Solved

Users/Clients communicating with www.download.windowsupdate.com even though policy points them at WSUS server

Posted on 2012-03-15
6
1,066 Views
Last Modified: 2012-03-16
Recently we configured a new Sonicwall NSA device which allows us to monitor our Internet traffic in more detail.

One of the things I have noticed is that  quite frequently our users are communicating with the Windows update website at www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

We have in place a policy to force the clients to get updates from our local WSUS server, so I am not sure why this is happening.

Fortunatly the sonicwall device is blocking access to the website, but my concern is that the client PC's are attempting to connect/download/install the updates in the background when the user is not logged on.

(It is important that we control Windows updates ourselves)

example of sonicwall message
0
Comment
Question by:stalbansschool
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 

Author Comment

by:stalbansschool
ID: 37724000
I think I have half answered this question myself with a little more research.

I now see that www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Points to Microsoft's Certificate Trust List.

Are people able to provide me with a bit more information about this file?  

What is envoking the download of this file?

Do my users need to access this link to download it?  (currently if I log on as a user and go directly to this link it is blocked by our sonicwall device)
0
 
LVL 37

Accepted Solution

by:
Jian An Lim earned 500 total points
ID: 37726827
this behavior can occur if the Update Root Certificates component is turned on and the computer cannot connect to the Windows Update server on the Internet. The Update Root Certificates component automatically updates trusted root-certificate authorities from the Microsoft Update server at regular intervals.

To resolve this behavior, you must connect to the Internet or turn off the Update Root Certificates component. To turn off the Update Root Certificates component, follow these steps:
In Control Panel, double-click Add/Remove Programs.
Click Add/Remove Windows Components.
Click to clear the Update Root Certificates check box, and then continue with the Windows Components Wizard.

Or, by using a GPO turn off the option.
Computer Configuration – Administrative Templates – System – Internet Communication Settings
"Turn off Automatic Root Certificates Update”
but consider the problems by not updating your CA's


WSUS do have (double check as my memory start to fade ) root cert update
Update for Root Certificates for Windows XP and windows 7  (KB931125) (2 seperate update)
0
 

Author Comment

by:stalbansschool
ID: 37728952
great, thank you for your comment.

So please can I just confirm, if I switch off this option using GPO, WSUS should handle the update?

WHat envokes this behaviour?  Is it when the user opens Internet Explorer?

Is there any harm in unblocking access to this website?
0
To Patch or not to Patch? That is the question!

Don't get caught out like thousands of others around the world in the recent Ransomware Fiasco!
Discuss..
- Why it's not a good idea to wait before Patching
- Sensible approaches to Patching discussed
- Add your feedback, comments and suggestions

 
LVL 37

Expert Comment

by:Jian An Lim
ID: 37728964
again, microsoft design it to download every couple of days just in case WSUS do not kicks in.
it is design to work even without WSUS.

so if you have WSUS, then that download become redundant because you always keep your root cert update to do (that means if you really did that)
0
 

Author Comment

by:stalbansschool
ID: 37728980
great answer, thank you very much
0
 

Author Closing Comment

by:stalbansschool
ID: 37728982
perfect answer, explained excellently
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Experts-Exchange users below are the steps you can follow to upgrade your Lync server to latest CU's or cumulative updates. Note: Perform it during non-production hours.   Step 1: Backup your lync and SQL server database. Follow below article: h…
I annotated my article on ransomware somewhat extensively, but I keep adding new references and wanted to put a link to the reference library.  Despite all the reference tools I have on hand, it was not easy to find a way to do this easily. I finall…
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question