WSUS 3.0 Client getting updates from WSUS Server and MicrosoftUpdates

We have a WSUS 3.0 server up and running and we use group policy to
set clients to use our internal WSUS server. We have a few clients
that are getting updates from our internal WSUS server AND Microsoft
Update. We've compared settings with machines that are affected and
that aren't affected and so far we have not been able to figure out
why some of them are downloading updates from MS. They are
downloading optional udpates from the MS site, which is causing
problems (.NET Framework 3.0).


We have the WUServer and WUStatusServer set to our WSUS server.
AUOptions is set to 4, AutoInstallMinorUpdates,
NoAutoRebootWithLoggedOnUsers and use WUServer are set to 1.

bret.collins@gmail.com wrote:

> We have a WSUS 3.0 server up and running and we use group policy to
> set clients to use our internal WSUS server. We have a few clients
> that are getting updates from our internal WSUS server AND Microsoft
> Update. We've compared settings with machines that are affected and
> that aren't affected and so far we have not been able to figure out
> why some of them are downloading updates from MS.

The odds are that this is happening because the person sitting in front of the
computer is visiting the Microsoft Update web site. Do your end users have
administrative privilege to their computers?

Harry.

On Feb 11, 2:22*pm, "Harry Johnston [MVP]" <ha...@scms.waikato.ac.nz>
wrote:
> bret.coll...@gmail.com wrote:
> > We have a WSUS 3.0 server up and running and we use group policy to
> > set clients to use our internal WSUS server. *We have a few clients
> > that are getting updates from our internal WSUS server AND Microsoft
> > Update. *We've compared settings with machines that are affected and
> > that aren't affected and so far we have not been able to figure out
> > why some of them are downloading updates from MS.
>
> The odds are that this is happening because the person sitting in front ofthe
> computer is visiting the Microsoft Update web site. *Do your end users have
> administrative privilege to their computers?
>
> * *Harry.

Users are not administrators or power users. In doing further
research using our Internet filtering reports we found that the
computers involved show no records of actually visiting
windowsupdate. If you look at the WSUS server .NET framework 3.0 is
not allowed and if you run a report on the update it shows the update
has been attempted on 0 computers, failed on 0 computers, etc. I
can't explain how these updates got applied, the computer shows no
history of visting the website, the WSUS server says it didn't push
the update, users don't have rights to do it but the updates got
installed.

bret.collins@gmail.com wrote:

> Users are not administrators or power users. In doing further
> research using our Internet filtering reports we found that the
> computers involved show no records of actually visiting
> windowsupdate. If you look at the WSUS server .NET framework 3.0 is
> not allowed and if you run a report on the update it shows the update
> has been attempted on 0 computers, failed on 0 computers, etc. I
> can't explain how these updates got applied, the computer shows no
> history of visting the website, the WSUS server says it didn't push
> the update, users don't have rights to do it but the updates got
> installed.

Perhaps it was included in some other software install for which it was a
prerequisite?

If automatic updates was responsible (either via WSUS or Microsoft) it would
show up in both WindowsUpdate.log and the event logs on the machines in
question. Have you checked these logs?

You should be able to tell what time .NET was installed by looking at the
creation time on the \windows\microsoft.net\framework\v3.0 directory, which
should help narrow down your search through the logs.

Is the .NET 3.0 update downloaded to the WSUS server, perhaps approved to some
other group? You might have a group targeting issue.

Harry.

On Feb 18, 10:14*pm, "Harry Johnston [MVP]" <ha...@scms.waikato.ac.nz>
wrote:
> bret.coll...@gmail.com wrote:
> > Users are not administrators or power users. *In doing further
> > research using our Internet filtering reports we found that the
> > computers involved show no records of actually visiting
> > windowsupdate. *If you look at the WSUS server .NET framework 3.0 is
> > not allowed and if you run a report on the update it shows the update
> > has been attempted on 0 computers, failed on 0 computers, etc. *I
> > can't explain how these updates got applied, the computer shows no
> > history of visting the website, the WSUS server says it didn't push
> > the update, users don't have rights to do it but the updates got
> > installed.
>
> Perhaps it was included in some other software install for which it was a
> prerequisite?
>
> If automatic updates was responsible (either via WSUS or Microsoft) it would
> show up in both WindowsUpdate.log and the event logs on the machines in
> question. *Have you checked these logs?
>
> You should be able to tell what time .NET was installed by looking at the
> creation time on the \windows\microsoft.net\framework\v3.0 directory, which
> should help narrow down your search through the logs.
>
> Is the .NET 3.0 update downloaded to the WSUS server, perhaps approved to some
> other group? *You might have a group targeting issue.
>
> * *Harry.

I have experienced the same issue with WSUS 2.0:

New group
All updates set to in our WSUS environment set to detect only for the
group
Newly imaged system without .Net Framework 3.0
Approved selected patches not including .Net Framework 3.0
.Net Framework 3.0 is one of the first patches installed via Windows
Update according to the System Event Log.
When looking at the system's status in the WSUS console it lists .Net
Framework 3.0 with Approval of Detect Only but also Not Needed as the
Status.

I would appreciate any insight on this.

KMB

kmbrighton@gmail.com wrote:

> New group
> All updates set to in our WSUS environment set to detect only for the
> group

Perhaps WSUS is not placing the client in the correct group?

Was .NET 3.0 approved for installation in the All Computers group?

> Newly imaged system without .Net Framework 3.0
> Approved selected patches not including .Net Framework 3.0
> .Net Framework 3.0 is one of the first patches installed via Windows
> Update according to the System Event Log.
> When looking at the system's status in the WSUS console it lists .Net
> Framework 3.0 with Approval of Detect Only but also Not Needed as the
> Status.

Please post the contents of WindowsUpdate.log from the client up to (and
including) the point at which .NET 3.0 was installed.

Can you reproduce this consistently? If so, you should try configuring the
client to detect but not install updates. Once it is detecting that .NET 3.0 is
needed, get a computer report from the WSUS server. This might make it
clearer what is happening.

Harry.

On Feb 20, 5:56*pm, "Harry Johnston [MVP]" <ha...@scms.waikato.ac.nz>
wrote:
> kmbrigh...@gmail.com wrote:
> > New group
> > All updates set to in our WSUS environment set to detect only for the
> > group
>
> Perhaps WSUS is not placing the client in the correct group?
>
> Was .NET 3.0 approved for installation in the All Computers group?
>
> > Newly imaged system without .Net Framework 3.0
> > Approved selected patches not including .Net Framework 3.0
> > .Net Framework 3.0 is one of the first patches installed via Windows
> > Update according to the System Event Log.
> > When looking at the system's status in the WSUS console it lists .Net
> > Framework 3.0 with Approval of Detect Only but also Not Needed as the
> > Status.
>
> Please post the contents of WindowsUpdate.log from the client up to (and
> including) the point at which .NET 3.0 was installed.
>
> Can you reproduce this consistently? *If so, you should try configuring the
> client to detect but not install updates. *Once it is detecting that .NET 3.0 is
> * needed, get a computer report from the WSUS server. *This might makeit
> clearer what is happening.
>
> * *Harry.

We are only using the default All Computer group. We have approx 400
machines and this is happening to approx 20 of them. All 400 are
using the same group policy for WSUS configuration.