Hi Joseph.JJK,
Why you think these machines are still looking to MS for updates?
To verify whether these updates are download from Microsoft or WSUS server, we could v Open the windowsupdate.log and search the exact KB number to check it.
Here is an example for your reference, this KB3109103 is download from my WSUS server(10.157.58:8530)

If they do download from Microsoft, we could check the current Update server in the registry settings.
Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\

Please change the value data to the WSUS server’s IP address to have a try.
Also, please backup the registry key before we made any modifications to it.

In addition, for
WSUS issue, we could also contact to our WSUS server forum for help.
They are more familiar with WSUS, I believe they have more resource to help you.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverwsus
Best regards.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.