@Bill Fry
Thank you for posting in Microsoft Q&A forum and you are in the right place.
You may check whether you have configured any group policy for WUfB. The WUfB setting will enable our clients to also reach out to Microsoft Update online to fetch updates, bypassing our WSUS/SCCM endpoint. Also check whether your "Do not allow update deferral policies to cause scans against Windows Update" policy has been enabled.
For more details, you may refer to the link below:
https://techcommunity.microsoft.com/t5/configuration-manager-archive/using-configmgr-with-windows-10-wufb-deferral-policies/ba-p/274278
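The check suggested in the answer above can be scripted. This is an added example, not part of the original answer or of any Microsoft tooling. It assumes the policies were delivered by Group Policy and therefore live under the standard `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` key; the function names and the sample WSUS URL are hypothetical.

```powershell
# Added example: flags the WSUS + WUfB deferral combination that lets a client
# scan against Windows Update online instead of only the WSUS/SCCM endpoint.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Registry values written by the WUfB deferral Group Policy settings.
$DeferralNames = 'DeferFeatureUpdates', 'DeferQualityUpdates',
                 'DeferFeatureUpdatesPeriodInDays', 'DeferQualityUpdatesPeriodInDays'

# Hypothetical helper: read every value under a policy key into a hashtable.
function Get-PolicyValues {
    param([string]$Path)
    $values = @{}
    if (Test-Path $Path) {
        $item = Get-Item -Path $Path
        foreach ($name in $item.GetValueNames()) { $values[$name] = $item.GetValue($name) }
    }
    return $values
}

# Hypothetical helper: evaluate the policy values for the dual-scan condition.
function Test-DualScanRisk {
    param([hashtable]$Wu, [hashtable]$Au)
    # Assumption: any deferral value that is present counts as "WUfB configured".
    $deferrals = @($DeferralNames | Where-Object { $Wu.ContainsKey($_) })
    $usesWsus  = ($Au['UseWUServer'] -eq 1) -and [bool]$Wu['WUServer']
    # DisableDualScan = 1 is what the "Do not allow update deferral policies
    # to cause scans against Windows Update" policy writes.
    $blocked   = ($Wu['DisableDualScan'] -eq 1)
    [pscustomobject]@{
        UsesWsus           = $usesWsus
        DeferralPolicies   = $deferrals -join ', '
        DisableDualScan    = $blocked
        ScansWindowsUpdate = $usesWsus -and ($deferrals.Count -gt 0) -and -not $blocked
    }
}

# Constructed sample: WSUS configured, quality deferral set, dual-scan block absent.
$sampleWu = @{ WUServer = 'http://wsus.example.local:8530'
               DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 7 }
$sampleAu = @{ UseWUServer = 1 }
Test-DualScanRisk -Wu $sampleWu -Au $sampleAu

# Live check against the local machine's Group Policy registry keys.
Test-DualScanRisk -Wu (Get-PolicyValues $WuKey) -Au (Get-PolicyValues "$WuKey\AU")
```

Policies delivered through MDM are stored elsewhere and are not covered by this check.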