locked
WSUS 3.0 server reporting not applicable for all updates for 2016 servers RRS feed

  • Question

  • WSUS 3.0 server reporting updates are not applicable for 2016 servers although patches have been downloaded and installed on 2016 servers.

    Windows 2016 WindowsUpdate.log server log shows many of the below errors.

    1600/12/31 16:00:00.0000000 336   4360   Unknown( 20): GUID=aa07f95d-91be-3f47-51b3-717e4c7ddc98 (No Format Information found).

    Other log information is available as seen below.

    2018/09/10 11:01:34.7825710 336   3776  Agent           Windows Update access disabled: No
    2018/09/10 11:01:34.7884881 336   3776  Agent               Timer: 29A863E7-8609-4D1E-B7CD-5668F857F1DB, Expires 2018-09-10 22:19:19, not idle-only, not network-only
    2018/09/10 11:01:34.9205997 336   4612  Shared          UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
    2018/09/10 11:01:34.9206100 336   4612  Shared          UpdateNetworkState Ipv4, cNetworkInterfaces = 1.
    2018/09/10 11:01:34.9206200 336   4612  Shared          Power status changed
    2018/09/10 11:01:34.9358876 336   3776  Agent           Initializing Windows Update Agent
    2018/09/10 11:01:34.9373960 336   3776  DownloadManager Download manager restoring 0 downloads
    2018/09/10 11:01:34.9398053 336   3776  Agent           CPersistentTimeoutScheduler | GetTimer, returned hr = 0x00000000
    2018/09/10 11:01:37.4730121 336   1592  DownloadManager PurgeExpiredFiles::Found 3 expired files to delete.
    2018/09/10 11:01:37.4730293 336   1592  DownloadManager PurgeExpiredFiles::Deleting expired file at C:\Windows\SoftwareDistribution\Download\bd0d73364bf854970f570a2cf51388b435720e6d.
    2018/09/10 11:01:37.4776616 336   1592  DownloadManager PurgeExpiredFiles::Deleting expired file at C:\Windows\SoftwareDistribution\Download\48174db2b72cce60c7969dc197020c8ca58c9045.
    2018/09/10 11:01:37.4831928 336   1592  DownloadManager PurgeExpiredFiles::Deleting expired file at C:\Windows\SoftwareDistribution\Download\9dcadf092f9e4cca339b5f98a160086902733280.
    2018/09/10 11:01:37.5496229 336   1592  DownloadManager PurgeExpiredUpdates::Found 374 non expired updates.
    2018/09/10 11:01:37.6491746 336   1592  DownloadManager PurgeExpiredUpdates::Found 3 expired updates.
    2018/09/10 11:01:37.7071502 336   1592  DownloadManager PurgeContentForPatchUpdate::Deleting update content at C:\Windows\SoftwareDistribution\Download\898f9fe4b16d1628e7699c9bf1d04700.
    2018/09/10 11:01:37.7330569 336   1592  Shared          Effective power state: AC
    2018/09/10 11:01:37.7330597 336   1592  DownloadManager Power state change detected. Source now: AC
    2018/09/10 11:12:41.8143733 336   3772  Agent           Earliest future timer found:
    2018/09/10 11:12:41.8143912 336   3772  Agent               Timer: 29A863E7-8609-4D1E-B7CD-5668F857F1DB, Expires 2018-09-10 22:19:19, not idle-only, not network-only
    2018/09/10 11:12:42.8306986 336   4612  Agent           Earliest future timer found:
    2018/09/10 11:12:42.8307130 336   4612  Agent               Timer: 29A863E7-8609-4D1E-B7CD-5668F857F1DB, Expires 2018-09-10 22:19:19, not idle-only, not network-only
    2018/09/10 11:12:42.8343566 336   4612  Misc            CreateSessionStateChangeTrigger, TYPE:2, Enable:No
    2018/09/10 11:12:42.8343620 336   4612  Misc            CreateSessionStateChangeTrigger, TYPE:4, Enable:No
    2018/09/10 11:12:42.8776383 336   4612  Handler         CUHCbsHandler::CancelDownloadRequest called
    2018/09/10 11:12:42.9330548 336   4612  Shared          * END * Service exit Exit code = 0x240001

    An attempt was made to use the Microsoft's public symbol server with no success.

    https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/microsoft-public-symbols

    This is consistent throughout the Windows 2016 platform. Windows 2008 ad 2012 systems report correctly.

    Monday, September 10, 2018 9:07 PM

All replies

  • Hi,

    Installed/Not Applicable means update is not required by the client or already installed. You can check the client whether installed the updates.

    If it is needed in the client, you can rename the SoftwareDistiribution folder, and approve the update again.

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Johnson ZDH Tuesday, September 11, 2018 5:22 AM
    Tuesday, September 11, 2018 5:22 AM
  • Hi Johnson,

    This is true, however patches are applicable and have been installed, though the WSUS server is reporting the patch not applicable.

    Below is the history for one of the 2016 servers and I'm working with KB4343887. You can see the patch was required and installed on 8/22/2018. However, the WSUS server is reporting it is not applicable. In face, the WSUS server is reporting the patch is not applicable for all 2016 servers.

    Tuesday, September 11, 2018 5:54 PM

  • Tuesday, September 11, 2018 5:56 PM

  • Tuesday, September 11, 2018 5:58 PM
  • Tuesday, September 11, 2018 5:59 PM
  • Hi,

    When the updates have been installed on the clients, after installation, it reports "Not Applicable". It's normal since installed updates will not been installed again on clients, so the updates will be marked as not applicable

    If the clients do not install the updaets, and still report "Not Applicable". Then, you should check the whether the clients have installed the updates which replaced them. 

    Besides, you may run Server Cleanup Wizard on the WSUS server, and run command: wusuclt/reportnow, to check if it could help. 

    Best regards,
    Johnson
    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Johnson ZDH Thursday, September 13, 2018 8:03 AM
    Wednesday, September 12, 2018 6:45 AM
  • Hi Johnson,

    When updates have been installed it should report as installed, otherwise how can you be confident it's been applied to applicable system. I checked 2008 and 2012 servers and patches which have been installed report as installed.

    I'm already using Adam J's cleanup script on the WSUS server.

    Thanks,
    Patrick

    Wednesday, September 12, 2018 5:36 PM
  • Hi Johnson,

    When updates have been installed it should report as installed, otherwise how can you be confident it's been applied to applicable system. I checked 2008 and 2012 servers and patches which have been installed report as installed.

    I'm already using Adam J's cleanup script on the WSUS server.

    Thanks,
    Patrick

    Just as an FYI: https://www.ajtek.ca/wam/previous-wsus-automated-maintenance-wam-users/

    Can you zoom in on the computer object report on a 2016 server, for Any Classification, Any Product, and Installed\Not Applicable and look to see if it is reporting ANY of the updates as installed?

    The next thing I'll ask is can you run the WSUS Console from a Windows 10 system using RSAT, or from a Windows Server 2016 system using RSAT and still get the same results?


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Wednesday, September 12, 2018 6:44 PM
  • Hi Adam,

    We have (2) WSUS servers, one on the east coast and one on the west coast and they are reporting the same way. I used RSAT on the WC WSUS server to connect to the EC WSUS server and vice versa and they both report the same. All 2016 patches are not applicable.

    - Patrick

    Friday, September 14, 2018 4:48 PM
  • Windows 10 clients seem to be reporting correctly. I viewed several system reports and reports are showing pending and failed patches.

    Window 2016 servers still have the same issue.

    Monday, September 17, 2018 9:42 PM
  • Anyone have any ideas?
    Wednesday, September 19, 2018 5:00 PM
  • We just went through and patched the servers which had pending patches, but WSUS is still reporting as not applicable.

    Anyone else having the same issue?

    Saturday, September 22, 2018 2:33 PM
  • Hey Guys,

    Any assistance with this would be much appreciated.

    - Patrick

    Monday, September 24, 2018 5:41 PM
  • Try install KB4132216 as prerequisite. Read this link: https://support.microsoft.com/en-us/help/4457131/windows-10-update-kb4457131

    Thursday, September 27, 2018 11:39 AM
  • Already did that. Patch is installed.
    Friday, October 5, 2018 5:58 PM
  • Anyone else have any suggestions?
    Thursday, November 1, 2018 6:47 PM
  • Yes, I have a suggestion, as I was facing the same issue.  All network machines configured to use WSUS exclusively, including Windows 10 (1803) workstations and Windows 2016 (1607) servers.  Windows Update settings were applied with group policy.  All W10 workstations worked perfectly with WSUS, including approving Windows updates and updates to other products.  But, while the Windows 2016 servers successfully reported to WSUS and even identified needed patches from other products (-e.g. Malicious Software Removal Tool), all cumulative and other Windows Server 2016 updates were always listed as "Not Applicable."  This is even true of updates that were installed manually on the server.

    The answer for me came in the following old article from MS: https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/

    Because of my paranoia, when configuring Windows Update in group policy I had enabled the "Select when Feature Updates are received" and "Select when Quality Updates are received" settings in GP under Admin Templates\Windows Components\Windows Update\Windows Update for Business section of GP.  I also noticed that in the Windows Update logs on the affected servers, the following entry was present when WU was doing a scan against the WSUS server: "Blocking Windows content for WUfB."

    According to this above article, setting the above WUfB deferral settings along with the GP setting "Specify intranet Microsoft update service location" sets the WU client to use "dual-scan." Apparently, dual-scan has the WU client look to Windows Update for updates to Windows and WSUS for updates to everything else.  It does this because the WUfB deferral is only available from WU online.  The article goes on to say "anything on WSUS that resides in the “Windows” product family is ignored by the Dual Scan client."  Of course, we completely turned off access to WU using the "Do not connect to any Windows Update Internet locations" GP setting, so updates were not coming from WU online.  But, because "dual-scan" was enabled, the WU client was still ignoring  Windows updates from WSUS.

    For us, the answer was to turn off the two WUfB deferral settings in GP and reapply GP to the servers.  Once this was done, my Windows 2016 servers began fully participating in WSUS.  Installed and needed Windows Server 2016 updates began showing as such.

    Of course, we'd never actually approve and install updates via WSUS & Automatic Update (the way we do with our workstations).  But now, we can use WSUS to report on needed patches to our servers and install them manually as we see fit and can schedule server downtime.  I hope this helps someone.

    Tuesday, November 27, 2018 9:40 PM
  • Hi PHindall,

    I reviewed your post and did go through the process of disabling "Do not connect to any Windows Update Internet locations", but it didn't resolve the issue. The WSUS server is not reporting installed or needed updates for all 2016 servers.

    Monday, December 17, 2018 7:51 PM