XP Clients updating from MS despite SUS

Tom Penharston

This scenario includes client computers (Windows XP Pro SP 2) and a
server (Windows 2000 Server). The server is running AD, DNS SUS, and
IIS.

The policies are managed via Group Policy, Computer Configuration,
Administrative Templates, Windows Update. I'll export the policies and
paste the text:

----------
Setting: State
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box: Not configured
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box: Not configured
Configure Automatic Updates: Enabled (option #3)
Specify intranet Microsoft update service location: Enabled (http://111.111.111.111 correct ip address)
Enable client-side targeting: Not configured
Reschedule Automatic Updates scheduled installations: Not configured
No auto-restart for scheduled Automatic Updates installations: Not configured
Automatic Updates detection frequency: Not configured
Allow Automatic Updates immediate installation: Not configured
Delay Restart for scheduled installations: Not configured
Re-prompt for restart with scheduled installations: Not configured
----------

As you can see, only two policies are enabled: Configure Automatic
Updates and Specify intranet Microsoft update service location.

My clients download updates from MS regardless of my SUS approval list.
Therefore, my SUS Server is not providing a useful service.

Please advise. My clients should obtain updates only from the SUS.
 
JeffG

> As you can see, only two policies are enabled: Configure Automatic
> Updates and Specify intranet Microsoft update service location.

SUS should with your settings automatically download updates and notify
the logged on user that updates have been downloaded and are ready to
install. However,

> My clients download updates from MS regardless of my SUS approval list.

Adding SUS and the policy objects pointing to the SUS server do not
prevent your end users from clicking "Windows Update" and thereby
being directed to the MS website. The approval list does not apply
when a client does visit the website. The "Windows Update" icon on
control panel, start menu, IE, etc. will still point to the MS
website.

> Please advise. My clients should obtain updates only from the SUS.

In that case, you should remove their access to the MS Website using a
policy to block access to Windows Update features. There are two
places to do so (user/admin/windows/windows update and
user/admin/windows/startmenuandtaskbar), and these are user
configuration settings, not machines.

Now, if your issue is not that clients are clicking the Windows Update
icon and your machines are still being redirected by SUS, have a look
at the Windows Update.log file(s) in the Windows or WINNT folder for
errors. I understand there are certain conditions in which even a SUS
AU procedure can be mysteriously redirected to the Internet site - if
that is the case, there is a hotfix available, and you can find the
information on the web.

HTH
JeffG
 
Tom Penharston

I'm happy to get your detailed response. Although it will take
some time to access the machines, review the logs, and research the
hotfix... at this point I'm just content with the articulate feedback.
 
Lawrence Garvin

Tom.. I'm also curious about your selection of IP Address.

You've placed the server at 111.111.111.111, which is actually in a Class B
public address space.

Is your entire internal network configured on the IP Network of 111.111.0.0,
or some subnet thereof?

If not, and the clients are configured on another IP network, then the
clients will not be able to talk to a server configured on an IP Address in
a different subnet without some kind of internal routing also configured.
 
Mohammed Athif Khaleel [MVP - SUS / WSUS]

Hi Tom,
To add what JeffG & Lawrence have said;

SUS will not support all these options:
<quote>
----------
Setting: State
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box: Not configured
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box: Not configured
Configure Automatic Updates: Enabled (option #3)
Specify intranet Microsoft update service location: Enabled (http://111.111.111.111 correct ip address)
Enable client-side targeting: Not configured
Reschedule Automatic Updates scheduled installations: Not configured
No auto-restart for scheduled Automatic Updates installations: Not configured
Automatic Updates detection frequency: Not configured
Allow Automatic Updates immediate installation: Not configured
Delay Restart for scheduled installations: Not configured
Re-prompt for restart with scheduled installations: Not configured
----------
</quote>

It will support only those 3 options.

A) AU OPTION 2 = Notify before downloading any updates and notify again
before installing them.

B) AU OPTION 3 = (Default setting) Download the updates automatically
and notify when they are ready to be installed

C) AU OPTION 4 = Automatically download updates and install them on the
schedule specified below.

Along with;
Reschedule Automatic Updates scheduled installations
No auto-restart for scheduled Automatic Updates installations

Good day,
Mohammed Athif Khaleel
MVP - SUS / WSUS
Windows Server Update Services Wiki
http://www.wsuswiki.com/Athifs
Tutorial: Patch Management with Microsoft Software Update Services
(SUS) - Part I & Part II
http://www.2000trainers.com/section.aspx?sectionID=20&tab=articles
 
Tom Penharston

Lawrence,
The number '1' was meant to be arbitrary. The only significance is
that I am using an IP address rather than a fully qualified name for
the server. I wrote out a random IP address to avoid a whole
discussion of fully qualified names and DNS.

I'm on a ten dot lan/intranet. When I built the SUS I could run
several IP utilities on the client and server to prove that updates were
in fact delivered from the client to the server. Things have changed
since then.
-Tom
 
Lawrence Garvin

Thanks Tom. It was a bit misleading... something like <IP_Address_Of_Server>
or some other formatting that makes it perfectly clear that the data
presented is not real might be useful.

Now that I'm not distracted by the IP Addresses.. I see one item missing
from your list, but it should be in the registry based on your reported
settings.

Double check HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU for
the value "UseWUServer" and make sure it is set to dword:0x1.

The "Configure Automatic Updates" policy setting should set that value, but
I've seen it get deleted or disabled on a couple of occasions. If that value
is set to dword:0x0, then the AU client will always go to Windows Update
regardless of any other settings in the policy.
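
One way to run the registry check described above over exported client registries, as an added example that is not part of the original thread. It parses `.reg` export text for the Windows Update policy keys and reports why Automatic Updates would bypass the intranet server; the function names, the server name `sus.example.internal` and both sample exports are constructed for illustration, and `WUServer`, `WUStatusServer` and `NoAutoUpdate` are the standard policy value names rather than values quoted in the thread.

```python
import re

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

def parse_reg(text):
    """Parse .reg export text into {KEY_PATH_UPPER: {value_name_lower: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)   # dword values are hex
            elif raw.startswith('"'):
                current[name] = raw.strip('"')     # string value
    return keys

def audit(text):
    """Return findings; an empty list means AU is pointed at the intranet server."""
    keys = parse_reg(text)
    wu, au = keys.get(WU_KEY.upper(), {}), keys.get(AU_KEY.upper(), {})
    findings = []
    if au.get("usewuserver") != 1:
        findings.append("UseWUServer is %r, expected 1" % au.get("usewuserver"))
    for name in ("wuserver", "wustatusserver"):
        if not str(wu.get(name, "")).lower().startswith("http"):
            findings.append("%s is missing or not a URL" % name)
    if au.get("noautoupdate") == 1:
        findings.append("NoAutoUpdate is 1: Automatic Updates is disabled")
    return findings

# Constructed sample exports (not taken from the thread).
GOOD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus.example.internal"
"WUStatusServer"="http://sus.example.internal"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000003
'''
BAD = GOOD.replace('"UseWUServer"=dword:00000001', '"UseWUServer"=dword:00000000')

if __name__ == "__main__":
    print("good:", audit(GOOD) or "OK", "| bad:", audit(BAD))
```

Exports written by regedit in the "Version 5.00" format are UTF-16 files, so decode them with that encoding before passing the text to `audit`.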
 