Should clients be able to access ctldl.windowsupdate.com when using WSUS?

We changed some policies on our webfilter and now we see that some clients are trying to access ctldl.windowsupdate.com but are being blocked.

Since we are using a WSUS server I was under the impression that this was the only place computers would look for updates.

Should client PCs be able to access ctldl.windowsupdate.com?


It's expected behavior that computers will automatically contact the public Windows Server Update Service, even when there's a specified intranet update location, unless the computer policy "Do not connect to any Windows Update Internet Locations" located at Computer Configuration\Administrative Templates\Windows Components\Windows Update is set to enabled. Please read the documentation to see if that's appropriate for your environment, especially since this can break the Windows Store. (Sorry, there's no id for the section of interest, so you'll have to either scroll down or use ctrl+f.)

It's also expected behavior that Windows 6+ machines will automatically contact ctldl.windowsupdate.com to update their certificate revocation lists. See "An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2". So, if you aren't managing the updates of the CRLs on your machines by some other method, I'd highly recommend removing the block to ctldl.windowsupdate.com from your webfilter.

Lastly, unless you set the user policy "Remove access to use all Windows Update features" located at User Configuration\Administrative Templates\Windows Components\Windows Update, then users will still be able to manually access the public Windows Server Update Service. Again, please read the documentation to see if that's appropriate for your environment.
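
To see which of the settings discussed in the answer above are actually in effect on a client, the read-only PowerShell audit below can be run on that client. It is an added example, not part of the original answer. The registry value names are not given on the page; they are the values these Group Policy settings are understood to write, and `DisableRootAutoUpdate` is included as the setting that turns off the automatic trust-list download.

```powershell
# Read-only audit: reports the Windows Update and certificate trust list
# policy values present on this client. Nothing is modified.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wu     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuUser = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
$root   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

$report = [ordered]@{
    # Intranet update location (the WSUS server) and whether it is used
    'WSUS server (WUServer)'                      = Get-PolicyValue $wu 'WUServer'
    'Use WSUS (AU\UseWUServer)'                   = Get-PolicyValue "$wu\AU" 'UseWUServer'
    # "Do not connect to any Windows Update Internet Locations" (1 = enabled)
    'Do not connect to WU Internet locations'     = Get-PolicyValue $wu 'DoNotConnectToWindowsUpdateInternetLocations'
    # "Remove access to use all Windows Update features" (per user, 1 = enabled)
    'Remove access to WU features (current user)' = Get-PolicyValue $wuUser 'DisableWindowsUpdateAccess'
    # 1 = automatic root / trust list update turned off on this machine
    'Root auto-update disabled'                   = Get-PolicyValue $root 'DisableRootAutoUpdate'
}

foreach ($key in $report.Keys) {
    $value = if ($null -eq $report[$key]) { '<not configured>' } else { $report[$key] }
    '{0,-46} {1}' -f $key, $value
}

# Network path to the trust list host. A filtering proxy can accept the TCP
# connection and still reject the HTTP request, so a success here only shows
# that the name resolves and the port is reachable from this client.
$probe = Test-NetConnection -ComputerName 'ctldl.windowsupdate.com' -Port 80 `
    -WarningAction SilentlyContinue
'{0,-46} {1}' -f 'TCP/80 to ctldl.windowsupdate.com', $probe.TcpTestSucceeded
```

A client that shows no trust-list policy configured and cannot reach ctldl.windowsupdate.com is the case the answer warns about: its certificate trust data is not being refreshed by any method.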