locked
Windows 10 Clients do not install Creators Update 1703 RRS feed

  • Question

  • We run a WSUS server for our small company network. WSUS runs on Windows Server 2016 version 10.0.14393.0. All available Windows updates are installed on the server, the server receives the updates directly from Microsoft.

    In our company network we now have some Windows 10 computers in the version 1503 and 1607.

    Although the function update in version 1703 is provided by the WSUS server, most of the Windows 10 clients do not install the update. It only shows "no updates are available".

    How can I solve this problem?

    I allready have checked if the WSUS- und IIS-Server is able to provide the ESD-Files and added this application/octet-stream rule to the IIS-Server.

    I also have changed the Download Mode to Bypass. But it still not working.

    https://blogs.technet.microsoft.com/mniehaus/2016/08/08/using-wsus-with-windows-10-1607/

    • Edited by HyP3r_ Thursday, June 22, 2017 10:23 AM
    Wednesday, June 21, 2017 5:50 PM

All replies

  • Hi HyP3r_.

    1. According to the screenshot, there is one client report as "needing this update", then, could that computer download the upgrade file from the WSUS server;

    2. On the client that unable to detect the win10 upgrade, please check if they are fully patched, if not, please update the clients before upgrading;

    3. Test on one client to check if it could detect the win10 upgrade file from Microsoft Update Server;

    4. Try reset windows update components on the clients, check if it could help:

    https://support.microsoft.com/en-us/kb/971058

    5. If it still not work, please enable the IIS log for WSUS site, check the IIS log on the WSUS server and check the windows update log on the clients for further troubleshooting.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 23, 2017 6:16 AM
  • A snippit from my WSUS Setup guide.

    Upgrades from WSUS
    -------------------

    If you are going to handle upgrades from Windows 10 to Windows 10 latest streams in WSUS, there are 3 things you need to do.

    1. In Products/Classifications, make sure to check off the Upgrades box or Windows 10 Upgrades will not be available to approve.
    2. You also will need to add a MIME type for *.esd as application/octet-stream at the top level in IIS.
        To do this: Open IIS Manager > Select the server name > From the "IIS" section in the centre of IIS Manager, open "MIME Types" > Click "Add…" >
        File Mame Extention: = .esd
        MIME type: application/octet-stream
    3. Install KB3159706 which should come as a regular Windows update on the WSUS 2012 or 2012 R2 Server. Then you need to perform the extra manual steps that are well documented here: https://support.microsoft.com/en-us/help/3159706/ - Perform ALL OF THE STEPS including the ones for SSL (which is Microsoft's best practice anyways).

    Administrative Templates (.admx)
    -----------------
    You will want to get the latest Administrative Templates (.admx) for Windows 10 which, at the time of this writing, is located at:

    https://www.microsoft.com/en-us/download/details.aspx?id=55080

    Install these Administrative Templates in your Central PolicyDefinitions folder on your Domain Controller overwriting files as required. Don't worry, these Administrative Templates are inclusive of all the prior versions of Windows but now with updated descriptions and applies to fields that are actually very good and very accurate.

    If you have all of this already setup, you may have a dirty database.

    Please connect to the SQL Database using SSMS As an Administrator, and run the following SQL Script

    /*
    ################################
    #  Adamj Dirty Database Check  #
    #          SQL Script          #
    #          Version 1.0         #
    #                              #
    #       By: Adam Marshall      #
    #     http://www.adamj.org     #
    ################################
    */
    USE SUSDB
    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) OR ((FileName like '%.esd' and IsEncrypted = 0) and DecryptionKey is NOT NULL) OR ((FileName like '%.esd' and IsEncrypted = 0) AND (FileName not like '%10586%.esd'))
    

    If the answer is greater than 0, you have a dirty database. Let us know and we'll tell you how to fix it.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Saturday, June 24, 2017 3:16 AM
  • Hi HyP3r_,

    Just to check if the above reply could be of help? If yes, you may mark useful reply as answer, if not, welcome to feedback.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 28, 2017 8:11 AM
  • Hello Anne He,

    thanks for your quick reply. To your Points:

    1. Yes one of those Windows 10 Computers and Notebooks has really decided to install the update. I installed the update on this Computer and it was successful
    2. If I go into the Update Dialog in those Computers which is not wokring, under the System Settings, everything seems fine all Updates are installed. The System is up to Date. To make sure I have installed the Microsoft Baseline Security Analyzer 2.3 and checked if there are some Updates ready (see Screenshot and PDF)
    3. See (2.). The Microsoft Baseline Security Analyzer checks also for Updates online in at Microsoft. But I also disabled the Group Policy which is configuring Windows Update to make sure that the Computer is Connecting with Microsoft Update. Also with this configuration the update is not available
    4. I also tried to reset Microsoft Update with this Manual: https://support.microsoft.com/en-us/kb/971058
    5. If I take a look into the Windows Eventlog under Applications -> Microsoft -> Windows -> Windows Update Client and open the latest Entry I can see that there 13 (!) Updates were found. But they are NOT Displayed with the Updates Dialog.

    To conclude that: Our WSUS seems to work, some Devices are able to Update. But some are not working and seem to have still problems even with the direct Microsoft Update connection, witouth WSUS. But how can I fix or troubleshoot this problem?


    • Edited by HyP3r_ Wednesday, June 28, 2017 1:22 PM
    Wednesday, June 28, 2017 1:14 PM
  • Hello Adamj.org

    to your points:

    1. I have checked all nessercary Classifications inside the WSUS
    2. I also have added this esd MIME Filetype
    3. I have Windows Server 2016, I can't apply this Windows Update for my WSUS

    I also have checked with your Database Script and it returend 0. Seems ok. I allready work with the newest Administrative Templates.

    Wednesday, June 28, 2017 1:16 PM
  • Hello Anne,

    I will mark something as Answer if there is an Answer. Sorry I had a lot to do and was not able to answer.

    Wednesday, June 28, 2017 1:17 PM
  • Hi HyP3r_,

    It's OK, and do you get any progress now, please check if there are any registry settings block the update. Please check if add a registry key "AllowOSUpdate" =1 to the following location could work: 

    HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / WindowsUpdate / OSUpgrade 

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 4, 2017 3:01 AM
  • Hello Anne,

    I have added this Key, restarted the Computer and searched again for Updates, but it still does not work (tested on two Computers).

    Here the whole Registry Key Export from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate https://pastebin.com/3Yk5refe




    • Edited by HyP3r_ Wednesday, July 5, 2017 2:28 PM
    Wednesday, July 5, 2017 2:23 PM
  • Does someone has an Idea?
    Tuesday, July 18, 2017 4:57 PM
  • Post a screenshot of your WSUS GPO settings. I'm thinking something is in there that's either missing or preventing this from happening.

    According to your first screenshot, only 1 computer is 'needing' the upgrade. does this 1 computer get presented the update when you manually check for updates?


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, July 19, 2017 12:37 AM
  • Also post a gpresult /h gpos.html so that we can see what's actually happening from the client's perspective.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, July 19, 2017 12:37 AM
  • Hello Adamj.org,

    many thanks for the answer.

    Here the output of GPRESULT /H GPReport.html and GPRESULT /H GPReport.html /SCOPE COMPUTER.

    https://drive.google.com/file/d/0Bx_GGwXb0kaCcjdQLWhaWVJhVVk/view?usp=sharing

    https://drive.google.com/file/d/0Bx_GGwXb0kaCYWx1WHBON0h3ZjA/view?usp=sharing

    The single Computer which was able to install this update and was listed in the wsus console updated itself a few weeks ago.

    Best regards

    HyP3r_


    • Edited by HyP3r_ Monday, July 31, 2017 1:29 PM
    Monday, July 31, 2017 1:29 PM
  • According to Yan on

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/8e18d834-14c0-47de-b072-c665e1ce20f4/feature-update-to-vs-upgrade-to-vs-windows-7-and-81-upgrade-to-whats-the-difference?forum=winserverwsus

    the update you've approved is the 'feature update' which does NOT apply to 1511 clients.

    You must go find the "Upgrade to Windows 10"


    Adam Marshall, MCSE: Security
    http://www.adamj.org


    • Edited by AJTek.caMVP Wednesday, August 2, 2017 1:43 AM Fixed reference
    Wednesday, August 2, 2017 1:29 AM
  • Hello Adamj.org,

    many thanks for the answer.

    The Computers which don't want to install Windows 1703 (Creators Update, 15063) have 1607 (Anniversary Update, 14393) installed.

    Best regards

    HyP3r_

    • Edited by HyP3r_ Wednesday, August 2, 2017 8:17 AM
    Wednesday, August 2, 2017 8:01 AM
  • What is the exact version number of an affected computer on 1607?

    Settings > System > About > OS Build


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, August 2, 2017 1:56 PM
  • Hello,

    the exact version number of an affected computer is 14393.1480.

    Best regards

    HyP3r_

    Wednesday, August 2, 2017 3:11 PM
  • Please run this on one of the affected clients from an Administrator Command Prompt. Does it help?

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "%WinDir%\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, August 2, 2017 11:04 PM
  • Hello,

    I wrote a bit more advanced script years ago following this Knowledge Base Article which also includes your commands:

    Link

    And I run this script more than one time on those computers and it was not working.

    Best regards

    HyP3r_


    Thursday, August 3, 2017 9:04 AM
  • Does someone has an Idea? #2
    Tuesday, August 8, 2017 7:16 AM