WSUS Synchronizing but not downloading any updates

  • Question

  • I have a single WSUS server on Windows Server 2012 R2 (Build 9600), and the WSUS version is 6.3.9600.17477.

    WSUS is synchronizing with Microsoft successfully every day, but for a long time (two months) clients did not get any updates, and the WSUS updates storage size did not change a bit (nothing new downloaded).

    All clients are at least Windows 10 1607, and some of them were upgraded to 1703 manually because WSUS did not deliver the 1703 update.

    I verified that KB3095113 and KB3159706 are already installed on the server.

    In Event Viewer there are a lot of errors like this:

    Content file download failed.
    Reason: File cert verification failure. 
    Source File: /c/msdownload/update/software/updt/2017/02/lp_3d69ce9a1dd46ae3b7bb22a217f972de0425eba2.cab 
    Destination File: C:\WSUS\WsusContent\A2\3D69CE9A1DD46AE3B7BB22A217F972DE0425EBA2.cab

    Question 1: How to check download progress for updates?

    Question 2: How to troubleshoot WSUS download?


    Thursday, August 17, 2017 9:37 AM

All replies

  • Hi Sir,

    As for this issue, I'd suggest you first check the certificate in the properties of that .cab file.

    Is there a healthy WSUS server to check that file?

    Also, you may get a detailed error message in the Windows Update log:

    %systemroot%\Windowsupdate.log

    In addition, please install the latest Windows updates on the WSUS server to see if the issue persists.

    Best Regards,

    Elton


    Friday, August 18, 2017 8:58 AM
  • The latest updates are installed on the WSUS server, and the WSUS server is healthy.

    Nothing useful inside %systemroot%\Windowsupdate.log.


    I checked WSUS All Updates:

    Since 5/26/2017 all updates are approved for install, but all of them are showing "The files for this update have not yet been downloaded".

    Sunday, August 20, 2017 5:05 AM
  • Windows 10 1607 RTM has a known issue that it will lose communication with any WSUS server. The fix for this is to install a Cumulative Update (CU) past September 2016 as it was fixed in the September CU. It will then re-establish communication with the WSUS server. Unfortunately, if the system is already Windows 10 1607 RTM, you have no choice but to use a 3rd party tool like PDQ Deploy or install the CU Manually on the machine.

    It's best to install the latest CU, but you can install any one past September and then WSUS will be able to communicate again with the machine.

    All your 1607 machines have not been receiving updates if this is the case and they are still on the 1607 RTM version.

    Also,

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Saturday, September 2, 2017 4:12 AM
  • Hi Adam,

    I confirm that WSUS is much faster now, and it was a very good cleanup.

    There is an extra h in the help examples: "Clean-WSUS -DirtyDatabaseChheck" must be "Clean-WSUS -DirtyDatabaseCheck".

    Because of the WSUS issue, we had to allow clients to download updates by themselves,

    and right now "Do not connect to any Windows Update Internet Sites" is set to "Not Configured".

    I will wait to see actual downloads after the cleanup and will post the results here.


    Sunday, September 3, 2017 4:40 AM
  • Alireza Salehi

    How are you?

    Some questions:

    1 - Did you check the free space in WSUS-DB drive? Is that ok?

    2 - Did you review the settings of "Update Files and Languages"?

    3 - Did you check whether there were changes to the internet connection from WSUS to the Update Source (Microsoft Update or upstream server?), like a new proxy server, or even ACLs on the perimeter firewall denying access?

    Send us more information about these points.

    Best Regards,

    Renan


    Renan A. Rodrigues MCSA-MCITP-MCTS-CCNA-CCENT-ITIL (renanrodrigues.com)

    Sunday, September 3, 2017 10:46 AM
  • Hi Adam,

    There is an extra h in the help examples: "Clean-WSUS -DirtyDatabaseChheck" must be "Clean-WSUS -DirtyDatabaseCheck".

    Thank you - I spell checked my script about 6 ways from Sunday, read it backwards to forwards and forwards to backwards, and still that slipped through. I've corrected it.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Sunday, September 3, 2017 12:57 PM
  • Alireza Salehi

    How are you?

    Some questions:

    1 - Did you check the free space in WSUS-DB drive? Is that ok?

    2 - Did you review the settings of "Update Files and Languages"?

    3 - Did you check whether there were changes to the internet connection from WSUS to the Update Source (Microsoft Update or upstream server?), like a new proxy server, or even ACLs on the perimeter firewall denying access?

    Send us more information about these points.

    Best Regards,

    Renan


    Renan A. Rodrigues MCSA-MCITP-MCTS-CCNA-CCENT-ITIL (renanrodrigues.com)

    Very well, thank you.

    1. It had 150GB of free space, and after running Adam's script it has 500GB of free space!

    2. yes, it is like this:

    

    3. I checked the firewall log and WSUS has no issue; all requests pass through the firewall with no error.

    I also opened the firewall completely for the WSUS server (All Traffic/In/Out) and I can confirm that there is download traffic from the WSUS server,

    but as I said above I cannot see actual downloaded updates in the WSUS console; all of them are approved and waiting to download. It is weird...

    Sunday, September 3, 2017 2:26 PM
  • Hi Adam,

    There is an extra h in the help examples: "Clean-WSUS -DirtyDatabaseChheck" must be "Clean-WSUS -DirtyDatabaseCheck".

    Thank you - I spell checked my script about 6 ways from Sunday, read it backwards to forwards and forwards to backwards, and still that slipped through. I've corrected it.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Thank you, it is a well-written script.
    Sunday, September 3, 2017 2:26 PM
  • Alireza Salehi

    Can you check the Application Event Log and look for ID 364? The text usually shows you the reason for the download failure.

    What firewall do you have on the server and the perimeter? Do you have a gateway AV?

    If I were you, I would spend a little bit more time on it... Can you download updates from Microsoft Update via Windows Update? Do this test...

    As another last try, unselect the Download express... option, save, and try again.

    Best Regards,

    Renan


    Renan A. Rodrigues MCSA-MCITP-MCTS-CCNA-CCENT-ITIL (renanrodrigues.com)

    Sunday, September 3, 2017 8:51 PM
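
The two checks suggested so far in this thread (read the reason text of event ID 364, and inspect the signature of the .cab file) can be combined in one PowerShell pass. This is an added example, not code posted by anyone in the thread; the function names are hypothetical, and it assumes the event message has the "Name: value" layout quoted in the question.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Constructed sample: the event message text as quoted in the question.
$sample = @'
Content file download failed.
Reason: File cert verification failure.
Source File: /c/msdownload/update/software/updt/2017/02/lp_3d69ce9a1dd46ae3b7bb22a217f972de0425eba2.cab
Destination File: C:\WSUS\WsusContent\A2\3D69CE9A1DD46AE3B7BB22A217F972DE0425EBA2.cab
'@

function ConvertFrom-WsusDownloadFailure {
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    foreach ($name in 'Reason', 'Source File', 'Destination File') {
        # Assumes one "Name: value" pair per line; trailing whitespace/CR is trimmed.
        $pattern = '(?m)^\s*' + [regex]::Escape($name) + ':\s*(.+?)\s*$'
        if ($Message -match $pattern) { $fields[$name] = $Matches[1] }
    }
    [pscustomobject]@{
        Reason      = $fields['Reason']
        SourceFile  = $fields['Source File']
        Destination = $fields['Destination File']
    }
}

function Get-WsusDownloadFailure {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 364 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Content file download failed*' } |
        ForEach-Object {
            $evt = $_
            $f = ConvertFrom-WsusDownloadFailure -Message $evt.Message
            # A failed download may leave no file behind, so test before checking the signature.
            $sig = if ($f.Destination -and (Test-Path -LiteralPath $f.Destination)) {
                (Get-AuthenticodeSignature -FilePath $f.Destination).Status
            } else { 'FileNotOnDisk' }
            $f | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $evt.TimeCreated -PassThru |
                 Add-Member -NotePropertyName Signature -NotePropertyValue $sig -PassThru
        }
}

# Offline check against the constructed sample:
ConvertFrom-WsusDownloadFailure -Message $sample | Format-List

# On the WSUS server: which failure reasons dominate, and how do the files on disk verify?
$failures = @(Get-WsusDownloadFailure)
$failures | Group-Object Reason | Sort-Object Count -Descending | Select-Object Count, Name
$failures | Select-Object -First 10 TimeCreated, Reason, Signature, Destination
```

If every failure shows the same certificate-verification reason across many different files, the cause is more likely something common to all downloads (the server's trust store, or a device rewriting content in transit) than a single bad file.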
  • It's maybe because of a GPO you linked to the OU that contains your WSUS server computer account.

    Do not apply the Windows Update policies that you need to set for your clients to your WSUS server too.

    You may set the address of the Intranet Update Server for your clients; the address is the URL of the WSUS server. When you link this GPO to the OU of the WSUS server, the server tries to connect to the update service, and you told it to connect to the WSUS server, so it will be in a loop.





    Thursday, January 17, 2019 8:12 AM
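
A way to check for the situation described in the last reply, run on the WSUS server itself: read the Windows Update policy values that Group Policy writes to the registry and see whether the intranet update server URL names this same machine. This is an added example, not code from the thread; the function names and the `wsus01.example.test` host are hypothetical.

```powershell
# Added example (not from the thread). Function names and sample host are hypothetical.
function Test-WsusSelfReference {
    param(
        [string]$WUServer,        # policy value "WUServer" (intranet update service URL)
        [int]$UseWUServer,        # policy value "UseWUServer" (1 = use the intranet server)
        [string[]]$LocalNames     # names this machine answers to
    )
    if ($UseWUServer -ne 1 -or [string]::IsNullOrWhiteSpace($WUServer)) { return $false }
    $uri = $null
    if (-not [uri]::TryCreate($WUServer, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    # -contains compares strings case-insensitively, so WSUS01 matches wsus01.
    return ($LocalNames -contains $uri.Host)
}

function Get-LocalWsusPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    $names = @($env:COMPUTERNAME, 'localhost')
    try { $names += [System.Net.Dns]::GetHostEntry('').HostName } catch { }
    $use = [int]$au.UseWUServer   # missing value becomes 0
    [pscustomobject]@{
        WUServer        = $p.WUServer
        UseWUServer     = $use
        SelfReferencing = Test-WsusSelfReference -WUServer $p.WUServer -UseWUServer $use -LocalNames $names
    }
}

# Constructed inputs showing both outcomes:
Test-WsusSelfReference -WUServer 'http://wsus01.example.test:8530' -UseWUServer 1 `
                       -LocalNames 'WSUS01', 'wsus01.example.test'     # True
Test-WsusSelfReference -WUServer 'http://wsus01.example.test:8530' -UseWUServer 1 `
                       -LocalNames 'CLIENT07', 'client07.example.test' # False

# On the WSUS server:
Get-LocalWsusPolicy | Format-List
```

`gpresult /r /scope:computer` on the same machine lists the GPOs applied to it, which identifies the policy to unlink or filter if `SelfReferencing` comes back true.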