Windows Server 2012 R2, WSUS, and Windows 10 LTSB 2016 CU Updates

  • Question

  • Hello, I've just become aware of a potential update problem in my environment and thought I would post about it before calling Microsoft.  We run a single Windows 2012 R2 server with the WSUS role installed.  This server handles update "policy" for all of our Windows workstations and servers.  I say policy because it is configured not to stage any updates locally, but send the client to the public Windows update website for download.  Here is the version info from Help > About..

    This WSUS implementation has been working pretty well for managing updates companywide.  We primarily run Windows 7 Pro SP1, Windows 10 LTSB 2016 (1607 | Build 14393), Windows Server 2008 R2, and Windows Server 2012 R2.

    Right now WSUS reports that it is actively managing updates for about 400 machines, half of which approximately are running Windows 10 LTSB.

    So, the problem....  I just realized that our helpdesk person had been manually applying a Windows 10 CU update from June to fix a problem on a particular Lenovo hardware platform.  The problem it resolves really isn't important for this conversation.  What has me puzzled is the fact that a fix from a CU back in June hadn't already been applied to a Windows 10 LTSB machine that reports as fully patched on our network.  This was clue #1 that there might be a problem with CU updates on Windows 10 LTSB in our implementation of WSUS.

    Now that I was looking for this problem, clue #2 was that in review of pending unapproved WSUS updates, the latest Windows 10 update titled "2018-11 Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4467691)" reports that it only applies to 6 of our almost 200 Windows 10 LTSB computers.

    The update that our helpdesk person had been installing manually as needed is KB4284833, an update dated June 2018...  I even went as far as to manually import that update into our WSUS server which reports that no computers "need" this update.  Helpdesk also tells me that a "stack update" must be applied before the June CU will install successfully.  That's KB4132216 which as far as WSUS knows also does not apply to any systems on our network.

    So, it seems that WSUS is not applying CU updates to our Windows 10 LTSB computers.  Or more specifically stated, WSUS doesn't feel that CU updates for build 1607 apply to Windows 10 workstations in our environment running LTSB 2016.

    For my next step in troubleshooting, I plan to remove the GPO forcing WSUS as the only update resource for a few LTSB machines that report a CU is not needed.  It will be interesting to see what one of these affected systems will report for required updates when connecting to Windows Update directly without WSUS.

    Any other troubleshooting suggestions?

    Regards,
    Adam Tyler

    Thursday, November 15, 2018 3:29 PM

Answers

  • It's a little early yet, but it appears that I have found a GPO setting that has resolved this problem.  It seems the only Windows 10 LTSB computers that were successfully updating in our environment had the following GPO setting applied and the other systems did not.

    “Do not allow update deferral policies to cause scans against Windows Update”

    Immediately after applying this setting to a test group of affected machines (gpupdate /force and WU rescan) the following update started installing.  After rebooting, the latest CU applied as we'd expect.

    

    Here is RSOP data from a system that is not working:

    Here is RSOP data from a system that updates normally, i.e. CU is detected and installed based on WSUS approval:

    Friday, November 16, 2018 9:18 PM
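
A way to compare a working and a non-working client without RSOP screenshots, as an added example that is not part of the original posts: this read-only PowerShell script reports the Windows Update policy values behind the setting named above, plus the build revision and the SSU mentioned in the replies. The registry value names (`DisableDualScan`, `UseWUServer`, the `Defer*` values, `UBR`) come from general knowledge of Windows Update policy, not from this thread.

```powershell
# Added example: run locally on a client. Reads the registry only, changes nothing.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Deferral policies that can make a WSUS-managed client scan Windows Update.
$deferralNames = 'DeferQualityUpdates', 'DeferFeatureUpdates',
                 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays',
                 'BranchReadinessLevel'
$deferrals = foreach ($n in $deferralNames) {
    $v = Get-RegValue $wu $n
    if ($null -ne $v) { "$n=$v" }
}

$report = [pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    # 14393.0 would be 1607 RTM; a higher revision means a CU has been installed.
    Build            = '{0}.{1}' -f (Get-RegValue $cv 'CurrentBuild'), (Get-RegValue $cv 'UBR')
    WUServer         = Get-RegValue $wu 'WUServer'
    UseWUServer      = Get-RegValue $au 'UseWUServer'
    # 1 = "Do not allow update deferral policies to cause scans against Windows Update"
    DisableDualScan  = Get-RegValue $wu 'DisableDualScan'
    DeferralPolicies = $deferrals -join '; '
    # SSU named in the replies as the prerequisite for KB4467691.
    SsuKB4465659     = [bool](Get-HotFix -Id 'KB4465659' -ErrorAction SilentlyContinue)
}
$report | Format-List

if ($report.UseWUServer -eq 1 -and $report.DeferralPolicies -and $report.DisableDualScan -ne 1) {
    Write-Warning ('WSUS is configured and deferral policies are set, but ' +
                   'DisableDualScan is not 1: this client may be scanning ' +
                   'Windows Update instead of honoring WSUS approvals.')
}
```

Running it on one machine from each group and diffing the two outputs shows whether the deferral and `DisableDualScan` values are what separates them.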

All replies

  • Hello Adam Tyler,
     
    1> KB4284833 has been replaced by subsequent cumulative updates. If clients have installed a superseding update, the superseded one would not apply to clients.
     
    2> KB4467691 also has a prerequisite, the latest SSU KB4465659. You could check that if your clients have installed it before KB4467691.
     
    3> If the latest SSU has been installed, well, we could check for updates online on the clients as you mentioned to check the results. Or we could download KB4467691 from Microsoft Update Catalog and try to install it manually.
     
    KB4467691
    https://support.microsoft.com/en-us/help/4467691/windows-10-update-kb4467691
     
    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray


    Friday, November 16, 2018 3:21 AM
  • A thing to note - LTSB is NOT for general systems. Microsoft's stance on this is that if you have to install Office on the system, you should not be using LTSB. LTSB would be for specific systems (a computer running an ATM for example) where the 'usage' is specific.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Friday, November 16, 2018 6:48 PM
  • Thank you..  I am aware of Microsoft's recommendation to limit the scope of LTSB deployment.  We've chosen to standardize on LTSB in our organization for a number of business and support reasons.

    Regards,
    Adam Tyler

    Friday, November 16, 2018 6:52 PM
  • Thanks for your reply,  I realize that KB4284833 is an outdated CU.  The latest CU should replace it.  However WSUS doesn't think that ANY CU updates are necessary for the bulk of our Windows 10 computers running the same Windows build.  This is the root of the problem I have reported.

    KB4467691 is available in WSUS, but the system seems to think that no clients qualify for install.  I'll attempt to install this update manually on one of the affected computers and see if WSUS starts to detect the latest CU as available.

    Regards,
    Adam Tyler


    Friday, November 16, 2018 6:57 PM
  • Windows 10 1607 RTM has a known issue that it will lose communication with any WSUS server. The fix for this is to install a Cumulative Update (CU) past September 2016 as it was fixed in the September CU. It will then re-establish communication with the WSUS server. Unfortunately, if the system is already Windows 10 1607 RTM, you have no choice but to use a 3rd party tool like PDQ Deploy or install the CU Manually on the machine.

    It's best to install the latest CU, but you can install any one past September and then WSUS will be able to communicate again with the machine.

    All your 1607 machines have not been receiving updates if this is the case and they are still on the 1607 RTM version.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Friday, November 16, 2018 7:05 PM