WSUS 3.0 server reporting not applicable for all updates for 2016 servers

Question
-
WSUS 3.0 server reporting updates are not applicable for 2016 servers although patches have been downloaded and installed on 2016 servers.
Windows 2016 WindowsUpdate.log server log shows many of the below errors.
1600/12/31 16:00:00.0000000 336 4360 Unknown( 20): GUID=aa07f95d-91be-3f47-51b3-717e4c7ddc98 (No Format Information found).
Other log information is available as seen below.
2018/09/10 11:01:34.7825710 336 3776 Agent Windows Update access disabled: No
2018/09/10 11:01:34.7884881 336 3776 Agent Timer: 29A863E7-8609-4D1E-B7CD-5668F857F1DB, Expires 2018-09-10 22:19:19, not idle-only, not network-only
2018/09/10 11:01:34.9205997 336 4612 Shared UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
2018/09/10 11:01:34.9206100 336 4612 Shared UpdateNetworkState Ipv4, cNetworkInterfaces = 1.
2018/09/10 11:01:34.9206200 336 4612 Shared Power status changed
2018/09/10 11:01:34.9358876 336 3776 Agent Initializing Windows Update Agent
2018/09/10 11:01:34.9373960 336 3776 DownloadManager Download manager restoring 0 downloads
2018/09/10 11:01:34.9398053 336 3776 Agent CPersistentTimeoutScheduler | GetTimer, returned hr = 0x00000000
2018/09/10 11:01:37.4730121 336 1592 DownloadManager PurgeExpiredFiles::Found 3 expired files to delete.
2018/09/10 11:01:37.4730293 336 1592 DownloadManager PurgeExpiredFiles::Deleting expired file at C:\Windows\SoftwareDistribution\Download\bd0d73364bf854970f570a2cf51388b435720e6d.
2018/09/10 11:01:37.4776616 336 1592 DownloadManager PurgeExpiredFiles::Deleting expired file at C:\Windows\SoftwareDistribution\Download\48174db2b72cce60c7969dc197020c8ca58c9045.
2018/09/10 11:01:37.4831928 336 1592 DownloadManager PurgeExpiredFiles::Deleting expired file at C:\Windows\SoftwareDistribution\Download\9dcadf092f9e4cca339b5f98a160086902733280.
2018/09/10 11:01:37.5496229 336 1592 DownloadManager PurgeExpiredUpdates::Found 374 non expired updates.
2018/09/10 11:01:37.6491746 336 1592 DownloadManager PurgeExpiredUpdates::Found 3 expired updates.
2018/09/10 11:01:37.7071502 336 1592 DownloadManager PurgeContentForPatchUpdate::Deleting update content at C:\Windows\SoftwareDistribution\Download\898f9fe4b16d1628e7699c9bf1d04700.
2018/09/10 11:01:37.7330569 336 1592 Shared Effective power state: AC
2018/09/10 11:01:37.7330597 336 1592 DownloadManager Power state change detected. Source now: AC
2018/09/10 11:12:41.8143733 336 3772 Agent Earliest future timer found:
2018/09/10 11:12:41.8143912 336 3772 Agent Timer: 29A863E7-8609-4D1E-B7CD-5668F857F1DB, Expires 2018-09-10 22:19:19, not idle-only, not network-only
2018/09/10 11:12:42.8306986 336 4612 Agent Earliest future timer found:
2018/09/10 11:12:42.8307130 336 4612 Agent Timer: 29A863E7-8609-4D1E-B7CD-5668F857F1DB, Expires 2018-09-10 22:19:19, not idle-only, not network-only
2018/09/10 11:12:42.8343566 336 4612 Misc CreateSessionStateChangeTrigger, TYPE:2, Enable:No
2018/09/10 11:12:42.8343620 336 4612 Misc CreateSessionStateChangeTrigger, TYPE:4, Enable:No
2018/09/10 11:12:42.8776383 336 4612 Handler CUHCbsHandler::CancelDownloadRequest called
2018/09/10 11:12:42.9330548 336 4612 Shared * END * Service exit Exit code = 0x240001
An attempt was made to use Microsoft's public symbol server with no success.
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/microsoft-public-symbols
This is consistent throughout the Windows 2016 platform. Windows 2008 and 2012 systems report correctly.
Monday, September 10, 2018 9:07 PM
All replies
-
Hi,
Installed/Not Applicable means the update is not required by the client or is already installed. You can check whether the client has installed the updates.
If it is needed on the client, you can rename the SoftwareDistribution folder and approve the update again.
Best regards,
Johnson
=====================
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Johnson ZDH Tuesday, September 11, 2018 5:22 AM
Tuesday, September 11, 2018 5:22 AM -
Hi Johnson,
This is true, however patches are applicable and have been installed, though the WSUS server is reporting the patch not applicable.
Below is the history for one of the 2016 servers and I'm working with KB4343887. You can see the patch was required and installed on 8/22/2018. However, the WSUS server is reporting it is not applicable. In fact, the WSUS server is reporting the patch is not applicable for all 2016 servers.
Tuesday, September 11, 2018 5:54 PM -
Tuesday, September 11, 2018 5:56 PM
-
Tuesday, September 11, 2018 5:58 PM
-
Tuesday, September 11, 2018 5:59 PM
-
Hi,
When the updates have been installed on the clients, after installation, it reports "Not Applicable". It's normal since installed updates will not be installed again on clients, so the updates will be marked as not applicable.
If the clients do not install the updates and still report "Not Applicable", then you should check whether the clients have installed the updates which replaced them.
Besides, you may run Server Cleanup Wizard on the WSUS server, and run command: wuauclt /reportnow, to check if it could help.
Best regards,
Johnson
- Edited by Johnson ZDH Thursday, September 13, 2018 8:03 AM
Wednesday, September 12, 2018 6:45 AM -
Hi Johnson,
When updates have been installed it should report as installed, otherwise how can you be confident it's been applied to the applicable system? I checked 2008 and 2012 servers and patches which have been installed report as installed.
I'm already using Adam J's cleanup script on the WSUS server.
Thanks,
Patrick
Wednesday, September 12, 2018 5:36 PM -
Just as an FYI: https://www.ajtek.ca/wam/previous-wsus-automated-maintenance-wam-users/
Can you zoom in on the computer object report on a 2016 server, for Any Classification, Any Product, and Installed\Not Applicable and look to see if it is reporting ANY of the updates as installed?
The next thing I'll ask is can you run the WSUS Console from a Windows 10 system using RSAT, or from a Windows Server 2016 system using RSAT and still get the same results?
Adam Marshall, MCSE: Security
https://www.ajtek.ca
Microsoft MVP - Windows and Devices for IT
Wednesday, September 12, 2018 6:44 PM -
Hi Adam,
We have (2) WSUS servers, one on the east coast and one on the west coast and they are reporting the same way. I used RSAT on the WC WSUS server to connect to the EC WSUS server and vice versa and they both report the same. All 2016 patches are not applicable.
- Patrick
Friday, September 14, 2018 4:48 PM -
Windows 10 clients seem to be reporting correctly. I viewed several system reports and reports are showing pending and failed patches.
Windows 2016 servers still have the same issue.
Monday, September 17, 2018 9:42 PM -
Anyone have any ideas?
Wednesday, September 19, 2018 5:00 PM
-
We just went through and patched the servers which had pending patches, but WSUS is still reporting as not applicable.
Anyone else having the same issue?
Saturday, September 22, 2018 2:33 PM -
Hey Guys,
Any assistance with this would be much appreciated.
- Patrick
Monday, September 24, 2018 5:41 PM -
Try installing KB4132216 as a prerequisite. Read this link: https://support.microsoft.com/en-us/help/4457131/windows-10-update-kb4457131
Thursday, September 27, 2018 11:39 AM
-
Already did that. Patch is installed.
Friday, October 5, 2018 5:58 PM
-
Anyone else have any suggestions?
Thursday, November 1, 2018 6:47 PM
-
Yes, I have a suggestion, as I was facing the same issue. All network machines are configured to use WSUS exclusively, including Windows 10 (1803) workstations and Windows 2016 (1607) servers. Windows Update settings were applied with group policy. All W10 workstations worked perfectly with WSUS, including approving Windows updates and updates to other products. But, while the Windows 2016 servers successfully reported to WSUS and even identified needed patches from other products (e.g. Malicious Software Removal Tool), all cumulative and other Windows Server 2016 updates were always listed as "Not Applicable." This is even true of updates that were installed manually on the server.
The answer for me came in the following old article from MS: https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/
Because of my paranoia, when configuring Windows Update in group policy I had enabled the "Select when Feature Updates are received" and "Select when Quality Updates are received" settings in GP under the Admin Templates\Windows Components\Windows Update\Windows Update for Business section of GP. I also noticed that in the Windows Update logs on the affected servers, the following entry was present when WU was doing a scan against the WSUS server: "Blocking Windows content for WUfB."
According to the above article, setting the above WUfB deferral settings along with the GP setting "Specify intranet Microsoft update service location" sets the WU client to use "dual-scan." Apparently, dual-scan has the WU client look to Windows Update for updates to Windows and WSUS for updates to everything else. It does this because the WUfB deferral is only available from WU online. The article goes on to say "anything on WSUS that resides in the “Windows” product family is ignored by the Dual Scan client." Of course, we completely turned off access to WU using the "Do not connect to any Windows Update Internet locations" GP setting, so updates were not coming from WU online. But, because "dual-scan" was enabled, the WU client was still ignoring Windows updates from WSUS.
For us, the answer was to turn off the two WUfB deferral settings in GP and reapply GP to the servers. Once this was done, my Windows 2016 servers began fully participating in WSUS. Installed and needed Windows Server 2016 updates began showing as such.
Of course, we'd never actually approve and install updates via WSUS & Automatic Update (the way we do with our workstations). But now, we can use WSUS to report on needed patches to our servers and install them manually as we see fit and can schedule server downtime. I hope this helps someone.
Tuesday, November 27, 2018 9:40 PM -
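A check for the policy combination described in the post above, run locally on an affected server. This is an added example, not part of the original thread or any poster's script. The registry value names are an assumption about which values back the group policy settings the post names, and the `-LogPath` parameter and function names are hypothetical.

```powershell
param(
    # Path to a decoded WindowsUpdate.log (on Server 2016, generate one with Get-WindowsUpdateLog).
    [string]$LogPath
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Emits nothing ($null) when the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-DualScanPolicy {
    param([hashtable]$Policy)
    $usesWsus  = (-not [string]::IsNullOrEmpty($Policy.WUServer)) -and ($Policy.UseWUServer -eq 1)
    $deferrals = @('DeferFeatureUpdates', 'DeferQualityUpdates' | Where-Object { $Policy[$_] -eq 1 })
    [pscustomobject]@{
        WsusConfigured      = $usesWsus
        WUServer            = $Policy.WUServer
        DeferralPoliciesSet = $deferrals -join ', '
        InternetWUBlocked   = ($Policy.DoNotConnectToWindowsUpdateInternetLocations -eq 1)
        DualScanCombination = $usesWsus -and ($deferrals.Count -gt 0)
    }
}

# Read the assumed policy values from the local registry.
$policy = @{}
foreach ($name in 'WUServer', 'DeferFeatureUpdates', 'DeferQualityUpdates',
                  'DoNotConnectToWindowsUpdateInternetLocations') {
    $policy[$name] = Get-PolicyValue -Path $wuKey -Name $name
}
$policy.UseWUServer = Get-PolicyValue -Path "$wuKey\AU" -Name 'UseWUServer'

$result = Test-DualScanPolicy -Policy $policy
$result | Format-List

if ($result.DualScanCombination -and $result.InternetWUBlocked) {
    Write-Warning 'WUfB deferrals + WSUS + internet WU blocked: the combination the post reports as hiding Windows updates.'
}

# Optional: count the scan-time log entry quoted in the post.
if ($LogPath -and (Test-Path $LogPath)) {
    $hits = @(Select-String -Path $LogPath -Pattern 'Blocking Windows content for WUfB' -SimpleMatch)
    "{0} log line(s) contain 'Blocking Windows content for WUfB'" -f $hits.Count
    $hits | Select-Object -Last 3 | ForEach-Object { $_.Line }
}
```

Because the values are read from the applied policy hive, re-run it after `gpupdate /force` to confirm that a GPO change has actually reached the server before judging WSUS reporting.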
Hi PHindall,
I reviewed your post and did go through the process of disabling "Do not connect to any Windows Update Internet locations", but it didn't resolve the issue. The WSUS server is not reporting installed or needed updates for all 2016 servers.
Monday, December 17, 2018 7:51 PM