Windows updates on all OS looking to microsoft for updates and not at WSUS set by GPO

  • Question

  • Hi, all of our desktops and servers (Windows 7, Windows 10, Server 2008 - 2016) are trying to check for updates, causing our internet connection to have no bandwidth.  The entire environment is run from WSUS and is set by GPO.  We have a large VDI and XenApp infrastructure and the Windows Update service is disabled and turned off. We are seeing these Windows OSes trying to check for updates as well; we can tell this by looking at our firewall logs' source and destination.  We have tried disabling all updates via reg keys and this also has not stopped the OS from trying to reach out to the internet for updates.

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
            Key: DisableWindowsUpdateAccess
    HKEY_LOCAL_MACHINE\SYSTEM\Internet Communication Management\Internet Communication
            Key: DisableWindowsUpdateAccess
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
            Key: NoAutoUpdate

    Wondering if anyone can help?

    Thanks

    Scott

    Tuesday, March 3, 2020 3:03 PM

All replies

  • Hi Scott,
        

    First, the client's update source can be determined by the following PowerShell script:
        

    $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
    $MUSM.Services | select Name, IsDefaultAUService


    When the update source is not WSUS (Windows Server Update Service), I suggest checking the relevant client configuration of WSUS: are those WSUS-related Group Policies correctly applied to the client? In my tests, if the client did not apply WSUS-related group policies, even if "Turn off access to all Windows Update features" was enabled, the Windows 10 client would still update through Windows Update.
       

    Reply back with the results; I would be happy to help.
       

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 4, 2020 2:10 AM
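
Added example, not part of the original replies and not Microsoft's own tooling: a PowerShell check that reads the WSUS-related policy values the reply above asks about, flags combinations that leave Windows Update reachable, and lists the registered update services. The function names and the sample WSUS URL are hypothetical; the registry value names are the standard Windows Update policy values, and the dual scan check applies only to Windows 10 and Server 2016.

```powershell
# Added example: policy values that decide where the Windows Update client scans.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WsusClientPolicy {
    $names = 'WUServer', 'WUStatusServer', 'DisableDualScan', 'DeferQualityUpdates',
             'DeferFeatureUpdates', 'DoNotConnectToWindowsUpdateInternetLocations'
    $policy = [ordered]@{ UseWUServer = Get-PolicyValue "$wuKey\AU" 'UseWUServer' }
    foreach ($n in $names) { $policy[$n] = Get-PolicyValue $wuKey $n }
    [pscustomobject]$policy
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)] $Policy)
    if ($Policy.UseWUServer -ne 1) {
        'UseWUServer is not 1: the WUServer value is ignored by the client.'
    }
    if (-not $Policy.WUServer) { 'WUServer is empty: no WSUS URL has been delivered.' }
    $deferred = ($null -ne $Policy.DeferQualityUpdates) -or ($null -ne $Policy.DeferFeatureUpdates)
    if ($deferred -and $Policy.DisableDualScan -ne 1) {
        'Deferral policies are set without DisableDualScan: dual scan can contact Windows Update.'
    }
    if ($Policy.DoNotConnectToWindowsUpdateInternetLocations -ne 1) {
        'DoNotConnectToWindowsUpdateInternetLocations is not 1: Internet locations stay reachable.'
    }
}

# Live machine: show the applied values, the findings, and the registered services.
$live = Get-WsusClientPolicy
$live | Format-List
Test-WsusClientPolicy -Policy $live
(New-Object -ComObject 'Microsoft.Update.ServiceManager').Services |
    Select-Object Name, IsManaged, IsDefaultAUService

# Constructed sample (not from the thread): WSUS configured, deferral set, dual scan left on.
$sample = [pscustomobject]@{
    UseWUServer = 1; WUServer = 'http://wsus.example.local:8530'
    DeferQualityUpdates = 1; DeferFeatureUpdates = $null; DisableDualScan = $null
    DoNotConnectToWindowsUpdateInternetLocations = $null
}
Test-WsusClientPolicy -Policy $sample
```

For the constructed sample the check returns the dual scan finding and the Internet locations finding; run it from an elevated session so the policy keys are readable.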
  • Hi,
    Thanks for your reply.  The server I have been testing with is a Citrix Virtual Apps server which had its Windows Update service disabled and turned off.  However, the firewall logs indicate it was trying to get out to the Microsoft update service on the web.  When I ran the command with the service disabled it returned nothing.  I turned on the service and got this result:

    Name                                                                                                 IsDefaultAUService
    ----                                                                                                 ------------------
    Windows Store                                                                                                     False
    Windows Server Update Service                                                                                      True
    Windows Update                                                                                                    False

    We have run RSOPs and believe that the OSes are in fact getting the GPOs applied according to the reports generated.

    The strangest part is that some servers have the Windows Update service turned off yet are still trying to get out to the web.

    Thanks for the help.

    Scott

    Wednesday, March 4, 2020 2:57 AM
  • Hi Scott,
       

    This does not seem to be a mistake; WSUS is already your default update source.
    I can't yet tell if this is related to WSUS. When the server accesses Microsoft Update, have you observed any operation in progress in the update view of the operating system? Is it just checking for updates? Or what updates are installed? Is it also possible that Windows Defender is updating the profile?
       

    Regards,
    Yic


    Thursday, March 5, 2020 5:22 AM
  • Hi Scott,
     

    Any update is welcome here.
    If the issue is resolved, please share your solution or use "Mark as Answer" on the helpful response to help other community members find the answer.
     

    Thank you for your cooperation, as always.
     

    Regards,
    Yic


    Friday, March 13, 2020 5:11 AM
  • Hi,
      

    Since this thread has not received any progress for a long time, the following summary is provided for future follow-up reference:
      

    • Issue Symptom
      The user observed that the WSUS client was not updated by the correct update source.
        
    • Troubleshooting Steps so far
      The impact of the dual scan function has been eliminated.
      The check of the update source through the script is OK.
      Not sure if there are other reasons.
         
    • Next Step
      What is happening during the update is being confirmed in other directions.
        
    Regards,
    Yic


    Monday, March 23, 2020 6:26 AM