by Microsoft. Also, remember this policy doesn’t support Windows RT therefore, it will not affect any Windows RT computer.

How can I enable the policy?

  1. Press Windows + R to open the Run window.GPEDIT MSC RUN - allow signed updates from an intranet microsoft update service location
  2. Type gpedit.msc and click OK to open the Group Policy Editor.
  3. Navigate to this path: Computer Configuration\Administrative Templates\Windows Components\Windows update\Manage updates offered from Windows Server Update Service\Allow signed updates from an intranet Microsoft update service location
  4. Double-click the Allow signed updates from an intranet Microsoft update service location policy to open its properties.allow signed updates from an intranet microsoft update service location
  5. If you click on Enabled, the automatic updates allow updates to be received via an intranet Microsoft update service location.Enabled -
  6. However, if you disable or don’t configure this policy setting, the updates from an intranet Microsoft update service location must be signed by Microsoft.

Here is the table from Microsoft Learn defining the meaning of the options available within the policy:

Policy setting stateBehavior
Not ConfiguredSpecifies that updates from an intranet Microsoft update service location must be signed by Microsoft.
EnabledSpecifies that automatic updates accept updates received through an intranet Microsoft update service location if they’re signed by a certificate found in the local computer’s Trusted Publishers certificate store.
DisabledSpecifies that updates from an intranet Microsoft update service location must be signed by Microsoft.

What are the best practices for managing signed updates from an intranet Microsoft update service location?

  • Maintain update repository integrity – Update regularly and secure the intranet server hosting Microsoft updates to avoid unauthorized access.
  • Policy review and updates – Review and update your update policies periodically to adhere to the current security and regulatory requirements.
  • Testing and deployment – Always test the updates in a controlled environment to avoid potential issues while deploying them to production environments.

To conclude, the Allow signed updates from an intranet Microsoft update service location policy helps organizations maintain control over update distribution and safeguard against potential security threats due to unauthorized updates.

If you encounter any issues while applying a policy in Group Policy Editor, here is a quick guide to help you fix the problem.

Also, in case you are getting this program blocked by a Group Policy error, you need to fix it by disabling the software restriction policy; read this guide to learn more.

If you have any questions or suggestions about the policy, please mention them in the comments section below.

More about the topics: windows 10, Windows 11

User forum

0 messages