locked
Win 10 Clients Update via Internet - Despite WSUS configuration RRS feed

  • Question

  • Hi there,

    Yesterdays Cummulative Updates are getting installed on my Win10 Clients (1703 and 1607), I do have WSUS configured and after todays (!) Sync the Updates are available but are not approved.

    Why are the Clients still automatically receiving and installing the most current CU? Shouldn't they connect to WSUS first to See if the Update is available? Interesting side note, I did approve last months 2nd CU (14393.1378) which my Clients mostly ignored.

    I need to have at least some control over this. Any Help or suggestion is Welcome.

    Thanks,

     

     

    The Setup

    WSUS installed on Server 2012 R2

    Clients configured via GPO (Intranet Update Service set to: [myserver] Set alternate download Server [empty] Automatic Updates [enabled])

    Windows Components Delivery Optimization, download Mode Group, is in use



    • Edited by schlieber Wednesday, July 12, 2017 12:55 PM
    Wednesday, July 12, 2017 12:54 PM

All replies

  • Have you examined the WindowsUpdates.log on the client?  Maybe it can give us some clues.

    Also take a loot at the registry keys for Windows Updates

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 13, 2017 8:05 AM
  • Hi,

    thanks for your reply.

     

    I just looked at the Logfile. As far as I can tell, it does connect to the WSUS Instance and the Internet simultaneously. When it finds something online it just goes ahead and installs it.

    This is the first mention of the KB in the Logfile.

    2017.07.12 07:51:30.5107262 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:30.510 [agent]  Title = 2017-07 Kumulatives Update f??r Windows 10 Version 1703 f??r x64-basierte Systeme (KB4025342)
    2017.07.12 07:51:30.5107292 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:30.510 [agent]  UpdateId = 25ACAE93-40D4-4E62-814C-EFB2F29F1BCA.200
    2017.07.12 07:51:30.5107295 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:30.510 [agent]    Bundles 1 updates:
    2017.07.12 07:51:30.5107319 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:30.510 [agent]      DB5F0AA0-CC52-4067-9FA4-F42095A8FC31.200
    2017.07.12 07:51:30.5107703 10544 18316                 Unknown( 196): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:30.5285807 10544 18316                 Unknown( 196): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:30.5398927 10544 18316 DownloadManager [0]2930.478C::07/12/2017-07:51:30.539 [agent]Regulation Refresh Svc: {7971F918-A847-4430-9279-4A52D1EFE18D}
    2017.07.12 07:51:30.5401860 10544 18316 DownloadManager [0]2930.478C::07/12/2017-07:51:30.540 [agent]Contacting regulation server for 6 updates.
    2017.07.12 07:51:30.5401896 10544 18316 IdleTimer       [0]2930.478C::07/12/2017-07:51:30.540 [agent]WU operation (Regulator Refresh) started; operation # 136; does<NULL> use network; is<NULL> at background priority<NULL>
    2017.07.12 07:51:30.5613901 10544 18316 Misc            [0]2930.478C::07/12/2017-07:51:30.561 [endpointproviders]Failed to obtain 7971F918-A847-4430-9279-4A52D1EFE18D redir Regulation (Enhanced) URL, error = 0x80245002
    2017.07.12 07:51:30.5790968 10544 18316 Misc            [0]2930.478C::07/12/2017-07:51:30.579 [endpointproviders]Got 7971F918-A847-4430-9279-4A52D1EFE18D redir Regulation URL: https://fe2.update.microsoft.com/v6/UpdateRegulationService/UpdateRegulation.asmx""
    2017.07.12 07:51:30.5791704 10544 18316 DownloadManager [0]2930.478C::07/12/2017-07:51:30.579 [agent]Regulation server path: https://fe2.update.microsoft.com/v6/UpdateRegulationService/UpdateRegulation.asmx.
    2017.07.12 07:51:30.5976282 10544 18316 Misc            [0]2930.478C::07/12/2017-07:51:30.597 [endpointproviders]Got 7971F918-A847-4430-9279-4A52D1EFE18D redir Client/Server URL: https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx""
    2017.07.12 07:51:30.5977145 10544 18316 ProtocolTalker  [0]2930.478C::07/12/2017-07:51:30.597 [agent]OK to reuse existing configuration
    2017.07.12 07:51:30.5977166 10544 18316 ProtocolTalker  [0]2930.478C::07/12/2017-07:51:30.597 [agent]Existing cookie is valid, just use it
    2017.07.12 07:51:30.5977427 10544 18316 WebServices     [0]2930.478C::07/12/2017-07:51:30.597 [webserviceinfra]Auto proxy settings for this web service call.
    2017.07.12 07:51:31.0371277 10544 18316 IdleTimer       [0]2930.478C::07/12/2017-07:51:31.037 [agent]WU operation (Regulator Refresh, operation # 136) stopped; does<NULL> use network; is<NULL> at background priority<NULL>
    2017.07.12 07:51:31.0371349 10544 18316 DownloadManager [0]2930.478C::07/12/2017-07:51:31.037 [agent]  Refresh Interval: 76
    2017.07.12 07:51:31.0371355 10544 18316 DownloadManager [0]2930.478C::07/12/2017-07:51:31.037 [agent]  Global CDN property: NULL
    2017.07.12 07:51:31.0371373 10544 18316 DownloadManager [0]2930.478C::07/12/2017-07:51:31.037 [agent]  Low: 10000
    2017.07.12 07:51:31.0371379 10544 18316 DownloadManager [0]2930.478C::07/12/2017-07:51:31.037 [agent]  Normal: 10000
    2017.07.12 07:51:31.0371382 10544 18316 DownloadManager [0]2930.478C::07/12/2017-07:51:31.037 [agent]  High: 10000
    2017.07.12 07:51:31.0371562 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:31.037 [agent]Adding timer:
    2017.07.12 07:51:31.0371652 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:31.037 [agent]    Timer: 7971F918-A847-4430-9279-4A52D1EFE18D, Expires 2017-07-12 07:07:31, not idle-only, <NULL>network-only
    2017.07.12 07:51:31.0438972 10544 18316 DownloadManager [0]2930.478C::07/12/2017-07:51:31.043 [agent]Regulation call complete. 0x00000000
    2017.07.12 07:51:31.1038457 10544 18316                 Unknown( 151): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.1293496 10544 18316                 Unknown( 65): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.1301713 10544 18316                 Unknown( 180): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.1524418 10544 18316                 Unknown( 65): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.1531449 10544 18316                 Unknown( 180): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.1776452 10544 18316                 Unknown( 65): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.1779180 10544 18316                 Unknown( 180): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.2296682 10544 18316                 Unknown( 135): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.2681493 10544 18316 Handler         [0]2930.478C::07/12/2017-07:51:31.268 [lib]Loaded state: cCompleteIterations: 0, pt: Unknown, nNextRequestID: 0.
    2017.07.12 07:51:31.2713358 10544 18316 Reporter        [0]2930.478C::07/12/2017-07:51:31.271 [reporting]Successfully combined bundle event with update event
    2017.07.12 07:51:31.2966957 10544 18316                 Unknown( 180): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.2969607 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:31.296 [agent]Effective power state: AC; IsOnAC: Yes.
    2017.07.12 07:51:31.2969647 10544 18316 IdleTimer       [0]2930.478C::07/12/2017-07:51:31.296 [agent]WU operation (DL.UpdateOrchestrator, operation # 135) stopped; does<NULL> use network; is<NULL> at background priority<NULL>
    2017.07.12 07:51:31.2969674 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:31.296 [agent]Released network PDC reference for callId {B1E5F6A7-6900-45DF-93D1-2AF71CF091A4}; ActivationID: 135
    2017.07.12 07:51:31.2969716 10544 18316 IdleTimer       [0]2930.478C::07/12/2017-07:51:31.296 [agent]WU operation (DL.UpdateOrchestrator) started; operation # 137; does<NULL> use network; is<NULL> at background priority<NULL>
    2017.07.12 07:51:31.2969722 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:31.296 [agent]Obtained a network PDC reference for callID {B1E5F6A7-6900-45DF-93D1-2AF71CF091A4} with No-Progress-Timeout set to 4294967295; ActivationID: 137.
    2017.07.12 07:51:31.2971957 10544 12864 Agent           [0]2930.3240::07/12/2017-07:51:31.297 [agent]WU client calls back to download call {B1E5F6A7-6900-45DF-93D1-2AF71CF091A4} with code Call progress and error 0
    2017.07.12 07:51:31.2976756 10544 5248                  Unknown( 356): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.2982395 10544 5248                  Unknown( 180): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.2993708 10544 18316                 Unknown( 220): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.2993753 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:31.299 [agent]Effective power state: AC; IsOnAC: Yes.
    2017.07.12 07:51:31.2993801 10544 18316 IdleTimer       [0]2930.478C::07/12/2017-07:51:31.299 [agent]WU operation (DL.UpdateOrchestrator) started; operation # 138; does<NULL> use network; is<NULL> at background priority<NULL>
    2017.07.12 07:51:31.2993813 10544 18316 Agent           [0]2930.478C::07/12/2017-07:51:31.299 [agent]Obtained a network PDC reference for callID {C4CE363B-51D4-4741-918E-9B56A8010CF9} with No-Progress-Timeout set to 4294967295; ActivationID: 138.
    2017.07.12 07:51:31.3052913 10544 18316                 Unknown( 214): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.3052946 10544 18316                 Unknown( 215): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).
    2017.07.12 07:51:31.3052949 10544 18316                 Unknown( 216): GUID=088fe27a-0de7-3f2a-edcd-6d9a14ce6653 (No Format Information found).

    These are the settings in the Registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http://server:8530"
    "WUStatusServer"="http:/server:8530"
    "UpdateServiceUrlAlternate"=""
    "SetActiveHours"=dword:00000001
    "ActiveHoursStart"=dword:00000007
    "ActiveHoursEnd"=dword:00000014
    "SetRestartWarningSchd"=dword:00000001
    "ScheduleRestartWarning"=dword:00000004
    "ScheduleImminentRestartWarning"=dword:0000001e
    "SetAutoRestartRequiredNotificationDismissal"=dword:00000001
    "AutoRestartRequiredNotificationDismissal"=dword:00000002
    "TargetGroupEnabled"=dword:00000001
    "TargetGroup"="Auto-Install"
    "SetAutoRestartNotificationConfig"=dword:00000001
    "AutoRestartNotificationStyle"=dword:00000001
    "AutoRestartNotificationSchedule"=dword:0000003c
    "DeferFeatureUpdates"=dword:00000001
    "BranchReadinessLevel"=dword:00000020
    "DeferFeatureUpdatesPeriodInDays"=dword:0000005a
    "PauseFeatureUpdatesStartTime"=""
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoRebootWithLoggedOnUsers"=dword:00000000
    "AUPowerManagement"=dword:00000001
    "UseWUServer"=dword:00000001
    "NoAutoUpdate"=dword:00000000
    "AUOptions"=dword:00000004
    "ScheduledInstallDay"=dword:00000004
    "ScheduledInstallTime"=dword:00000013
    "AllowMUUpdateService"=dword:00000001
    "DetectionFrequencyEnabled"=dword:00000001
    "DetectionFrequency"=dword:00000010
    "AutomaticMaintenanceEnabled"=dword:00000001

    Thursday, July 13, 2017 12:00 PM
  • If Clients configured via GPO, only when the user manual trigger updates,  the clients will connect to internet.

    You could use the following registry to block the access internet.

    WSUS registry keys for Internet Communication

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate

    Entry name Data type Corresponding Group Policy Setting Values
    DisableWindowsUpdateAccess Reg_DWORD Turn off access to all Windows Update features 1 = Enabled. All Windows Update features are removed. This includes blocking access to the Windows Update website at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update website.
    0 = Disabled or not configured. Users will be able to access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 14, 2017 2:25 AM