SCCM clients straightway communicating with Internet for Windows Updates

Dilan Nanayakkara 1,111 Reputation points
2022-01-27T17:36:17.227+00:00

Hi All,

Our firewall team notified us that some SCCM-managed clients are trying to communicate with the Internet to get Windows updates. According to them, the clients are trying to communicate with IP 222.165.168.201, and when I did an nslookup for this IP, it resolved to download.windowsupdate.com (refer to image01).

Below are our GPO settings for Windows updates; as per the GPO, we have already redirected the traffic to our SCCM server. Further, I have checked the WUAHandler.log for one of the clients that tries to communicate with the Internet (refer to image02).

GPO settings:
Configure Automatic updates: Enabled
Specify intranet Microsoft update service location: <SCCMServerFQDN>:8530
Do not allow update deferral policies to cause scans against windows update: Enabled

I would appreciate help in finding out how it is possible for clients to communicate with the Internet directly even though we have already set up GPOs to redirect traffic to the SCCM server. What should I do to block Internet traffic completely and get updates only from the SCCM server?

Image01:
169144-image01.jpg

Image02:
169172-iamge02.jpg

Microsoft Configuration Manager

Accepted answer
  1. AllenLiu-MSFT 41,691 Reputation points Microsoft Vendor
    2022-01-28T06:20:06.697+00:00

    Hi, @Dilan Nanayakkara

    Thank you for posting in Microsoft Q&A forum.

    ConfigMgr uses local group policies to configure the Windows Update settings on all managed clients.
    The "Specify intranet Microsoft update service location" setting will be configured automatically when we configure the SUP in SCCM; we do not need to configure it manually.

    "Do not allow update deferral policies to cause scans against windows update: Enabled": enabling this policy will not allow update deferral policies to cause scans against Windows Update, so this policy is needed.

    And we need to disable automatic updates by configuring "Configure Automatic Updates: Disabled", so there will not be any automatic Windows Update process on the client.

    We also need "Turn off access to all Windows Update features = Enabled" to hide "Check online for updates from Microsoft Update", to avoid the user triggering Windows Update manually.

    You may refer to this article for more details:
    https://eskonr.com/2020/12/managing-windows-updates-using-configuration-manager-and-group-policy/
    (Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)


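As an added example (not code from the thread or from Microsoft), the script below audits a client's effective Windows Update policy registry values against the configuration the accepted answer describes, so an administrator can confirm locally whether a client that the firewall flagged actually received the intended GPO. The registry value names are the standard ones behind these policies; the log path and the constructed report format are assumptions.

```powershell
# Read-only audit of the Windows Update policy keys that the accepted answer discusses.
# Run in an elevated PowerShell session on the affected SCCM client.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"

# Policy (as named in the GPO editor) -> registry location, value name, expected value.
# Expected = $null means "must be present and non-empty" (the intranet URL set by the SUP).
$checks = @(
    @{ Policy = 'Specify intranet Microsoft update service location'; Path = $wuPolicy; Name = 'WUServer';                   Expected = $null }
    @{ Policy = 'Use the intranet update server';                     Path = $auPolicy; Name = 'UseWUServer';                Expected = 1 }
    @{ Policy = 'Configure Automatic Updates = Disabled';             Path = $auPolicy; Name = 'NoAutoUpdate';               Expected = 1 }
    @{ Policy = 'Do not allow update deferral policies to cause scans'; Path = $wuPolicy; Name = 'DisableDualScan';          Expected = 1 }
    @{ Policy = 'Turn off access to all Windows Update features';     Path = $wuPolicy; Name = 'DisableWindowsUpdateAccess'; Expected = 1 }
)

function Get-WuPolicyStatus {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # Missing key or value yields $null instead of throwing, so absent policies show as <not set>.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = if ($null -eq $c.Expected) { -not [string]::IsNullOrWhiteSpace($actual) }
              else                       { $actual -eq $c.Expected }
        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Expected = if ($null -eq $c.Expected) { '<intranet URL>' } else { $c.Expected }
            Status   = if ($ok) { 'OK' } else { 'REVIEW' }
        }
    }
}

Get-WuPolicyStatus -Checks $checks | Format-Table -AutoSize

# Cross-check: does the client-side WUAHandler.log mention the configured intranet server host?
# Assumption: default ConfigMgr client log location.
$log = 'C:\Windows\CCM\Logs\WUAHandler.log'
$wuServer = (Get-ItemProperty -Path $wuPolicy -Name WUServer -ErrorAction SilentlyContinue).WUServer
if ($wuServer -and (Test-Path $log)) {
    $serverHost = ([uri]$wuServer).Host
    $hits = Select-String -Path $log -Pattern ([regex]::Escape($serverHost)) | Select-Object -Last 3
    if ($hits) { "WUAHandler.log references $serverHost (last entries):"; $hits.Line }
    else       { "WUAHandler.log does not reference $serverHost; verify the policy applied to this client." }
}
```

A REVIEW status points at a policy the client did not receive as intended; an OK report on every line while the firewall still sees Windows Update traffic fits the other answer's point that components other than the update scan use those endpoints.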


1 additional answer

  1. Jason Sandys 31,181 Reputation points Microsoft Employee
    2022-01-27T19:11:34.643+00:00

    Not all traffic that goes to Windows Update is for downloading Windows Updates. Root CA updates, global certificate revocation, and Windows Store app updates are just a few of the built-in components and processes that use the Windows Update download URL and services. Blocking all outbound traffic to Windows Update is not a good idea as it will impact or break these other important processes.