locked
Client systems are not checking for updates after setting the GPO from Windows Server 2016 RRS feed

  • Question

  • Hi,

    I'm struggling to figure out why my wsus clients aren't reporting in on a regular basis. They seem to only report in if I execute a manual check for updates on the device itself. I have the following GPO set, I'm not sure what else I'm missing.

    Computer Configuration/Policies/Administrative Templates/Windows Components/Windows updates/Policy

    - Automatic Updates detection frequency --> 22hours

    - Configure Automatic Updates --> 3 - Auto download and notify for install

    - Specify intranet Microsoft update service location

       - Set the intranet update service for detecting updates (http://[internalwsus]:8530)

       - Set the intranet statistics server (http://[internalwsus]:8530)

    I know my intranet settings are valid since the servers to register initially but for whatever reason none of them check within the 22 hour interval. I've left some devices go for several days with no update so I don't think it's a matter of me not letting WSUS do it's thing....

    Client: Windows 2016

    WSUS Server: Windows 2016

    Any advice would be appreciated!


    • Edited by guilly08 Wednesday, April 10, 2019 10:36 AM Corrected the client version
    Saturday, April 6, 2019 11:15 AM

Answers

  • Hi,
      

    Let's try to check it out from these Windows 2016 clients.
      

    1. To use CMD as an administrator, enter the following command:
      >
      gpresult /h c:\gpo.htmThis will generate a report named gpo.htm under the C: partition. Open gpo.htm and check the 'Windows Components / Windows Updates' section to see if the applied policy is correct.
       
    2. Use a browser on the client to access the following address:
       - http://<yourservername>:8530/selfupdate/iuident.cab - http://<yourservername>:8530/selfupdate/wuident.cabIf the above two files are not available, check the IIS server for a virtual site with selfupdate and open anonymous access.
        

    Reply back with the results would be happy to help.
      

    Regards,
    Yic


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by guilly08 Wednesday, April 17, 2019 12:05 AM
    Tuesday, April 16, 2019 5:41 AM

All replies

  • Hi,
     

    Thank you for posting here.
    Analyze your situation, please try the following steps to troubleshoot:
     

    1. First, confirm whether the required language and product and update classification are configured in WSUS. Also, related updates have been approved to the client for installation.
    2. Read the following article to compare the differences in the configuration process: 'Configure WSUS'.
    3. Any error when the affected clients check update from the WSUS server? Check WindowsUpdate.log on the client side in C:\Windows\WindowsUpdate.log.
       

    Hope the above can help you.
     

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 8, 2019 2:16 AM
  • Hi,
     

    Thank you for posting here.
    Analyze your situation, please try the following steps to troubleshoot:
     

    1. First, confirm whether the required language and product and update classification are configured in WSUS. Also, related updates have been approved to the client for installation.
    2. Read the following article to compare the differences in the configuration process: 'Configure WSUS'.
    3. Any error when the affected clients check update from the WSUS server? Check WindowsUpdate.log on the client side in C:\Windows\WindowsUpdate.log.
       

    Hope the above can help you.
     

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Hi,

    1. Language is set to 'English' only. Products are set and I've approved the recommended updates to the targeted group that I've set in GPO.

    2. I've verified everything is configured properly and can confirm by doing a manual refresh. The device will check in with WSUS and download but not install the updates as per policy.

    3. I don't see any issues in the logs either.

    The main issue I'm having is that none of the devices are checking in with WSUS based on the 22 hour interval set. This is what's puzzling.... I'm either missing a setting or I don't understand how WSUS should work. Am I correct on assuming clients should be reporting on a daily basis ? 

    Thanks,

    Monday, April 8, 2019 8:18 PM
  • Hi,
      

    Thank you for your response.
    If you need the client to automatically install an approved update at a specific time, adjust the following Group Policy objects:
      

    • [Configure automatic updating] - 4 - Auto download and schedule the install
      And adjust 'Scheduled install day' and 'Scheduled install time' according to your needs.
    • [Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates] - Enabled  
        

    Regularly check again after the client synchronizes the modified GPO.
    Reply back with the results would be happy to help.
      

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 9, 2019 1:57 AM
  • Hi,
      

    Thank you for your response.
    If you need the client to automatically install an approved update at a specific time, adjust the following Group Policy objects:
      

    • [Configure automatic updating] - 4 - Auto download and schedule the install
      And adjust 'Scheduled install day' and 'Scheduled install time' according to your needs.
    • [Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates] - Enabled  
        

    Regularly check again after the client synchronizes the modified GPO.
    Reply back with the results would be happy to help.
      

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    My goal isn't to schedule the install. I've assigned the settings according to what my policies are (Auto Download & Notify of install). The problem I'm having is that there are updates available that have been approved but the clients aren't downloading the updates. The client's aren't even checking in within the 22 hour interval.

    The only way I can trigger the download is to log onto the machine and trigger a check using the Windows Update option in settings.

    Tuesday, April 9, 2019 1:04 PM
  • My goal isn't to schedule the install. 

    Reread your original post, I may have misunderstood your intentions.
     

    Since the user who uses the client is not necessarily an administrator, adjust the following group policies:
     

    • [Allow non-administrators to receive update notifications] - Set Enabled
    • [Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates] - Set Enabled
       

    Then work with other policies, which should allow the client to detect updates at the specified frequency.
     

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 10, 2019 5:52 AM
  • I will try that today... I have to make a correction as well though :). The clients are in fact Windows Server 2016 as well. So I'm not sure if these settings will have any impact but no harm on setting it them.

    Wednesday, April 10, 2019 10:35 AM
  • Hi,
     

    Any update is welcome here.
    If the issue is resolved, share your solution or find the helpful response "Mark as Answer" to help other community members find the answer.
     

    Thank you for your cooperation, as always.
     

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 15, 2019 8:04 AM
  • Hi,
     

    Any update is welcome here.
    If the issue is resolved, share your solution or find the helpful response "Mark as Answer" to help other community members find the answer.
     

    Thank you for your cooperation, as always.
     

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Good morning,

    Unfortunately the issue still persists.....  

    Monday, April 15, 2019 12:43 PM
  • Hi,
      

    Let's try to check it out from these Windows 2016 clients.
      

    1. To use CMD as an administrator, enter the following command:
      >
      gpresult /h c:\gpo.htmThis will generate a report named gpo.htm under the C: partition. Open gpo.htm and check the 'Windows Components / Windows Updates' section to see if the applied policy is correct.
       
    2. Use a browser on the client to access the following address:
       - http://<yourservername>:8530/selfupdate/iuident.cab - http://<yourservername>:8530/selfupdate/wuident.cabIf the above two files are not available, check the IIS server for a virtual site with selfupdate and open anonymous access.
        

    Reply back with the results would be happy to help.
      

    Regards,
    Yic


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by guilly08 Wednesday, April 17, 2019 12:05 AM
    Tuesday, April 16, 2019 5:41 AM
  • Hi,

    Well I'm embarrassed to say but the problem ended up being a GPO. I ran a gpresult and noticed that the Configure Automatic Updates setting was set to Disabled even though I had it set to Enabled in our servers policy :-/....

    After changing the problematic policy back to Not Configured the settings were properly set and clients have started checking in.

    Thank you for your help

    Wednesday, April 17, 2019 12:05 AM