Servers not getting windows updates from WSUS (Mostly web servers)

  • Question

  • Hi,

    After an in-place upgrade of servers from 2008 R2 to 2012 R2, Windows Update gets stuck at checking for updates forever (only some upgraded servers, not all; the ones we are having issues with are mostly web servers). I left it for 3 to 4 days and still no joy. As soon as the server checks for updates it stops reporting to WSUS. Even if I download a standalone patch as a test, i.e. a single patch, I cannot install it; it gets stuck at searching for updates on this computer. I cannot download the updates from the internet as these servers don't have internet access; the only option is WSUS.

    On the 2012 R2 servers that are causing issues, if I revert to the 2008 R2 snapshot, Windows updates download fine from WSUS and the reporting also works fine with no issues.

    I have tried Windows Update on a new build (built from a 2012 R2 template) and that server has downloaded the updates from the WSUS server with no issues; the version of the Windows Update Agent on that server is 7.9.960018696. Below are the troubleshooting steps I have tried so far on the servers. Could you please let me know how I could resolve the issue? This is getting desperate for us to resolve. We had to go for an in-place upgrade and not a new build because of the applications that are installed on these servers.

    • Reset windows updates components
    • Renamed Software distribution folder
    • Deleted record from DNS and reregistered it
    • Deleted from WSUS
    • Rebooted server few times
    • Removed from Domain and Joined to the Domain
    • Ran Chkdsk C: /f /r
    • Ran DISM /Online tool with scan health and restore health switches
    • Ran SFC /Scannow

    Saturday, October 7, 2017 5:06 PM

All replies

  • Hello,

    I suggest you try steps below:

    1. Stop the Windows Update service.

    2. Delete the SUSclientID reg key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

    3. Restart the Windows Update service.

    You can run the PowerShell script below on the client to reset Windows Update:

    $AutoUpdates = New-Object -ComObject "Microsoft.Update.AutoUpdate"
    $AutoUpdates.DetectNow()

    You may also run the Server Cleanup Wizard on the WSUS server.


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    • Edited by Yan Li_ Monday, October 9, 2017 2:20 AM
    Monday, October 9, 2017 2:14 AM
  • Tried the deletion of SusClientId on one of the servers and it didn't make any difference. What I have noticed is the client contacts the WSUS server but doesn't report and doesn't download the updates.
    Monday, October 9, 2017 10:35 AM
  • Would you please check the Windowsupdate.log on the client?

    We may get more details for troubleshooting with the log. 



    Tuesday, October 10, 2017 8:30 AM
  • You need my script. It fixes problems like these (don't take my word for it, read all the comments!)

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    If, after you run my script, the issue still persists after a 48-hour period, run the following from an Admin command prompt on the affected machines:

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Proposed as answer by Yan Li_ Tuesday, October 31, 2017 8:50 AM
    Friday, October 13, 2017 3:41 AM
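
A read-only pre-check to run on an affected server before the identity reset described in the replies above. This is an added example, not code from any poster in the thread or from the Clean-WSUS script. It records the state of the two services, the WSUS server the agent is pointed at, and the four identity values the reset deletes, so there is a record to compare against after the reset and across servers. Assumptions: the WUServer, WUStatusServer and AU\UseWUServer policy values are the standard WSUS Group Policy settings and are not mentioned in the thread; the function names and the CSV path under %TEMP% are arbitrary choices.

```powershell
# Added example: read-only snapshot of the WSUS client state. Nothing is modified.
$wuKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # assumption: WSUS set by Group Policy
$idValues  = 'AccountDomainSid', 'PingID', 'SusClientId', 'SusClientIDValidation'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WsusClientState {
    $state = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Services that the reset procedure stops and starts.
    foreach ($svc in 'wuauserv', 'bits') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $state["Service_$svc"] = if ($s) { "$($s.Status)" } else { 'NotFound' }
    }

    # Where policy points the agent. An empty or wrong value here is one
    # reason a client does not report to the expected WSUS server.
    $state.WUServer       = Get-RegValue $policyKey 'WUServer'
    $state.WUStatusServer = Get-RegValue $policyKey 'WUStatusServer'
    $state.UseWUServer    = Get-RegValue "$policyKey\AU" 'UseWUServer'

    # Identity values the reset deletes. Binary values are shown as hex so
    # they can be compared between servers and before/after the reset.
    foreach ($v in $idValues) {
        $raw = Get-RegValue $wuKey $v
        $state[$v] = if ($raw -is [byte[]]) {
            ($raw | ForEach-Object { $_.ToString('X2') }) -join ''
        } else { $raw }
    }
    [pscustomobject]$state
}

$report = Get-WsusClientState
$report | Format-List
# Keep a copy so the values can be compared after the reset.
$report | Export-Csv -Path "$env:TEMP\wsus-client-state-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Comparing SusClientId between the affected servers shows whether any of them share an identity, and comparing WUServer against the working new-build server shows whether they are pointed at the same WSUS instance.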