clients connecting to windows update and ignoring WSUS ?

  • Question

  • Hi

    We installed a WSUS server and we applied the policy by GPO using the registry, but we are monitoring and noticed that computers are connecting to IPs from Microsoft, still consuming bandwidth.

    We know that the policy is applied since we see the computers are shown in the WSUS and locally the Windows Update screen shows the message that it is managed by the system administrator.

    I understand (if I'm right) that if the computer connects to the server it shouldn't connect to the Microsoft servers to search for updates.


    This is the .reg we are applying to the computers:


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] 
    "AcceptTrustedPublisherCerts"=dword:00000001 
    "ElevateNonAdmins"=dword:00000001 
    "TargetGroup"="Corporacion" 
    "TargetGroupEnabled"=dword:00000001 
    "WUServer"="http://internal-ip"; 
    "WUStatusServer"="internal-ip";

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 
    "AUOptions"=dword:00000004 
    "AUPowerManagement"=dword:00000001 
    "AutoInstallMinorUpdates"=dword:00000001 
    "DetectionFrequency"=dword:0000000a 
    "DetectionFrequencyEnabled"=dword:00000001 
    "IncludeRecommendedUpdates"=dword:00000001 
    "NoAUAsDefaultShutdownOption"=dword:00000001 
    "NoAUShutdownOption"=dword:00000001 
    "NoAutoRebootWithLoggedOnUsers"=dword:00000001 
    "NoAutoUpdate"=dword:00000000 
    "RebootRelaunchTimeout"=dword:0000000f 
    "RebootRelaunchTimeoutEnabled"=dword:00000001 
    "RescheduleWaitTime"=dword:0000000a 
    "RescheduleWaitTimeEnabled"=dword:00000001 
    "ScheduledInstallDay"=dword:00000000 
    "ScheduledInstallTime"=dword:00000009 
    "UseWUServer"=dword:00000001

    Tuesday, June 16, 2015 3:14 PM
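A lint pass over a WSUS policy .reg like the one posted above, as an added example that is not part of the original thread. It encodes rules from Microsoft's Windows Update policy documentation: `WUServer` and `WUStatusServer` must both be http(s) URLs set to the same value, and `WUServer` is only honored when `AU\UseWUServer` is 1. The function names `parse_reg` and `lint_wsus` are made up here, and text after a value's closing quote is flagged for review without any claim about how regedit treats it.

```python
import re

# Constructed sample mirroring the WSUS values in the posted .reg ("internal-ip" is the poster's placeholder).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://internal-ip";
"WUStatusServer"="internal-ip";

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
'''

WU = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate"
LINE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<s>[^"]*)"|dword:(?P<d>[0-9a-fA-F]{8}))(?P<rest>.*)$')

def parse_reg(text):
    """Return ({(key, name): value}, [names with trailing text after the value])."""
    values, trailing, key = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := LINE.match(line)):
            val = m["s"] if m["s"] is not None else int(m["d"], 16)
            values[(key, m["name"].lower())] = val
            if m["rest"].strip():
                trailing.append(m["name"])
    return values, trailing

def lint_wsus(text):
    """Check the settings that decide whether a client is pointed at WSUS."""
    values, trailing = parse_reg(text)
    findings = [f"{n}: unexpected text after the value" for n in trailing]
    server = values.get((WU, "wuserver"))
    status = values.get((WU, "wustatusserver"))
    for name, url in (("WUServer", server), ("WUStatusServer", status)):
        if not isinstance(url, str) or not re.match(r"https?://[^/\s]+", url, re.I):
            findings.append(f"{name}: not an http(s) URL ({url!r})")
    if server != status:
        findings.append("WUServer and WUStatusServer differ")
    if values.get((WU + r"\au", "usewuserver")) != 1:
        findings.append("AU\\UseWUServer is not 1, so WUServer is not used")
    return findings

if __name__ == "__main__":
    for f in lint_wsus(SAMPLE_REG):
        print("FINDING:", f)
```

Run it against the file that is actually deployed rather than a copy pasted from a web page, since forum rendering can alter quoted values.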

All replies

  • Is there a reason you're applying policies using a .reg file and direct Registry modifications, rather than the Windows Updates Group Policy Administrative templates?

    Additionally, is there a reason you are specifying a WSUS host with an IP address rather than a FQ host name?

    When you say, "we are monitoring and noticed that computers are connecting to IPs from Microsoft, still consuming bandwidth" - how is that monitoring being carried out, and how confident are you that you are looking at requests coming directly from a client computer that definitely has the policy applied?

    Have you reviewed the Windows Update log on a client with policy applied?

    Have you done an RSOP to make sure the policy is definitely applied?

    Tuesday, June 16, 2015 4:32 PM
  • Use RSOP to determine if the policy is actually applying.

    I understand that the computers are showing up in WSUS but this only means the registry entry for the WSUS server is present, not that the policy for actually using it is present.

    Tuesday, June 16, 2015 5:10 PM
  • Using RSOP shows that the .reg has been applied, and gpresult shows the same thing:

    Regedit.exe /s WSUS.REG Not configured OCSHQ

    Tuesday, June 16, 2015 6:45 PM
  • Is there a reason you're applying policies using a .reg file and direct Registry modifications, rather than the Windows Updates Group Policy Administrative templates?

    Additionally, is there a reason you are specifying a WSUS host with an IP address rather than a FQ host name?

    When you say, "we are monitoring and noticed that computers are connecting to IPs from Microsoft, still consuming bandwidth" - how is that monitoring being carried out, and how confident are you that you are looking at requests coming directly from a client computer that definitely has the policy applied?

    Have you reviewed the Windows Update log on a client with policy applied?

    Have you done an RSOP to make sure the policy is definitely applied?

    1. I'm using a .reg to apply the policy to only one OU; we have about 8 different OUs and we only need to apply this to one OU without using the Computers container.

    2. No reason why I didn't use a host name; I should change it later, as soon as I add the IP to the DNS.

    3. We use PacketShaper to trace the clients and we see them connecting to Microsoft.

    4. Will check the logs.

    5. Yes, I see in the local computer that the policy that the .reg, maybe I'm missing something here, I guess with the registry added is enough.

    Thanks for the help


    Tuesday, June 16, 2015 6:55 PM
  • 1. Follow the install and configuration guides. Do not do any experiments beyond the frames of standard setup. WSUS works fine when you follow the rules.

    2. Remember that WSUS processes are "long distance" ones. I mean, wait a bit.

    3. You can group computers into OUs according to various parameters. Apply GPO to OU.

    4. I let the computers start up at night (from BIOS), made updates and shut down all computers. Frequency was set to one update a day.

    5. For troubleshooting use reports from WSUS, the WindowsUpdate log and Event Viewer logs.

    6. Do not forget that you should synchronize before you can finish configuration.

    7. Your input info is not complete. Publish your GPO settings.

    Regards

    Milos

    Tuesday, June 16, 2015 7:13 PM