Getting random Windows updates despite having WSUS

Ali.B 0 Reputation points
2024-04-10T17:05:00.13+00:00

Hi All,

We have a WSUS server in our network, and our manager approves updates once a month. However, despite having WSUS, we still get some updates that we don't know where they come from.

For example, we approved the update one month ago but received the update below on our devices, which caused some issues.


We haven't approved any updates, but they are still on our company's devices. For instance, we haven't had Office 2016 for a long time and don't know where they came from.

Does anyone have any idea what we have missed in the WSUS configuration?

Additional info - we have on-prem AD and Azure (if it helps)


Thanks for your comments in advance

Windows Server

3 answers

  1. Wesley Li 8,780 Reputation points
    2024-04-11T05:55:34.4633333+00:00

    Hello

    It sounds like there may be a few potential issues causing updates to bypass your WSUS server.

    Here’s a brief explanation of the updates you mentioned:

    KB2267602: This update could not be found in the recent updates; it might be an older update.

    KB5037036: This is a cumulative update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows 10 Version 22H2.

    KB5036892: This is a mandatory Windows 10 cumulative update that adds two new features and contains Microsoft’s April 2024 Patch Tuesday security updates.

    KB5002340: This is an update for Microsoft Office 2016 that was released on April 2, 2024.

    KB5002572: This is also an update for Microsoft Office 2016 that was released on April 2, 2024.

    For the Office 2016 updates, even though you mentioned that you don’t have Office 2016 for a long time, it’s possible that some components or remnants of Office 2016 are still present on your devices, which could be why they’re receiving updates for Office 2016.

    As for the WSUS configuration, here are a few things you could check:

    Group Policy settings: Ensure that your Group Policy settings are correctly configured to point your devices to the WSUS server for updates.

    Dual Scan: If dual-scan is enabled, devices can bypass WSUS and receive updates directly from Windows Update.

    WSUS Server: Check the WSUS server to ensure it’s functioning correctly and that updates are being synchronized properly.


  2. Adam J. Marshall 9,381 Reputation points MVP
    2024-04-11T22:02:04.61+00:00

    You 100% have Dual Scan enabled on the devices because you have configured WUfB policies.

    https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/

    Don't just enable "Do not allow update deferral policies to cause scans against..."

    This masks the situation - it doesn't fix it.

    Also, set up the scan source policy to be WSUS for all items.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/


  3. Adam J. Marshall 9,381 Reputation points MVP
    2024-04-11T22:02:53.2433333+00:00

    Also, another link to help troubleshoot client issues - (but your screenshots already identify Dual Scan):

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/
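
One way to check a client for the situation described in answers 2 and 3, as an added example that is not part of the original thread: it reports whether WSUS and WUfB deferral policies are both set, whether the condition is only masked, and which update classes are not pinned to WSUS by the scan source policy. Assumptions: the function names are hypothetical, the value names are the registry values behind those Group Policy settings under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, the deferral list is not exhaustive, and the sample policy is constructed.

```powershell
# Added example, not from the thread. Reads Windows Update policy values and
# reports the combination the answers call Dual Scan.
function Get-WindowsUpdatePolicy {
    # Collect values from the WindowsUpdate policy key and its AU subkey.
    $values = @{}
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
                     'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU') {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($item) {
            foreach ($name in $item.GetValueNames()) {
                if ($name) { $values[$name] = $item.GetValue($name) }
            }
        }
    }
    $values
}

function Test-DualScanPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)

    # WUfB deferral values that commonly accompany Dual Scan (assumption: not exhaustive).
    $deferralNames = 'DeferFeatureUpdates', 'DeferQualityUpdates', 'BranchReadinessLevel',
                     'DeferFeatureUpdatesPeriodInDays', 'DeferQualityUpdatesPeriodInDays'
    # Scan source policy: one value per update class, 1 = WSUS, 0 or absent = Windows Update.
    $sourceNames = 'Feature', 'Quality', 'Driver', 'Other' |
        ForEach-Object { "SetPolicyDrivenUpdateSourceFor$($_)Updates" }

    $usesWsus  = ($Policy['UseWUServer'] -eq 1) -and [bool]$Policy['WUServer']
    $deferrals = @($deferralNames | Where-Object { $Policy.ContainsKey($_) })
    $notPinned = @($sourceNames | Where-Object { $Policy[$_] -ne 1 })

    [pscustomobject]@{
        UsesWsus               = $usesWsus
        WufbPoliciesFound      = $deferrals
        DualScanCondition      = $usesWsus -and ($deferrals.Count -gt 0)
        # "Do not allow update deferral policies to cause scans against Windows Update"
        MaskedByDisableDualScan = ($Policy['DisableDualScan'] -eq 1) -and ($deferrals.Count -gt 0)
        ClassesNotPinnedToWsus = $notPinned
    }
}

# Constructed sample: WSUS configured, a quality deferral set, and only the masking policy applied.
$sample = @{
    WUServer = 'http://wsus.example.internal:8530'; UseWUServer = 1
    DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 7
    DisableDualScan = 1
}
Test-DualScanPolicy -Policy $sample | Format-List
# On a real client: Test-DualScanPolicy -Policy (Get-WindowsUpdatePolicy) | Format-List
```

A clean result has an empty `WufbPoliciesFound` and an empty `ClassesNotPinnedToWsus`; a `MaskedByDisableDualScan` of `True` means the deferral policies are still in place.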
