locked
WSUS errors on servers 2008 R2 and 2012 R2 RRS feed

  • Question

  • Hello,

    We are deploying security updates for a hundred Windows Server through WSUS. However, there is a problem: some of our servers don’t install all the updates (KB) we put in the WSUS. Looking more in detail, these servers don’t have some updates because WSUS considers that they are not applicable for these servers. However, these updates can be applied by installing them by hand.

    We observe that servers running Windows Server 2012 R2 receive much better updates than servers running Windows Server 2008 R2. Also, servers don’t receive all the same updates, so we know that the problem is not an incompatibility of an update but rather a bad distribution of updates. Obviously, we created two GPO, one for the 2008 R2 and one for the 2012 R2. WSUS is installed on a server running Windows Server 2012 R2. The version of WSUS is 6.3.9600.18694.

     

    Do you have any idea?

    Thanks in advance for your help.

    Tuesday, July 17, 2018 8:19 AM

All replies

  • hi,

    it's normal behavior,.

    Best Regards

    Tuesday, July 17, 2018 11:13 AM
  • Hi,

    Thanks for your answer.

    Tell me if I’m wrong but you’re saying that we can’t update our servers automatically with WSUS right?

    Tuesday, July 17, 2018 1:53 PM
  • Hi Lilou,

    Thanks for your information.

    The most common reasons for "not applicable" are shown in the following article:
    "The update is not applicable to your computer" error when you install Windows updates
    https://support.microsoft.com/en-us/help/3057448/the-update-is-not-applicable-to-your-computer-error-when-you-install-w

    Please checking in to see if the information is helpful. let me know if there is more problem.

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Wednesday, July 18, 2018 2:19 AM
  • Hi,

    Firstly, thanks for your answer.

    I already looked at this article and checked the causes and the solutions proposed. The problem is still there. When I open WSUS, I check the report of updates. There, WSUS determines if the updates are applicable or not for the servers, but I don’t know how… Maybe the problem comes from the absence of a registry key, what do you think of that?

    Best regards

    Wednesday, July 18, 2018 1:38 PM
  • Hi,

    To avoid the misunderstanding, I need to confirm the problem is that client detectes all relevant Patches except the updates released after Jan 2018.
    if yes, then we should create key value: 

    Key="HKEY_LOCAL_MACHINE"

    You should create a new key "QualityCompat":
    Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

    Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"
    Type="REG_DWORD"
    Data="0x00000000"

    The detailed information you can read:
    https://support.microsoft.com/en-us/help/4072699/windows-security-updates-and-antivirus-software


    If not, please take consideration on the registry key:HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\BranchReadinessLevel.

    The former setting represents Current Branch for Business, and this setting is intended for use with Windows Update for Business (and not WSUS,) so everything gets reported as "not applicable" in WSUS.
    For more details, please refer to the following link:
    https://community.spiceworks.com/topic/2072278-all-win10-wsus-updates-showing-as-not-applicable-if-upgraded-to-creators


    Hope it helps.

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Thursday, July 19, 2018 7:28 AM
  • Hi, 

    Thanks for the solutions proposed. We have already created the new key "Quality Compat" and after few updates were distribued in some servers. However, we still have issues with the rest of the updates...

    And for your second idea, it can't work in our case because we don't work with Windows 10... The Key doesn't exist on servers running Windows Server 2008 R2 and 2012 R2.

    Best regards 

    Thursday, July 19, 2018 8:06 AM
  • Hi,

    Could you please provide several updates which are not applicable. Then I can do the test in my own lab.

    Best regards,
    Johnson
    Thursday, July 19, 2018 8:45 AM
  • For example, 

    for a Windows server 2008 r2 :

    KB4041681

    KB4012212

    KB4022722

    KB3205394

    KB4025337

    KB4038779

    KB4019263

    KB4041678

    KB4093108

    KB4088878

    KB4074587

    KB4230450

    These updates are approved but we know that there are new ones. Yet, these last are not approved.

    Best regards

    Thursday, July 19, 2018 9:00 AM
  • Hi, 

    According to our discussion, I approve the updates to the windows server 2008r2 in my own lab. I can see that some are installed such as KB4012212, and some not applicable are replaced by the another one such as KB4041681. It shows all updates work normal here.  

    I recommand to restart the clients and server. Then, in the client side, we can detect the updates by using the command: wuauclt /resetauthorization /detectnow and install them. After that, we could check the status report in console. 

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Friday, July 20, 2018 8:49 AM
  • Hi, 

    Thank you for your work to help us !

    We already tried this command, without success...

    We restarted the clients and server and we don't have anything new...

    Moreover, we only approved about 20 updates per system so logically they should be displayed.

    As we said previously, the updates are approved for the good version of Windows, but the state for some server is displayed "Not applicable".

    Best regards

    Monday, July 23, 2018 3:02 PM
  • Hi, 

    The last I can suggest that you could check whether the update match the client computer. For example, KB4012212 is for windows server 2008r2, it is not applicable for server 2012r2. 


    Hope my answer could help you. 

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 27, 2018 7:44 AM
  • Hi, 

    It's already done...

    If we take this example, some servers running Windows Server 2008 r2 have the status "Not Applicable" for the update KB4012212. 

    Best regards

    Friday, July 27, 2018 8:13 AM