locked
WSUS issue/question RRS feed

  • Question

  • I am running WSUS on a Windows 2008r2 server (I know, I know I plan to replace it with a Server 2016 soon) and I have an issue.

    I recently added the "Upgrades" classification and approved the Windows 10 version upgrades.  The one's like 1803, 1903, etc.

    The stupid thing keeps downloading the updates, deletes them and downloads them again.  Over and over again.  I did some research and found that WSUS running on server 2008r2 will not allow upgrades for newer softwares.  It seems you need to be running at least WSUS 4.  So I am trying to decline the upgrades, deselect upgrades from the classifications, etc anything to stop the server from downloading the updates over and over again.

    The only way I have found to stop the constant download is to stop the BITS service.  What can I do to reverse the problem I have caused?  I will be replacing the server with a newer 2016 server soon but it may be a few months.   I would like to continue using this one until I replace it.

    HELP!!

    Tuesday, May 12, 2020 10:22 PM

Answers

  • I believe now that I have cleared the "updates" and "upgrades" classification checkboxes and declined and removed the Win 10 feature updates my WSUS is no longer downloading and attempting install of these updates any longer.  I will not further pursue pushing out updates from this 2008r2 server any longer as I am in the process of replacing the 2008r2 server with a 2016 Server.  Thanks for your help.
    • Marked as answer by Poly Admin Wednesday, May 20, 2020 6:58 PM
    Wednesday, May 20, 2020 6:58 PM

All replies

  • Hi, 

    Thanks for your posting.

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
    If you have any updates during this process, please feel free to let me know.


    About "Upgrades" classification, you could refer to the following link: https://docs.microsoft.com/en-us/mem/configmgr/sum/get-started/configure-classifications-and-products

    Regards,
    Rita


    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Wednesday, May 13, 2020 7:55 AM
  • Hi Poly Admin,
     
    Thanks for your posting.
     
    For better analyze and resolve the issue, please provide the following information:

    1. Please confirm what file was downloaded in the screenshot below:

    The stupid thing keeps downloading the updates, deletes them and downloads them again.  Over and over again. 


    2. Please note that WSUS servers do not download data immediately when syncing data with Microsoft sites normally unless you uncheck the option -"Download updates files to this server only when updates are approved". Please confirm that the options in the following pictures are checked.
    Reference picture:

    Please note that this option is checked by default.
     
    If you have any updates, please keep us in touch.
     
    Regards,
    Rita


    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.




    Wednesday, May 13, 2020 9:51 AM
  • The options on my WSUS are set like in the picture.  Download only when approved.

    Here is an example of files being deleted after download.

    2020-05-11 19:56:23.635 UTC    Info    WsusService.9    CabUtilities.CheckCertificateSignature    File cert verification failed for d:\WSUS\WsusContent\05\65162F45583F38D53D01C5E5A64A69D1E73CC005.esd with 2148204547

    2020-05-11 19:56:23.885 UTC    Warning    WsusService.9    ContentSyncAgent.ProcessBITSNotificationQueue    Invalid file deleted: d:\WSUS\WsusContent\05\65162F45583F38D53D01C5E5A64A69D1E73CC005.esd
    Wednesday, May 13, 2020 2:17 PM
  • To troubleshoot connection failures, follow these steps:

    Verify that the Update Services service and the World Wide Web Publishing Service are running on the WSUS server.
    Verify that the default website or WSUS Administration website is running on the WSUS server.
    Review the IIS logs for the WSUS Administration website (c:\inetpub\logfiles), and check for errors.
    Wednesday, May 13, 2020 2:43 PM
  • Hi Poly Admin,
     
    Regards of the day. Thanks for your posting.
     
    This .esd file, is a Win10 upgrade payload. If you WSUS is running on Windows Server 2008R2 (WSUS v3) or earlier, you have incorrectly enabled the Windows 10 "Upgrades" classification. (WS2008R2 and earlier, cannot handle Win10 "Upgrades")
     
    It is recommended to refer to the following link to install related updates in WSUS server to handle this issue:
    https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus
     
    If you have any other issues, please keep us in touch.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 14, 2020 11:03 AM
  • I was not aware of this.  I am reading the document now and will follow up later today or tomorrow with questions.
    Thursday, May 14, 2020 9:08 PM
  • The document you referenced,
    https://support.microsoft.com/en-us/help/4484071/windows-server-update-services-update-kb4484071
    says that "Adding SHA-2 support will not add support for Windows 10 feature updates on WSUS 3.0 SP2."  So I am wasting my time.

    I guess I need to figure out how to "turn off" the download (and attempted install) of these Windows 10 updates that fall under the the "Updates" and "Upgrades" classifications.

    From the Update Services console I made the following changes: 
    Unchecked "Updates" and "Upgrades" from classifications.
    Under Updates I declined all updates that were approved.
    Under Upgrades I declined all updates that were approved.

    Am I leaving something out?  What else do I need to do to STOP the WSUS from downloading these Windows 10 upgrades/updates?


    • Edited by Poly Admin Thursday, May 14, 2020 9:31 PM
    Thursday, May 14, 2020 9:30 PM
  • Hi Poly Admin,
     
    To resolve this issue faster, it is recommended to install the updates in the WSUS server: KB4490628  and KB4474419.
     
    This update is primarily intended to fix Windows Server 2008R2 signature-related updates related to SHA-2.  
     
    Thank you for your time. Have a nice weekend.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, May 15, 2020 1:09 AM
  • I am studying your comments now. 
    Don't I need KB4484071 since I am running WSUS 3.0 SP2?
    Friday, May 15, 2020 2:25 PM
  • After reading the thru the information I downloaded several updates and tried to install them.
    Below are the results.  3 categories.  Updates applied successfully, updates already on the computer, and updates not applicable to the computer system.

    Updates applied successfully
    wsus-kb4484071-amd64_c5e1a0da3281331cdca4c775795e5250e160f86e.exe

    This update is already installed on this computer
    windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu
    windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu

    This update not applicable to your computer
    windows6.1-kb4489878-x64_ad02ba6500855333621fecf1b95cc15a8950f2e8.msu
    Friday, May 15, 2020 3:30 PM
  • Hi,
     
    Any update is welcome here.
    If the issue is resolved, share your solution or find the helpful response "Mark as Answer" to help other community members find the answer.
     
    Thank you for your cooperation, as always.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 18, 2020 12:32 AM
  • I have not resolved the issue yet.  I think the resolution is to speed up the transition to the Server 2016 system. 
    Monday, May 18, 2020 7:44 PM
  • Hi Poly,
     
    Regards of the day.
     
    Windows Server 2008 and Windows Server 2008 R2 reached the end of their support lifecycle on January 14, 2020. It is recommended to update to a higher version.
     
    As for the update you mentioned: KB4489878 above has been superseded by KB4493472. It is recommended that you check if the Windows Server 2008R2 client has KB4493472 installed.
     
    If you have any updates about this issue, please keep us in touch.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 19, 2020 8:15 AM
  • Yes, I realize that Server 2008r2 is at end of life. 
    I am in the process of building a replacement Server 2016 system.
    I downloaded and attempting install of the KB you referenced.  It said "this update is not applicable to your computer".

    Tuesday, May 19, 2020 2:52 PM
  • Hi Poly,

    Thanks for your posting.

    I previously suggested installing kb4490628 and kb4474419, as you described, the client has been installed correctly. This may be why the updates to display are not applicable.

    To avoid misunderstandings, Please consider assisting to confirm the following phenomenon whether have been resolved or not:

    2020-05-11 19:56:23.635 UTC    Info    WsusService.9    CabUtilities.CheckCertificateSignature    File cert verification failed for d:\WSUS\WsusContent\05\65162F45583F38D53D01C5E5A64A69D1E73CC005.esd with 2148204547


    2020-05-11 19:56:23.885 UTC    Warning    WsusService.9    ContentSyncAgent.ProcessBITSNotificationQueue    Invalid file deleted: d:\WSUS\WsusContent\05\65162F45583F38D53D01C5E5A64A69D1E73CC005.esd


    If you have any updates about this issue, please keep us in touch.

    Regards,
    Rita   


    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, May 20, 2020 3:03 AM
  • I believe now that I have cleared the "updates" and "upgrades" classification checkboxes and declined and removed the Win 10 feature updates my WSUS is no longer downloading and attempting install of these updates any longer.  I will not further pursue pushing out updates from this 2008r2 server any longer as I am in the process of replacing the 2008r2 server with a 2016 Server.  Thanks for your help.
    • Marked as answer by Poly Admin Wednesday, May 20, 2020 6:58 PM
    Wednesday, May 20, 2020 6:58 PM
  • Hi Poly,
     
    I am glad to hear that your issue was successfully resolved. If there is anything else we can do for you, please feel free to post in the forum. 
     
    Best Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 21, 2020 8:02 AM