Prevent Online Windows Updates

Question
-
Hi,
We have a number of domain computers that seem to download Windows updates directly from Microsoft when they are off our local network, i.e. Home Network or Mobile Networks. We have deployed WSUS, and the relevant GPOs to ensure the machines are targeted in the policies. We have also verified that the WSUS settings exist in the registry, etc.
How can we make sure clients are unable to use Microsoft Updates directly?
Regards
Peter Guest
Office Server Addict
Friday, May 6, 2016 10:39 AM
Answers
-
your logfile shows an unexpected file:
2016-05-07 19:17:28:890 3144 1dd0 Misc =========== Logging initialized (build: 7.8.9200.17185, tz: +0200)
===========
2016-05-07 19:17:28:890 3144 1dd0 Misc =Process:C:\Windows\System32\AutoUpdate.exe
I don't have this file, and I can't recall ever seeing it on any systems.
a quick web search suggests that it isn't a Microsoft component. do you have some other software (or perhaps malware) there?
Don [doesn't work for MSFT, and they're probably glad about that ;]
- Edited by DonPick Thursday, May 12, 2016 9:49 AM
- Proposed as answer by Anne He (Microsoft contingent staff) Wednesday, May 18, 2016 2:45 AM
- Marked as answer by Anne He (Microsoft contingent staff) Friday, May 20, 2016 1:48 AM
Thursday, May 12, 2016 9:48 AM
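The log check this answer performs by eye, as an added example that is not part of the original thread: a Python parser for the Windows 8-era WindowsUpdate.log layout that records which process opened each update session and flags any host binary outside an assumed allowlist. The sample lines are copied from the log extract posted in this thread; `triage`, `EXPECTED_HOSTS` and the report keys are names chosen here, and the allowlist is an assumption to tune against your own baseline.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: binaries expected to host the Windows Update client.
# Tune this against a known-good baseline for your own estate.
EXPECTED_HOSTS = {"svchost.exe", "wuauclt.exe"}

# Log layout: date, time, PID, TID (hex), component, message.
LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>[\d:]+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-f]+)\s+(?P<comp>\S+)\s+(?P<msg>.*)$"
)
# Tolerates both "= Process: C:\..." and the compact "=Process:C:\..." form.
PROCESS = re.compile(r"=\s*Process:\s*(?P<path>\S.*)$")
SETTING = re.compile(r"\*\s*(?P<key>WSUS server|Windows Update access disabled):\s*(?P<val>.+)$")
CLIENT = re.compile(r"\[ClientId = (?P<id>[^\]]+)\]")

# Lines copied from the log extract posted in this thread.
SAMPLE = r"""
2016-05-07 19:11:52:467 432 1640 Misc = Process: C:\Windows\system32\svchost.exe
2016-05-07 19:11:56:076 432 1640 Agent * WSUS server: http://cqsjnbapp02:8530
2016-05-07 19:11:56:076 432 1640 Agent * Windows Update access disabled: Yes
2016-05-07 19:17:28:890 3144 1dd0 Misc =Process:C:\Windows\System32\AutoUpdate.exe
2016-05-07 19:17:28:890 3144 1dd0 COMAPI -- START -- COMAPI: Init Search [ClientId = UpgradeBootstrapper]
"""

def triage(text):
    """Return policy settings, session hosts per PID, and unexpected hosts."""
    report = {"settings": {}, "hosts": {}, "unexpected": [], "clients": {}}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        pid, msg = m["pid"], m["msg"].strip()
        proc = PROCESS.search(msg)
        if m["comp"] == "Misc" and proc:
            path = proc["path"].strip()
            report["hosts"][pid] = path
            if basename(path).lower() not in EXPECTED_HOSTS:
                report["unexpected"].append((m["date"], m["time"], pid, path))
        elif (s := SETTING.search(msg)):
            report["settings"][s["key"]] = s["val"].strip()
        elif (c := CLIENT.search(msg)):
            report["clients"][pid] = c["id"]  # API caller name for this PID
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit in `unexpected` only means the binary is outside the allowlist; the file itself still has to be examined on the machine.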
All replies
-
On 06.05.2016 Peter Guest wrote:
We have a number of domain computers that seem to download Windows updates directly from Microsoft when they are off our local network, i.e. Home Network or Mobile Networks. We have deployed WSUS, and the relevant GPOs to ensure the machines are targeted in the policies. We have also verified that the WSUS settings exist in the registry, etc.
How can we make sure clients are unable to use Microsoft Updates directly?
Can users search for Windows Updates by themselves? If yes, there is a User setting: Remove all Windows Update Functions. After you set this to true, users cannot manually search for Windows Updates online or in WSUS.
Are these clients W10 clients?
Winfried
WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
http://www.wsuswiki.com/Home
Friday, May 6, 2016 12:52 PM -
Hi,
Users can search for updates from within Control Panel, however I am pretty certain it is not "initiated" by the user using this method. It seems like it does it automatically in the background.
Regards
Peter
Office Server Addict
Friday, May 6, 2016 1:18 PM -
I forgot to add this seems to mostly happen on Windows 8/8.1. We don't run any Windows 10 just yet.
Office Server Addict
Friday, May 6, 2016 1:29 PM -
On 06.05.2016 Peter Guest wrote:
Users can search for updates from within Control Panel, however I am pretty certain it is not "initiated" by the user using this method. It seems like it does it automatically in the background.
I've never seen WU automatically search WU Online directly. Why are you so sure? Did you see anything in %windir%\WindowsUpdate.log?
Winfried
Friday, May 6, 2016 5:31 PM -
Hi Peter,
As Winfried suggested, check windows update log to confirm if the clients really update online.
Besides, check the registry key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, if the key "UseWUServer" is set to "1".
Best Regards,
Anne
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
Monday, May 9, 2016 6:20 AM -
Hi,
I have confirmed that the user's reg key "UseWUServer" is set to "1". Below is an extract from WindowsUpdate.log from 2016-05-07. The user did not connect to our VPN, so how does it download from our internal WSUS server? I can also see on the user's mobile data card that 250 MB was downloaded from bg.v4.db.dl.ws.microsoft.com using a reporting tool on our Mobile Data APN.
2016-05-07 19:11:52:248 432 1640 Misc =========== Logging initialized (build: 7.8.9200.17185, tz: +0200) ===========
2016-05-07 19:11:52:467 432 1640 Misc = Process: C:\Windows\system32\svchost.exe
2016-05-07 19:11:52:467 432 1640 Misc = Module: c:\windows\system32\wuaueng.dll
2016-05-07 19:11:52:232 432 1640 Service *************
2016-05-07 19:11:52:467 432 1640 Service ** START ** Service: Service startup
2016-05-07 19:11:52:467 432 1640 Service *********
2016-05-07 19:11:53:295 432 1640 Agent * WU client version 7.8.9200.17185
2016-05-07 19:11:53:545 432 1640 Agent * Base directory: C:\Windows\SoftwareDistribution
2016-05-07 19:11:53:545 432 1640 Agent * Access type: No proxy
2016-05-07 19:11:53:560 432 1640 Service UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
2016-05-07 19:11:53:560 432 1640 Service UpdateNetworkState Ipv4, cNetworkInterfaces = 0.
2016-05-07 19:11:53:560 432 1640 Agent * Network state: Disconnected
2016-05-07 19:11:53:670 432 1640 Service UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
2016-05-07 19:11:53:670 432 1640 Service UpdateNetworkState Ipv4, cNetworkInterfaces = 0.
2016-05-07 19:11:56:076 432 1640 Agent *********** Agent: Initializing global settings cache ***********
2016-05-07 19:11:56:076 432 1640 Agent * Endpoint Provider: 00000000-0000-0000-0000-000000000000
2016-05-07 19:11:56:076 432 1640 Agent * WSUS server: http://cqsjnbapp02:8530
2016-05-07 19:11:56:076 432 1640 Agent * WSUS status server: http://cqsjnbapp02:8530
2016-05-07 19:11:56:076 432 1640 Agent * Target group: Domain Computers
2016-05-07 19:11:56:076 432 1640 Agent * Windows Update access disabled: Yes
2016-05-07 19:11:56:342 432 1640 WuTask WuTaskManager delay initialize completed successfully..
2016-05-07 19:11:56:545 432 1640 Report CWERReporter::Init succeeded
2016-05-07 19:11:56:545 432 1640 Agent *********** Agent: Initializing Windows Update Agent ***********
2016-05-07 19:11:56:873 432 1640 DnldMgr Download manager restoring 0 downloads
2016-05-07 19:11:56:982 432 1640 DnldMgr Retrieved 1 persisted download jobs
2016-05-07 19:11:56:982 432 1640 DnldMgr *********** DnldMgr: Restoring download [no. 0] ***********
2016-05-07 19:11:56:982 432 1640 DnldMgr * BITS JobId = {823DDE65-5773-4057-AF36-656B55128969}
2016-05-07 19:11:56:982 432 1640 DnldMgr * ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}
2016-05-07 19:11:57:828 432 1640 DnldMgr * UpdateId = {7CDEA067-ED33-4AE4-9AB3-7C2ED0AD12CB}.1
2016-05-07 19:11:58:938 432 1640 Report *********** Report: Initializing static reporting data ***********
2016-05-07 19:11:58:938 432 1640 Report * OS Version = 6.2.9200.0.0.65792
2016-05-07 19:11:58:938 432 1640 Report * OS Product Type = 0x00000030
2016-05-07 19:11:58:953 432 1640 Report * Computer Brand = Dell Inc.
2016-05-07 19:11:58:953 432 1640 Report * Computer Model = Latitude E5540
2016-05-07 19:11:58:953 432 1640 Report * Platform Role = 2
2016-05-07 19:11:58:953 432 1640 Report * AlwaysOn/AlwaysConnected (AOAC) = 0
2016-05-07 19:11:58:953 432 1640 Report * Bios Revision = A13
2016-05-07 19:11:58:953 432 1640 Report * Bios Name = A13
2016-05-07 19:11:58:953 432 1640 Report * Bios Release Date = 2015-09-02T00:00:00
2016-05-07 19:11:58:953 432 1640 Report * Bios Sku Number = 05E0
2016-05-07 19:11:58:953 432 1640 Report * Bios Vendor = Dell Inc.
2016-05-07 19:11:58:953 432 1640 Report * Bios Family unavailable.
2016-05-07 19:11:58:953 432 1640 Report * Bios Major Release = 65
2016-05-07 19:11:58:953 432 1640 Report * Bios Minor Release = 13
2016-05-07 19:11:58:953 432 1640 Report * Locale ID = 1033
2016-05-07 19:11:59:500 432 1640 DnldMgr Adding revision ID 1 for update 7CDEA067-ED33-4AE4-9AB3-7C2ED0AD12CB to the lock revision cache.
2016-05-07 19:11:59:710 432 1640 DnldMgr * Restored download job.
2016-05-07 19:11:59:725 432 1640 AU ########### AU: Initializing Automatic Updates ###########
2016-05-07 19:11:59:741 432 1640 AU AU setting next detection timeout to 2016-05-07 17:11:59
2016-05-07 19:11:59:757 432 1640 AU Additional Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} with Approval type {Pre-install notify} added to AU services list
2016-05-07 19:11:59:757 432 1640 AU AIR Mode is disabled
2016-05-07 19:11:59:757 432 1640 AU # Policy Driven Provider: http://cqsjnbapp02:8530
2016-05-07 19:11:59:757 432 1640 AU # Detection frequency: 22
2016-05-07 19:11:59:757 432 1640 AU # Target group: Domain Computers
2016-05-07 19:11:59:757 432 1640 AU # Approval type: Pre-install notify (Policy)
2016-05-07 19:11:59:757 432 1640 AU # Auto-install minor updates: No (Policy)
2016-05-07 19:11:59:757 432 1640 AU # ServiceTypeDefault: Service 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782 Approval type: (Pre-install notify)
2016-05-07 19:11:59:757 432 1640 AU # Will interact with non-admins (Non-admins are elevated (Policy))
2016-05-07 19:12:02:850 432 1640 AU WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x800704C6
2016-05-07 19:12:02:975 432 1640 AU AU finished delayed initialization
2016-05-07 19:12:03:257 432 1640 AU Obtained Post reboot hr from Agent:8024000c
2016-05-07 19:12:03:335 432 1640 AU Additional Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} with Approval type {Pre-install notify} added to AU services list
2016-05-07 19:12:03:335 432 1640 AU Triggering Offline detection (non-interactive)
2016-05-07 19:12:03:444 432 1640 AU #############
2016-05-07 19:12:03:444 432 1640 AU ## START ## AU: Search for updates
2016-05-07 19:12:03:444 432 1640 AU #########
2016-05-07 19:12:03:444 432 1640 AU <<## SUBMITTED ## AU: Search for updates [CallId = {AD0F6FA5-E40A-462B-9FDA-109B4BCC7B39} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2016-05-07 19:12:03:444 432 1640 Agent SkipSelfUpdateCheck search flag set for serverId: 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782
2016-05-07 19:12:03:444 432 1640 AU <<## SUBMITTED ## AU: Search for updates [CallId = {ADD28607-F8DF-46BC-B533-4ACF25331C1B} ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}]
2016-05-07 19:12:04:382 432 16ac Agent *************
2016-05-07 19:12:04:382 432 16ac Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2016-05-07 19:12:04:382 432 16ac Agent *********
2016-05-07 19:12:04:382 432 16ac Agent * Online = No; Ignore download priority = No
2016-05-07 19:12:04:382 432 16ac Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2016-05-07 19:12:04:382 432 16ac Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2016-05-07 19:12:04:382 432 16ac Agent * Search Scope = {Machine & All Users}
2016-05-07 19:12:04:382 432 16ac Agent * Caller SID for Applicability: S-1-5-18
2016-05-07 19:15:24:484 432 1640 Service UpdateNetworkState Ipv6, cNetworkInterfaces = 1.
2016-05-07 19:15:24:500 432 1640 Service UpdateNetworkState Ipv4, cNetworkInterfaces = 1.
2016-05-07 19:15:35:638 432 1640 Service UpdateNetworkState Ipv6, cNetworkInterfaces = 2.
2016-05-07 19:17:28:890 3144 1dd0 Misc =========== Logging initialized (build: 7.8.9200.17185, tz: +0200) ===========
2016-05-07 19:17:28:890 3144 1dd0 Misc = Process: C:\Windows\System32\AutoUpdate.exe
2016-05-07 19:17:28:890 3144 1dd0 Misc = Module: C:\Windows\System32\wuapi.dll
2016-05-07 19:17:28:890 3144 1dd0 COMAPI -------------
2016-05-07 19:17:28:890 3144 1dd0 COMAPI -- START -- COMAPI: Init Search [ClientId = UpgradeBootstrapper]
Regards
Peter
Office Server Addict
Monday, May 9, 2016 8:51 AM -
Hi Peter,
Could you do a test that disconnects the WSUS server and the WSUS client? Then choose an update to uninstall, rename the SoftwareDistribution folder, and check whether the WSUS client will re-download and re-install the update from the Internet.
Best Regards,
Anne
Tuesday, May 10, 2016 9:06 AM -
Hi,
That is a good idea. Will get this tested and let you know the outcome...
Regards
Peter
Office Server Addict
Thursday, May 12, 2016 9:11 AM -
Hi Peter,
In addition, I would also recommend resetting windows updates component on the computer:
Reset Windows update component:
https://support.microsoft.com/en-us/kb/971058
Best Regards,
Anne
Friday, May 13, 2016 1:44 AM -
Hi Peter,
Have you made any progress with the issue? Feedback is welcome.
Best Regards,
Anne
Monday, May 16, 2016 6:43 AM