none
Windows 10 updates won't download, but all other OS versions and products will Win 2012 R2

    Question

  • Hi

    I originally started a thread several months ago re WSUS not offering updates for Windows 10 clients.

    However, the situation has changed considerably so I have started a new thread here.

    As it stands now;

    • Windows Clients getting Error 0x80070426- Resolved (I reinstalled Windows from scratch)
    • Windows Clients not detecting updates - Resolved - Because even though WSUS is detecting them and they are approved - they are not downloading.
    • Cannot read WindowsUpdate.log - Resolved - I don't have Defender installed and the Powershell applet requires the SYMSRV.DLL file from Defender to convert the logs. Acquired the DLL and I can now convert logs.
    • WSUS not offering updates to Windows 10 clients - Sort of resolved. Clients now report to WSUS and WSUS detects what updates are needed, I approve them and then they fail to download.

    Updates for all other OS versions and other Microsoft products do download and install. It's *ONLY* Windows 10 updates that won't download via WSUS.

    I've run the clean up script, I tried various combinations of Windows 10 products, and I've updated permissions per other solutions offered on various other forums.

    I've checked event logs, and various WSUS logs. There are no errors that I can see at all.

    thanks



    • Edited by TanyaC0205 Sunday, October 15, 2017 6:11 AM grammar
    Saturday, October 14, 2017 11:58 PM

All replies

  • Hello,

    What is your Windows 10 version? 1511, 1607 or 1703?

    Have you checked the Windowsupdate.log on those machine? Any error information related?


    Regards,

    Yan Li


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 16, 2017 5:22 AM
    Moderator
  • Thanks for your reply.

    Windows 10 1703. All up to date minus the latest "patch Tuesday" update.

    Windowsupdate.log has no errors, and detects no updates, which of course is correct, because the WSUS server won't download the update. Until it's downloaded, the client won't detect it.

    Monday, October 16, 2017 8:36 AM
  • Hello,

    Could you tell which KB are you trying to install? Can you manually download it and install it? 

    Regards,

    Yan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 16, 2017 9:59 AM
    Moderator
  • Yes I can tell what update - it's sitting in WSUS with a status of "Downloading" where it has been for the last week. it's update KB4041676.

    Yes I can download it manually and I can install it manually.

    But that's exactly why I'm using WSUS. So I don't have to visit 10 PCs every time Microsoft issues a cumulative update for Windows 10.

    This was the same for the last two updates.... I've had to visit every PC and do manual installs.

    What I'm asking for is how to fix this issue. Not how to work around it.



    • Edited by TanyaC0205 Tuesday, October 17, 2017 1:41 AM
    Tuesday, October 17, 2017 1:39 AM
  • Hello,

    It seems like that this is a known issue when you install this update through WSUS, and here is an article about it, please refer to it for more details:

    https://support.microsoft.com/en-us/help/4049094/windows-devices-may-fail-to-boot-after-installing-october-10-version-o

    Regards,

    Yan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 17, 2017 3:15 AM
    Moderator
  • Well, that's just wonderful :(

    My sync on that date was actually 2:43 after the 4pm PDT time they say the publishing error was rectified, but anyway...

    I declined the update, then using powershell, removed the declined update from the WSUS DB, and ran a sync. Of course, the update is now not being offered at all, despite the fact that clients have reported and are needing this update....

    I'm still no closer to getting this issue resolved,


    • Edited by TanyaC0205 Thursday, October 19, 2017 10:29 AM
    Thursday, October 19, 2017 10:28 AM
  • Well, that's just wonderful :(

    My sync on that date was actually 2:43 after the 4pm PDT time they say the publishing error was rectified, but anyway...

    I declined the update, then using powershell, removed the declined update from the WSUS DB, and ran a sync. Of course, the update is now not being offered at all, despite the fact that clients have reported and are needing this update....

    I'm still no closer to getting this issue resolved,


    Re-import it using the Import from Catalog option in WSUS. It will re-import properly and you can then approve it.

    This is behaving as designed (after removing the declined update via the powershell command)


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Friday, October 20, 2017 3:31 AM
  • oh, <blush> Sorry.

    I click on Import updates it takes me to Microsoft Update Catalog. I search for KB4041676. I can download it as an MSU file, which I cannot import using WSUSUTIL.

    How do I import if from MUC? There is no "Add to Basket" function. I tried using Firefox and Internet Explorer.

    These are the instructions I found...

    1. the WSUS admin console, navigate to the Update Services/WSUSSERVER/Updates tree, right-click and click "Import Updates...".
    2. Search and find the update.
    3. Add to basket.
    4. View basket.
    5. Check Import directly into Windows Server Updates Services
    6. Click Import.
    7. The ActiveX performs the API calls to import the metadata and the update to the WSUS installation.

    Where to from here?

    Saturday, October 21, 2017 10:01 AM
  • Hello,

    Did you follow the instructions? On the WSUS console, click "Import Updates", it will redirect you to Windows update catalog webpage, and then search the update you want, and then click "Add".

    I tried on my WSUS server, it works fine:


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 25, 2017 7:51 AM
    Moderator
  • Yes, I followed them exactly.

    I'm happy for you that it works on your WSUS server, but not one PC here, including the server, has any basket functionality.




    • Edited by TanyaC0205 Monday, October 30, 2017 11:13 AM
    Monday, October 30, 2017 10:09 AM
  • Yes, I followed them exactly.

    I'm happy for you that it works on your WSUS server, but not one PC here, including the server, has any basket functionality.





    Looks like Firefox is the browser. It only works with Internet Explorer as the default browser for the import into WSUS.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Tuesday, October 31, 2017 12:33 AM
  • Looks like Firefox is the browser. It only works with Internet Explorer as the default browser for the import into WSUS.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Yes, I prefer Firefox. Actually, I'd prefer two cans with a string to IE, but in any case, I uninstalled Firefox and set IE as the default (seeing as how I had previously tried IE with Firefox installed.

    I still do not have any basket functionality.



    • Edited by TanyaC0205 Thursday, November 02, 2017 12:35 AM
    Thursday, November 02, 2017 12:34 AM
  • Hello,

    I noticed the difference between us, the link in your screenshot is https://www.catalog...

    Mine is http://catalog.update...

    Whether you were redirect to this page by clicking "Import Updates"?

    Regards,

    Yan Li


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 02, 2017 2:43 AM
    Moderator
  • I have reinstalled Win 2012 R2.

    I have set IE 11 as the default

    When I click import updates it asks to install Microsoft Catalog. I was not seeing that before. I must have done something to block it.

    So, now I have the update in WSUS, and it says it's needed by ZERO computers, despite it not being installed on any Windows 10 machines. Manual update checks didn't pick it up either.

    Friday, November 03, 2017 1:37 AM
  • KB4049370 replaces KB4041676. If your systems have KB4049370 installed, they will not see the item as needed.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Friday, November 03, 2017 2:01 AM
  • KB4049370 is not installed on any system. It's not even being detected as needed by any PC and is not showing up in WSUS (Even as needed by 0 computers) - This goes all the way back to my original post where I asked why new patches that had been released were not showing up in WSUS - This one is exactly the same.

    After 24 hours WSUS has detected that KB4041676 is needed by 1 of 3 computers.

    A second computer, despite being pointed at the WSUS server, decided to download it directly from Microsoft (If I set the group policy "Do not connect to any Windows Update Internet Locations" I get an error).

    The 3rd PC just says my PC is up to date.

    Approved KB4041676. My Internet connection receive went up to about 6MB/s for about 3 minutes (That would be roughly 1GB, which is not far off the size of the patch. Then the network returned to its typical 40kb spike every 10 seconds or so.

    The folder \WSUS\Content\CC has a file of around 975MB with today's date - that's got to be the file... It's sitting there with a file name of BIT83F8.TMP

    Now, after 24 hours and no internet traffic it's still sitting in a "Downloading" Status... Exactly as it was 3 weeks ago before I went through all the above steps.






    • Edited by TanyaC0205 Wednesday, November 08, 2017 10:59 AM
    Saturday, November 04, 2017 12:24 PM
  • I should also probably add, when I installed WSUS I found an article talking about a patch required for decryption of Windows 10 cumulative and feature updates. That update wouldn't install through Windows update, or manually, and had to be installed using DISM.

    As described here.... https://support.microsoft.com/en-au/help/3159706/update-enables-esd-decryption-provision-in-wsus-in-windows-server-2012

    Th pre-req's were installed and the post installation tasks were completed.

    And the DISM method for install...

    https://social.technet.microsoft.com/Forums/en-US/fd13792a-205c-43bb-b95c-8cbcb85db0ac/problems-installing-kb3159706-on-windows-server-2012-r2?forum=winserverwsus

    hth

    Thursday, November 09, 2017 8:58 PM
  • I should also probably add, when I installed WSUS I found an article talking about a patch required for decryption of Windows 10 cumulative and feature updates. That update wouldn't install through Windows update, or manually, and had to be installed using DISM.

    As described here.... https://support.microsoft.com/en-au/help/3159706/update-enables-esd-decryption-provision-in-wsus-in-windows-server-2012

    Th pre-req's were installed and the post installation tasks were completed.

    And the DISM method for install...

    https://social.technet.microsoft.com/Forums/en-US/fd13792a-205c-43bb-b95c-8cbcb85db0ac/problems-installing-kb3159706-on-windows-server-2012-r2?forum=winserverwsus

    hth

    I'd suggest running my script with the -DirtyDatabaseCheck switch.

    Adamj Dirty Database Check Stream
    -----------------------------------------------------
    
    From a similar phrase from the movie 'Sleeping With Other People', I coined this stream the
    Dirty Database Check. This stream will run a SQL Query that originally came from Microsoft but has been
    expanded by me to include all future upgrades of Windows 10. This SQL query checks to see if your
    database is 'in a bad state' which is Microsoft's wording but mine sounds a whole lot more fun :)
    
    In addition to checking to see if you have a dirty database, it will fully fix your database
    automatically if it is found to be dirty. This again follows Microsoft's methods, but expanded
    by me to include all future upgrades of Windows 10.
    
    If your upgrades for Windows 10 are not installing properly and have been approved on your WSUS
    server, run this check to see if you have a dirty database and subsequently fix it.
    

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Friday, November 10, 2017 3:37 AM
  • Thanks for your reply.

    Running the script did not resolve this issue.

    The patch is still in a downloading state.

    So what's happening is the file is downloading, but staying with the .TMP filename and not finalizing.

    And as I've said before, this is happening ONLY with windows 10 updates. Everything else is working perfectly.


    I'm adding a new disk drive to the sever at the moment, so I'll run the help-me option later.
    • Edited by TanyaC0205 Friday, November 10, 2017 8:19 AM
    Friday, November 10, 2017 8:17 AM
  • Thanks for your reply.

    Running the script did not resolve this issue.

    The patch is still in a downloading state.

    So what's happening is the file is downloading, but staying with the .TMP filename and not finalizing.

    And as I've said before, this is happening ONLY with windows 10 updates. Everything else is working perfectly.


    I'm adding a new disk drive to the sever at the moment, so I'll run the help-me option later.

    Were there any errors in the running of my script? Did you run -FirstRun Too? If you did, in the bottom Server Cleanup Wizard section, are there numbers on every line or just the last 2 (if only the last 2, then it timed out and needs to be re-run with -FirstRun again).

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Friday, November 10, 2017 4:21 PM
  • Did -Firstrun several months ago when this problem started (Well, I;ve NEVER actually had a working WSUS server with Windows 10 updates - I was on Win 2008 R2 before and upgraded only because of Windows 10).

    IIRC, the -firstrun only took about 4 minutes, but then Windows/WSUS had only been installed for a few weeks at that stage).

    You script creates a task which runs daily on my server.

    Since then, I recall running it one other time when you suggested it might resolve the issue, then again a couple of days ago.

    I am still moving data around after adding a 10TB drive. Once that completed, I'll run it again as instructed

    Saturday, November 11, 2017 6:30 AM
  • So 2 things. First, download the latest version (3.2) as it contains a bug fix for what I'm about to suggest you do.

    Second, Run -FirstRun and make sure that there are numbers (can be 0's) on every single line of the Server Cleanup Wizard section. This means that the script ran successfully. Also make sure there are no errors in the Driver's cleanup section specifically, or anywhere else in the log. Third, run .\Clean-WSUS.ps1 -DirtyDatabaseCheck

    On an affected Win10 client, run from an Admin cmd prompt:

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow
    PowerShell (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()


    I'd be very surprised if this combination of events doesn't fix your issue.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Sunday, November 12, 2017 1:24 AM
  • Sorry, I have just seen your post after having completed the steps from your previous post. I'll post the results anyway, as they may be relevant.

    There are 3 PCs with Windows 10, 6 with Windows 7 and 1 with Win 2012 R2. This problem refers only to Windows 10 PCs.

    I ran the script with the -dirty option and it said that there was a problem. It was with KB4041676, the update that's been causing all these nightmares. Well, actually, ALL windows 10 updates have been having this problem, it's just that I ended up manually installing them. I've stopped doing that.

    It removed the update. I imported it again from Microsoft Update Catalog, and when PCs reported in 1 of 3 said it needed the update. I approved it. The download proceeded to download the content for the update placing it in K:\WSUS\WSUSContent\CC. However, once the download of the patch finished the file is left with the name BITS8378.TMP. It seems the processing that occurs once the data is received does not occur (Which is why I mentioned the KB3159706 update, in case I was asked if I'd previously installed it).

    So, again we are sitting here with the download sitting in a downloading state, that's not actually downloading as the content has been downloaded :)

    Now, WSUS says my PC needs the update.

    My Test PC which I did a fresh install of yesterday I set the "Do not download from any Microsoft Update locations" in group policy. This of course results in error 8024500C. Upon changing that in group policy, the PC downloaded the update directly from Microsoft despite being pointed at the WSUS server.

    All Windows 10 PCs are built from the same image. All have the same group policy settings. None use a proxy and this is set to "Automatically detect settings".

    And lastly, no updates that have been released since KB4041676 are being detected as needed by any Windows 10 PC, even the one that automatically downloaded from Microsoft. They likewise are not showing up in WSUS as needed by 0 computers.

    Below is the output of the -Helpme run of your script as requested. All the steps your mentioned in your most recent post have been done, several times, but I will go and do them again as described above with the latest version of your script.

    **********************
    Windows PowerShell transcript start
    Start time: 20171112190716
    Username: SERVER\Administrator
    RunAs User: SERVER\Administrator
    Machine: SERVER (Microsoft Windows NT 6.3.9600.0)
    Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass
    Process ID: 8728
    **********************
    Transcript started, output file is 2017.11.12-19.07.16-HelpMe.txt
    VERBOSE: Set the script's current working directory path
    VERBOSE: $AdamjScriptPath = C:\Users\Administrator
    VERBOSE: Testing to see if you are running this from an Elevated PowerShell Prompt.
    VERBOSE: Done. You are running this from an Elevated PowerShell Prompt
    VERBOSE: Zone.Identifier not found. The file is already unblocked
    =============================
      Clean-WSUS HelpMe Stream
    =============================
    
    This is the HelpMe Section for troubleshooting
    Please provide this information to get support
    
    Starting the connection to the SQL database and WSUS services. Please wait...
    VERBOSE: $AdamjSQLServer has not been specified. Starting autodetection for SQL Instance
    VERBOSE: Autodetected $AdamjSQLServerName as MICROSOFT##WID
    VERBOSE: Setting $AdamjSQLServer for Server 2012+ Windows Internal Database.
    VERBOSE: Now test that there is a SUSDB database on 'np:\\.\pipe\MICROSOFT##WID\tsql\query' and that we can connect to it.
    VERBOSE: Initiating SQL Connection Testing to 'np:\\.\pipe\MICROSOFT##WID\tsql\query' with a timeout of 60 seconds
    VERBOSE: Connected. Setting $SqlConnectionResult to True
    VERBOSE: SQL Server test succeeded. Continuing on.
    VERBOSE: Do we really need to connect to the WSUS Server? If we do, connect.
    VERBOSE: We have a reason to connect. Connecting...
    VERBOSE: Load .NET assembly
    VERBOSE: Connect to WSUS Server: server
    Connected to the WSUS server server
    VERBOSE: Setup the array variables from the user configuration
    VERBOSE: Create the array from all of the objects
    VERBOSE: All pre-defined routines (-FirstRun, -DailyRun, -MonthlyRun, -QuarterlyRun, -ScheduledRun) were not specified
    VERBOSE: Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' = root\cimv2,'className' = Win32_OperatingSystem'.
    VERBOSE: Operation 'Enumerate CimInstances' complete.
    OS Name                 : Microsoft Windows Server 2012 R2 Standard
    OS Architecture         : 64-bit
    Version                 : 6.3.9600
    ServicePackMajorVersion : 0
    ServicePackMinorVersion : 0
    PowerShell Version: 4.0
    WSUS Version: 6.3.9600.18694
    Replica Server: False
    The path to the WSUS Content folder is: K:\WSUS\WsusContent
    Free Space on the WSUS Content folder Volume is: 123.3G
    All Volumes on the WSUS Server:
    Name  : SERVER
    Vol   : C:
    Size  : 96G
    Used  : 17.6G
    Avail : 78.5G
    Use%  : 18
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : D:
    Size  : 252.4G
    Used  : 1.6G
    Avail : 250.8G
    Use%  : 1
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : E:
    Size  : 3.1T
    Used  : 1T
    Avail : 2.1T
    Use%  : 32
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : F:
    Size  : 512G
    Used  : 196.3G
    Avail : 315.7G
    Use%  : 38
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : G:
    Size  : 9.1T
    Used  : 5.8T
    Avail : 3.3T
    Use%  : 64
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : H:
    Size  : 7.3T
    Used  : 3.6T
    Avail : 3.7T
    Use%  : 49
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : I:
    Size  : 3.6T
    Used  : 296.2M
    Avail : 3.6T
    Use%  : 0
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : J:
    Size  : 1.5T
    Used  : 505.3G
    Avail : 1T
    Use%  : 33
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : K:
    Size  : 128G
    Used  : 4.7G
    Avail : 123.3G
    Use%  : 4
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : L:
    Size  : 384G
    Used  : 181.1G
    Avail : 202.9G
    Use%  : 47
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : M:
    Size  : 3.6T
    Used  : 1.6T
    Avail : 2.1T
    Use%  : 44
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : N:
    Size  : 1.5T
    Used  : 313.5G
    Avail : 1.2T
    Use%  : 20
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : O:
    Size  : 3.6T
    Used  : 2.5T
    Avail : 1.1T
    Use%  : 70
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : P:
    Size  : 1T
    Used  : 343G
    Avail : 681G
    Use%  : 33
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : Q:
    Size  : 263.7G
    Used  : 83.4G
    Avail : 180.4G
    Use%  : 32
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : R:
    Size  : 256G
    Used  : 11.1G
    Avail : 244.9G
    Use%  : 4
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : S:
    Size  : 256G
    Used  : 2.6G
    Avail : 253.4G
    Use%  : 1
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : T:
    Size  : 5.5T
    Used  : 2.6T
    Avail : 2.8T
    Use%  : 48
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : U:
    Size  : 5.5T
    Used  : 1.9T
    Avail : 3.6T
    Use%  : 35
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : V:
    Size  : 3T
    Used  : 778.4G
    Avail : 2.2T
    Use%  : 25
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : W:
    Size  : 256G
    Used  : 76.8G
    Avail : 179.2G
    Use%  : 30
    FS    : NTFS
    Type  : Local Fixed Disk
    
    Name  : SERVER
    Vol   : X:
    Size  : 512G
    Used  : 116.1G
    Avail : 395.9G
    Use%  : 23
    FS    : NTFS
    Type  : Local Fixed Disk
    .NET Installed Versions
    PSChildName                      Version
    -----------                      -------
    v2.0.50727                       2.0.50727.4927
    v3.0                             3.0.30729.4926
    Windows Communication Foundation 3.0.4506.4926
    Windows Presentation Foundation  3.0.6920.4902
    v3.5                             3.5.30729.4926
    Client                           4.7.02053
    Full                             4.7.02053
    Client                           4.0.0.0
    =============================
    All My Functions
    =============================
    
    CommandType Name
    ----------- ----
       Function AdamjScriptDifferenceInTime
       Function ApplicationPoolMemory
       Function CleanUpWSUSSynchronizationLogs
       Function CompressUpdateRevisions
       Function ComputerObjectCleanup
       Function Connect-WSUSServer
       Function CreateAdamjFooter
       Function CreateAdamjHeader
       Function CreateBodyHTML
       Function CreateBodyTXT
       Function DeclineMultipleTypesOfUpdates
       Function DirtyDatabaseCheck
       Function Get-DiskFree
       Function HelpMe
       Function Install-Task
       Function MailReport
       Function RemoveDeclinedWSUSUpdates
       Function RemoveObsoleteUpdates
       Function RemoveWSUSDrivers
       Function SaveReport
       Function Show-MyFunctions
       Function Show-MyVariables
       Function Test-Administrator
       Function Test-IfBlocked
       Function Test-RegistryValue
       Function Test-SQLConnection
       Function WSUSDBMaintenance
       Function WSUSIndexOptimization
       Function WSUSServerCleanupWizard
    
    =============================
    All My Variables
    =============================
    
    Name                                                 Value
    ----                                                 -----
    _
    AdamjBodyFooterHTML                                      <table style="height: 0px; width: 0px;" border="0">...
    AdamjBodyFooterTXT                                   ...
    AdamjBodyHeaderHTML                                      <table style="height: 0px; width: 0px;" border="0">...
    AdamjBodyHeaderTXT                                   ################################...
    AdamjBodyHTML                                        ...
    AdamjBodyTXT                                         ...
    AdamjCleanUpWSUSSynchronizationLogsAll               False
    AdamjCleanUpWSUSSynchronizationLogsConsistencyNumber 2
    AdamjCleanUpWSUSSynchronizationLogsConsistencyTime   Month
    AdamjComputerObjectCleanup                           True
    AdamjComputerObjectCleanupSearchDays                 60
    AdamjConnectedHTML                                   <i>Connected to the WSUS server server @ 2017.11.12 07:07:17 PM...
    AdamjConnectedTime                                   12/11/2017 19:07:17
    AdamjConnectedTXT                                    Connected to the WSUS server server @ 2017.11.12 07:07:17 PM +1...
    AdamjCSSStyling                                      <style type="text/css">...
    AdamjCurrentSystemFunctions                          {A:, B:, C:, cd.....}
    AdamjCurrentSystemVariables                          {System.Management.Automation.PSVariable, System.Management.Aut...
    AdamjDeclineMultipleTypesOfUpdatesList               {IE9, Itanium, LanguagePacks, Beta...}
    AdamjInstallScheduledTask                            True
    AdamjMailReport                                      False
    AdamjMailReportEmailFromAddress                      WSUS@domain.com
    AdamjMailReportEmailSubject                          WSUS Cleanup Results
    AdamjMailReportEmailToAddress                        firstname.lastname@domain.com
    AdamjMailReportSMTPPort                              25
    AdamjMailReportSMTPServer                            mail.domain.com
    AdamjMailReportSMTPServerEnableSSL                   False
    AdamjMailReportSMTPServerPassword
    AdamjMailReportSMTPServerUsername
    AdamjMailReportType                                  HTML
    AdamjOldVerbose                                      SilentlyContinue
    AdamjRemoveWSUSDriversInFirstRun                     True
    AdamjRemoveWSUSDriversInRoutines                     True
    AdamjSaveReport                                      True
    AdamjSaveReportType                                  TXT
    AdamjScheduledRunQuarterlyMonths                     1,4,7,10
    AdamjScheduledRunStreamsDay                          1
    AdamjScheduledTaskTime                               1:00pm
    AdamjScriptDifferenceInTime                          00:00:00.1093511
    AdamjScriptPath                                      C:\Users\Administrator
    AdamjScriptTime                                      12/11/2017 19:07:16
    AdamjScriptVersion                                   3.0
    AdamjSCWExpiredUpdatesDeclined                       True
    AdamjSCWObsoleteComputersDeleted                     False
    AdamjSCWObsoleteUpdatesDeleted                       True
    AdamjSCWSupersededUpdatesDeclined                    True
    AdamjSCWUnneededContentFiles                         True
    AdamjSCWUpdatesCompressed                            True
    AdamjSQLConnectCommand                               sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query
    AdamJSQLServer                                       np:\\.\pipe\MICROSOFT##WID\tsql\query
    AdamjSQLServerName                                   MICROSOFT##WID
    AdamjWID2008                                         np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
    AdamjWID2012Plus                                     np:\\.\pipe\MICROSOFT##WID\tsql\query
    AdamjWSUSServer                                      server
    AdamjWSUSServerAdminProxy                            Microsoft.UpdateServices.Internal.BaseApi.UpdateServer
    AdamjWSUSServerPortNumber                            8530
    AdamjWSUSServerUseSecureConnection                   False
    args                                                 {}
    Beta                                                 System.Object
    CleanUpWSUSSynchronizationLogs                       False
    CompressUpdateRevisions                              False
    ComputerObjectCleanup                                False
    ComputerUpdates32bit                                 System.Object
    DailyRun                                             False
    DeclineMultipleTypesOfUpdates                        False
    DirtyDatabaseCheck                                   False
    DisplayApplicationPoolMemory                         False
    Embedded                                             System.Object
    Expired                                              System.Object
    FirstRun                                             False
    HelpMe                                               True
    HelpMeHeader                                         =============================...
    IE10                                                 System.Object
    IE7                                                  System.Object
    IE8                                                  System.Object
    IE9                                                  System.Object
    input                                                System.Collections.ArrayList+ArrayListEnumeratorSimple
    InstallTask                                          False
    Itanium                                              System.Object
    LanguagePacks                                        System.Object
    Matches                                              {0}
    MaximumAliasCount                                    4096
    MaximumDriveCount                                    4096
    MaximumErrorCount                                    256
    MaximumFunctionCount                                 4096
    MaximumVariableCount                                 4096
    MonthlyRun                                           False
    MyInvocation                                         System.Management.Automation.InvocationInfo
    NonEnglishUpdates                                    System.Object
    Preview                                              System.Object
    PSBoundParameters                                    {}
    PSCmdlet                                             System.Management.Automation.PSScriptCmdlet
    PSCommandPath                                        C:\Users\Administrator\Clean-WSUS.ps1
    PSItem
    PSScriptRoot                                         C:\Users\Administrator
    QuarterlyRun                                         False
    RemoveDeclinedWSUSUpdates                            False
    RemoveObsoleteUpdates                                False
    RemoveWSUSDriversPS                                  False
    RemoveWSUSDriversSQL                                 False
    ScheduledRun                                         False
    SharepointUpdates                                    System.Object
    Superseded                                           System.Object
    TypesList                                            {System.Object, System.Object, System.Object, System.Object...}
    VerbosePreference                                    continue
    WinXP                                                System.Object
    WSUSAdminProxy                                       Microsoft.UpdateServices.Internal.BaseApi.UpdateServer
    WSUSDBMaintenance                                    False
    WSUSIndexOptimization                                False
    WSUSServerCleanupWizard                              False
    
    
    =============================
     End of HelpMe Stream
    =============================
    VERBOSE: Just before setting the application memory $SetApplicationPoolMemory is -1
    **********************
    Windows PowerShell transcript end
    End time: 20171112190719
    **********************
    

    Monday, November 13, 2017 2:44 AM
  • Ok, Here are the results of the actions you requested in your last post.

    The -Firstrun output (Abridged as full post is too long)

    damj Remove WSUS Drivers:
    
    Changed database context to 'SUSDB'.
    
     Delete records from tbrevisionlanguage: 0
    
     Delete records from tbProperty: 0
    
     Delete records from tbLocalizedPropertyForRevision: 0
    
     Delete records from tbFileForRevision: 0
    
     Delete records from tbInstalledUpdateSufficientForPrerequisite: 0
    
     Delete records from tbPreRequisite: 0
    
     Delete records from tbDeployment: 0
    
     Delete records from tbXml: 0
    
     Delete records from tbPreComputedLocalizedProperty: 0
    
     Delete records from tbDriver: 0
    
     Delete records from tbFlattenedRevisionInCategory: 0
    
     Delete records from tbRevisionInCategory: 0
    
     Delete records from tbMoreInfoURLForRevision: 0
    
     Delete records from tbRevision: 0
    
     Delete records from tbUpdateSummaryForAllComputers: 0
    
      This is the last query and this is really what we came here for.
    
     Delete records from tbUpdate: 0
    
    Remove WSUS Drivers Stream Duration: 00:00:00:01

    Adamj WSUS Server Cleanup Wizard:
    
    server
    Version: 6.3.9600.18694
    SupersededUpdatesDeclined: 0
    ExpiredUpdatesDeclined: 0
    ObsoleteUpdatesDeleted: 0
    UpdatesCompressed: 0
    ObsoleteComputersDeleted: 0
    DiskSpaceFreed (MB): 501.24
    DiskSpaceFreed (GB): 0.49
    WSUS Server Cleanup Wizard Duration: 00:00:00:03
    
    Adamj Clean-WSUS Scheduled Task Installation:
    
    TaskName : Adamj Clean-WSUS
    State    : Ready
    
    Clean-WSUS Script Duration: 00:00:00:27
    

    The results of the -DirtyDatabaseCheck

    PS C:\Users\Administrator> .\Clean-WSUS.ps1 -DirtyDatabaseCheck
    Starting the connection to the SQL database and WSUS services. Please wait...
    Connected to the WSUS server server
    Executing DirtyDatabaseCheck
    
    Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
    --     ----            -------------   -----         -----------     --------             -------
    21     Job21           BackgroundJob   Completed     True            localhost            sqlcmd -S np:\\.\pipe\...
    You have a dirty database. Please see: https://support.microsoft.com/en-us/help/3194588 for more information about it.
    First we need to install the WSUS Index Optimization so that this doesn't take as long.
    23     Job23           BackgroundJob   Completed     True            localhost            sqlcmd -S np:\\.\pipe\...
    Adamj WSUS Index Optimization:
    
    Changed database context to 'SUSDB'.
     Adamj_IX_TargetGroupTypeID_LastChangeNumber_UpdateType on [dbo].[tbDeadDeployment] already created. No changes made.
     Adamj_IX_RevisionID_ActionID_DeploymentStatus___UpdateType on [dbo].[tbDeployment] already created. No changes made.
     Adamj_IX_ActualState on [dbo].[tbFileOnServer] already created. No changes made.
     Adamj_IX_LocalizedPropertyID on [dbo].[tbLocalizedProperty] already created. No changes made.
     Adamj_IX_LocalizedPropertyID on [dbo].[tbLocalizedPropertyForRevision] already created. No changes made.
     Adamj_IX_RowID_RevisionID on [dbo].[tbRevision] already created. No changes made.
     Adamj_IX_SupersededUpdateID on [dbo].[tbRevisionSupersedesUpdate] already created. No changes made.
    Adamj WSUS Index Optimization Stream Duration: 00:00:00:00
    
    
    Now we need to run the WSUS DB Maintenance on the database to make sure we're starting with an optimized database.
    25     Job25           BackgroundJob   Completed     True            localhost            sqlcmd -S np:\\.\pipe\...
    Done. Now let's begin cleansing your database.
    Attempting to fix your database by the methods Microsoft recommends but augmented for future-proofing...
    27     Job27           BackgroundJob   Completed     True            localhost            sqlcmd -S np:\\.\pipe\...
    Changed database context to 'SUSDB'.
    
    (142 rows affected)
    
    (142 rows affected)
    
    (142 rows affected)
    Your WSUS server has been fixed. A synchronization has been initialized. Please wait while it finishes. You can monitor
    it through the WSUS Console.

    and the results of the steps on my PC

    C:\Users\Tanya\Desktop>net stop bits
    The Background Intelligent Transfer Service service is not started.
    
    More help is available by typing NET HELPMSG 3521.
    
    
    C:\Users\Tanya\Desktop>net stop wuauserv
    The Windows Update service is not started.
    
    More help is available by typing NET HELPMSG 3521.
    
    
    C:\Users\Tanya\Desktop>reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    ERROR: The system was unable to find the specified registry key or value.
    
    C:\Users\Tanya\Desktop>reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    ERROR: The system was unable to find the specified registry key or value.
    
    C:\Users\Tanya\Desktop>reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    The operation completed successfully.
    
    C:\Users\Tanya\Desktop>reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    The operation completed successfully.
    
    C:\Users\Tanya\Desktop>rd /s /q "C:\WINDOWS\SoftwareDistribution"
    
    C:\Users\Tanya\Desktop>net start bits
    The Background Intelligent Transfer Service service is starting.
    The Background Intelligent Transfer Service service was started successfully.
    
    
    C:\Users\Tanya\Desktop>net start wuauserv
    The Windows Update service is starting.
    The Windows Update service was started successfully.
    
    
    C:\Users\Tanya\Desktop>wuauclt /resetauthorization /detectnow
    
    C:\Users\Tanya\Desktop>PowerShell (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    
    C:\Users\Tanya\Desktop>

    hth

    Monday, November 13, 2017 4:30 AM
  • OK, that's GREAT! -FirstRun was successful along with the Remove Drivers section and finally -DirtyDatabaseCheck was successful.

    Please give it 48-72 hours. Don't do anymore with it. Leave it alone, don't monitor progress, just put it in the back of your mind and come back in 2-3 days and see what's happening. I look forward to an update.

    If you want to be totally sure before giving it the 48-72 hours, run -DirtyDatabaseCheck again and it should report that you have a clean database.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, November 13, 2017 4:48 AM
  • Lol, I couldn't help myself. When I got home from work, I noticed a second PC had downloaded 4041676 from Microsoft and not from WSUS, even though it's pointed at the WSUS server.

    Anyway, will report back in a couple of days.

    Monday, November 13, 2017 12:20 PM
  • Lol, I couldn't help myself. When I got home from work, I noticed a second PC had downloaded 4041676 from Microsoft and not from WSUS, even though it's pointed at the WSUS server.

    Anyway, will report back in a couple of days.


    On that computer - run a gpresult /h gpo.html and pastebin the contents and link it here. I'm wondering if your Group policies have Dual Scan setup or defer updates - both of which would cause a client to communicate directly with MS for updates.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, November 13, 2017 2:44 PM
  • Ok, it's been three days. This is the current state;

    1. All PCs restored to state before KB4041676 was downloaded from Microsoft
    2. I have not manually imported KB4041676
    3. Update KB4041676 is not detected as needed by any PC by WSUS.
    4. Two of the three PCs have downloaded KB4041676 directly from Microsoft.
    5. The third continues to state it is up to date.
    6. November updates KB40489534 (15063.726), and KB4049370 (15063.675), are not being detected as needed despite not being installed on any PC.
    7. I noted that of the 3 PCs that downloaded from Microsoft, 2 had their download mode set to Bypass delivery optimization - Use BITS (100). Whereas the PC that is "always up to date" is set to HTTP Only (0). This PC also has "Do not download from any Microsoft Internet locations" but does not suffer the error 0x8024500C as do the others.

    I'll align the settings per point 7 and see what transpires.

    I'll look at posting the gpresults output shortly.





    • Edited by TanyaC0205 Thursday, November 16, 2017 2:39 AM
    Thursday, November 16, 2017 12:45 AM
  • Here you go...

    https://pastebin.com/9GJzijQj

    Also, I now have a 23mb Win 2012 R2 patch that has been in a download state for 10 hours. Seems this downloads not completing problem is not just limited to Windows 10 patches.

    I now have all 3 PCs with the same settings. My PC is not generating a 0x8024500C on manual checks but the other two are. Once I allow Microsoft Internet locations" those machines download the updates from Microsoft. WSUS is not even registering the patches at all.

    Thursday, November 16, 2017 12:46 PM
  • Settings that may impact updates:

    Do not allow the computer to act as a BITS Peercaching client
    Do not allow the computer to act as a BITS Peercaching server
    Turn off access to the Store
    Disable all apps from Windows Store
    Turn off Automatic Download and Install of updates
    Turn off the offer to update to the latest version of Windows
    Turn off the Store application


    (Side note - these don't apply to your system of the ones I looked at and should be switched to not configured)

    Turn off desktop gadgets
    Turn off Windows Location Provider
    Turn off Windows Calendar
    Automatically send memory dumps for OS-generated error reports
    Display Error Notification
    Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Friday, November 17, 2017 1:46 AM
  • Ok, Restored all Windows 10 PCs to prior to KB4041676 being installed.

    Reverted all 13 of those settings.

    Everything is exactly as it was before. None of those settings change anything that I can see, behavior and symptom-wise.

    1. Any PC that allows access to Microsoft Internet update locations will download from Microsoft and not the WSUS server. 2 of the three PCs will get 0x8024500C if access to internet servers is blocked, my PC doesn't seem to care one way or the other.

    2. The above settings don't address the issue with the server - it doesn't complete the downloading updates process. There were about a dozen updates downloaded for Office, Windows 7 and .NET. The last one I approved, was the Win 2012 R2 update which downloaded, but remains with the .TMP filename and WSUS says still downloading.

    As an Aside, not counting the Windows 10 only policy settings (Store, peercaching etc), the rest are set on every PC here. Specifically, Windows 7, and updates download and install without problems.

    I'm going to reinstall Windows 10 again from scratch. I'll start with an untouched group policy and see what happens. Though, this cannot be allowed on any production machine, at least it will determine if the policy settings are the issue.

    If I can't disable all store apps, access to the store, and updates to store apps via group policy, then how else can this be achieved?

    Location, according to gpedit, is "at least Windows 7". Location is a massive part of Windows 10 tracking and telemetry. Wouldn't this setting still apply 10 Windows 10, or is it ignored? Location tracking seems to be disabled, because sometimes when I go to a website it opens a japanese or other language site.

    Saturday, November 18, 2017 9:03 AM
  • Approved a bunch of updates for .NET, Windows 7, Windows 10, Office and Windows 2012 R2.

    I now have 2 updates stuck in downloading state.

    The Test PC detected 1 update (KB4049011), and it also downloaded and installed on all other Windows 10 PCs. This is without making any changes to the server, either WSUS or group policy, and on 2 machines that have the original group policy, and one with a group policy with only two settings changed (WSUS server name and don't download drivers from Microsoft), suggesting that the group policy is not the issue.

    KB4041676 has been superseded twice. If I understand cumulative updates, they are independent of each other. But instead of WSUS offering the latest cumulative update (KB4049370), it offered its predecessor KB4048958, which is stuck in a download state, along with the Win 2012 R2 update KB4049061.

    Sunday, November 19, 2017 4:07 AM