I have a bunch of AD-joined Windows servers that update through WSUS. You can see the specific WSUS GPO here: http://imgur.com/a/LHjll
In June an update (KB3159398) was installed that caused problems, so this particular update was declined in WSUS. So far so good.
Since then, I have seen this update being installed on multiple servers, even though this particular update is still blocked in WSUS. According to the Update Services Change.log, the update was blocked and hasn't been installed since.
The update was installed by the SYSTEM user, so it is not an administrator who installed the update.
According to the WindowsUpdate.log from the server, the server didn't register with the WSUS server on this specific day, and the update was downloaded online and not through WSUS:
Agent * WSUS server: NULL
Agent * WSUS status server: NULL
Agent * Target group: (Unassigned Computers)
Agent * Windows Update access disabled: No
How do I debug this further in order to stop this update ever being installed again?
After several hints and pointers from different comments, I narrowed down the problem and found a solution. I have updated the question with relevant information.
The WindowsUpdate.log showed that the server didn't register correctly with WSUS, and then did a Windows Update around the WSUS server.
The solution was to block Windows Update, so servers would never update around WSUS. This was done through a Group Policy:
User Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows update features
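An added example, not from the original post: a PowerShell check that reads the Windows Update policy registry values behind the four WindowsUpdate.log lines quoted above (WSUS server, status server, target group, access disabled) and scans the log itself, so a server that is about to update around WSUS can be spotted before it does. The registry paths are the standard Windows Update policy keys; the log path assumes a pre-Windows 10 server where WindowsUpdate.log is a plain text file.

```powershell
# Registry locations written by the WSUS / Windows Update policies
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'
# "Remove access to use all Windows update features" under User Configuration lands here
$userPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
$logPath = 'C:\Windows\WindowsUpdate.log'   # assumption: pre-Windows 10 text log

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$wuServer       = Get-RegValue $policy 'WUServer'
$wuStatus       = Get-RegValue $policy 'WUStatusServer'
$useWuServer    = Get-RegValue $au     'UseWUServer'
$targetGroup    = Get-RegValue $policy 'TargetGroup'
$accessDisabled = Get-RegValue $policy 'DisableWindowsUpdateAccess'
if ($accessDisabled -ne 1) { $accessDisabled = Get-RegValue $userPolicy 'DisableWindowsUpdateAccess' }

$findings = @()
if (-not $wuServer)        { $findings += 'WUServer not set (log shows "WSUS server: NULL")' }
if (-not $wuStatus)        { $findings += 'WUStatusServer not set (log shows "WSUS status server: NULL")' }
if ($useWuServer -ne 1)    { $findings += 'UseWUServer is not 1: the agent may talk to Microsoft directly' }
if (-not $targetGroup)     { $findings += 'No client-side target group: server lands in "Unassigned Computers"' }
if ($accessDisabled -ne 1) { $findings += '"Remove access to use all Windows update features" is not applied' }

# Look for the same symptoms in the log: the agent reporting no WSUS server at all
if (Test-Path $logPath) {
    $hits = Select-String -Path $logPath -Pattern 'WSUS server: NULL' -SimpleMatch
    if ($hits) { $findings += "WindowsUpdate.log contains $($hits.Count) 'WSUS server: NULL' entries" }
}

[PSCustomObject]@{
    ComputerName   = $env:COMPUTERNAME
    WUServer       = $wuServer
    UseWUServer    = $useWuServer
    TargetGroup    = $targetGroup
    AccessDisabled = $accessDisabled
    Findings       = $findings
}
```

Run it on each server (or wrap it in Invoke-Command against the server list) and any non-empty Findings list marks a machine whose update agent is not actually pinned to WSUS.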
If you explicitly blocked the update in WSUS it shouldn't be downloaded from the WSUS server. In the WindowsUpdate.log do you actually see that the client is connecting to your WSUS server (and not someplace entirely different, like the internet) and downloading the problem update? If the update is not being downloaded but still being installed, it is possible that the update is stuck in the update cache. Try clearing the cache with the following commands: