Remove From My Forums

WSUS Clients are not getting updates

Question
0

Sign in to vote

Hello all,

So we have new issue in our little group.

WSUS server is reporting that W10 client need some updates but client is not getting any, even after "forcing" the update by "check for updates" (Client is reporting that he has all updates).

Software Distribution, catroot2 folders were deleted, Windows update / BITS / Cryptsvc / MSIserver services were stopped and ran again, all of them are configured "Start = auto" and registry keys such as "AccountDomainSid, PingID, SuSClientId, SuSClientIDValidation" were deleted also.

We ran WSUS clean script already, without any help.

We ran new WSUS server on Windows 2016 server with same results (originally running on 2012 R2).

Some client are getting updates without any issues and reporting to WSUS correctly.

We pushed the 04 Cum update via 3rd party software (KB from Microsoft catalog) and client was updated correctly but still not getting updates from WSUS.

Windows update troubleshooter wont help.

On event log of impacted client is status: WindowsUpdateFailure3

Thanks for answering,

Ondrej

Tuesday, April 24, 2018 6:59 AM

All replies

0

Sign in to vote

When you ran the WSUS Clean script - are you talking about WSUS Automated Maintenance or another? Did you run it with -FirstRun? Did you modify the config or kept the defaults?

When you say W10 clients need updates - can you be more specific - specific KB's, what the current W10 version is (taken from Settings > System > About - include the complete OS Build number)
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Wednesday, April 25, 2018 4:13 AM
0

Sign in to vote

Yes, I ran it with -Firstrun and kept defaults.

Problem clients are 1709 Win 10.

They are not getting any updates, seems like first issue was around 01 cum update (maybe after faĺl creator?). Thats what thrilling my mind, all clients were OK and all were updated same way and some are working / some are not.

Wednesday, April 25, 2018 5:21 AM
0

Sign in to vote

Hi,

Did you refer to these link for troubleshooting?

https://serverfault.com/questions/656562/wsus-clients-cant-find-updates

https://community.spiceworks.com/topic/1795095-error-80072efe-when-searching-for-updates-for-windows-server
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Wednesday, April 25, 2018 7:17 AM
0

Sign in to vote

Yes, I think I tried everything.

I think that issue will be with that clients, not server or any settings... like, they got some kind of "bad" update and now their Windows update files/services are stuck and stopping / reseting etc. is not helping.

At the moment I am trying to reinstall Fall Creator update with saving apps and files so I do not have to do clean install but so far it seems without any changes.

Wednesday, April 25, 2018 11:13 AM

Run the following on an affected client system in an Admin Command Prompt:

net stop bits
net stop wuauserv
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
rd /s /q "C:\WINDOWS\SoftwareDistribution"
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

This should fix it.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Wednesday, April 25, 2018 12:37 PM

This won't help, I even made similar script by myself...

net stop wuauserv
net stop bits
net stop cryptsvc
net stop msiserver
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f
RD /s /q %windir%\SoftwareDistribution
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start bits
net start msiserver
net start cryptsvc
SC config wuauserv start= auto
SC config bits start= auto
SC config cryptsvc start= auto
SC config trustedinstaller start= auto
wuauclt /resetauthorization /detectnow
wuauclt /reportnow

I am so desperate, I am dealing with this issue like for two weeks now and this is big pain in my a*s

Edited by xDuff Thursday, April 26, 2018 8:10 AM Edit

Thursday, April 26, 2018 7:58 AM

0

Sign in to vote

Have you deleted the computer object from the WSUS Console and THEN run your script (which is similar to my client side script).
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Thursday, April 26, 2018 1:26 PM
0

Sign in to vote

If you are using just WSUS console to deploy updates is that client member of any group to which needed updates were deployed?
Cherif Benammar

Thursday, April 26, 2018 3:38 PM
0

Sign in to vote

If you are using just WSUS console to deploy updates is that client member of any group to which needed updates were deployed?

Cherif Benammar

WSUS is a repository for updates and associated files. It is not a true deployment tool. Windows clients check in with the WSUS server using the Windows Update client and ask if there are any updates that are applicable to them, and if there are, the Windows Update policy will take over.

Now, in saying that, is the computer object a part of the WSUS group that is getting the updates approved - either directly or by way of inheritance?
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Thursday, April 26, 2018 3:49 PM
0

Sign in to vote

Have you deleted the computer object from the WSUS Console and THEN run your script (which is similar to my client side script).

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Yes I did, and also I tried that on multiple clients

Friday, April 27, 2018 7:30 AM
0

Sign in to vote

If you are using just WSUS console to deploy updates is that client member of any group to which needed updates were deployed?

Cherif Benammar

No, they are not. All clients are in same group (All computers > Unassigned computers)

Friday, April 27, 2018 7:31 AM
0

Sign in to vote

All needed updates are approved, detail is Approval> Install | Status > Not Installed

Friday, April 27, 2018 7:33 AM
0

Sign in to vote

Thus, create a group to which you deploy needed updates and add one machine at least and look,
Cherif Benammar

Friday, April 27, 2018 8:00 AM
0

Sign in to vote

Thus, create a group to which you deploy needed updates and add one machine at least and look,

Cherif Benammar

Done, but why do you think it should help? Is there any function of it I do not know?

But still, thank you all guys for trying to help me.

Friday, April 27, 2018 8:14 AM
0

Sign in to vote

Hello guys,

hope you had great weekend :)

So creating a test group in WSUS won't help and there are no changes so far, any other ideas?

Thanks in advance,

Ondrej

Monday, April 30, 2018 5:15 AM
0

Sign in to vote

Screenshot the report of the update for the approvals (so we can see where it is approved), and one for the pages that show the 'needed' status for the computers you're talking about (mention which computer if it's not obvious).

Then screenshot the computer report in WSUS with regards to the computer reporting times and another for that KB (mention it so that it's obvious).

Post them here so that we can see them and try to figure out what's going wrong with your systems.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Monday, May 7, 2018 4:22 AM
0

Sign in to vote

We approved 04 cum update like 2 weeks ago.. mby more.

Here is the most problematic group, set with same settings.

Monday, May 7, 2018 5:29 AM
0

Sign in to vote

From an Admin Command Prompt, run a gpresult /h gpo.html from NB034

pastebin it and show us here.

WSUS shows correctly; but it's the Windows Update Agent that does the heavy lifting.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Monday, May 7, 2018 2:11 PM
0

Sign in to vote
Sorry for late response, I had days off.

GPO for NB203, nb034 is off for a week
- Edited by xDuff Thursday, May 10, 2018 11:41 AM
Thursday, May 10, 2018 5:33 AM
0

Sign in to vote

This was not run using "Run as administrator" for the CMD Prompt. It's missing all the computer details (the stuff that's required.)
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Thursday, May 10, 2018 8:03 PM
0

Sign in to vote

When I run CMD as admin, gpresult reading the data as administrator, not user..

So results:

local admin: System do not have any RSoP data

domain admin: System do not have any RSoP data

User: As provided in link :/

Friday, May 11, 2018 8:27 AM
0

Sign in to vote

No, from any domain user account with local admin rights (like your domain admin user for example):

Open CMD using the Right click method and "Run as Administrator" and click yes to the UAC Prompt to run it in elevated permissions.

Run gpresult /h gpo.html

Post this file.

Without elevated permissions, it cannot get the Computer policies RSOP data.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Friday, May 11, 2018 2:36 PM
0

Sign in to vote

trick is you have to run the command prompt as admin of the machine but run the gpresult under a user context that has a local profile on the machine you are running from.

e.g. you are a domain admin -> you have a user account without domain admin priv -> you auth cmd as local/domain admin -> you run the gpresult impersinating a user account on the local machine that is attached to the domain.

Friday, May 11, 2018 2:46 PM
0

Sign in to vote
Hello guys, I did it exatly you saying but gpresult still getting my account without RSoP data.

Even when I am trying to specify the user ...
C:\WINDOWS\system32>gpresult /r /u demjanovicova /s \\nb034
WARNING: Ignoring the user credentials for the local system.
INFO: The user "DEMOS\arudek" does not have RSoP data.

C:\WINDOWS\system32>gpresult /r /u demjanovicova /s localhost
WARNING: Ignoring the user credentials for the local system.
INFO: The user "DEMOS\arudek" does not have RSoP data.

C:\WINDOWS\system32>
And why GP is taking role here ?
- Edited by xDuff Tuesday, May 15, 2018 6:01 AM
Tuesday, May 15, 2018 5:27 AM
0

Sign in to vote

Hello guys, I did it exatly you saying but gpresult still getting my account without RSoP data.

Even when I am trying to specify the user ...
C:\WINDOWS\system32>gpresult /r /u demjanovicova /s \\nb034
WARNING: Ignoring the user credentials for the local system.
INFO: The user "DEMOS\arudek" does not have RSoP data.

C:\WINDOWS\system32>gpresult /r /u demjanovicova /s localhost
WARNING: Ignoring the user credentials for the local system.
INFO: The user "DEMOS\arudek" does not have RSoP data.

C:\WINDOWS\system32>
And why GP is taking role here ?
Is it possible for you to just run it from the local machine directly, or use psexec to run cmd.exe and then run it?
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Wednesday, May 16, 2018 1:58 AM
0

Sign in to vote
In that case, just for sure, I went to the user / notebook directly, PsExec wasn't used.

But why we are focusing on GP? Or for what we are looking for?
- Edited by xDuff Wednesday, May 16, 2018 9:28 AM
Wednesday, May 16, 2018 9:28 AM
0

Sign in to vote

WSUS is a website that holds data - it's a repository. It is NOT a deployment system. It does not deploy updates, it does not push updates. All it does is approve updates and manage reporting.

Windows Update Agent on each individual system does ALL of the heavy lifting.... BUT... It doesn't do anything unless configured correctly by way of GPOs or Registry settings. If it is MISCONFIGURED than you have issues. Combinations of certain settings may cancel each other out, or act in such a manor that you are not expecting. This is why I need to see the RSOP data from a client machine that's having the issue.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Wednesday, May 16, 2018 3:21 PM
0

Sign in to vote

Hope this is the correct one ?

GPO for NB034

(For others, run CMD as domain admin > gpresult /s *computername* /user *usernameOfUserWhoIsUsingThatComputer* /scope computer /h gpofinal.html - I had issues with RPC server and RSoP created for domain admin and etc... - this does it for me)

Thursday, May 17, 2018 6:49 AM
0

Sign in to vote

Here are a couple of snippits from my new blog (going to be posted June 1st)

Administrative Templates (.admx)

You will want to get the latest Administrative Templates (.admx) for Windows 10 which, at the time of this writing, is located at:

https://www.microsoft.com/en-us/download/details.aspx?id=56880

Install these Administrative Templates in your Central PolicyDefinitions folder on your Domain Controller. The best way to update them is to take a copy of the PolicyDefinitions folder and stick it in a temp folder for a backup of what is currently working. Then take the ADMX files and the language folder you're using and copy/paste them into the PolicyDefinitions folder, overwriting files as required. Don't worry, these Administrative Templates are inclusive of all the prior versions of Windows but now with updated descriptions and applies to fields that are actually very good and very accurate.

If for some reason you don't have the Central Store, please set it up following the directions at https://support.microsoft.com/en-ca/help/3087759/

Take note of all your client systems but plan for Windows 10.

Whatever client systems you have you should make a mental note of, but plan your WSUS around Windows 10. Although according to Microsoft, it is the last version of Windows they will build, this simply is a marketing gimmick as they've just changed the name of "Windows" to "Windows 10". One thing that is very good that comes out of this is their switch to WaaS where you get free upgrades to the latest revision of Windows 10 for the life of your device. What does 'life of your device' mean? As it has always been, it really means your motherboard, so if you have a catastrophic failure and need to replace your motherboard, you'll have to buy a new license of Windows 10. Now, another way to look at the phrase 'life of your device' is the hardware capabilities that it has. For example, if you're using Windows 10 on a 32bit Generation 1 netbook with 1GB of RAM, you may have realized that there's an end of life due to minimum requirements going up to 2GB.

In your policies:

Computer Settings > Policies > Administrative Templates > Windows Components > Delivery Optimization > Download Mode > Set this to LAN

Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > You're missing the 'Set the alternate download server:' - When you update your ADMX files, you will see this - then you should set it to 'http://wsus.demos.cz:8530'

You'll want to setup Active Hours too.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Saturday, May 26, 2018 2:10 PM
0

Sign in to vote

Thanks you for update.

Do we have to update these policies?:

Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

It is because we still have some W7 clients (like 20 of them).

Monday, May 28, 2018 5:54 AM
0

Sign in to vote

Thanks you for update.

Do we have to update these policies?:

Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

It is because we still have some W7 clients (like 20 of them).

No - I was just going off the name of the GPO being for Win8/Win10.

I would break off the Win7 settings into another GPO and scope them to a group that contains only Windows 7 machines - this way only the Win7 machines get these policies and none of the others get them. They don't have any effect on Win10 machines though.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Monday, May 28, 2018 2:54 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Asked by:

WSUS Clients are not getting updates

Question

All replies

Administrative Templates (.admx)

Take note of all your client systems but plan for Windows 10.