Recent Patches pushed using wsus not detecting in endpoints

  • Question

  • I've been in the process of installing MS Updates in an environment which has never been patched till date. I use WSUS. Almost every time I'm successful, except in scenarios like the one below.

    A few of my Server 2008 R2 SP1 Standard machines have never been patched till date. A few days back I pushed all available patches from 2013 till May 2018. My problem is this: the machine is detecting all relevant patches except the updates released after Jan 2018.

    So I installed all detected updates and rebooted. Once the server came up, I ran 'Check for Update' once again. But the server says 'Windows is up to date'.

    I tried following so far.

    1. Created new folder in WSUS and moved Server into that and approved Patches from Jan18-May18 into that folder

    2. Ran wuauclt /detectnow /reportnow and rebooted multiple times

    Please help me to fix this

    NB: The only recent patch detected is the Malicious Tool
    • Edited by PrajithK Wednesday, June 27, 2018 10:54 AM
    Wednesday, June 27, 2018 8:20 AM

Answers

  • Finally here is the solution!!!!!

    Root cause: The Symantec application or its orphaned files present in ‘C:\Program Files\Common Files\Symantec shared’ are blocking the latest Windows update.

    Following are the Steps
    Step 1 : Rename "C:\Program Files\Common Files\Symantec shared" to ‘Symantec shared. Old’. Do the same in "C:\Program Files(x86)….”
    Step 2 : If the above renaming isn’t working, the Symantec application has to be uninstalled; then retry.

    Try scanning. It should work.

    Following are optional 

    Step 3 : Stop Windows Update Service
    Step 4 : Rename C:\windows\SoftwareDistribution to Distribution. Old
    Step 5 : Start Windows Update Service

    • Marked as answer by PrajithK Monday, September 17, 2018 3:59 PM
    Monday, September 17, 2018 3:58 PM
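
The steps in the accepted answer above, scripted as an added example (not part of the original post and not Microsoft's or Symantec's own tooling). The function names and the timestamped rename suffix are assumptions, as is reading the truncated "C:\Program Files(x86)…." path as the matching Common Files folder.

```powershell
# Added example, not from the original post. Function names and the timestamped
# ".old-<time>" suffix are assumptions; run from an elevated PowerShell prompt.
function Rename-Aside {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return 'NotPresent' }
    # Timestamp keeps a second run from colliding with an earlier ".old" folder.
    $newName = '{0}.old-{1}' -f (Split-Path -Leaf $Path), (Get-Date -Format 'yyyyMMdd-HHmmss')
    if (-not $PSCmdlet.ShouldProcess($Path, "Rename to $newName")) { return 'Skipped' }
    try {
        Rename-Item -Path $Path -NewName $newName -ErrorAction Stop
        return "Renamed:$newName"
    } catch {
        # Files held open block the rename; the answer's Step 2 (uninstall, retry) applies.
        return "Failed:$($_.Exception.Message)"
    }
}

function Invoke-UpdateScanFix {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$ResetSoftwareDistribution)   # optional Steps 3-5
    $results = @{}
    # Step 1: both Common Files roots; the x86 variable is empty on 32-bit Windows.
    $roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $folder = Join-Path $root 'Symantec shared'
        $results[$folder] = Rename-Aside -Path $folder
    }
    if ($ResetSoftwareDistribution) {
        $sd = Join-Path $env:windir 'SoftwareDistribution'
        Stop-Service -Name wuauserv -Force                   # Step 3
        try     { $results[$sd] = Rename-Aside -Path $sd }   # Step 4
        finally { Start-Service -Name wuauserv }             # Step 5, even if Step 4 fails
    }
    $results
}

# Dry run first: prints what would change without touching anything.
Invoke-UpdateScanFix -ResetSoftwareDistribution -WhatIf
```

Drop `-WhatIf` to apply the changes; a `Failed:` result for a Symantec folder corresponds to the case Step 2 covers.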

All replies

  • There is a registry entry that has to be set for updates to be detected.

    Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat

    value: cadca5fe-87d3-4b96-b7fb-a231484277cc


    Cherif Benammar


    Wednesday, June 27, 2018 9:16 AM
  • Hi Karpra,

    Thanks for your information.

    Firstly, to rule out a problem with the update itself, let's download one update manually and install it.
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056897

    If the update can be installed, then we could check whether there is firewall and antivirus software. Please turn them off and then you may detect the updates of 2018.

    Hope this helps and if there is any question, feel free to contact me.

    Regards,
    Johnson

    ===============

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 28, 2018 6:10 AM
  • Thanks for the answer, but I don't see a folder with the name 'QualityCompat' under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

     
    Thursday, June 28, 2018 7:02 PM
  • I am able to install any update manually. If you think it's a firewall or AV issue, I'll retry the push after disabling them.

    • Edited by PrajithK Friday, June 29, 2018 1:17 PM
    Thursday, June 28, 2018 7:04 PM
  • Check Windows Update from Microsoft online instead of from WSUS and see if there is any difference,

    AV is to log events of blocking anything like McAfee,

    That registry has to be set by the AV otherwise you won't be able to receive updates.

    Check your AV docs for that setting.


    Cherif Benammar

    Thursday, June 28, 2018 7:20 PM
  • I tried that already. It's not showing any Patches released after December 2017.
    Friday, June 29, 2018 1:15 PM
  • Hi Karpra, 

    According to the official Microsoft documentation, a specific registry key value needs to be set to receive the security update of Jan 2018.
    https://support.microsoft.com/en-us/help/4072699/windows-security-updates-and-antivirus-software

    The key value should be set as below:

    Key="HKEY_LOCAL_MACHINE"

    You should create a new key "QualityCompat":
    Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

    Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"
    Type="REG_DWORD"
    Data="0x00000000"

    Hope this helps and if there is any question, feel free to contact me.

    Best regards,
    Johnson

    Monday, July 2, 2018 3:02 AM
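
An audit of the QualityCompat value described in the reply above, as an added example (not from the original thread). The function names are hypothetical; the key, value name, type and data are the ones quoted in the reply. As an earlier reply notes, the value is meant to be set by the antivirus product, so the setter is left commented out and should only be used once the installed AV is confirmed compatible or no AV is present.

```powershell
# Added example, not from the original thread. Function names are hypothetical.
# Written to run on PowerShell 2.0 (the version shipped with Server 2008 R2).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatState {
    # Distinguish the failure modes: no key, no value, wrong type, wrong data.
    if (-not (Test-Path -Path $KeyPath)) { return 'KeyMissing' }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return 'ValueMissing' }
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "WrongType:$kind" }
    $data = $key.GetValue($ValueName)
    if ($data -ne 0) { return "WrongData:$data" }
    return 'Present'
}

function Set-QualityCompatFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set $ValueName = REG_DWORD 0")) {
        if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Report the state for this machine; collect the objects to compare servers.
New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    QualityCompat = Get-QualityCompatState
}

# Preview the change before applying it (requires an elevated prompt):
# Set-QualityCompatFlag -WhatIf
```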
  • Manually install the April 2018 cumulative update on your systems and they should return to normal. The April CU contains instructions to no longer check for the QualityCompat registry key as it contains all of the required updates for the Meltdown and Spectre fixes by this date.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Tuesday, July 3, 2018 3:42 AM
  • Thank you all for the input, tried all of them. Still no luck.


    Tuesday, August 14, 2018 12:38 PM
  • Just an FYI

    /detectnow is deprecated and does not work in Windows 10. Windows 10 has replaced it with: PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow() or UsoClient.exe StartScan

    /reportnow has a special use case and doesn't do anything at any other points in time unless it's within this use case (after /detectnow runs, there's a 20 minute 'cool down' period before it reports back to the WSUS Server. If /reportnow is run within this 20 minute period AND there is something flagged to report, it will report immediately. Otherwise, the detection process will report after 20 minutes regardless - so this is basically useless in almost all cases).

    Are you performing the proper WSUS maintenance including but not limited to running the Server Cleanup Wizard (SCW), declining superseded updates, running the SQL Indexing script, etc.?

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/

    From an Administrative Command Prompt on an affected client, run the following:
    gpresult /h gpo.htm
    and share the result with your favourite method or pastebin it so that we can see it.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, August 20, 2018 1:40 AM
  • Hello,

    Has your issue been solved? If not, could you please tell us which AV software you use?

    Looking forward to your feedback.

    Best Regards,

    Ray Jia



    Tuesday, August 21, 2018 5:47 AM
  • Not yet. Opened a case with Microsoft premium support and waiting for a solution

    Antivirus: McAfee

    Thursday, September 13, 2018 7:40 PM