WSUS won't offer Windows 10 CU 1703 updates.

  • Question

  • I have a Windows 2012 R2 server running WSUS. Connected to it are a dozen PCs with a range of Windows 7 and 10 OS's.

    All PCs except those with Windows 10 are getting updates.

    On my PC, which is Windows 10 CU, WSUS says that it has not reported status for over a week, even though I have the group policy pointed at the WSUS server. I've run wuauclt /reportnow and wuauclt /detectnow, which doesn't help.

    I have all of the Windows 10 products ticked in WSUS's product classifications.

    On my test PC, which is reporting to WSUS properly, it too gets no updates, even though I know there are updates for it (I've just installed Windows 10 clean and have not applied any updates to it yet). WSUS sees that PC, but still won't find any updates for it.

    When I manually check for updates from my PC, it takes about 25 minutes and then tells me there was an error 0x80070426

    I don't have Windows Defender installed on any of my Windows 10 PCs. I use 3rd party tools. So when I use PowerShell to retrieve the Windows Update log(s), it fails, telling me it cannot find Windows Defender's symsrv.dll.

    Any ideas?

    thanks

    Thursday, September 14, 2017 1:48 AM

All replies

  • You need my script. Seriously. It will fix your issue.

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    If, after running my script and then forcing the check for updates from the client, there still exist issues, on those systems, run the following:

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "%WinDir%\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Thursday, September 14, 2017 3:12 AM
  • Also, FYI, after running my Cleanup script, your times for Windows clients to check for updates will drop to probably under 30 seconds. Mine are usually around 20 seconds.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Thursday, September 14, 2017 3:18 AM
  • Hi,

    For troubleshooting, I'd suggest you only select "critical updates" and "security updates" for Windows 10.

    Then run "server cleanup wizard".

    If the issue still persists, please try to reset the client ID for one of the Windows 10 computers:

    https://gallery.technet.microsoft.com/scriptcenter/Reset-WSUS-Authorization-2e26d1b0

    As for the Win 10 computer, the command "wuauclt" doesn't work, please try this cmdlet:

    (new-object -Comobject Microsoft.Update.AutoUpdate).detectnow()
    
    https://michlstechblog.info/blog/windows-10-trigger-detecting-updates-from-command-line/

     

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 18, 2017 7:13 AM
  • Hi, sorry for the long delay in responding. Been away.

    Ok, the script ran for 00:03:37. No errors I could see in the log file.

    On the server..

    There are now only 4 Win 2012R2 updates I have not approved and the Win 10 Cumulative update 4038788 which refuses to download. It's been in downloading status for 24 hours now.

    On my Windows 10 PC..

    BITS and WU services were not running (the first is set to manual, and the latter, Automatic, trigger start).

    The first three registry keys did not exist, the last was successfully deleted.

    The check for updates still takes around 20 minutes, and still fails with error code 0x80070426

    Of course, attempts to view Windows Update Logs still do not work with Get-WindowsUpdateLog because Windows Defender is not installed on any Windows 10 PC.

    On another Windows 10 PC (installed from the same modified ESD image), it checks for updates in a matter of 60 seconds and reports that there are no updates (which would be correct as 4038788 refuses to download).

    On ALL PCs downloading the last two cumulative updates and attempting to install them manually also fails. They appear to install, the PC reboots and then says "Windows was unable to install the updates..." then rolls back the changes.

    Wednesday, September 27, 2017 9:21 AM
  • Thanks for that.

    This fails with an error.. 0x8024A10B.

    At line:1 char:1
    + (new-object -Comobject Microsoft.Update.AutoUpdate).detectnow()

    Wednesday, September 27, 2017 9:27 AM
  • I managed to acquire symsrv.dll and can now convert update logs.

    First, manually attempting to install the latest cumulative update from the Windows catalog (4040724) fails with 800f0922. Here is the last part of the update log file.

    Following that, I tried the forced check against the WSUS server, which died after 20 minutes with 80070426. Log file for that also included.

    The WSUS server won't download 4038788. It sits at 0%. It hasn't even heard of 4040724 (I've run a couple of manual synchronizations).

    I tried to post more complete logs but kept getting an error that the post was too long.

    -----------

    4040724
    -----------

    2017/09/27 21:43:53.4232798 1236  4756  Reporter        [0]04D4.1294::09/27/2017-21:43:53.423 [reporting]REPORT EVENT: {CC0F2C46-46E7-45EB-8E81-6F6BDB7F81B0}    2017-09-27 21:43:48:391+1000    1    182 [AGENT_INSTALLING_FAILED]    101    {94322E06-B7F6-4244-BD6B-3BB9AD942675}    501    800f0922    wusa    Failure    Content Install    Installation Failure: Windows failed to install the following update with error 0x800f0922: Update for Windows (KB4040724).

    ----------------

    0x80070426
    ----------------

    2017/09/27 21:53:00.2645807 1236  4756  Reporter        [0]04D4.1294::09/27/2017-21:53:00.264 [reporting]REPORT EVENT: {D012A9D5-B780-4010-88EF-7A6081736AD2}    2017-09-27 21:52:55:479+1000    1    148 [AGENT_DETECTION_FAILED]    101    {00000000-0000-0000-0000-000000000000}    0    80070426    UpdateOrchestrator    Failure    Software Synchronization    Windows Update Client failed to detect with error 0x80070426.


    For the sake of clarity.. It's only Windows 10 patches that won't download. Windows 2012 R2, Windows 7 and MS Office patches all download and install perfectly fine.
    • Edited by TanyaC0205 Friday, September 29, 2017 12:49 AM
    Wednesday, September 27, 2017 12:08 PM
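
Added example, not part of any post in this thread: a PowerShell sketch that pulls the event name, caller and HRESULT out of REPORT EVENT lines like the two quoted above and splits each HRESULT into facility and code. The sample lines are abridged copies of the thread's log entries; the function name, the regex and the three-entry facility table are assumptions made for this example.

```powershell
# Added example (not from the thread). Sample lines are abridged copies of the two
# REPORT EVENT entries quoted above; the facility table is deliberately partial.
$sampleLines = @(
    '[reporting]REPORT EVENT: {CC0F2C46-46E7-45EB-8E81-6F6BDB7F81B0}    2017-09-27 21:43:48:391+1000    1    182 [AGENT_INSTALLING_FAILED]    101    {94322E06-B7F6-4244-BD6B-3BB9AD942675}    501    800f0922    wusa    Failure    Content Install',
    '[reporting]REPORT EVENT: {D012A9D5-B780-4010-88EF-7A6081736AD2}    2017-09-27 21:52:55:479+1000    1    148 [AGENT_DETECTION_FAILED]    101    {00000000-0000-0000-0000-000000000000}    0    80070426    UpdateOrchestrator    Failure    Software Synchronization'
)

# Facility numbers as defined in winerror.h (only the ones seen in this thread).
$facilityNames = @{ 7 = 'FACILITY_WIN32'; 15 = 'FACILITY_SETUPAPI'; 36 = 'FACILITY_WINDOWSUPDATE' }

function ConvertFrom-HResult {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Hex)
    $value    = [Convert]::ToInt64(($Hex -replace '^0x', ''), 16)
    $facility = [int](($value -shr 16) -band 0x1FFF)   # same mask as HRESULT_FACILITY
    $code     = [int]($value -band 0xFFFF)             # same mask as HRESULT_CODE
    $name     = $facilityNames[$facility]
    if (-not $name) { $name = "facility $facility (not in table)" }
    $text = $null
    if ($facility -eq 7) {
        # A Win32-facility HRESULT wraps a Win32 error code; let Windows supply its text.
        $text = (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
    }
    [pscustomobject]@{
        HResult   = '0x{0:X8}' -f $value
        Failure   = ((($value -shr 31) -band 1) -eq 1)   # severity bit
        Facility  = $name
        Code      = $code
        Win32Text = $text
    }
}

# Event name in brackets, then the 8-hex-digit result, the caller, and the word Failure.
$pattern = '\[(?<event>AGENT_\w+)\].*?\s(?<hr>[0-9A-Fa-f]{8})\s+(?<caller>\S+)\s+Failure'

$results = foreach ($line in $sampleLines) {
    $m = [regex]::Match($line, $pattern)
    if (-not $m.Success) { continue }   # skip lines that are not failure reports
    ConvertFrom-HResult -Hex $m.Groups['hr'].Value |
        Add-Member -NotePropertyMembers @{
            Event  = $m.Groups['event'].Value
            Caller = $m.Groups['caller'].Value
        } -PassThru
}
$results | Format-List Event, Caller, HResult, Failure, Facility, Code, Win32Text
```

For 80070426 this reports FACILITY_WIN32 with code 1062, which is ERROR_SERVICE_NOT_ACTIVE ("The service has not been started"); the log line itself does not say which service. 800f0922 falls under FACILITY_SETUPAPI, so it has no Win32 text and must be looked up separately.
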
  • For the install issue directly on the client - if it's not installing the update manually by downloading it from the catalog, then there's definitely something wrong with the client.

    For the downloading issue... I wonder. I was trying to help someone on Spiceworks for something unrelated, but kind of related (permissions) and they eventually got help with Microsoft and they said:

    https://community.spiceworks.com/topic/2050184-wsus-access-denied-error?page=1#entry-7254617

    JayH-SCPA Sep 28, 2017 at 2:05 PM

    Microsoft had me try these steps. It didn't do anything for my issue but if anybody wants to try it.

    o Give local group Administrators Full Control over this key HKLM\SOFTWARE\Classes\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B} (only for doing next steps)

    o Open Dcomcnfg, Component Services> Computers > My Computer > DCOM Config, and modify WSUSCertServer security settings:

    o Launch and Activation permissions => give Local Launch and Local Activation rights to WSUS administrators group

    o Access permissions => give Local Access rights to WSUS administrators group

    o Add required users to local admins and wsus admins groups


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Proposed as answer by Elton_Ji Tuesday, October 10, 2017 3:02 AM
    • Unproposed as answer by TanyaC0205 Saturday, October 14, 2017 11:48 PM
    Saturday, September 30, 2017 2:09 AM
  • This did not work.

    I'm going to start a new thread. The landscape has changed so much since I created this thread.

    Saturday, October 14, 2017 11:49 PM