locked
Clients say no updates needed but WSUS server says one update needed RRS feed

  • Question

  • Hi all,

    WSUS server v. 6.3.9600.18694 running on a 2012r2 hyper-v VM.  

    On all Windows 2016 servers, WSUS server says KB4034658 is needed and will be installed pending reboot but even after rebooting, WSUS server still says it needs the updated and the status is pending reboot.  When you look at update history on the 2016 servers, it says "No updates have been installed yet".  

    On Windows 10 Enterprise Clients build 1607,  WSUS server says KB4034674 is needed and will be installed pending reboot but it never installs after rebooting the clients.  When the 1607 clients automatically check for updates, it always says "your device is up to date".  However, when I check online for updates from Microsoft, I get this error:

    "There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x8024401c)"

    Things I have tried:

    Tested all other Windows 7, Windows 8.1, servers 2012r2 --all update fine.I ran the SQL script (I also found on this site) to check for a dirty database but it came up fine (0)

    I followed the advice of someone on this site and manually upgraded one of my test Windows 10 Enterprise 1607 Clients to build 1703 and, like they said, the problems went away.  Is this the only option that will work with Windows 10 clients.  I can't upgrade yet because software we run on our clients will not run on Windows Build 1703 yet.

    I think that last batch of updates broke something on my clients but I have not been able to pinpoint which ones.

    Any help would be greatly appreciated.

    Thanks,

    FD.


    Bob Andres

    Friday, August 11, 2017 12:14 PM

All replies

  • Hi ,

    As for 2016 servers , please try to run command to check if that update exists :

    get-hotfix

    As for windows 10 client , please check the windows update log to see if there is any clue .

    Any further information please feel free to let us know .

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 14, 2017 10:07 AM
  • Hi Elton_Ji,

    I ran the get-hotfix command and it showed my 2016 servers installed that update on 8/9/2017.  However, the WSUS server status has this:

    Approval - install

    Status - Pending reboot

    When I reboot, the status does not change.

    I ran the get-hotfix command on the Windows 10 machines.  They also show the update was installed on 8/9/2017 but the WSUS server says the update will be installed after reboot.

    I ran these powershell commands on the 2016 servers. (since wuauclt.exe /detectnow has been removed)

    $AutoUpdates = New-Object -ComObject "Microsoft.Update.AutoUpdate"

    $AutoUpdates.DetectNow() 

    I then restarted the WSUS service.

    Status did not change.  WSUS still thinks the updates are needed (pending reboot). 

    On one of my 2016 servers, I clicked on the "check for updates" button and received this error message.

    There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x8024401c).

    I then clicked on the "Update History" and it still shows "No updates have been installed yet".

    The updates are really installed on the Windows 10 and Windows Server 2016 machines but WSUS Server does not recognize it. 

    Any other suggestions?

    Thanks,

    FD


    Bob Andres

    Monday, August 14, 2017 12:17 PM
  • Hi Sir,

    >>The updates are really installed on the Windows 10 and Windows Server 2016 machines but WSUS Server does not recognize it. 

    Have you checked the "Last status report" for these client computer?

    Also , please restart the windows update agent service for client computer .

    Then , "check for updates" and note the time when you click that button .

    Open powershell.exe and run command "Get-WindowsUpdateLog" to get windows update log .

    By default you may get a log file on your desktop .

    Please check if there is any error/failure in that log after the time you have noted .

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 15, 2017 2:10 AM
  • Hi Elton_Ji,

    I followed all your instructions.

    The last status report shows "Your device is up to date"  Update History shows "no updates

    I restarted the windows update agent on the 2016 server.  Did not help.

    I also downloaded the KB4034658 hotfix from Microsoft Update Catalogue and tried to manually install it (thinking maybe the client really did not have the KB installed; the message was it was already installed and the command get-hotfix verified that).

    Here is the Windows Update Log error I found on a 2016 server.

    2017/08/14 11:30:31.0584748 3244  2356  AppAU           * START *
    2017/08/14 11:30:31.0585231 3244  2356  AppAU           * START * Check for Failed Tasks to Retry
    2017/08/14 11:30:31.0833691 3244  2356  AppAU           * END * Check for Failed Tasks to Retry, exit code = 0x00000000
    2017/08/14 11:30:31.0846096 3244  2356  AppAU           * END *, exit code = 0x00000000

    I think the problem is the WSUS server and Windows 10 machines.  The WSUS server is fully patched with the latest updates. 

    After googling my problem, it seems others have had the same type of issues.  Their fix was to upgrade to build 1703.  I will try that and report back.

    Thanks,

    FD


    Bob Andres

    Tuesday, August 15, 2017 2:06 PM
  • Hi, everyone!

    My internal WSUS server is running on MS Windows Server 2016 [Version 10.0.14393].
    The communication’s established on TCP ports: 8530 (http) and 8531(https).

    All clients running MS Windows 10 build 1607 stopped reporting of status to WSUS server just after August's provided monthly updates where installed. Now the update history on client says "no updates have been installed yet". Each already patched Windows 10 system with Windows Update status 0x8024401c causes a quite huge CPU load on WSUS server w3wp.exe process while connecting. The WSUS server itself as well.

    All clients running MS Windows 10 build 1511 got Windows Update status 0x800705b4 (gonna check it out) and did not reported status since June.
    But clients running MS Windows 10 build 1703 report Windows Update status.

    So, the same type of issues.
    Regards,

    Krzysztof

    Friday, August 18, 2017 10:46 AM
  • Hi all,

    I found some posts with suggestions that I implemented to try to fix my WSUS 2012r2 servers.  

    I did this:

    "Filter the All Updates view with Approval=”Approved” and Status=”Installed/NotApplicable”.
    Enable the Supersedence column display
    Sort by the “Installed/Not Applicable Percentage” column. Alternatively, you can also sort by the Supersedence column. You may prefer one method over the other, and either will serve the purpose.
    Select the updates reported as 100% Installed/NotApplicable that are identified as superseded.

    I then defragged the drive (I am running WSUS in Hyper-V).

    This freed up tons of space and made my WSUS server run more smoothly

    The next thing I did was follow the instructions on another post entitled:

    "Windows 10 1703 Enterprise - download stuck at 0% from WSUS".  In this post, it was recommended to do this:

    "Added the MIME type .esd (application/octet-stream) in IIS -> Sites -> WSUS Administration Site -> MIME Types"

    (There is also an excellent powershell script, Adamj Clean-WSUS, that I am working on to automate the above fixes).

    ***********************

    After I did all of this, the clients received the new 1703 build (I gave up on build 1607- too many bugs) Also the Server 2016 updates are now recognized by my WSUS Server.  The 1703 build was pushed out successfully and the workstations upgraded successfully BUT the workstations that upgraded successfully do not report back to the WSUS server.  

    Any help would be greatly appreciated. 

    Thanks,

    FD


     


    Bob Andres

    Wednesday, August 23, 2017 4:26 PM
  • Hi Bob!

    As far as the KB4034658 update is concerned “Microsoft is investigating this issue and will provide an update as soon as possible”, according to their website: 

    https://support.microsoft.com/en-us/help/4034658/windows-10-update-kb4034658

    So, I must politely wait because of my MS Windows Server 2016 installations not only clients with MS Windows 10 build 1607.

    To be quite clear about the correct reporting to my WSUS server by clients with MS Windows 10 build 1703. They were not upgraded from previous builds but fresh installed. Perhaps that is the difference or my WSUS server version?

    I would try two scenarios: a fresh OS installation on one of your client computer and Windows Update service cleanup procedure on one's successfully upgraded to 1703 build.

    Best Regards,

    Krzysztof

    • Proposed as answer by Krzysztof_Zep Wednesday, August 30, 2017 11:33 AM
    • Unproposed as answer by Krzysztof_Zep Wednesday, August 30, 2017 11:33 AM
    Thursday, August 24, 2017 8:26 AM
  • Installing the KB4039396 hotfix in my organization solved the problem for Windows Server 2016 and Windows 10 build 1607.

    Regards,

    Krzysztof

    Wednesday, August 30, 2017 11:40 AM
  • Hi Krzysztof,

    Thanks for the reply.

    Because there are so many bugs in 1607, I upgraded to build 1703 using a new WSUS 2016 Server to alleviate the issues of my old WSUS server crashing, etc.  However, with all the modifications, I still have issues with the new system and clients.

    I double checked my workstations that were upgraded to build 1703. Good news is there are actually a few that not only upgraded correctly but are reporting back to the WSUS 2016 server. Also, all my Windows Server 2016 machines report back to the new WSUS 2016 Server. However,  I am baffled because the same laptop model of one user upgraded successfully and is reporting back but the same model of another user upgraded but is not reporting back.  I have run powershell commands on the non-reporting laptops to detect the WSUS server but it does not work.

    I also have issues with two desktops. (I also ran the powershell commands to detect the WSUS server but it also was an exercise in futility).  Here is the error from one of them.

    ************

    There were problems installing some updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help:

    • Feature update to Windows 10 Enterprise, version 1703, en-us - Error 0x80070005

    Feature update to Windows 10 Enterprise, version 1703, en-us
    Event reported at 8/23/2017 5:10 AM:
    (Unable to Find Resource:) ReportingEvent.Client.167; Parameters: Feature update to Windows 10 Enterprise, version 1703, en-us

    From the Windows Update Log: (snippets because the log is so long)

       ISusInternal:: DisconnectCall failed, hr=8024000C
    2017/08/24 14:52:48.9977717 5352  7736  AppAU           * END * Check for Failed Tasks to Retry, exit code = 0x00000000
    2017/08/24 14:52:48.9984753 5352  7736  AppAU           * END *, exit code = 0x00000000

    Failed to obtain 9482F4B4-E343-43B6-B170-9A65BC822C77 redir SecondaryServiceAuth URL, error = 0x80245002
    2017/08/24 19:00:09.5711378 5864  6784  Agent           Failed to verify authenticity of service 117cab2d-82b1-4b5a-a08c-4d62dbee7782, hr=0
    2017/08/24 19:00:09.5839383 5864  7752  Agent           * START * Queueing Finding updates [CallerId = Update;taskhostw  Id = 6]
    2017/08/24 19:00:09.5839510 5864  7752  Agent           Service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 is not in sequential scan list
    2017/08/24 19:00:09.6049602 5864  6784  IdleTimer       WU operation (SR.Update;taskhostw ID 4, operation # 14) stopped; does use network; is not at background priority
    2017/08/24 19:00:09.6192861 7028  6176  ComApi          Federated Search: Starting search against 1 service(s) (cV = OYnOhqgoz0q+Or5t.0.73.1.1.0)
    2017/08/24 19:00:09.6193786 7028  6176  ComApi          * START *   Search ClientId = Update;taskhostw, ServiceId = 855E8A7C-ECB4-4CA3-B045-1DFA50104289 (cV = OYnOhqgoz0q+Or5t.0.73.1.1.0.0)
    2017/08/24 19:00:09.6202787 5864  7752  IdleTimer       WU operation (CSearchCall::Init ID 7) started; operation # 23; does use network; is at background priority
    2017/08/24 19:00:09.6492235 5864  7752  Agent           * START * Queueing Finding updates [CallerId = Update;taskhostw  Id = 7]
    2017/08/24 19:00:09.6492323 5864  7752  Agent           Service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 is not in sequential scan list
    2017/08/24 19:00:10.0388429 5864  3944  Agent           Added update 4D142AA3-B961-456B-9292-707F5C8AB98F.1 to search result
    2017/08/24 19:00:10.0388648 5864  3944  Agent           Found 1 updates and 5 categories in search; evaluated appl. rules of 25 out of 33 deployed entities
    2017/08/24 19:00:10.0472439 5864  3944  Agent           * END * Finding updates CallerId = Update;taskhostw  Id = 5
    2017/08/24 19:00:10.0491969 5864  3944  IdleTimer       WU operation (CSearchCall::Init ID 5, operation # 17) stopped; does not use network; is at background priority
    2017/08/24 19:00:10.0494594 5864  6000  Agent           Service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 is not in sequential scan list
    2017/08/24 19:00:10.0558228 5864  6296  Agent           * END * Queueing Finding updates [CallerId = Update;taskhostw  Id = 6]
    2017/08/24 19:00:10.0575175 7028  7804  ComApi          *RESUMED*   Search ClientId = Update;taskhostw, ServiceId = 855E8A7C-ECB4-4CA3-B045-1DFA50104289 (cV = Zoz5FF8yHkC0F5yb.0.7.4.2.1.0.0)
    2017/08/24 19:00:10.0600657 7028  7804  ComApi          * END *   Search ClientId = Update;taskhostw, Updates found = 1, ServiceId = 855E8A7C-ECB4-4CA3-B045-1DFA50104289 (cV = Zoz5FF8yHkC0F5yb.0.7.4.2.1.0.0)
    2017/08/24 19:00:10.0602662 7028  8324  ComApi          * END *   All federated searches have completed. Jobs = 1, Succeeded = 1, ClientId = Update;taskhostw (cV = Zoz5FF8yHkC0F5yb.0.7.4.2.1.0)
    2017/08/24 19:00:10.0610044 7028  2260  ComApi          ISusInternal:: DisconnectCall failed, hr=8024000C
    2017/08/24 19:00:10.0620721 7028  2260  ComApi          ISusInternal:: DisconnectCall failed, hr=8024000C
    2017/08/24 19:00:10.0630233 5864  7752  DownloadManager No locked revisions found for update 4D142AA3-B961-456B-9292-707F5C8AB98F; locking the user-specified revision.
    2017/08/24 19:00:10.0635178 5864  7752  DownloadManager No locked revisions found for update FC315D1C-C986-4713-BC15-E22E238BF68F; locking the user-specified revision.
    2017/08/24 19:00:10.0638802 5864  7752  DownloadManager No locked revisions found for update 0BC54564-374B-4764-8486-8D158ED6E86D; locking the user-specified revision.
    2017/08/24 19:00:10.0639493 5864  6296  Agent           * START * Finding updates CallerId = Update;taskhostw  Id = 6
    2017/08/24 19:00:10.0639518 5864  6296  Agent           Online = No; Interactive = No; AllowCachedResults = No; Ignore download priority = No

    Agent           Failed to verify authenticity of service 117cab2d-82b1-4b5a-a08c-4d62dbee7782, hr=0
    2017/08/24 19:00:18.6998746 5864  7752  Agent           * START * Queueing Finding updates [CallerId = Update;taskhostw  Id = 10]
    2017/08/24 19:00:18.6998824 5864  7752  Agent           Service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 is not in sequential scan list
    2017/08/24 19:00:18.6999603 5864  6000  Agent           Service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 is not in sequential scan list

    EEHandler       DeterminePatchSequence succeeded but status indicated an error 0x00000000

    Misc            *FAILED* Send request, hr=0x80072EE7
    2017/08/28 06:35:42.9234467 2852  5096  Misc            *FAILED* WinHttp: SendRequestToServerForFileInformation (retrying with default proxy), hr=0x8024402C
    2017/08/28 06:35:42.9289949 2852  5096  Misc            *FAILED* Send request, hr=0x80072EE7
    2017/08/28 06:35:42.9290212 2852  5096  Misc            Library download error. Error 0x8024402c. Will retry. Retry Counter:0
    2017/08/28 06:35:42.9371728 2852  5096  Misc            *FAILED* Send request, hr=0x80072EE7
    2017/08/28 06:35:42.9371944 2852  5096  Misc            *FAILED* WinHttp: SendRequestToServerForFileInformation (retrying with default proxy), hr=0x8024402C
    2017/08/28 06:35:42.9422039 2852  5096  Misc            *FAILED* Send request, hr=0x80072EE7
    2017/08/28 06:35:42.9422290 2852  5096  Misc            Library download error. Error 0x8024402c. Will retry. Retry Counter:1
    2017/08/28 06:35:42.9502971 2852  5096  Misc            *FAILED* Send request, hr=0x80072EE7
    2017/08/28 06:35:42.9503244 2852  5096  Misc            *FAILED* WinHttp: SendRequestToServerForFileInformation (retrying with default proxy), hr=0x8024402C

     Beginning install of parallel work item
    2017/08/30 07:40:17.4923414 10996 2676  Agent           *  START  *  Installing updates CallerId = Update;taskhostw
    2017/08/30 07:40:17.4923439 10996 2676  Agent           Updates to install = 1
    2017/08/30 07:40:17.4926878 8416  11952 ComApi          *QUEUED* Updates to install = 1
    2017/08/30 07:40:17.4926903 8416  11952 ComApi          Install ClientId = Update;taskhostw
    2017/08/30 07:40:17.4927063 10996 2676  Agent             Title = OneNote
    2017/08/30 07:40:17.4927112 10996 2676  Agent             UpdateId = 22DAEA8E-EF38-4CE1-998D-0F6A5C80E59E.1
    2017/08/30 07:40:17.4927126 10996 2676  Agent               Bundles 5 updates:
    2017/08/30 07:40:17.4927165 10996 2676  Agent                 99044B7E-7908-4EAD-87AF-86C850BC1FF8.1
    2017/08/30 07:40:17.4927204 10996 2676  Agent                 A57AECB7-FCFF-4893-8110-968A496442EC.1
    2017/08/30 07:40:17.4927240 10996 2676  Agent                 5A4D8851-4BAF-4EB2-928B-92012AE5ADED.1
    2017/08/30 07:40:17.4927279 10996 2676  Agent                 520BF4FB-B55B-4E20-86B0-410A82F97929.1
    2017/08/30 07:40:17.4927318 10996 2676  Agent                 E70426A6-FED3-403F-A940-BD903A7C8E65.1
    2017/08/30 07:40:17.6324564 10996 2676  Agent           Fail to get custom reporting data for install started event.
    2017/08/30 07:40:17.6523135 10996 2676  DownloadManager Preparing update for install, updateId = A57AECB7-FCFF-4893-8110-968A496442EC.1.

    *********************

    I am currently researching the errors listed above for some solution. However;

    Even though I have tried everything I can think of (and everything everyone has said on forums, google searches) I still welcome and extend thanks for all suggestions.

    FD


    Bob Andres

    Wednesday, August 30, 2017 2:49 PM
  • First, Run the following script on clients that do not report in correctly:

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow
    Then have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Proposed as answer by AJTek.caMVP Wednesday, September 13, 2017 2:08 PM
    Saturday, September 2, 2017 1:56 AM
  • Finally! my WSUS 2016 Server is now working and all clients have been updated. I have tried a zillion things but here a few that I thought made a difference.

    -forget about build 1607.  I just has too many bugs which build 1703 fixes.

    -upgrade to a WSUS 2016 server.  It seems to run smoother. 

    -Make sure to install KB 4039396 (as mentioned by Krzysztof) into the new WSUS 2016 server.  "Update History" as well as "CPU, Memory, and network utilization when Windows Update clients perform their first scan" are solved by this update. It also fixed the issue of Windows Server 2016 machines refusing to report.

    -For the two computers that refused to upgrade, I ran Adam's script "on clients that would not report" and that fixed that issue.

    So a big thanks to Krzysztof and Adam for helping me fix these problems!!!

    FD


    Bob Andres

    Wednesday, September 13, 2017 2:03 PM
  • Glad it's all working for you now. Keep it working by using my WSUS cleanup maintenance script :)

    Don't forget, just because your WSUS is new doesn't mean it's optimized!


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, September 13, 2017 2:10 PM