Hi GlenV-4078,
Thanks for posting on Q&A.
First, I noticed that your client's reporting status was incorrect. To be sure, the updates detected by the client do not come from WSUS. We could check the client's default update source with the following script.
Open PowerShell as an administrator and enter the following script:
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService
In addition, we could apply the following policy on the clients to prevent them from getting updates from Windows Update. After the client applies the group policy below, the client's default update source is WSUS.
[Do not allow update deferral policies to cause scans against Windows Update]
(Location: Group Policy Management Editor\Policies\Administrative Templates\Windows Components\Windows Update)
Here is a link about the dual scan for your reference:
https://learn.microsoft.com/en-us/archive/blogs/wsus/demystifying-dual-scan
Regards,
Rita
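
An added example, not part of the answer above: a client-side audit that combines the default-service check with the policy state behind dual scan. The registry value names (WUServer, UseWUServer, DisableDualScan, DeferQualityUpdates, DeferFeatureUpdates) and the service name "Windows Server Update Service" do not appear on this page and are assumptions about how the policies are stored on the client.

```powershell
# Added example: audit whether this client can still scan Windows Update (dual scan).
# Run in an elevated PowerShell session on the client.
# Assumption: Windows Update policies are stored under these registry keys.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Default Automatic Updates service, as reported by the Windows Update Agent.
$musm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$default = $musm.Services | Where-Object { $_.IsDefaultAUService } | Select-Object -First 1

$report = [pscustomobject]@{
    DefaultAUService    = $default.Name
    WUServer            = Get-PolicyValue $wuKey 'WUServer'
    UseWUServer         = Get-PolicyValue $auKey 'UseWUServer'
    DisableDualScan     = Get-PolicyValue $wuKey 'DisableDualScan'
    DeferQualityUpdates = Get-PolicyValue $wuKey 'DeferQualityUpdates'
    DeferFeatureUpdates = Get-PolicyValue $wuKey 'DeferFeatureUpdates'
}
$report | Format-List

$findings = @()
if ($report.UseWUServer -ne 1 -or -not $report.WUServer) {
    $findings += 'No WSUS server is set by policy (WUServer / UseWUServer).'
}
# Assumption: the agent reports WSUS under this service name.
if ($report.DefaultAUService -ne 'Windows Server Update Service') {
    $findings += "Default update source is '$($report.DefaultAUService)', not WSUS."
}
$deferrals = ($report.DeferQualityUpdates -eq 1) -or ($report.DeferFeatureUpdates -eq 1)
if ($deferrals -and $report.DisableDualScan -ne 1) {
    $findings += 'Deferral policies are set and DisableDualScan is not 1: scans against Windows Update are still allowed.'
}

if ($findings.Count -eq 0) {
    'OK: client is pinned to WSUS and deferral policies cannot trigger Windows Update scans.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run `gpupdate /force` before the audit if the group policy was changed recently, so the registry reflects the current policy.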