m1ddy Posted November 18, 2010
Hi Guys / Gals, Having some problems with some of our machines and WSUS. We have a WSUS server set up and running on a 2008 R2 server. We tell our machines to use this by group policy. If I do an RSoP on the clients, I can see they have picked up this policy. However, looking at our firewall logs I see a lot of clients going out to the net using "ms-update" (it's a Palo Alto firewall so it can identify traffic/apps regardless of destination port). Looking at the WSUS console, it can see all the machines and has seen them all recently. It reports most of them are 99%. This is fine as I never expect to see them at 100%. I'm just a bit confused as to why machines are going out to the net. Is there a difference between Windows Update and ms-update? I know Microsoft release updates for other vendors / drivers etc. Could this be what the clients are going outside for? Any ideas?!?

elsiegee40 Posted November 19, 2010
> Hi Guys / Gals, Having some problems with some of our machines and WSUS. We have a WSUS server set up and running on a 2008 R2 server. We tell our machines to use this by group policy. If I do an RSoP on the clients, I can see they have picked up this policy. However, looking at our firewall logs I see a lot of clients going out to the net using "ms-update" (it's a Palo Alto firewall so it can identify traffic/apps regardless of destination port). Looking at the WSUS console, it can see all the machines and has seen them all recently. It reports most of them are 99%. This is fine as I never expect to see them at 100%. I'm just a bit confused as to why machines are going out to the net. Is there a difference between Windows Update and ms-update? I know Microsoft release updates for other vendors / drivers etc. Could this be what the clients are going outside for? Any ideas?!?

Windows Update is what it says: updates for Windows. If you want updates for Office, Silverlight... then Microsoft Update is what's needed. At home. Your network PCs shouldn't be using either of them without an administrator sat in front of the screen doing it manually.

Cache Posted November 19, 2010
They aren't going out to get the root certificates update, are they? I can't remember the exact URL, but I know because our proxy needs auth that there are always failures in the event log because it can't contact it.

m1ddy (Author) Posted November 20, 2010
> Windows Update is what it says: updates for Windows. If you want updates for Office, Silverlight... then Microsoft Update is what's needed. At home. Your network PCs shouldn't be using either of them without an administrator sat in front of the screen doing it manually.

Surely that's impractical if you have several hundred workstations?

denon101 Posted November 20, 2010
No, elsiegee40 means that you should only be using Windows Update at home. So use WSUS in an environment with many machines.

chrbb Posted November 21, 2010
Have you checked the Windows Update logs on the individual machines? Do you have your WSUS server set up to download and distribute all updates, service packs etc.? Mine get their Office, Windows Defender and anything else Microsoft from the WSUS server. Just a thought as I typed in the words Windows Defender: are they going online for Windows Defender updates? Or are these laptops that are used at home with a local admin user?

chrisbrown Posted November 24, 2010
I'm at home and about to go to bed, but WSUS has an option to use it just for cataloguing and approving updates. When this is enabled, workstations will still download their updates from the internet whilst reporting back to your WSUS box. Perhaps check this? It's in options somewhere. You only need to configure it on your top-most server; replica servers will pull this down.

chrisbrown Posted November 25, 2010
This is the setting I was thinking of... Hopefully this helps with sorting your issue... http://i53.tinypic.com/21l6a7n.png
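
Added example (not part of any post in this thread): a PowerShell sketch for checking both sides of the behaviour discussed above, i.e. whether a workstation's applied policy really points at WSUS, and whether the WSUS server is set to only catalogue and approve updates while clients fetch the files from Microsoft Update. The function names are hypothetical; the code assumes the standard Windows Update policy registry location on the client and the WSUS 3.0 administration API on the server.

```powershell
# Added diagnostic sketch, not from the thread. Function names are hypothetical.

function Get-WsusClientPolicy {
    # Run on a workstation: shows the Windows Update policy that was actually applied.
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au     = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue

    # The client only honours WUServer when AU\UseWUServer is set to 1.
    $usesWsus = ($au.UseWUServer -eq 1) -and [bool]$policy.WUServer

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        WUServer       = $policy.WUServer
        WUStatusServer = $policy.WUStatusServer
        UseWUServer    = $au.UseWUServer
        PointedAtWsus  = $usesWsus
    }
}

function Get-WsusContentSource {
    # Run on the WSUS server (WSUS 3.0 administration API installed).
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $config = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer().GetConfiguration()

    # When this property is true, WSUS keeps only metadata and approvals, and
    # clients download the update files themselves from Microsoft Update.
    if ($config.HostBinariesOnMicrosoftUpdate) {
        $source = 'Microsoft Update (WSUS holds approvals and reports only)'
    } else {
        $source = 'WSUS server (update files stored locally)'
    }

    New-Object PSObject -Property @{
        IsReplicaServer               = $config.IsReplicaServer
        HostBinariesOnMicrosoftUpdate = $config.HostBinariesOnMicrosoftUpdate
        ClientsDownloadFrom           = $source
    }
}
```

If `PointedAtWsus` is true on the clients and `ClientsDownloadFrom` reports Microsoft Update, the outbound traffic seen at the firewall is consistent with the option described above rather than with clients ignoring the group policy.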