Our Windows 10 Enterprise PCs were getting updates directly from the Internet saturating our pipe.
To stop this behavior we had to block a range of WindowsUpdate IP at the firewall but later just stopped the Windows Update service on every Windows 10 1607 PC.
We are using SCCM 1610 (WSUS installed same server) - Windows 7 PCs not a problem just Windows 10.
By doing an RSOP to a workstation, the Specify Intranet Microsoft Update Service Location points to http://server.contosto.com:8530, our GPOs are the following:
Administrative Templates/Windows Components/Windows Update/Defer Windows Update/Defer
Select when Feature Updates are received - Enabled - 180 days
Administrative Templates/Windows Components/Delivery Optimization
Download mode - bypass
Under Settings, Choose how updates are delivered - When this is turned on, your pc ... that settings is gray out, PCs on my local network and PCs on my local network and PCs on the Internet nothing (no option selected.)
How do you stop from Windows 10 1607 to get updates to the Internet? What am I missing? That shouldn't be the behavior, we like to control when updates are delivered.