Devices Looking to Internet for Windows Update Despite GPO

  • Question

  • Hi all, 

    Our organization was experiencing widespread slowness (network) and with further investigation we discovered our bandwidth was pegged. It appeared our endpoints were going out to the internet for Windows Update when they should be pointed at our WSUS server (this is done via GPO). We have not made any changes to our GPOs. 

    This issue is impacting our VDI (Windows 7), physical endpoints (Windows 7) and servers (2012 R2, 2008 R2, 2016) and is very widespread. 

    VDI even has the Windows Update service disabled. We confirmed this while the device was reaching out.

    Does anyone have any idea what would cause this?

    As a workaround, we implemented a firewall to block the traffic. 

    Wednesday, February 26, 2020 3:44 PM

All replies

  • Hi,
        

    Consider adjusting the configuration of the following Group Policies:
       

    • Turn off access to all Windows Update features
      (Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\)
         

    If you enable this policy setting, all Windows Update features are removed. All subsequent updates will be completed via WSUS.
       

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 27, 2020 6:30 AM
  • Thank you! 

    We do not have that enabled and are going to test. Do you know of any cons to doing this with the use of WSUS? 

    Additionally, we have had the same GPO for years, why would the devices suddenly look to the internet? 

    Thursday, February 27, 2020 1:26 PM
  • Do you know of any cons to doing this with the use of WSUS? 

    This includes blocking access to the Windows Update website at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website.
       

    Additionally, we have had the same GPO for years, why would the devices suddenly look to the internet? 

    I'm sorry, I can't explain this. This is my guess: maybe the client itself is in a state where Windows Update can be used, the user's operating habits have changed, and the online update has started. 
      

    Regards,
    Yic


    Friday, February 28, 2020 5:39 AM
  • Thank you! 

    We updated the GPO and the devices are still looking to the internet. We are seeing traffic hitting our firewall. 

    This is not just one device; this is all of our devices. Servers and endpoints. The servers even have a different WSUS policy applied than the endpoints. It's extremely odd. 

    Tuesday, March 3, 2020 2:35 PM
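
An added example, not part of the thread and not posted by any participant: a PowerShell check, run on an affected client, of whether the WSUS pointer and the "Turn off access to all Windows Update features" policy discussed above are actually in effect, and what state the Windows Update service is in. The registry location and the value names `WUServer`, `WUStatusServer`, `UseWUServer` and `DisableWindowsUpdateAccess` are assumptions taken from the standard Windows Update client policy keys; the thread does not list them.

```powershell
# Added example: report the effective Windows Update policy on the local machine.
# Assumption: policy values live under the standard WSUS client policy key below.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# WMI is used so the check also runs on the PowerShell 2.0 shipped with Windows 7.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"

$report = New-Object PSObject -Property @{
    Computer                   = $env:COMPUTERNAME
    WUServer                   = Get-PolicyValue $wu 'WUServer'
    WUStatusServer             = Get-PolicyValue $wu 'WUStatusServer'
    UseWUServer                = Get-PolicyValue $au 'UseWUServer'
    DisableWindowsUpdateAccess = Get-PolicyValue $wu 'DisableWindowsUpdateAccess'
    ServiceStartMode           = $svc.StartMode
    ServiceState               = $svc.State
}

# Turn the raw values into findings an administrator can act on.
$findings = @()
if (-not $report.WUServer) {
    $findings += 'No WUServer value: no WSUS URL has reached this client.'
}
if ($report.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the WUServer value is not being used.'
}
if ($report.DisableWindowsUpdateAccess -ne 1) {
    $findings += 'DisableWindowsUpdateAccess is not 1: the "Turn off access" policy is not in effect.'
}
if ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Disabled') {
    $findings += 'wuauserv is running although its start mode is Disabled.'
}
if ($findings.Count -eq 0) { $findings += 'Policy values match a WSUS-only configuration.' }

$report | Select-Object Computer, WUServer, WUStatusServer, UseWUServer,
    DisableWindowsUpdateAccess, ServiceStartMode, ServiceState | Format-List
$findings
```

Running `gpupdate /force` first and comparing the output with `gpresult /r` shows whether a missing value is a GPO that never applied or one that applied without the expected setting.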