After deploying the ConfigMgr agent to new clients, the client will begin downloading updates from Microsoft almost immediately after installation is complete. At bandwidth-constrained sites, this will saturate the WAN circuit and negatively impact production. (We know this because our network monitoring tools show the clients downloading from known CDNs used for Microsoft/Windows Updates.)
We only have one Automatic Deployment rule enabled currently which deploys SCEP/FEP to all clients. No other updates are deployed right now. The SCEP deployment package is distributed to all DPs, and downloads of applications and packages seem to come from local DPs as intended with the configuration of our boundaries and boundary groups.
The environment is as follows:
Single primary site with the Site Server holding the Software Update Point role and running the corresponding WSUS server.
Distribution points at every branch office, with local office subnets added as boundaries, boundaries to boundary groups, and boundary groups restricted to the local DP.
Configuration Manager 2012 R2 with CU2, with all site systems running Windows Server 2012 R2 or Windows Server 2008 R2.
There is a GPO disabling Windows Updates so updates will only come from ConfigMgr Software Updates.
All clients on Windows 7 Professional x64 with SP1.
I need to figure out what (presumably SCEP definitions) is being downloaded by new clients, why, and how to stop it so we may complete the deployment of new clients without any new issues. Any ideas?