WSUS Clients are not getting updates

Question
-
Hello all,
So we have new issue in our little group.
WSUS server is reporting that W10 client needs some updates but client is not getting any, even after "forcing" the update by "check for updates" (Client is reporting that he has all updates).
Software Distribution, catroot2 folders were deleted, Windows update / BITS / Cryptsvc / MSIserver services were stopped and ran again, all of them are configured "Start = auto" and registry keys such as "AccountDomainSid, PingID, SuSClientId, SuSClientIDValidation" were deleted also.
We ran WSUS clean script already, without any help.
We ran new WSUS server on Windows 2016 server with same results (originally running on 2012 R2).
Some clients are getting updates without any issues and reporting to WSUS correctly.
We pushed the 04 Cum update via 3rd party software (KB from Microsoft catalog) and client was updated correctly but still not getting updates from WSUS.
Windows update troubleshooter won't help.
On event log of impacted client is status: WindowsUpdateFailure3
Thanks for answering,
Ondrej
Tuesday, April 24, 2018 6:59 AM
All replies
-
When you ran the WSUS Clean script - are you talking about WSUS Automated Maintenance or another? Did you run it with -FirstRun? Did you modify the config or kept the defaults?
When you say W10 clients need updates - can you be more specific - specific KB's, what the current W10 version is (taken from Settings > System > About - include the complete OS Build number)
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Wednesday, April 25, 2018 4:13 AM -
Yes, I ran it with -Firstrun and kept defaults.
Problem clients are 1709 Win 10.
They are not getting any updates, seems like first issue was around 01 cum update (maybe after fall creator?). That's what thrilling my mind, all clients were OK and all were updated same way and some are working / some are not.
Wednesday, April 25, 2018 5:21 AM -
Hi,
Did you refer to these links for troubleshooting?
https://serverfault.com/questions/656562/wsus-clients-cant-find-updates
https://community.spiceworks.com/topic/1795095-error-80072efe-when-searching-for-updates-for-windows-server
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Wednesday, April 25, 2018 7:17 AM -
Yes, I think I tried everything.
I think that issue will be with that clients, not server or any settings... like, they got some kind of "bad" update and now their Windows update files/services are stuck and stopping / resetting etc. is not helping.
At the moment I am trying to reinstall Fall Creator update with saving apps and files so I do not have to do clean install but so far it seems without any changes.
Wednesday, April 25, 2018 11:13 AM -
Run the following on an affected client system in an Admin Command Prompt:
net stop bits
net stop wuauserv
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
rd /s /q "C:\WINDOWS\SoftwareDistribution"
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
This should fix it.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Wednesday, April 25, 2018 12:37 PM -
This won't help, I even made similar script by myself...
net stop wuauserv
net stop bits
net stop cryptsvc
net stop msiserver
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f
RD /s /q %windir%\SoftwareDistribution
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start bits
net start msiserver
net start cryptsvc
SC config wuauserv start= auto
SC config bits start= auto
SC config cryptsvc start= auto
SC config trustedinstaller start= auto
wuauclt /resetauthorization /detectnow
wuauclt /reportnow
I am so desperate, I am dealing with this issue like for two weeks now and this is big pain in my a*s
- Edited by xDuff Thursday, April 26, 2018 8:10 AM
Thursday, April 26, 2018 7:58 AM -
Have you deleted the computer object from the WSUS Console and THEN run your script (which is similar to my client side script).
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Thursday, April 26, 2018 1:26 PM -
If you are using just WSUS console to deploy updates is that client member of any group to which needed updates were deployed?
Cherif Benammar
Thursday, April 26, 2018 3:38 PM -
If you are using just WSUS console to deploy updates is that client member of any group to which needed updates were deployed?
Cherif Benammar
WSUS is a repository for updates and associated files. It is not a true deployment tool. Windows clients check in with the WSUS server using the Windows Update client and ask if there are any updates that are applicable to them, and if there are, the Windows Update policy will take over.
Now, in saying that, is the computer object a part of the WSUS group that is getting the updates approved - either directly or by way of inheritance?
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Thursday, April 26, 2018 3:49 PM -
Have you deleted the computer object from the WSUS Console and THEN run your script (which is similar to my client side script).
Yes I did, and also I tried that on multiple clients
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Friday, April 27, 2018 7:30 AM -
If you are using just WSUS console to deploy updates is that client member of any group to which needed updates were deployed?
No, they are not. All clients are in same group (All computers > Unassigned computers)
Cherif Benammar
Friday, April 27, 2018 7:31 AM -
All needed updates are approved, detail is Approval > Install | Status > Not Installed
Friday, April 27, 2018 7:33 AM
-
Thus, create a group to which you deploy needed updates and add one machine at least and look,
Cherif Benammar
Friday, April 27, 2018 8:00 AM -
Thus, create a group to which you deploy needed updates and add one machine at least and look,
Cherif Benammar
Done, but why do you think it should help? Is there any function of it I do not know?
But still, thank you all guys for trying to help me.
Friday, April 27, 2018 8:14 AM -
Hello guys,
hope you had great weekend :)
So creating a test group in WSUS won't help and there are no changes so far, any other ideas?
Thanks in advance,
Ondrej
Monday, April 30, 2018 5:15 AM -
Screenshot the report of the update for the approvals (so we can see where it is approved), and one for the pages that show the 'needed' status for the computers you're talking about (mention which computer if it's not obvious).
Then screenshot the computer report in WSUS with regards to the computer reporting times and another for that KB (mention it so that it's obvious).
Post them here so that we can see them and try to figure out what's going wrong with your systems.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Monday, May 7, 2018 4:22 AM -
We approved 04 cum update like 2 weeks ago.. mby more.
Here is the most problematic group, set with same settings.
Monday, May 7, 2018 5:29 AM -
From an Admin Command Prompt, run a gpresult /h gpo.html from NB034
pastebin it and show us here.
WSUS shows correctly; but it's the Windows Update Agent that does the heavy lifting.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Monday, May 7, 2018 2:11 PM -
-
This was not run using "Run as administrator" for the CMD Prompt. It's missing all the computer details (the stuff that's required.)
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Thursday, May 10, 2018 8:03 PM -
When I run CMD as admin, gpresult reading the data as administrator, not user..
So results:
local admin: System do not have any RSoP data
domain admin: System do not have any RSoP data
User: As provided in link :/
Friday, May 11, 2018 8:27 AM -
No, from any domain user account with local admin rights (like your domain admin user for example):
Open CMD using the Right click method and "Run as Administrator" and click yes to the UAC Prompt to run it in elevated permissions.
Run gpresult /h gpo.html
Post this file.
Without elevated permissions, it cannot get the Computer policies RSOP data.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Friday, May 11, 2018 2:36 PM -
trick is you have to run the command prompt as admin of the machine but run the gpresult under a user context that has a local profile on the machine you are running from.
e.g. you are a domain admin -> you have a user account without domain admin priv -> you auth cmd as local/domain admin -> you run the gpresult impersonating a user account on the local machine that is attached to the domain.
Friday, May 11, 2018 2:46 PM -
Hello guys, I did it exactly you saying but gpresult still getting my account without RSoP data.
Even when I am trying to specify the user ...
C:\WINDOWS\system32>gpresult /r /u demjanovicova /s \\nb034
WARNING: Ignoring the user credentials for the local system.
INFO: The user "DEMOS\arudek" does not have RSoP data.
C:\WINDOWS\system32>gpresult /r /u demjanovicova /s localhost
WARNING: Ignoring the user credentials for the local system.
INFO: The user "DEMOS\arudek" does not have RSoP data.
C:\WINDOWS\system32>
And why GP is taking role here ?
- Edited by xDuff Tuesday, May 15, 2018 6:01 AM
Tuesday, May 15, 2018 5:27 AM -
Hello guys, I did it exactly you saying but gpresult still getting my account without RSoP data.
Even when I am trying to specify the user ...
C:\WINDOWS\system32>gpresult /r /u demjanovicova /s \\nb034
WARNING: Ignoring the user credentials for the local system.
INFO: The user "DEMOS\arudek" does not have RSoP data.
C:\WINDOWS\system32>gpresult /r /u demjanovicova /s localhost
WARNING: Ignoring the user credentials for the local system.
INFO: The user "DEMOS\arudek" does not have RSoP data.
C:\WINDOWS\system32>
And why GP is taking role here ?
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Wednesday, May 16, 2018 1:58 AM -
In that case, just for sure, I went to the user / notebook directly, PsExec wasn't used.
But why we are focusing on GP? Or for what we are looking for?
- Edited by xDuff Wednesday, May 16, 2018 9:28 AM
Wednesday, May 16, 2018 9:28 AM -
WSUS is a website that holds data - it's a repository. It is NOT a deployment system. It does not deploy updates, it does not push updates. All it does is approve updates and manage reporting.
Windows Update Agent on each individual system does ALL of the heavy lifting.... BUT... It doesn't do anything unless configured correctly by way of GPOs or Registry settings. If it is MISCONFIGURED then you have issues. Combinations of certain settings may cancel each other out, or act in such a manner that you are not expecting. This is why I need to see the RSOP data from a client machine that's having the issue.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Wednesday, May 16, 2018 3:21 PM -
Hope this is the correct one ?
(For others, run CMD as domain admin > gpresult /s *computername* /user *usernameOfUserWhoIsUsingThatComputer* /scope computer /h gpofinal.html - I had issues with RPC server and RSoP created for domain admin and etc... - this does it for me)
Thursday, May 17, 2018 6:49 AM -
Here are a couple of snippets from my new blog (going to be posted June 1st)
Administrative Templates (.admx)
You will want to get the latest Administrative Templates (.admx) for Windows 10 which, at the time of this writing, is located at:
https://www.microsoft.com/en-us/download/details.aspx?id=56880
Install these Administrative Templates in your Central PolicyDefinitions folder on your Domain Controller. The best way to update them is to take a copy of the PolicyDefinitions folder and stick it in a temp folder for a backup of what is currently working. Then take the ADMX files and the language folder you're using and copy/paste them into the PolicyDefinitions folder, overwriting files as required. Don't worry, these Administrative Templates are inclusive of all the prior versions of Windows but now with updated descriptions and applies to fields that are actually very good and very accurate.
If for some reason you don't have the Central Store, please set it up following the directions at https://support.microsoft.com/en-ca/help/3087759/
Take note of all your client systems but plan for Windows 10.
Whatever client systems you have you should make a mental note of, but plan your WSUS around Windows 10. Although according to Microsoft, it is the last version of Windows they will build, this simply is a marketing gimmick as they've just changed the name of "Windows" to "Windows 10". One thing that is very good that comes out of this is their switch to WaaS where you get free upgrades to the latest revision of Windows 10 for the life of your device. What does 'life of your device' mean? As it has always been, it really means your motherboard, so if you have a catastrophic failure and need to replace your motherboard, you'll have to buy a new license of Windows 10. Now, another way to look at the phrase 'life of your device' is the hardware capabilities that it has. For example, if you're using Windows 10 on a 32bit Generation 1 netbook with 1GB of RAM, you may have realized that there's an end of life due to minimum requirements going up to 2GB.
In your policies:
Computer Settings > Policies > Administrative Templates > Windows Components > Delivery Optimization > Download Mode > Set this to LAN
Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10
Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10
Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > You're missing the 'Set the alternate download server:' - When you update your ADMX files, you will see this - then you should set it to 'http://wsus.demos.cz:8530'
You'll want to setup Active Hours too.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Saturday, May 26, 2018 2:10 PM -
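The two replies above explain that the Windows Update Agent only talks to WSUS when its policy settings are consistent, and list the settings to correct. The following is an added example, not code from any participant in this thread: a PowerShell check to run on an affected client that reads the resulting policy values from the registry and flags conflicting combinations. The registry value names are the standard Windows Update and Delivery Optimization policy names, which the thread itself does not quote.

```powershell
# Added example (not from the thread): dump the Windows Update policy values
# the agent on this client reads, and flag combinations that stop it using WSUS.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy Not Configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$cfg = [ordered]@{
    WUServer                  = Get-PolicyValue $wu 'WUServer'
    WUStatusServer            = Get-PolicyValue $wu 'WUStatusServer'
    UpdateServiceUrlAlternate = Get-PolicyValue $wu 'UpdateServiceUrlAlternate'
    TargetGroup               = Get-PolicyValue $wu 'TargetGroup'
    UseWUServer               = Get-PolicyValue $au 'UseWUServer'
    NoAutoUpdate              = Get-PolicyValue $au 'NoAutoUpdate'
    AUOptions                 = Get-PolicyValue $au 'AUOptions'
    DODownloadMode            = Get-PolicyValue $do 'DODownloadMode'
}
$cfg.GetEnumerator() | Format-Table Name, Value -AutoSize

$findings = @()
if (-not $cfg.WUServer) {
    $findings += 'WUServer is not set: the agent has no WSUS server to scan against.'
}
if ($cfg.UseWUServer -ne 1) {
    $findings += 'AU\UseWUServer is not 1: WUServer is ignored by the agent.'
}
if ($cfg.WUServer -and $cfg.WUStatusServer -and ($cfg.WUServer -ne $cfg.WUStatusServer)) {
    $findings += 'WUServer and WUStatusServer differ: scans and reports go to different servers.'
}
if (-not $cfg.UpdateServiceUrlAlternate) {
    $findings += 'Alternate download server is not set (the setting named in the reply above).'
}
if ($cfg.NoAutoUpdate -eq 1) {
    $findings += 'AU\NoAutoUpdate is 1: Automatic Updates is disabled by policy.'
}
if ($cfg.DODownloadMode -ne 1) {
    $findings += 'Delivery Optimization Download Mode is not 1 (LAN).'
}
if ($findings.Count -eq 0) { 'No conflicting Windows Update policy values found.' } else { $findings }
```

Compare the output with the elevated `gpresult /h` report from the same machine: a value that appears here but in no GPO was written locally or left behind by an earlier policy.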
Thank you for update.
Do we have to update these policies?:
Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10
Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10
It is because we still have some W7 clients (like 20 of them).
Monday, May 28, 2018 5:54 AM -
Thank you for update.
Do we have to update these policies?:
Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10
Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10
It is because we still have some W7 clients (like 20 of them).
No - I was just going off the name of the GPO being for Win8/Win10.
I would break off the Win7 settings into another GPO and scope them to a group that contains only Windows 7 machines - this way only the Win7 machines get these policies and none of the others get them. They don't have any effect on Win10 machines though.
Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT
Monday, May 28, 2018 2:54 PM