Windows Update will connect to Internet URLs even through we blocked it via GPO

Dilan Nanayakkara 1,111 Reputation points
2022-02-02T05:57:04.927+00:00

Hi All,

we have configured the below Settings on group policy and policy has been successfully applied on client devices, But our firewall team will continuously informing us that the client machines are still communicating to the Internet. according to them, the client machines are communicating with public IPs like 52.152.110.14, 20.54.89.106, and 52.242.101.226 etc.

GPO settings:

Windows Components/Windows Update:

  • Configure Automatic updates - Disabled
  • Do not allow update deferral policies to cause scans against Windows updates - Enabled
  • Specify Intranet Microsoft update service location - Enabled (https://<SCCM FQDN>:8530)

Windows Components/Delivery Optimization:

  • Download mode - Enabled (Simple(99))
  • Enable peer caching while the device connects to VPN - Disabled

System/Internet Communication Management/Internet Communication Settings:

  • Turn off access to all windows Update features - Enabled

Troubleshooting Steps so far:

  • checked the group policy settings has applied properly and according to rsop.msc result above GPO settings has applied properly.
    170451-image05.jpg
  • Logon to few client machines and run the Procmon.exe and according to that svchost.exe service is redirecting the traffic to one of IP mentioned by firewall team (52.152.110.14).

170424-image01.jpg

170426-image02.jpg

  • Go to task manager > services and check the service running by PID that belongs to the svchost.exe service. here, I have identified windows update service is utilized by svchost.exe. I have tried to killed the specific process and even restart the client machine, but svchost.exe will start the new process as soon as restart the PCs and again, I noticed that window update service is running.

170270-image03.jpg

  • Checked windows updates event logs and noticed that few event logs and error messages as well.

170427-image04.jpg

  • I have noticed the below request on windows update log that request going to slscr.update.microsoft.com and winhttp traffic blocked since it has blocked by Firewall. But we wanted to blocked these traffic reaching the Firewall.

170418-image05.jpg

I was wondering, even if we disabled windows update via GPO, is there any possibility of running windows update services. Please also note that we didn't deploy any patch updates via SCCM as well for the moment and we disabled all patch update policies in SCCM for the moment just to troubleshoot this issue.

appreciate the help on this.

thanks,
Dilan

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,762 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,279 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,777 questions
Microsoft Configuration Manager
0 comments No comments
{count} votes

Accepted answer
  1. Reza-Ameri 16,836 Reputation points
    2022-02-02T16:51:40.8+00:00

    There is another policy which you have to set in the Windows Update in the Group Policy which is Do not connect to any Windows Update Internet locations and you have to enable this policy to prevent Windows Update from connecting to Microsoft Servers. However, enabling this policy will stop updates in the Microsoft Store too.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful