One of the scenarios we are often asked about at the events we support is "why are my Windows 10 clients going to Windows Update instead of WSUS?", and previously I've pointed people to the Demystifying "Dual Scan" post from the WSUS Product Team Blog. They've just put up a new post Improving Dual Scan on 1607 which is being released as part of the August cumulative update.
This update is also being rolled into 1703, and is already part of 1709. Right now the support is for Group Policy, with MDM support coming later this year. Jump to their blog post to get the full details of this update, but here's their description of how dual scan works with this policy...
In order for Dual Scan to be enabled, the Windows Update client now also requires that the "Do not allow update deferral policies to cause scans against Windows Update" is not configured. In other words, if this policy is enabled, then changing the deferral policies in a WSUS environment will not cause Dual-Scan behavior. This allows enterprise administrators to mark their machines as "Current Branch for Business," and to specify that feature updates should not be delivered before a certain amount of days, without worrying that their clients will start scanning Windows update unbidden. This means that usage of deferral policies is now supported in the on-premises environment. While the new policy (dubbed "Disable Dual Scan") is enabled, any deferral policies configured for that client will apply only to ad hoc scans against Windows Update, which are triggered by clicking "Check online for updates from Microsoft Update"
They then go on to discuss five of the common update management scenarios, and how they should be updated for use with this policy...
Windows updates from WU, non-Windows content from WSUS
Windows updates from WSUS, blocking WU access entirely
Windows updates from WU, not using WSUS at all
Windows updates from WSUS, supplemental updates from WU
Windows updates from Configuration Manager, supplemental updates from WU