Windows 10 machines not pulling approved updates

  • Question

  • I have a brand new 2019 WSUS server deployed, but my Windows 10 machines are not pulling updates.

    A manual check for updates reports "You're up to date" while WSUS reports the machine has 290+ updates needed.

    Machines are registering to WSUS just fine, and seem to be reporting in, but they can't seem to identify that there are patches available for them.

    WSUS Setting

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "DoNotConnectToWindowsUpdateInternetLocations"=dword:00000000
    "DisableWindowsUpdateAccess"=dword:00000000
    "DisableDualScan"=dword:00000001
    "WUServer"="http://wsus2019:8530"
    "WUStatusServer"="http://wsus2019:8530"
    "UpdateServiceUrlAlternate"="http://wsus2019:8530"
    "TargetGroupEnabled"=dword:00000001
    "TargetGroup"="Computers"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoRebootWithLoggedOnUsers"=dword:00000001
    "RebootRelaunchTimeoutEnabled"=dword:00000001
    "RebootRelaunchTimeout"=dword:000001b8
    "RebootWarningTimeoutEnabled"=dword:00000001
    "RebootWarningTimeout"=dword:0000001e
    "AutoInstallMinorUpdates"=dword:00000000
    "UseWUServer"=dword:00000001
    "DetectionFrequencyEnabled"=dword:00000001
    "DetectionFrequency"=dword:0000000c
    "NoAutoUpdate"=dword:00000000

    2019/12/14 10:45:37.0474453 5804  11408 ComApi          * START *   Federated Search ClientId = UpdateOrchestrator (cV: nRDIbm1v0k2E3P2d.1.1.0)
    2019/12/14 10:45:37.0507151 11588 12228 IdleTimer       WU operation (SR.UpdateOrchestrator ID 5) started; operation # 20; does use network; is not at background priority
    2019/12/14 10:45:37.0535179 11588 11940 IdleTimer       WU operation (SR.UpdateOrchestrator ID 5, operation # 20) stopped; does use network; is not at background priority
    2019/12/14 10:45:37.0541495 5804  4264  ComApi          Federated Search: Starting search against 1 service(s) (cV = nRDIbm1v0k2E3P2d.1.1.0)
    2019/12/14 10:45:37.0543877 5804  4264  ComApi          * START *   Search ClientId = UpdateOrchestrator, ServiceId = 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7, Flags: 0X40010410 (cV = nRDIbm1v0k2E3P2d.1.1.0.0)
    2019/12/14 10:45:37.0571995 11588 1432  IdleTimer       WU operation (CSearchCall::Init ID 6) started; operation # 23; does use network; is not at background priority
    2019/12/14 10:45:37.0654719 11588 1432  Agent           * START * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 6]
    2019/12/14 10:45:37.0654986 11588 1432  Agent           Removing service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 from sequential scan list
    2019/12/14 10:45:37.0655099 11588 1432  Agent           Service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 is not in sequential scan list
    2019/12/14 10:45:37.0655208 11588 1432  Agent           Added service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 to sequential scan list
    2019/12/14 10:45:37.0656967 11588 11820 Agent           Service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 is in sequential scan list
    2019/12/14 10:45:37.0700457 11588 10868 Agent           * END * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 6]
    2019/12/14 10:45:37.0751100 11588 10868 Agent           * START * Finding updates CallerId = UpdateOrchestrator  Id = 6 (cV = nRDIbm1v0k2E3P2d.1.1.0.0.2)
    2019/12/14 10:45:37.0751253 11588 10868 Agent           Online = Yes; Interactive = Yes; AllowCachedResults = No; Ignore download priority = No
    2019/12/14 10:45:37.0751354 11588 10868 Agent           Criteria = IsInstalled=0 and DeploymentAction='Installation' or IsInstalled=0 and DeploymentAction='OptionalInstallation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1""
    2019/12/14 10:45:37.0751442 11588 10868 Agent           ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2019/12/14 10:45:37.0751477 11588 10868 Agent           Search Scope = {Machine}
    2019/12/14 10:45:37.0751602 11588 10868 Agent           Caller SID for Applicability: S-1-5-21-3156452373-2460497579-2355296147-500
    2019/12/14 10:45:37.0751628 11588 10868 Agent           ProcessDriverDeferrals is set
    2019/12/14 10:45:37.2100562 11588 10868 Misc            Got WSUS Client/Server URL: http://wsus2019:8530/ClientWebService/client.asmx""
    2019/12/14 10:45:37.2188540 11588 10868 Driver          Skipping printer driver 5 due to incomplete info or mismatched environment - HWID[microsoftmicrosoft_musd] Provider[Microsoft] MfgName[Microsoft] Name[Microsoft enhanced Point and Print compatibility driver] pEnvironment[Windows NT x86] LocalPrintServerEnv[Windows x64]
    2019/12/14 10:45:38.0594723 11588 10868 ProtocolTalker  ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://wsus2019:8530/ClientWebService/client.asmx
    2019/12/14 10:45:38.0598619 11588 10868 ProtocolTalker  OK to reuse existing configuration
    2019/12/14 10:45:38.0598950 11588 10868 ProtocolTalker  Existing cookie is valid, just use it
    2019/12/14 10:45:38.0599029 11588 10868 ProtocolTalker  PTInfo: Server requested registration
    2019/12/14 10:45:39.8280010 4016  5472  Misc            *FAILED* [80010106] ReadPolicy: failed
    2019/12/14 10:45:48.2159840 11588 10868 Misc            Update B32E464F-2E4A-4109-9018-33583A079A8A is sticky.
    2019/12/14 10:45:48.3850582 11588 10868 IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 24; does use network; is at background priority
    2019/12/14 10:45:48.3851510 11588 10868 WebServices     Auto proxy settings for this web service call.
    2019/12/14 10:45:48.7734683 11588 10868 IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 24) stopped; does use network; is at background priority
    2019/12/14 10:45:48.8932102 11588 10868 Misc            Update B32E464F-2E4A-4109-9018-33583A079A8A is sticky.
    2019/12/14 10:45:49.0357711 11588 10868 IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 25; does use network; is at background priority
    2019/12/14 10:45:49.0886584 11588 10868 IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 25) stopped; does use network; is at background priority
    2019/12/14 10:45:49.0886866 11588 10868 ProtocolTalker  SyncUpdates round trips: 2
    2019/12/14 10:47:28.2021201 11588 10868 Agent           Found 0 updates and 102 categories in search; evaluated appl. rules of 3966 out of 5580 deployed entities
    2019/12/14 10:47:28.2236935 11588 10868 Agent           * END * Finding updates CallerId = UpdateOrchestrator, Id = 6, Exit code = 0x00000000 (cV = nRDIbm1v0k2E3P2d.1.1.0.0.2)


    • Edited by DarkAlman Saturday, December 14, 2019 5:04 PM
    Saturday, December 14, 2019 5:03 PM
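
Added example (not part of the original post and not Microsoft tooling): a short Python triage script for a log excerpt like the one in the question. It extracts the server URL, the search result counts, the exit code and any *FAILED* records; the function and field names are illustrative, and the sample lines are taken from the log above.

```python
import re

# Five lines taken from the WindowsUpdate log excerpt in the question above.
SAMPLE = '''\
2019/12/14 10:45:37.2100562 11588 10868 Misc            Got WSUS Client/Server URL: http://wsus2019:8530/ClientWebService/client.asmx""
2019/12/14 10:45:39.8280010 4016  5472  Misc            *FAILED* [80010106] ReadPolicy: failed
2019/12/14 10:45:49.0886866 11588 10868 ProtocolTalker  SyncUpdates round trips: 2
2019/12/14 10:47:28.2021201 11588 10868 Agent           Found 0 updates and 102 categories in search; evaluated appl. rules of 3966 out of 5580 deployed entities
2019/12/14 10:47:28.2236935 11588 10868 Agent           * END * Finding updates CallerId = UpdateOrchestrator, Id = 6, Exit code = 0x00000000 (cV = nRDIbm1v0k2E3P2d.1.1.0.0.2)
'''

# timestamp, PID, TID, component, message
LINE = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+\s+(\d+)\s+\d+\s+(\S+)\s+(.*)$")
URL = re.compile(r'Got WSUS Client/Server URL: (\S+?)"*$')
FOUND = re.compile(r"Found (\d+) updates and (\d+) categories in search; "
                   r"evaluated appl\. rules of (\d+) out of (\d+) deployed entities")
FAILED = re.compile(r"\*FAILED\* \[([0-9A-Fa-f]{8})\] (.*)")
EXIT = re.compile(r"\* END \* Finding updates .*Exit code = (0x[0-9A-Fa-f]{8})")

def summarize_scan(text):
    """Collect the scan outcome fields from WindowsUpdate log text."""
    s = {"server_url": None, "found_updates": None, "categories": None,
         "evaluated": None, "deployed": None, "exit_code": None, "failures": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log record (blank or wrapped line)
        pid, component, message = int(m.group(1)), m.group(2), m.group(3)
        if (hit := URL.search(message)):
            s["server_url"] = hit.group(1)  # trailing quote characters dropped
        elif (hit := FOUND.search(message)):
            (s["found_updates"], s["categories"],
             s["evaluated"], s["deployed"]) = map(int, hit.groups())
        elif (hit := FAILED.search(message)):
            # keep the PID so failures from other processes stand out
            s["failures"].append((pid, component, hit.group(1), hit.group(2)))
        elif (hit := EXIT.search(message)):
            s["exit_code"] = hit.group(1)
    return s

def is_clean_empty_scan(s):
    """True when the search ended with exit code 0 yet found no updates."""
    return (s["exit_code"] is not None and int(s["exit_code"], 16) == 0
            and s["found_updates"] == 0)

if __name__ == "__main__":
    result = summarize_scan(SAMPLE)
    print(result)
    print("clean but empty scan:", is_clean_empty_scan(result))
```

On the lines above it reports a search that exited with code 0 and found 0 updates, with one *FAILED* record logged by a different process ID than the one running the search.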

All replies

  • "TargetGroupEnabled"=dword:00000001
    "TargetGroup"="Computers"

    First, I notice that you have configured the relevant key value of the client target group; please ensure that it is also configured to "use group policy or registry settings on computers."

    Then check that the client computer is already in the correct computer group, and approve the update to the correct computer group.
    Reply back with the results; I would be happy to help.

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 16, 2019 6:30 AM
  • That setting is already in place.

    Client side targeting is working fine, the workstations are registering to WSUS and reporting in.

    The problem is when I run Windows Update it says the machine is 'up to date' but WSUS reports that patches are missing.

    In this machines case 293 updates are needed, but running Windows Update doesn't pull any of them.

    • Edited by DarkAlman Monday, December 16, 2019 3:45 PM
    Monday, December 16, 2019 3:44 PM
  • Hi DarkAlman,

    Thank you for your reply.
    After analyzing the information you provided, I suggest that you first consider declining the updates that have been replaced among the 253 required updates, which can reduce unnecessary update approvals. For the method, refer to this article: "How to identify and decline superseded updates in WSUS."

    * Please note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    After that, please approve the required updates based on your actual situation. When you configure updates to be stored on the WSUS server, the client can obtain an update only after it has been downloaded. You may consider adding a "File Status" column to the update view of the WSUS console for checking.

    Reply back with the results; I would be happy to help.

    Regards,
    Yic


    Tuesday, December 17, 2019 5:38 AM
  • That has reduced the number of Updates needed from 260+ to 69

    But the same issue persists

    The computer states that it is up to date

    But WSUS says there are 69 updates pending

    Is it possible I have a prerequisite update that isn't approved? How can I determine which one?

    We are only permitted to deploy a list of approved patches for these machines due to limitations imposed by a vendor. So unfortunately I can't just deploy all patches carte blanche.

    Tuesday, December 17, 2019 10:09 PM
  • Is it possible I have a prerequisite update that isn't approved? How can I determine which one?

    It's hard to say, but if there is a service stack update among the required updates, please consider approving it; usually the service stack update is a prerequisite for some updates and monthly cumulative updates.

    Regards,
    Yic



    Wednesday, December 18, 2019 5:34 AM
  • One of the pending patches listed was a patch for Office 2016

    I ran the patch manually and performed a rescan

    WSUS now shows 67 patches required (was 69 before) but when I run a Windows Update it still says "Up to date"

    So WSUS sees that there are patches missing on the workstation, but the machine will still not pull patches from WSUS.
    Wednesday, December 18, 2019 5:10 PM
  • Hi,
      

    Please try to approve these required updates by adding a deadline and setting the deadline time to an elapsed time. The client then checks to see if the update will be installed.

    Reply back with the results; I would be happy to help.

    Regards,
    Yic


    Thursday, December 19, 2019 5:55 AM
  • Hi Everyone,

    Since this thread has not been updated for a long time, the following thread summary is provided for reference during subsequent follow-up.

    • Issue Symptom
      Windows 10 clients do not have the updates required to pass WSUS approved prompts.

    • Possible Cause
      Client and WSUS server synchronization issues.

    • Troubleshooting Steps so far
      Direct connection issues are currently ruled out.
      The client reports normally that the update has been cleaned up in WSUS. Currently waiting to add test results of whether Deadline updates can be installed.

    • Next Step
      Waiting for reply.

    Regards,
    Yic



    Tuesday, December 31, 2019 6:11 AM