Prevent Online Windows Updates

  • Question

  • Hi,

    We have a number of domain computers that seem to download Windows updates directly from Microsoft when they are off our local network, i.e. home network or mobile networks. We have deployed WSUS and the relevant GPOs to ensure the machines are targeted in the policies. Have also verified the WSUS settings exist in the registry, etc.

    How can we make sure clients are unable to use Microsoft Updates directly?

    Regards
    Peter Guest


    Office Server Addict

    Friday, May 6, 2016 10:39 AM

Answers

  • Your logfile shows an unexpected file:

    2016-05-07 19:17:28:890 3144 1dd0 Misc =========== Logging initialized (build: 7.8.9200.17185, tz: +0200)
    ===========
    2016-05-07 19:17:28:890 3144 1dd0 Misc =Process:C:\Windows\System32\AutoUpdate.exe

    I don't have this file, and I can't recall ever seeing it on any systems.

    A quick web search suggests that it isn't a Microsoft component. Do you have some other software (or perhaps malware) there?


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    Thursday, May 12, 2016 9:48 AM

All replies

  • On 06.05.2016 Peter Guest wrote:

    We have a number of domain computers that seem to download Windows updates directly from Microsoft when they are off our local network, i.e. home network or mobile networks. We have deployed WSUS and the relevant GPOs to ensure the machines are targeted in the policies. Have also verified the WSUS settings exist in the registry, etc.

    How can we make sure clients are unable to use Microsoft Updates directly?

    Can users search for Windows updates themselves? If yes, there is a user
    setting: Remove all Windows Update Functions. After you set this to
    true, users cannot manually search for Windows updates online or in WSUS.

    Are these clients W10 clients?
    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    Friday, May 6, 2016 12:52 PM
  • Hi,

    Users can search for updates from within Control Panel, however I am pretty certain it is not "initiated" by the user using this method.  It seems like it does it automatically in the background.  

    Regards
    Peter


    Office Server Addict

    Friday, May 6, 2016 1:18 PM
  • I forgot to add this seems to mostly happen on Windows 8/8.1.   We don't run any Windows 10 just yet.

    Office Server Addict

    Friday, May 6, 2016 1:29 PM
  • On 06.05.2016 Peter Guest wrote:

    Users can search for updates from within Control Panel, however I am pretty certain it is not "initiated" by the user using this method.  It seems like it does it automatically in the background.  

    I've never seen WU automatically search WU Online directly. Why
    are you so sure? Did you see anything in %windir%\WindowsUpdate.log?

    Winfried



    Friday, May 6, 2016 5:31 PM
  • Hi Peter,

    As Winfried suggested, check the Windows Update log to confirm whether the clients really update online.

    Besides, check the registry key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU to see if the key "UseWUServer" is set to "1".

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, May 9, 2016 6:20 AM
  • Hi,

    I have confirmed that the user's reg key "UseWUServer" is set to "1". Below is an extract from WindowsUpdate.log from 2016-05-07. The user did not connect to our VPN, so how does it download from our internal WSUS server? I can also see on the user's mobile data card that 250 MB was downloaded from bg.v4.db.dl.ws.microsoft.com, using a reporting tool on our Mobile Data APN.

    2016-05-07	19:11:52:248	 432	1640	Misc	===========  Logging initialized (build: 7.8.9200.17185, tz: +0200)  ===========
    2016-05-07	19:11:52:467	 432	1640	Misc	  = Process: C:\Windows\system32\svchost.exe
    2016-05-07	19:11:52:467	 432	1640	Misc	  = Module: c:\windows\system32\wuaueng.dll
    2016-05-07	19:11:52:232	 432	1640	Service	*************
    2016-05-07	19:11:52:467	 432	1640	Service	** START **  Service: Service startup
    2016-05-07	19:11:52:467	 432	1640	Service	*********
    2016-05-07	19:11:53:295	 432	1640	Agent	  * WU client version 7.8.9200.17185
    2016-05-07	19:11:53:545	 432	1640	Agent	  * Base directory: C:\Windows\SoftwareDistribution
    2016-05-07	19:11:53:545	 432	1640	Agent	  * Access type: No proxy
    2016-05-07	19:11:53:560	 432	1640	Service	UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
    2016-05-07	19:11:53:560	 432	1640	Service	UpdateNetworkState Ipv4, cNetworkInterfaces = 0.
    2016-05-07	19:11:53:560	 432	1640	Agent	  * Network state: Disconnected
    2016-05-07	19:11:53:670	 432	1640	Service	UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
    2016-05-07	19:11:53:670	 432	1640	Service	UpdateNetworkState Ipv4, cNetworkInterfaces = 0.
    2016-05-07	19:11:56:076	 432	1640	Agent	***********  Agent: Initializing global settings cache  ***********
    2016-05-07	19:11:56:076	 432	1640	Agent	  * Endpoint Provider: 00000000-0000-0000-0000-000000000000
    2016-05-07	19:11:56:076	 432	1640	Agent	  * WSUS server: http://cqsjnbapp02:8530
    2016-05-07	19:11:56:076	 432	1640	Agent	  * WSUS status server: http://cqsjnbapp02:8530
    2016-05-07	19:11:56:076	 432	1640	Agent	  * Target group: Domain Computers
    2016-05-07	19:11:56:076	 432	1640	Agent	  * Windows Update access disabled: Yes
    2016-05-07	19:11:56:342	 432	1640	WuTask	WuTaskManager delay initialize completed successfully..
    2016-05-07	19:11:56:545	 432	1640	Report	CWERReporter::Init succeeded
    2016-05-07	19:11:56:545	 432	1640	Agent	***********  Agent: Initializing Windows Update Agent  ***********
    2016-05-07	19:11:56:873	 432	1640	DnldMgr	Download manager restoring 0 downloads
    2016-05-07	19:11:56:982	 432	1640	DnldMgr	Retrieved 1 persisted download jobs
    2016-05-07	19:11:56:982	 432	1640	DnldMgr	***********  DnldMgr: Restoring download [no. 0]  ***********
    2016-05-07	19:11:56:982	 432	1640	DnldMgr	  * BITS JobId = {823DDE65-5773-4057-AF36-656B55128969}
    2016-05-07	19:11:56:982	 432	1640	DnldMgr	  * ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}
    2016-05-07	19:11:57:828	 432	1640	DnldMgr	  * UpdateId = {7CDEA067-ED33-4AE4-9AB3-7C2ED0AD12CB}.1
    2016-05-07	19:11:58:938	 432	1640	Report	***********  Report: Initializing static reporting data  ***********
    2016-05-07	19:11:58:938	 432	1640	Report	  * OS Version = 6.2.9200.0.0.65792
    2016-05-07	19:11:58:938	 432	1640	Report	  * OS Product Type = 0x00000030
    2016-05-07	19:11:58:953	 432	1640	Report	  * Computer Brand = Dell Inc.
    2016-05-07	19:11:58:953	 432	1640	Report	  * Computer Model = Latitude E5540
    2016-05-07	19:11:58:953	 432	1640	Report	  * Platform Role = 2
    2016-05-07	19:11:58:953	 432	1640	Report	  * AlwaysOn/AlwaysConnected (AOAC) = 0
    2016-05-07	19:11:58:953	 432	1640	Report	  * Bios Revision = A13
    2016-05-07	19:11:58:953	 432	1640	Report	  * Bios Name = A13
    2016-05-07	19:11:58:953	 432	1640	Report	  * Bios Release Date = 2015-09-02T00:00:00
    2016-05-07	19:11:58:953	 432	1640	Report	  * Bios Sku Number = 05E0
    2016-05-07	19:11:58:953	 432	1640	Report	  * Bios Vendor = Dell Inc.
    2016-05-07	19:11:58:953	 432	1640	Report	  * Bios Family unavailable.
    2016-05-07	19:11:58:953	 432	1640	Report	  * Bios Major Release = 65
    2016-05-07	19:11:58:953	 432	1640	Report	  * Bios Minor Release = 13
    2016-05-07	19:11:58:953	 432	1640	Report	  * Locale ID = 1033
    2016-05-07	19:11:59:500	 432	1640	DnldMgr	Adding revision ID 1 for update 7CDEA067-ED33-4AE4-9AB3-7C2ED0AD12CB to the lock revision cache.
    2016-05-07	19:11:59:710	 432	1640	DnldMgr	  * Restored download job.
    2016-05-07	19:11:59:725	 432	1640	AU	###########  AU: Initializing Automatic Updates  ###########
    2016-05-07	19:11:59:741	 432	1640	AU	AU setting next detection timeout to 2016-05-07 17:11:59
    2016-05-07	19:11:59:757	 432	1640	AU	Additional Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} with Approval type {Pre-install notify} added to AU services list
    2016-05-07	19:11:59:757	 432	1640	AU	AIR Mode is disabled
    2016-05-07	19:11:59:757	 432	1640	AU	  # Policy Driven Provider: http://cqsjnbapp02:8530
    2016-05-07	19:11:59:757	 432	1640	AU	  # Detection frequency: 22
    2016-05-07	19:11:59:757	 432	1640	AU	  # Target group: Domain Computers
    2016-05-07	19:11:59:757	 432	1640	AU	  # Approval type: Pre-install notify (Policy)
    2016-05-07	19:11:59:757	 432	1640	AU	  # Auto-install minor updates: No (Policy)
    2016-05-07	19:11:59:757	 432	1640	AU	  # ServiceTypeDefault: Service 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782 Approval type: (Pre-install notify)
    2016-05-07	19:11:59:757	 432	1640	AU	  # Will interact with non-admins (Non-admins are elevated (Policy))
    2016-05-07	19:12:02:850	 432	1640	AU	WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x800704C6
    2016-05-07	19:12:02:975	 432	1640	AU	AU finished delayed initialization
    2016-05-07	19:12:03:257	 432	1640	AU	Obtained Post reboot hr from Agent:8024000c
    2016-05-07	19:12:03:335	 432	1640	AU	Additional Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} with Approval type {Pre-install notify} added to AU services list
    2016-05-07	19:12:03:335	 432	1640	AU	Triggering Offline detection (non-interactive)
    2016-05-07	19:12:03:444	 432	1640	AU	#############
    2016-05-07	19:12:03:444	 432	1640	AU	## START ##  AU: Search for updates
    2016-05-07	19:12:03:444	 432	1640	AU	#########
    2016-05-07	19:12:03:444	 432	1640	AU	<<## SUBMITTED ## AU: Search for updates  [CallId = {AD0F6FA5-E40A-462B-9FDA-109B4BCC7B39} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
    2016-05-07	19:12:03:444	 432	1640	Agent	SkipSelfUpdateCheck search flag set for serverId: 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782
    2016-05-07	19:12:03:444	 432	1640	AU	<<## SUBMITTED ## AU: Search for updates  [CallId = {ADD28607-F8DF-46BC-B533-4ACF25331C1B} ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}]
    2016-05-07	19:12:04:382	 432	16ac	Agent	*************
    2016-05-07	19:12:04:382	 432	16ac	Agent	** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2016-05-07	19:12:04:382	 432	16ac	Agent	*********
    2016-05-07	19:12:04:382	 432	16ac	Agent	  * Online = No; Ignore download priority = No
    2016-05-07	19:12:04:382	 432	16ac	Agent	  * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2016-05-07	19:12:04:382	 432	16ac	Agent	  * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2016-05-07	19:12:04:382	 432	16ac	Agent	  * Search Scope = {Machine & All Users}
    2016-05-07	19:12:04:382	 432	16ac	Agent	  * Caller SID for Applicability: S-1-5-18
    2016-05-07	19:15:24:484	 432	1640	Service	UpdateNetworkState Ipv6, cNetworkInterfaces = 1.
    2016-05-07	19:15:24:500	 432	1640	Service	UpdateNetworkState Ipv4, cNetworkInterfaces = 1.
    2016-05-07	19:15:35:638	 432	1640	Service	UpdateNetworkState Ipv6, cNetworkInterfaces = 2.
    2016-05-07	19:17:28:890	3144	1dd0	Misc	===========  Logging initialized (build: 7.8.9200.17185, tz: +0200)  ===========
    2016-05-07	19:17:28:890	3144	1dd0	Misc	  = Process: C:\Windows\System32\AutoUpdate.exe
    2016-05-07	19:17:28:890	3144	1dd0	Misc	  = Module: C:\Windows\System32\wuapi.dll
    2016-05-07	19:17:28:890	3144	1dd0	COMAPI	-------------
    2016-05-07	19:17:28:890	3144	1dd0	COMAPI	-- START --  COMAPI: Init Search [ClientId = UpgradeBootstrapper]

    Regards
    Peter


    Office Server Addict

    Monday, May 9, 2016 8:51 AM
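The log review discussed in this thread (which process opened each Windows Update Agent session, and what policy the agent logged) can be scripted. This is an added example, not part of any post here; `triage` and the `EXPECTED_HOSTS` baseline are assumptions, and the sample lines are copied from the extract above.

```python
import re

# Assumption: baseline of processes expected to load the Windows Update Agent.
# svchost.exe is the host seen in the extract; extend this for your own fleet.
EXPECTED_HOSTS = {r"c:\windows\system32\svchost.exe"}

# Fields: date, time, PID, TID, component, message.
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]+)\s+(\S+)\s+(.*)$")
POLICY = re.compile(r"\* (WSUS server|Windows Update access disabled): (.+)")
CALLER = re.compile(r"\[(?:ClientId|CallerId) = ([^\]]+)\]")

# Lines taken from the extract above, with tabs normalised to spaces.
SAMPLE = r"""
2016-05-07 19:11:52:467  432 1640 Misc   = Process: C:\Windows\system32\svchost.exe
2016-05-07 19:11:56:076  432 1640 Agent   * WSUS server: http://cqsjnbapp02:8530
2016-05-07 19:11:56:076  432 1640 Agent   * Windows Update access disabled: Yes
2016-05-07 19:12:04:382  432 16ac Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
2016-05-07 19:17:28:890 3144 1dd0 Misc   = Process: C:\Windows\System32\AutoUpdate.exe
2016-05-07 19:17:28:890 3144 1dd0 COMAPI -- START --  COMAPI: Init Search [ClientId = UpgradeBootstrapper]
"""

def triage(log_text):
    """Return the logged WSUS policy and every session from an unexpected host."""
    sessions, policy = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        _date, _time, pid, _tid, _component, msg = m.groups()
        s = sessions.setdefault(pid, {"process": None, "callers": set()})
        if msg.startswith("= Process:"):
            # Split on the first colon only so the drive letter survives.
            s["process"] = msg.split(":", 1)[1].strip()
        elif (p := POLICY.match(msg)):
            policy[p.group(1)] = p.group(2).strip()
        elif (c := CALLER.search(msg)):
            s["callers"].add(c.group(1))
    unexpected = [(pid, s["process"], sorted(s["callers"]))
                  for pid, s in sessions.items()
                  if s["process"] and s["process"].lower() not in EXPECTED_HOSTS]
    return {"policy": policy, "unexpected": unexpected}

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["policy"])
    for pid, process, callers in report["unexpected"]:
        print(f"PID {pid}: {process} callers={callers}")
```

Sessions are keyed by PID, so a log spanning reboots should be split at each "Logging initialized" line before triage.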
  • Hi Peter,

    Could you do a test that disconnects the WSUS server and WSUS client? Then choose an update to uninstall, rename the SoftwareDistribution folder, and check whether the WSUS client re-downloads and re-installs the update from the Internet.

    Best Regards,

    Anne



    Tuesday, May 10, 2016 9:06 AM
  • Hi,

    That is a good idea. Will get this tested and let you know the outcome...

    Regards
    Peter


    Office Server Addict

    Thursday, May 12, 2016 9:11 AM
  • Hi Peter,

    In addition, I would also recommend resetting the Windows Update components on the computer:

    Reset Windows update component:

    https://support.microsoft.com/en-us/kb/971058

    Best Regards,

    Anne



    Friday, May 13, 2016 1:44 AM
  • Hi Peter,

    Have you made any progress with the issue? Feedback is welcome.

    Best Regards,

    Anne



    Monday, May 16, 2016 6:43 AM