Solved

Users/Clients communicating with www.download.windowsupdate.com even though policy points them at WSUS server

Posted on 2012-03-15
Last Modified: 2012-03-16
Recently we configured a new Sonicwall NSA device which allows us to monitor our Internet traffic in more detail.

One of the things I have noticed is that quite frequently our users are communicating with the Windows update website at www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

We have in place a policy to force the clients to get updates from our local WSUS server, so I am not sure why this is happening.

Fortunately the Sonicwall device is blocking access to the website, but my concern is that the client PCs are attempting to connect/download/install the updates in the background when the user is not logged on.

(It is important that we control Windows updates ourselves)

example of sonicwall message
Question by:stalbansschool
6 Comments
 

Author Comment

by:stalbansschool
ID: 37724000
I think I have half answered this question myself with a little more research.

I now see that www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab points to Microsoft's Certificate Trust List.

Are people able to provide me with a bit more information about this file?  

What is invoking the download of this file?

Do my users need to access this link to download it?  (currently if I log on as a user and go directly to this link it is blocked by our sonicwall device)
 
LVL 36

Accepted Solution

by:
Jian An Lim earned 500 total points
ID: 37726827
This behavior can occur if the Update Root Certificates component is turned on and the computer cannot connect to the Windows Update server on the Internet. The Update Root Certificates component automatically updates trusted root-certificate authorities from the Microsoft Update server at regular intervals.

To resolve this behavior, you must connect to the Internet or turn off the Update Root Certificates component. To turn off the Update Root Certificates component, follow these steps:
1. In Control Panel, double-click Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Click to clear the Update Root Certificates check box, and then continue with the Windows Components Wizard.

Or, by using a GPO, turn off the option:
Computer Configuration – Administrative Templates – System – Internet Communication Settings
"Turn off Automatic Root Certificates Update"
But consider the problems caused by not updating your CAs.

WSUS does have (double-check, as my memory is starting to fade) a root cert update:
Update for Root Certificates for Windows XP and Windows 7 (KB931125) (2 separate updates)
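
The distinction drawn in this thread, as an added example that is not from the original posters: a small log triage that separates root-certificate CTL fetches (the `trustedr` path quoted in the question) from other direct requests to Windows Update hosts, which are the ones that would suggest a client is not using WSUS. The log layout, client addresses, WSUS hostname and the non-CTL URL are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Path prefix of the root-certificate CTL fetch quoted in the question.
CTL_PREFIX = "/msdownload/update/v3/static/trustedr/"
WU_HOSTS = ("windowsupdate.com", "update.microsoft.com")

# Constructed sample lines in an assumed "<time> <client-ip> <action> <url>" layout.
SAMPLE_LOG = """\
2012-03-15T09:01:12 10.0.0.21 BLOCK http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
2012-03-15T09:01:40 10.0.0.35 BLOCK http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
2012-03-15T09:03:02 10.0.0.21 ALLOW http://wsus.example.internal:8530/ClientWebService/client.asmx
2012-03-15T09:04:55 10.0.0.48 BLOCK http://www.download.windowsupdate.com/msdownload/update/software/example/constructed-update.cab
2012-03-15T09:05:10 10.0.0.35 ALLOW http://intranet.example.internal/index.html
"""

def classify(url):
    """Return 'root-ctl', 'wu-direct' or 'other' for one requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    # Match the host exactly or as a true subdomain, never as a bare suffix.
    if not any(host == h or host.endswith("." + h) for h in WU_HOSTS):
        return "other"
    if parts.path.lower().startswith(CTL_PREFIX):
        return "root-ctl"   # Update Root Certificates component, independent of WSUS
    return "wu-direct"      # other traffic to Windows Update hosts: check WSUS policy

def triage(log_text):
    """Count root-ctl and wu-direct requests per client IP."""
    per_client = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed layout
        _, client, _, url = fields
        kind = classify(url)
        if kind != "other":
            per_client.setdefault(client, Counter())[kind] += 1
    return per_client

def wsus_bypass_suspects(per_client):
    """Clients with Windows Update host traffic that is not a CTL fetch."""
    return sorted(c for c, counts in per_client.items() if counts["wu-direct"])

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client, counts in sorted(result.items()):
        print(client, dict(counts))
    print("investigate:", wsus_bypass_suspects(result))
```
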
 

Author Comment

by:stalbansschool
ID: 37728952
Great, thank you for your comment.

So please can I just confirm, if I switch off this option using GPO, WSUS should handle the update?

What invokes this behaviour?  Is it when the user opens Internet Explorer?

Is there any harm in unblocking access to this website?
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 37728964
Again, Microsoft designed it to download every couple of days just in case WSUS does not kick in.
It is designed to work even without WSUS.

So if you have WSUS, then that download becomes redundant because you always keep your root certs up to date (that is, if you really did that).
 

Author Comment

by:stalbansschool
ID: 37728980
Great answer, thank you very much.
 

Author Closing Comment

by:stalbansschool
ID: 37728982
Perfect answer, explained excellently.