Updates not showing in Software Centre for some computers

  • Question

  • Hi,

    We have around 1000 computers in SCCM (configured with WSUS) with a mix of 1703, 1709, 1803 & 1809 (planning on updating all to 1809 in near future).

    Some computers receive updates in Software Centre and install them fine, however the majority of them have none show in Software Centre. They are definitely in the correct collections for their Windows versions and updates are definitely deployed to them. This is causing our update compliance to show at max 10%.

    When looking at WUAhandler.log on some affected computers I've seen, it mentions 'Unable to read existing WUA Group Policy Object, error 0x80004005 (and sometimes 0x80070057)'. I've read that this is caused by a corrupt local group policy file, and deleting the registry.pol file has fixed this for some. For some others, the updates still don't appear after deleting registry.pol and doing gpupdate /force. In the monitoring tab for the deployments, the affected computers show as 'Client check passed/active'. Not sure what has corrupted these local group policy files....

    There are some domain GPOs set regarding Windows updates and Windows update settings, eg: 'Specify Intranet Microsoft Update Service Location' is set to the SCCM server. I've read that there shouldn't be any Windows update GPOs set if SCCM is used to do Windows Updates as this is set through local group policy and the SCCM client? Not sure if this could be causing the issue above?

    I'm looking for some information on how to fix the issue with multiple computers stuck as 'Client check passed/active' and updates not showing in Software Centre, as well as if any domain GPOs should be set regarding Windows updates and WSUS.

    Thank you

    Thursday, December 5, 2019 11:36 AM

All replies

  • After deleting registry.pol on these systems and rebooting (IME a reboot is necessary and not just a gpupdate after deleting this file), did you check wuahandler.log again?

    Also "Client check passed/active" is not a state of the client, it's a status of two things not specifically related to your issue: the client passed its nightly health check performed by ccmeval and the client has communicated with the site in the last 7 days. Thus passed/active is exactly what should be reported for a healthy client and is not anything the client is stuck on.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, December 5, 2019 1:58 PM
  • Hi,

    >>as well as if any domain GPOs should be set regarding Windows updates and WSUS.

    It is not recommended to set any domain GPO. ConfigMgr uses local group policies to configure the Windows Update settings on all managed clients. If you set any domain group policy, it will overwrite the ConfigMgr settings and may cause some issues.

    Here is also a link for your reference.
    ConfigMgr Software Update Management and Group Policy

    Best Regards,
    Tina




    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 6, 2019 7:53 AM
  • Hi,
     
    How are things going? 
     
    I just checked in to see if there are any updates. Please feel free to give feedback, and if any reply is helpful, please kindly click “Mark as answer”. It would move the reply to the top and make it easier to find for other people who have a similar question.
     
    Thank you for your kind support.
     
    Best Regards,
    Tina


    Tuesday, December 10, 2019 7:01 AM
  • I sometimes get similar issues with corrupt registry.pol in my environment.

    Take a look at the last couple of updates to the post below. It shows how to create a Configuration Item to check if this is happening. You can then create a Baseline to remediate the machines (by deleting the registry.pol and running a gpupdate /force and a software update scan). I have done this in our environment and it works very well and I no longer have to worry about doing these manually.

    https://social.technet.microsoft.com/Forums/en-US/cb676fe7-365b-49a6-80df-88d19ac9a1ca/create-collection-based-on-software-update-scan-status-last-error-code?forum=ConfigMgrCompliance#7b63ae4d-ef9f-48db-80bf-95e29a8b9cad


    Thursday, December 12, 2019 5:14 PM
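
Added example (not part of the thread or of the linked post): a PowerShell script of the kind a Configuration Item could run for the detection and remediation described in the reply above. It checks that Registry.pol begins with the `PReg` signature and version 1 and looks for the WUAHandler.log error quoted in the question; the file paths are Windows and ConfigMgr client defaults (assumed), and the `-Remediate` switch is a name chosen here.

```powershell
# Added example, not from the thread. Run elevated on a ConfigMgr client.
param([switch]$Remediate)   # hypothetical switch: detect only unless set

# Default locations (assumption): local machine policy file and client log.
$polPath = Join-Path $env:windir 'System32\GroupPolicy\Machine\Registry.pol'
$logPath = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'

function Test-RegistryPolHeader([string]$Path) {
    # A missing file is not corrupt: it is recreated when policy is next written.
    if (-not (Test-Path -LiteralPath $Path)) { return $true }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return $false }
    # A valid file starts with ASCII 'PReg' and a little-endian DWORD version of 1.
    $sig = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4)
    $ver = [System.BitConverter]::ToUInt32($bytes, 4)
    return ($sig -eq 'PReg' -and $ver -eq 1)
}

function Test-WuaGpoError([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Recent lines only; an old error stays in the log until it rolls over,
    # so this can still report a machine that was already fixed.
    $tail = Get-Content -LiteralPath $Path -Tail 200
    $hit = $tail | Select-String -SimpleMatch 'Unable to read existing WUA Group Policy Object'
    return [bool]$hit
}

$bad = (-not (Test-RegistryPolHeader $polPath)) -or (Test-WuaGpoError $logPath)
if (-not $bad) { 'Compliant'; return }
if (-not $Remediate) { 'NonCompliant'; return }

# Remediation as described in the reply: delete, refresh policy, rescan.
if (Test-Path -LiteralPath $polPath) { Remove-Item -LiteralPath $polPath -Force }
& gpupdate.exe /force | Out-Null
# {...113} is the Software Updates Scan Cycle schedule ID.
Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
    -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000113}' } | Out-Null
'Remediated'
```

The script does not reboot the machine, which an earlier reply in this thread reports as necessary after deleting registry.pol.
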
  • Thanks for your reply.

    I have removed all windows update settings from our domain group policies as a start.

    I'm needing all computers updating only from sccm/software centre, so therefore need to turn off the ability for Windows to get updates from Microsoft, as well as stopping users from being able to check for updates themselves via Windows update in the settings app. 'Do not connect to windows update internet locations' is set without a GPO in windows already somehow, so the store is unable to download apps. Users need to be able to download apps.

    I am looking at setting the following GPOs to configure these update settings. From my quick testing, it looks like they're working as they should. I was unable to download updates from windows and was able to download apps from the store when the following GPOs were set.

    *Do not connect to Windows update internet locations - Disabled. (When set as 'not configured' this was stopping the store from working.)

    *Configure automatic updates - Disabled

    *Turn off access to all Windows update features - Enabled

    Any further information is appreciated. Thanks!

    Thursday, December 19, 2019 10:12 AM