We noticed a lot of outbound traffic at our various locations going to Microsoft. Upon closer investigation, we discovered that a number of machines throughout our organization are constantly searching for updates at Microsoft. We use SCCM for deploying updates and we have a GPO in place that enforces SCCM as the update server across all computers in our organization, so they shouldn't even be checking in with Microsoft.
Looking at the WindowsUpdate.log file revealed that these machines are finding over 25000 updates, then it continues to search for updates again, over and over in an endless loop. We can't figure out why this is happening. What is strange is that we've seen it stop when the user logs off. We have also seen it stop after a certain time, but it randomly seems to start again. Here's a snippet of the WindowsUpdate.log file from one of the machines:
2014-03-10 10:03:48:331 1000 e7c Agent * Added update {61D2328F-821B-4784-BE28-79F7C5B961EB}.105 to search result
2014-03-10 10:03:48:331 1000 e7c Agent * Added update {24FEEAB8-9A6A-41DB-A085-E8404A8BF81D}.105 to search result
2014-03-10 10:03:48:331 1000 e7c Agent * Added update {EB540A84-EC33-4EAC-9A43-EF12BBC7B393}.105 to search result
2014-03-10 10:03:48:331 1000 e7c Agent * Added update {16B796AE-17E7-4C4A-A33A-5F2A75D36599}.105 to search result
2014-03-10 10:03:48:331 1000 e7c Agent * Added update {3C84CC84-CD09-4ACF-9519-BD1BB32AEBBA}.105 to search result
(truncated log as there's thousands of lines regarding "Added update X to search result")
2014-03-10 10:03:48:502 1000 e7c Agent * Found 25782 updates and 16 categories in search; evaluated appl. rules of 26274 out of 27424 deployed entities
2014-03-10 10:03:57:097 1000 e7c Agent *********
2014-03-10 10:03:57:097 1000 e7c Agent ** END ** Agent: Finding updates [CallerId = CDM]
2014-03-10 10:03:57:097 1000 e7c Agent *************
2014-03-10 10:03:57:206 1000 e7c Report REPORT EVENT: {C3847C60-3126-4DA9-8024-47841BCCE279} 2014-03-10 10:03:48:502-0500 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 CDM Success Software Synchronization Windows Update Client successfully detected 25782 updates.
2014-03-10 10:03:57:206 1000 e7c Report CWERReporter finishing event handling. (00000000)
2014-03-10 10:03:57:206 1000 e7c Report CWERReporter finishing event handling. (00000000)
2014-03-10 10:03:57:206 1000 e7c Report CWERReporter finishing event handling. (00000000)
2014-03-10 10:03:57:206 1000 e7c Report CWERReporter finishing event handling. (00000000)
2014-03-10 10:03:57:206 1000 e7c Report CWERReporter finishing event handling. (00000000)
(truncated log as there's thousands of lines regarding "CWERReporter finishing event handling")
2014-03-10 10:04:03:430 1240 117c COMAPI - Updates found = 25782
2014-03-10 10:04:03:430 1240 117c COMAPI ---------
2014-03-10 10:04:03:430 1240 117c COMAPI -- END -- COMAPI: Search [ClientId = CDM]
2014-03-10 10:04:03:430 1240 117c COMAPI -------------
2014-03-10 10:04:04:288 1240 c28 CDM CDM: Download updated files succeeded
2014-03-10 10:04:17:110 1240 117c Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0500) ===========
2014-03-10 10:04:17:110 1240 117c Misc = Process: C:\WINDOWS\System32\spoolsv.exe
2014-03-10 10:04:17:110 1240 117c Misc = Module: C:\WINDOWS\system32\wudriver.dll
2014-03-10 10:04:17:110 1240 117c CDM OpenCDMContextEx: Connect if not connected = Yes
2014-03-10 10:04:17:125 1240 117c COMAPI -------------
2014-03-10 10:04:17:125 1240 117c COMAPI -- START -- COMAPI: Search [ClientId = CDM]
2014-03-10 10:04:17:125 1240 117c COMAPI ---------
2014-03-10 10:04:17:125 1240 117c COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CDM]
2014-03-10 10:04:17:125 1000 e7c Agent *************
2014-03-10 10:04:17:125 1000 e7c Agent ** START ** Agent: Finding updates [CallerId = CDM]
2014-03-10 10:04:17:125 1000 e7c Agent *********
2014-03-10 10:04:17:125 1000 e7c Agent * Online = Yes; Ignore download priority = No
2014-03-10 10:04:17:125 1000 e7c Agent * Criteria = "Type = 'Driver' and DeploymentAction = 'Installation' and DriverClass = 'Printer' and DriverMatch = 'Catalog'"
2014-03-10 10:04:17:125 1000 e7c Agent * ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update
2014-03-10 10:04:17:125 1000 e7c Agent * Search Scope = {Machine}
2014-03-10 10:04:17:562 1000 e7c Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-03-10 10:04:17:562 1000 e7c Misc Microsoft signed: Yes
2014-03-10 10:04:17:624 1000 e7c Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-03-10 10:04:17:640 1000 e7c Misc Microsoft signed: Yes
2014-03-10 10:04:17:640 1000 e7c PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-03-10 10:04:17:640 1000 e7c PT + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-10 10:04:21:836 1000 e7c Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-03-10 10:04:21:852 1000 e7c Misc Microsoft signed: Yes
2014-03-10 10:04:21:883 1000 e7c Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-03-10 10:04:21:898 1000 e7c Misc Microsoft signed: Yes
2014-03-10 10:04:21:898 1000 e7c PT +++++++++++ PT: Synchronizing applicable printers +++++++++++
2014-03-10 10:04:21:898 1000 e7c PT + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
Has anyone seen this before? I have not been successful in searching for an answer.
EDIT:
I should also note things we tried. We stopped the Windows Update service and deleted the "SoftwareDistribution" folder. We also ran a Microsoft Fixit tool located here: http://support.microsoft.com/kb/971058/en-us
(my account isn't verified so I can't post links - never received verification e-mail)
The tool detected missing or corrupt files but it did not say it fixed them. Unfortunately, the problem persists.
Also, I noticed in the log file the calling process is the print spooler service. That doesn't make any sense at all...
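Added example (not part of the question above): a Python script that parses WindowsUpdate.log lines of the kind quoted in the post, groups them into search cycles, records the calling process, caller and Server URL of each cycle, and flags cycles that contacted anything other than the configured SCCM software update point. The SCCM URL and the sample log lines are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample modelled on the entries quoted above; the SCCM SUP URL is a placeholder.
WSUS_SERVER = "http://sccm-sup.corp.example:8530/ClientWebService/client.asmx"
SAMPLE_LOG = """\
2014-03-10 10:04:17:110 1240 117c Misc = Process: C:\\WINDOWS\\System32\\spoolsv.exe
2014-03-10 10:04:17:125 1000 e7c Agent ** START ** Agent: Finding updates [CallerId = CDM]
2014-03-10 10:04:17:125 1000 e7c Agent * Criteria = "Type = 'Driver' and DeploymentAction = 'Installation' and DriverClass = 'Printer' and DriverMatch = 'Catalog'"
2014-03-10 10:04:17:125 1000 e7c Agent * ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update
2014-03-10 10:04:17:640 1000 e7c PT + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-10 10:04:30:000 1000 e7c Agent ** END ** Agent: Finding updates [CallerId = CDM]
2014-03-10 10:04:45:000 1000 e7c Agent ** START ** Agent: Finding updates [CallerId = CDM]
2014-03-10 10:04:45:300 1000 e7c PT + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-10 11:00:00:000 1000 e7c Misc = Process: C:\\WINDOWS\\system32\\svchost.exe
2014-03-10 11:00:00:000 1000 e7c Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-03-10 11:00:00:500 1000 e7c PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://sccm-sup.corp.example:8530/ClientWebService/client.asmx
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) (\S+) (\S+) (\S+)\s+(.*)$")
START_RE = re.compile(r"\*\* START \*\* Agent: Finding updates \[CallerId = (\w+)\]")
PROC_RE = re.compile(r"= Process: (.+)$")
URL_RE = re.compile(r"Server URL = (\S+)")


def parse_entries(text):
    """Yield (timestamp, pid, tid, component, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, pid, tid, comp, msg = m.groups()
            # The stamp's last field is milliseconds; %f accepts 3 digits.
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S:%f"), pid, tid, comp, msg


def audit_searches(text, allowed_server):
    """Group lines into search cycles and flag cycles that went to a server other than allowed_server."""
    searches, last_process, current = [], None, None
    for ts, pid, tid, comp, msg in parse_entries(text):
        if (m := PROC_RE.search(msg)):
            last_process = m.group(1)  # process that loaded the WU client (spoolsv.exe in the post)
        elif (m := START_RE.search(msg)):
            current = {"caller": m.group(1), "start": ts, "process": last_process, "server": None}
            searches.append(current)
        elif current is not None and (m := URL_RE.search(msg)):
            current["server"] = m.group(1)
    rogue = [s for s in searches if s["server"] and s["server"].lower() != allowed_server.lower()]
    starts = [s["start"] for s in searches]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    # A very small min_gap_seconds across many cycles is the "endless loop" signature.
    return {"searches": searches, "rogue": rogue, "min_gap_seconds": min(gaps) if gaps else None}
```

Run it against a real WindowsUpdate.log with your SUP URL as allowed_server; any entry in "rogue" shows which process and caller bypassed the GPO-configured server.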