Windows 10 machines not picking up any patches from WSUS on SUP?

  • Question

  • We're running the WSUS service on a software update point (SUP) on an SCCM server.

    And this is our configuration:

    Product category:

    Windows 10
    Windows 10 LTSB
    Windows 10, version 1903 and later

    Patch Classification:

    Critical
    Security

    Windows 10 machines check for updates from WSUS running under the SUP on SCCM, and the logs say no patches are missing or applicable.
    However, there are many patches which are not installed, so there's a conflict.

    And we're able to deploy patches for Office using this setup, so communication and configuration are all good at the server and client end.

    Now, my question is: do we need to enable "Update Rollups" as well in Classifications for WSUS, or what could possibly be the reason for patches not qualifying for installation while the Windows Update Catalog says that the patch is for that particular OS?
    Maybe that's why the new patches are not becoming eligible for installation.
    Friday, November 29, 2019 11:39 AM

All replies

  • Hi RokTek,

    Note that the problem you are facing is in Configuration Manager, so experience with WSUS may not help.
    Here is an article on basic troubleshooting in an environment using a SUP: "SCCM Configmgr Troubleshooting Client software update issues". It mainly covers the following aspects:

    1. Client-side troubleshooting. Does it include any necessary services? Has the WSUS server address information been applied to the registry?
    2. Troubleshooting of SCCM. Including the setting of some schemes of the update point, and parameter configuration.
    3. Troubleshoot with logs.

    Hope the above can help you.

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 2, 2019 7:19 AM
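
Added example (not part of the thread or of the article it cites): a PowerShell check covering the client-side points listed in the reply above, namely services, the WSUS address in the registry, and what the Windows Update Agent itself reports as applicable. The service list is an assumption about which services count as "necessary"; the registry paths are the standard Windows Update policy locations.

```powershell
# Added example: client-side checks for a Windows 10 machine that scans
# against WSUS on a ConfigMgr software update point. Run elevated on the client.

# 1. Services the scan depends on (assumed list: Windows Update, BITS, ConfigMgr client).
$services = foreach ($name in 'wuauserv', 'BITS', 'CcmExec') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $name
        Status    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType = if ($svc) { $svc.StartType } else { $null }
    }
}
$services | Format-Table -AutoSize

# 2. WSUS address applied to the registry by policy.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
[pscustomobject]@{
    WUServer       = $wu.WUServer
    WUStatusServer = $wu.WUStatusServer
    UseWUServer    = $au.UseWUServer   # 1 = scan against the WUServer above
} | Format-List

# 3. Ask the Windows Update Agent what it considers applicable from the managed server.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1          # ssManagedServer
$result = $searcher.Search("IsInstalled=0 and Type='Software'")
"Applicable, not installed (per managed server): $($result.Updates.Count)"
foreach ($u in $result.Updates) {
    '{0}  [{1}]' -f $u.Title, (($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
}

# 4. Most recently installed updates, for comparison with the catalog.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```

A zero count in step 3 with healthy services and a correct WUServer value narrows the problem to update applicability on the server side rather than client connectivity.
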
  • Yes, the WSUS address information is applied to registry.

    SCCM doesn't seem to have issue because we're perfectly able to deploy office patches to client systems.

    It's just that, maybe, I'm not sure, due to the modern cumulative (rollups and all) update strategy, clients are not picking up any updates; they behave as if they are fully patched, but actually they are not.

    So is it because of SSUs (servicing stack updates) or some other prerequisite patch that prevents clients from taking new patches?

    Monday, December 2, 2019 11:44 AM
  • "So is it because of SSUs (servicing stack updates) or some other prerequisite patch that prevents clients from taking new patches?"

    From the perspective of classification, SSUs also belong to "Security Updates", which you have selected. For monthly rollup updates, installing a newer SSU is indeed a necessary prerequisite. If the status of the SSU is reported as "required" in your SCCM, deployment is recommended.

    Regards,
    Yic



    Tuesday, December 3, 2019 1:45 AM
  • Hi RokTek,

    Any update is welcome here.
    If the issue is resolved, please share your solution or use "Mark as Answer" on the helpful response to help other community members find the answer.

    Thank you for your cooperation, as always.

    Regards,
    Yic


    Friday, December 6, 2019 5:51 AM
  • Hi Yic,

    I appreciate your help, but this is still unresolved and I'm trying to dig deeper to find the root cause.

    Wednesday, December 11, 2019 10:34 AM
  • Are the machines even reporting to WSUS properly?

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/

    If they are, follow that page down - it has troubleshooting steps.

    Are you performing the proper WSUS maintenance including but not limited to running the Server Cleanup Wizard (SCW), declining superseded updates, running the SQL Indexing script, etc.?

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/

    Even with SCCM/MEMCM installed you still need to be taking care of WSUS's maintenance.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, December 16, 2019 1:11 AM
  • Hi Aj,

    Yes, they are reporting; we have set the group policy to point them to the correct server. I think it has to do with the patch model of Windows 10, because I found other OSes are picking up patches.

    Wednesday, December 18, 2019 1:34 PM
  • Are you doing the required maintenance?

    https://www.ajtek.ca/blog/how-often-should-i-run-wsus-maintenance/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Wednesday, December 18, 2019 3:46 PM