6

We changed some policies on our webfilter and now we see that some clients are trying to access ctldl.windowsupdate.com but are being blocked.

Since we are using a WSUS server I was under the impression that this was the only place computers would look for updates.

Should client PCs be able to access ctldl.windowsupdate.com?

heartfailure

2 Answers

10

It's expected behavior that computers will automatically contact the public Windows Server Update Service, even when there's a specified intranet update location, unless the computer policy "Do not connect to any Windows Update Internet Locations" located at Computer Configuration\Administrative Templates\Windows Components\Windows Update is set to enabled. Please read the documentation to see if that's appropriate for your environment, especially since this can break the Windows Store. (Sorry, there's no id for the section of interest, so you'll have to either scroll down or use ctrl+f.)

It's also expected behavior that Windows 6+ machines will automatically contact ctldl.windowsupdate.com to update their certificate revocation lists. See An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. So, if you aren't managing the updates of the CRLs on your machines by some other method, I'd highly recommend removing the block to ctldl.windowsupdate.com from your webfilter.

Lastly, unless you set the user policy "Remove access to use all Windows Update features" located at User Configuration\Administrative Templates\Windows Components\Windows Update, then users will still be able to manually access the public Windows Server Update Service. Again, please read the documentation to see if that's appropriate for your environment.

austinian
  • On the policy "Remove access to use all Windows Update features": "This setting also prevents Device Manager from automatically installing driver updates from the Windows Update website." Looks like a dealbreaker. – heartfailure Aug 19 '15 at 09:47
  • Blocking windows updates at the webfilter also breaks this functionality, if you don't have the drivers available on your WSUS server. If the drivers are available on WSUS, then the hardware wizard will be able to search for drivers there. This **will** take up a lot of storage space, however, and may affect DB performance and "checking for updates" times, as well. – austinian Aug 24 '15 at 19:12
  • Hm, so the VERY SAME addresses used for Windows Updates are also used for certificate management. That's VERY interesting - and disturbing. Given Microsoft's current stance where many feel they're using their Windows Update "foot in the door" to push unwanted software into systems, this leaves admins with a dilemma... To allow these addresses or NOT to allow these addresses. – NoelC Feb 15 '16 at 17:17
  • Note the "if you aren't managing the updates of the CRLs on your machines by some other method" clause of the second paragraph. There are other methods besides using ctldl.windowsupdate.com that you can set up to update the CRLs on your machines, but this is beyond the scope of this question. – austinian Feb 15 '16 at 20:03
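To see which of the policies discussed in this answer a given machine actually has in effect, the following PowerShell audit script can be run on a client; it is an added example, not part of the original answer. It assumes the registry value names behind the named policies (WUServer/UseWUServer for WSUS, DoNotConnectToWindowsUpdateInternetLocations, DisableWindowsUpdateAccess) and assumes that the automatic root/disallowed-certificate updater reads its source URL from AuthRoot\AutoUpdate\RootDirUrl, which is set through Certificate Path Validation Settings; verify these against your own ADMX templates.

```powershell
# Added audit script; value names are assumptions, see lead-in.
# Run in the context of the user whose policy you want to check (HKCU is per-user).

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent means the policy is not configured
}

$wuPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPol = "$wuPol\AU"

$wsusServer   = Get-PolicyValue $wuPol 'WUServer'
$useWsus      = Get-PolicyValue $auPol 'UseWUServer'
# Computer policy "Do not connect to any Windows Update Internet Locations"
$noInternetWU = Get-PolicyValue $wuPol 'DoNotConnectToWindowsUpdateInternetLocations'
# User policy "Remove access to use all Windows Update features"
$userWUBlocked = Get-PolicyValue 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate' 'DisableWindowsUpdateAccess'
# Assumed override for the CTL/root updater source; empty means the default
# public location (ctldl.windowsupdate.com) is used
$ctlUrl = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate' 'RootDirUrl'

[pscustomobject]@{
    WSUSServer               = $wsusServer
    UseWSUS                  = ($useWsus -eq 1)
    BlocksPublicWUForMachine = ($noInternetWU -eq 1)
    BlocksManualWUForUser    = ($userWUBlocked -eq 1)
    CTLSourceOverride        = $ctlUrl
}

if ($useWsus -eq 1 -and $noInternetWU -ne 1) {
    Write-Warning 'WSUS is configured, but the machine may still contact the public Windows Update service.'
}
if (-not $ctlUrl) {
    Write-Warning 'No CTL source override: expect outbound requests to ctldl.windowsupdate.com for root/disallowed certificate updates.'
}
```

Compare the warnings against what the web filter is logging: a block on ctldl.windowsupdate.com with no CTL override configured means the clients are being cut off from certificate trust list updates, not just from patches.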
-2

No, the computers can still look for updates from the Windows Update website.

To disable this you need to change the group policy. Enable the policy "Remove access to use all Windows Update features" under User Configuration - Administrative Templates - Windows Components - Windows Update.

  • Where do you see this policy? I'm looking at the *Computer Configuration > Administrative Templates > Windows Components > Windows Update* Group Policy templates now and I'm seeing "Do not connect to any Windows Update Internet Locations". Is this the one you meant? What version/language of this template are you using? – austinian Aug 17 '15 at 16:13
  • It's under User Configuration, not Computer Configuration. User Config - Policies - Administrative Templates - Windows Components - Windows Update. You enable the "Remove access to use all Windows Update features" policy. – Russell Aug 18 '15 at 08:41
  • This isn't the only use for the ctldl.windowsupdate.com domain, it's also used by, at least, the Windows Store and the CRL updater in Vista/7, and probably 8/8.1/10 as well. – austinian Aug 18 '15 at 20:11