locked
WSUS - problems with approved updates on different groups RRS feed

  • Question

  • Hello

    I have a problem with groups and approved updated for Win10 desktops.

    My WSUS server have two groups : "IT" "workstations". IT group was created few months ago and computer from this group reports today that are 10.0.14393.1532 when from workstation 10.0.14393.351 and in needed updated there is only one waiting for reboot and upgrade to 1703 (not approved).

    According to link (I know that today is patching Tuesday) latest build is 14393.1715. Why IT is around 4 weeks behind? Why Workstations are few months behinds latest build?


    Second question

    According to link latest Cumulative Update for Windows 10 Version 1607: August 2, 2016 - I Tryed to find "3176929" or "kb3176929"  in my WSUS -without success. Synchornization reports all in green. What is going on?

    Regards

    Slawek



    Tuesday, September 12, 2017 6:53 PM

All replies

  • So 14393 is Windows 10 1607. The RTM Version of 1607 had an issue with being able to communicate with WSUS and applying a cumulative update past September 2016 would fix this issue. According to your version numbers, .351 is KB3197954 which is October's CU. If this is the case, it's entirely possible that something else is wrong. There are 2 things I recommend to anyone having these types of issues. First, run my script as it fixes multiple issues with WSUS and usually brings back life into every system that's not updating/reporting properly.

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    The second thing that I recommend doing is that if it's still not working, run the following script on every client that's having an issue.

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "%WinDir%\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow

    Don't worry about errors with the above script - it takes into account many scenarios and most don't have all 4 registry entries. Wait for 30 minutes after running the above and see what happens with either reporting or if it finds new updates.

    Let us know what happens.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, September 13, 2017 12:38 AM
  • Hi Slawek,

    >>According to link (I know that today is patching Tuesday) latest build is 14393.1715. Why IT is around 4 weeks behind? Why Workstations are few months behinds latest build?

    Have you approved the latest CU (or same updates ) for computers which reside in both groups ?

     

    As for Second question , I'm facing same behavior .

    Because , windows catalog still doesn't contain that update .  

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 13, 2017 9:56 AM
  • Hello Adam

    I will do that on monday because I'm on business trip ... Thx for tips

    Wednesday, September 13, 2017 3:44 PM
  • Hello Elton


    I have automatic approval for critical  definition and security updates. I verified that "4038782" is approved on all my groups yesterday. Today I see:

    - on IT group conputer with 14393.1670 (small progress but I expected 14393.1715

    - on Worsktation computer with 14393.1670 and 14393.1715 (again - small progress but still one step behind latest build)

    Do I missed something ? Do I need to approve something more?

    I enabled option "download express instalation files" in "Update files and languages" but I dont see any changes in downloading updates on workstations.

    Regards

    Slawek

    Wednesday, September 13, 2017 3:55 PM
  • Hi Sir,

    >>Do I missed something ? Do I need to approve something more?

    No , you just need to wait the report of client computers .

    There should be some delay of the report operation .

    You may check the "Last status report" for that client :

    Also , you may check whether the update "4038782" has been installed on client computer .

     

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Elton_Ji Thursday, September 28, 2017 9:34 AM
    Friday, September 15, 2017 2:00 AM
  • Hi Sir,

    Is there any update ?

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 17, 2017 3:38 PM
  • Hello

    I'd like to get back to this topic .. I know that I should do this few weeks ago... but better now than never ;)

    I runned Adam's script with option -FirstTime and next -DirtyDatabaseCheck

    I reclaimed 260GB of free space!!! and during synchronisation after DatabaseCheck my WSUS detect 48 new updated and 14 expired. We will see what will my computer gets.

    I will update this topic on monday.

    Regards

    Slawek

    Friday, November 24, 2017 4:59 PM
  • First report after 15h ...

    I can't find any update for build 1607 (latest or never one). Please take a look into pinctures

    What's going on?

    Regards

    Slawek

    Saturday, November 25, 2017 9:45 AM