Windows 2019 WSUS - client computers not showing in groups

  • Question

  • I have set up a new WSUS server. I removed the old WSUS server from the domain, renamed the new WSUS server to the old server's name, and added it to the domain with the same IP address. Previously the new WSUS server was a downstream replica of the old WSUS - all the group names were auto created. I left the current WSUS GPO intact.

    I ran a GPupdate /Force and then a GPresult /H wsus.html on two PCs; both display successful for WSUS GPO applied. Running Windows update on both displays "managed by your administrator" with updates ready to install.

    I attempted to search for a number of PCs within a WSUS group to manually add to the group, but the computers were not found.

    I'm trying to determine what I am missing - it's been 24 hours since the rename/add to domain and reboot of the new WSUS server.

    Thanks, 

    Milty


    milty60

    Saturday, March 2, 2019 12:54 PM


All replies

  • First, did you upgrade from 2008 to 2012+ WSUS? If so, Port 80/443 was used on 2008, but 8530/8531 is now used on 2012+ versions of WSUS. This means you'll have to edit your GPO to include the port (:8530/:8531)

    See part 4 of my blog series that deals with creating the GPOs.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/

    If that's not the reason:

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    • Marked as answer by milten Monday, March 4, 2019 7:03 PM
    Saturday, March 2, 2019 8:54 PM
  • Ensure you have an adequate GPO created and have assigned your computers to that OU.

    Faris

    Saturday, March 2, 2019 9:00 PM
  • Hi, 

    I updated the GPO to port 8530. The "unassigned" group now has 29 discovered devices - the count has gone up but still has many to go - 220 or so in total. Not sure why the discovered number of clients is so low. The number of Windows updates varies from 30 or 40 to 400. Not sure why on the previous WSUS server all clients were up to date and now are showing a large number of updates needed. Also, it appears I will need to manually move the clients to the proper group, although at this time the "Change Membership" option is grayed out. I have checked my PC and although Windows updates are waiting, I have tried twice to update and have received errors. Please advise.

    Thanks, 

    Milty


    milty60

    Sunday, March 3, 2019 12:31 PM
  • If your computers are not listed in WSUS, you can run wuauclt /detectnow on client PCs.

    1. Ensure your WSUS server is up to date.

    2. Ensure you have configured the GPO and given the correct URL for clients to download the updates from your WSUS server.

    3. Ensure your client PC got this GPO policy.

    4. Ensure you have selected needed Products and features only.

    5. Share the error you are getting while attempting to check for updates.

    Refer to the link below.

    https://support.microsoft.com/en-in/help/555974

    For detailed deployment:

    https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services


    Faris

    • Marked as answer by milten Monday, March 4, 2019 7:03 PM
    Sunday, March 3, 2019 5:46 PM
  • FYI:

    /detectnow is deprecated and does not work in Windows 10 and Server 2016+. Windows 10 and Server 2016+ have replaced it with: PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow() or UsoClient.exe StartScan

    All detailed in https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT


    • Edited by AJTek.caMVP Sunday, March 3, 2019 7:46 PM Adjusted to add Server 2016+
    • Marked as answer by milten Monday, March 4, 2019 7:03 PM
    Sunday, March 3, 2019 7:43 PM
  • On 03.03.2019, Farispv wrote:

    If your computers are not listed in WSUS, you can run wuauclt /detectnow on client PC's

    Only /detectnow is moved.

    wuauclt /resetauthorization /detectnow is working in W10 + W2016, but only in an admin command line.

    Winfried


    WSUS Package Publisher:
    https://github.com/DCourtel/Wsus_Package_Publisher
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home
    GP-PACK - PRIVACY AND TELEMETRIE: http://www.gp-pack.com/

    • Marked as answer by milten Monday, March 4, 2019 7:03 PM
    Sunday, March 3, 2019 8:29 PM
  • On 03.03.2019, milten wrote:

    Hi,

    I updated the GPO to port 8530. The "unassigned" group now has 29 discovered devices - the count has gone up but still has many to go - 220 or so in total. Not sure why the discovered number of client is so low.

    The clients have to take the new GPO settings. That is not so fast; clients need a little bit.

    The number of Windows updates varies from 30 or 40 to 400.

    The clients want so many updates?

    Not sure why on the previous WSUS server all clients were up to date and now *are showing a large number of updates needed*.

    Is there a difference in products and classifications?

    Also, it appears, I will need to manually move the clients to the proper group although at this time the "*Change Membership*" option is grayed out.

    Options > Computers. Which option is checked?

    I have checked my PC and although Windows updates are waiting I have tried twice to update and have *received errors*. Please advise.

    Which error did you get?

    Winfried



    • Marked as answer by milten Monday, March 4, 2019 7:03 PM
    Sunday, March 3, 2019 8:34 PM
  • Clients are checking in after the GPO port update - I have two sites in AD (Forest) - both domains have AD servers - I updated the WSUS GPO at both sites for new port - the site/domain the WSUS server resides in is receiving client hits but the other domain's clients are not checking in. Thoughts? 

    Thanks, 

    Milty 


    milty60

    Monday, March 4, 2019 3:12 PM
  • Try to download the WSUS iuident CAB file from the client machine.

    http://server.domain.local:8530/selfupdate/iuident.cab
    https://server.domain.local:8531/selfupdate/iuident.cab

    and then try to browse to:

    http://server.domain.local:8530/ClientWebService/client.asmx
    https://server.domain.local:8531/ClientWebService/client.asmx

    If you can download it and browse to it, that's the port/url to use in your GPO. If you can't, check firewall settings and port settings.

    Also look at:

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    • Marked as answer by milten Monday, March 4, 2019 7:03 PM
    Monday, March 4, 2019 5:38 PM
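
A client-side check of the endpoints named in the answer above, as an added PowerShell example that is not part of the original thread. The registry value names are the standard Windows Update policy values; the host name is read from the client's own WUServer policy, and ports 8530/8531 and the two paths are the ones given in the answer.

```powershell
# Added example: run on a client that is not reporting to WSUS.
# Shows which WSUS URL the GPO actually delivered, then probes the two
# endpoints from the thread on the configured URL and on ports 8530/8531.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au        = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

# Policy as seen by this client. TargetGroupEnabled/TargetGroup are the
# client-side targeting values (group membership controlled by GPO/registry).
[pscustomobject]@{
    WUServer           = $policy.WUServer
    WUStatusServer     = $policy.WUStatusServer
    UseWUServer        = $au.UseWUServer
    TargetGroupEnabled = $policy.TargetGroupEnabled
    TargetGroup        = $policy.TargetGroup
} | Format-List

if (-not $policy.WUServer) {
    Write-Warning 'No WUServer policy value found; the WSUS GPO has not reached this client.'
    return
}

$configured     = [uri]$policy.WUServer
$configuredBase = $configured.GetLeftPart([System.UriPartial]::Authority)
$hostName       = $configured.Host

# Configured URL first, then the default WSUS ports on the same host.
$bases = @($configuredBase, "http://${hostName}:8530", "https://${hostName}:8531") |
    Select-Object -Unique
$paths = '/selfupdate/iuident.cab', '/ClientWebService/client.asmx'

$results = foreach ($base in $bases) {
    foreach ($path in $paths) {
        $url = $base + $path
        try {
            $response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $outcome  = [int]$response.StatusCode
        } catch {
            # Connection refused, timeout, TLS failure or HTTP error
            $outcome = $_.Exception.Message
        }
        [pscustomobject]@{
            Url        = $url
            Configured = ($base -eq $configuredBase)
            UsesTls    = $url.StartsWith('https://')
            Result     = $outcome
        }
    }
}
$results | Format-Table -AutoSize -Wrap
```

If the rows marked Configured fail while another base returns 200, the GPO points at the wrong port or scheme; if every row fails, look at name resolution and firewall rules between the client and the WSUS server.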
  • Hi, 

    Appreciate everyone's help. The port was the main issue. An incorrect setting on WSUS was also an issue. Almost all clients on both domains are checked in - monitoring now.

    Thanks, 

    Milty




    • Edited by milten Monday, March 4, 2019 7:51 PM typo
    Monday, March 4, 2019 7:23 PM
  • On 04.03.2019, milten wrote:

    An incorrect setting on WSUS was also an issue.

    Thanks for the response. Please tell us which incorrect setting was the problem, thanks.

    Winfried



    Tuesday, March 5, 2019 5:54 AM
  • Follow-up: 

    Clients are checking in very slowly - approx 2 to 3 in a 24 hr period - don't know if that's expected behavior?

    Bigger issue - this is a brand new build of Windows 2019 VM with the Wsus feature installed - 6 times in the last two days I have received a disconnect message and fixed it via a "Start" on the IIS Application pool - very concerning for me that a new build would be behaving this way - I understand tweaking but I would assume it would work out of the box - only 210 clients. Thoughts? Suggested tweaks? 

    Also, I'm relatively new to WSUS - regarding the "Updates" menu - Critical and Security updates - respectively list updates in the thousands - do I need to individually approve/decline each update or does the system via communication with the client determine the required patches?  

    Screen shots attached Wsus disconnect , App pool stopped


    milty60

    Tuesday, March 5, 2019 1:57 PM
  • I had checked off GPO/registry to control group membership versus WSUS. 

    Thanks, 

    Milty 


    milty60

    Tuesday, March 5, 2019 2:05 PM
  • On 05.03.2019, milten wrote:

    Clients are checking in very slowly - approx 2 to 3 in a 24 hr period - don't know if that's expected behavior?

    If you delete %windir%\Softwaredistribution on each client, it can go a little faster.

    Bigger issue - this is a brand new build of Windows 2019 VM with the Wsus feature installed - 6 times in the last two days I have received a disconnect message and fixed it via a "Start" on the IIS Application pool - very concerning for me that a new build would be behaving this way - I understand tweaking but I would assume it would work out of the box - only 210 clients. Thoughts? Suggested tweaks?

    Have a look:
    https://www.404techsupport.com/2016/03/21/iis-wsus-private-memory/
    Set the settings from this article and restart the whole server.

    Also, I'm relatively new to WSUS - regarding the "Updates" menu - Critical and Security updates - respectively list updates in the thousands - do I need to individually approve/decline each update or does the system via communication with the client determine the required patches?

    You can approve daily the updates that the clients want.
    Winfried



    Tuesday, March 5, 2019 2:21 PM
  • See my Guide here:

    https://www.ajtek.ca/wsus/wsus-system-requirements-what-should-i-plan-for/

    Perhaps also spend some time reading the content on my site.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Tuesday, March 5, 2019 2:57 PM
  • Winfried, 

    Not sure what you're stating. For example, the updates currently listed in "Critical Updates" are 911 updates of 2123 shown. In the Options "Products and Classifications" I have only selected OS updates. I can't imagine on a daily basis I will need to check the updates and approve/decline hundreds or thousands of updates. I only want clients to receive "critical" or "important" updates for their respective OS and possibly Office product updates.

    Thanks, 

    Milty  


    milty60

    Tuesday, March 5, 2019 3:07 PM
  • On 05.03.2019, milten wrote:

    Not sure what you're stating. For example, the updates currently listed in "Critical Updates" are 911 updates of 2123 shown. In the Options "Products and Classifications" I have only selected OS updates. I can't imagine on a daily basis I will need to check the updates and approve/decline hundreds or thousands of updates. I only want clients to receive "critical" or "important" updates for their respective OS and possibly Office product updates.

    Clients will contact WSUS, see updates, and want to download and install all approved updates. If you want to approve manually, you can. You can also set up an automatic approval.

    You don't need to decline daily updates.

    Winfried



    Tuesday, March 5, 2019 8:05 PM
  • Hi all,

    Glad HIS problem was an incorrect Port

    But my problem is in WSUS Update Services (I have newest version) on 2012 Server R2, ONLY the XP and Windows 7 machines appear. The majority of my network are Windows 10 machines.

    Thursday, October 3, 2019 12:52 AM
  • Hi all,

    Glad HIS problem was an incorrect Port

    But my problem is in WSUS Update Services (I have newest version) on 2012 Server R2, ONLY the XP and Windows 7 machines appear. The majority of my network are Windows 10 machines.

    Delete all machines from WSUS and run the client side script on every client you have.

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Thursday, October 3, 2019 12:57 AM