Users/Clients communicating with www.download.windowsupdate.com even though policy points them at WSUS server

Recently we configured a new Sonicwall NSA device which allows us to monitor our Internet traffic in more detail.

One of the things I have noticed is that  quite frequently our users are communicating with the Windows update website at www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

We have in place a policy to force the clients to get updates from our local WSUS server, so I am not sure why this is happening.

Fortunatly the sonicwall device is blocking access to the website, but my concern is that the client PC's are attempting to connect/download/install the updates in the background when the user is not logged on.

(It is important that we control Windows updates ourselves)

example of sonicwall message
stalbansschoolAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

stalbansschoolAuthor Commented:
I think I have half answered this question myself with a little more research.

I now see that www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Points to Microsoft's Certificate Trust List.

Are people able to provide me with a bit more information about this file?  

What is envoking the download of this file?

Do my users need to access this link to download it?  (currently if I log on as a user and go directly to this link it is blocked by our sonicwall device)
0
Jian An LimSolutions ArchitectCommented:
this behavior can occur if the Update Root Certificates component is turned on and the computer cannot connect to the Windows Update server on the Internet. The Update Root Certificates component automatically updates trusted root-certificate authorities from the Microsoft Update server at regular intervals.

To resolve this behavior, you must connect to the Internet or turn off the Update Root Certificates component. To turn off the Update Root Certificates component, follow these steps:
In Control Panel, double-click Add/Remove Programs.
Click Add/Remove Windows Components.
Click to clear the Update Root Certificates check box, and then continue with the Windows Components Wizard.

Or, by using a GPO turn off the option.
Computer Configuration – Administrative Templates – System – Internet Communication Settings
"Turn off Automatic Root Certificates Update”
but consider the problems by not updating your CA's


WSUS do have (double check as my memory start to fade ) root cert update
Update for Root Certificates for Windows XP and windows 7  (KB931125) (2 seperate update)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
stalbansschoolAuthor Commented:
great, thank you for your comment.

So please can I just confirm, if I switch off this option using GPO, WSUS should handle the update?

WHat envokes this behaviour?  Is it when the user opens Internet Explorer?

Is there any harm in unblocking access to this website?
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Jian An LimSolutions ArchitectCommented:
again, microsoft design it to download every couple of days just in case WSUS do not kicks in.
it is design to work even without WSUS.

so if you have WSUS, then that download become redundant because you always keep your root cert update to do (that means if you really did that)
0
stalbansschoolAuthor Commented:
great answer, thank you very much
0
stalbansschoolAuthor Commented:
perfect answer, explained excellently
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server Apps

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.