Multiple Issues with WSUS - Clients trying to install declined updates over a year old

  • Question

  • Hi,

    I am having serious issues with WSUS.

    I have multiple servers trying to install updates that are declined and from over a year ago. They do not successfully install, but in the Windows Update settings on each client I can see multiple attempts to install old updates which are DECLINED on the WSUS console.

    The update fails, but why is this happening? It is filling up the Windows Update screen with 'Failed to Install On XXXX'. It is also trying to install these OLD updates at the wrong date/time; it is not at the scheduled time I have set via GPO.

    The old updates do seem to be ones that were missed in previous months, but this shouldn't occur when the updates are set to decline, and this never happened when the clients were installing from MS.

    Approved updates are installing at the correct time.

    Has anyone seen this before?

    Tuesday, April 21, 2020 8:00 AM

All replies

  • Hi,

    According to the situation you mentioned, my first suggestion is to confirm the source of the updates by running the following commands in PowerShell on the client:

    $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
    $MUSM.Services | select Name, IsDefaultAUService

        
    If Windows Server Update Service is not the only True project in the results, then this may be the cause of the problem.
    Reply back with the problem and I would be happy to help.

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 21, 2020 9:44 AM
  • Hi

    Thanks for the response.

    WSUS is the only value set to True.

    This issue has only occurred since implementing WSUS; the dates it tried to install old updates are also NOT when my schedule is set.

    Thanks

    Tuesday, April 21, 2020 10:38 AM
  • Hi,
       

    Thank you for your reply.
    In theory, such a situation should not happen. If I encountered such a problem, I might also check:

    1. In the WSUS console > Update view > All updates, filter "Approved + Any", check all the approved updates in the search results, and check whether they include those with a long history.
       You can also consider filtering "Any Except Declined + Any", adding the "Supersedence" column to the result, and sorting by this attribute. Consider declining the following types directly:

       Blue square in the middle: this update has been superseded by another update and has superseded another update as well.
       Blue square in the lower right corner: this update has been superseded by another update.

    2. In the WSUS console > Settings > Automatic approvals, check whether there are any automatic rules that may cause these updates to be approved.


    Hope the above can help you.
       

    Regards,
    Yic


    Wednesday, April 22, 2020 1:58 AM
  • Hi,

    They were all declined. I declined every single update when I set up WSUS because the servers were updating from MS. This month was the first month the clients used WSUS, and only this month's updates have ever been approved on this WSUS server.

    What I did notice was that the old updates it attempted to install appear to be ones missed in previous months, but regardless, these were all 100% declined way before the clients tried to install them, probably a month before, and WSUS Clean up runs every week so they should be removed from the catalog.

    This may be some sort of bug in WSUS. Any other ideas?

    Thanks

    Thursday, April 23, 2020 11:58 AM
  • Hi,
       

    Here is an idea: we can confirm where these updates are obtained from. First we need to gather the following information:

    • Update ID, which can be found in the WSUS console.
      Or find it in the URL in the Microsoft Update Catalog.

    • WindowsUpdate.log of the client with installation problems

    With the above information, we can find similar information in WindowsUpdate.log:
        

         

    The above example shows that the update KB4540725 comes from the service {3DA21691-E39D-4da6-8A4B-B43877BCB1B7}, and each service ID indicates the source of the update:

    • {3da21691-e39d-4da6-8a4b-b43877bcb1b7} stands for WSUS or SCCM.
    • {9482f4b4-e343-43b6-b170-9a65bc822c77} stands for Windows Update.
    • {7971f918-a847-4430-9279-4a52d1efe18d} stands for Microsoft Update.
    • {117cab2d-82b1-4b5a-a08c-4d62dbee7782} stands for Windows Store.

    Identifying the source of outdated updates will help your problem analysis.
    Hope the above can help you.
        

    Regards,
    Yic


    Friday, April 24, 2020 2:53 AM
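
Added example, not part of the original thread or any poster's code: the service-ID check described in the reply above can also be made from the client's own update history, assuming the Windows Update Agent COM API (Microsoft.Update.Session) is available on the client. The function names Resolve-UpdateSource and Get-UpdateHistoryBySource are hypothetical; the service-ID table is the one listed in that reply.

```powershell
# Added example: service IDs and meanings exactly as listed in the reply above.
$ServiceNames = @{
    '3da21691-e39d-4da6-8a4b-b43877bcb1b7' = 'WSUS or SCCM'
    '9482f4b4-e343-43b6-b170-9a65bc822c77' = 'Windows Update'
    '7971f918-a847-4430-9279-4a52d1efe18d' = 'Microsoft Update'
    '117cab2d-82b1-4b5a-a08c-4d62dbee7782' = 'Windows Store'
}
# OperationResultCode values from the Windows Update Agent API (index = code).
$ResultNames = 'NotStarted', 'InProgress', 'Succeeded', 'SucceededWithErrors', 'Failed', 'Aborted'

function Resolve-UpdateSource {
    # Hypothetical helper: normalise a GUID (braces, case) and look it up.
    param([string]$ServiceId)
    $key = ($ServiceId -replace '[{}\s]', '').ToLowerInvariant()
    if (-not $key) { return 'Not recorded' }
    if ($ServiceNames.ContainsKey($key)) { return $ServiceNames[$key] }
    return "Unknown ($key)"
}

function Get-UpdateHistoryBySource {
    # Hypothetical helper: read the client's own update history via COM.
    param([int]$MaxEntries = 200)
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -le 0) { return }
    $entries = $searcher.QueryHistory(0, [Math]::Min($total, $MaxEntries))
    foreach ($e in $entries) {
        if ($e.Operation -ne 1) { continue }   # 1 = installation, 2 = uninstallation
        [pscustomobject]@{
            DateUtc   = $e.Date
            Result    = $ResultNames[[int]$e.ResultCode]
            HResult   = '0x{0:X8}' -f $e.HResult
            Source    = Resolve-UpdateSource $e.ServiceID
            ClientApp = $e.ClientApplicationID
            Title     = $e.Title
        }
    }
}

# Failed installs, oldest first, with the service each one was offered by.
Get-UpdateHistoryBySource |
    Where-Object Result -eq 'Failed' |
    Sort-Object DateUtc |
    Format-Table DateUtc, Source, ClientApp, HResult, Title -AutoSize
```

A Source other than 'WSUS or SCCM' on the old updates means the client obtained them from a different service, and ClientApp shows which caller started the install.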
  • Hi,
     

    Any update is welcome here.
    If the issue is resolved, share your solution or use "Mark as Answer" on the helpful response to help other community members find the answer.


    Thank you for your cooperation, as always.
     

    Regards,
    Yic


    Friday, May 1, 2020 2:23 AM