locked
WSUS - Feature Update 1709 Not Needed RRS feed

  • Question

  • I'm going to answer my own question here in case others run into this problem.  I had a good deal of my clients show the latest feature update 1709 as "not needed" after approving it via WSUS.  There have been issues in the past with this, including 1607 when people had to set "Windows components - Store - Turn off the offer to update to the latest version of Windows" to disabled.  I can confirm that I still have that GPO setting set to enabled because my root issue was with a registry setting in GPO from a previous build of Windows 10 (I believe from the 1511 ADM)

    The setting in question is 

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate with the value name of DeferUpgrade set to 0.  This is no longer a valid GPO setting so I used Remove-GPRegistryValue to remove the spurious registry setting and now my clients are getting the latest feature upgrade.

    So my command was the following (replacing "Test Policy" with the name of your policy)

    Remove-GPRegistryValue -Name "Test Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ValueName DeferUpgrade

    After performing that I did a gpupdate /force on the clients and re-ran windows update
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

    Hope this helps others



    • Edited by sallenk Wednesday, October 18, 2017 8:23 PM
    Wednesday, October 18, 2017 7:54 PM

Answers

  • See above for question and answer
    • Marked as answer by sallenk Wednesday, October 18, 2017 7:55 PM
    Wednesday, October 18, 2017 7:55 PM

All replies

  • See above for question and answer
    • Marked as answer by sallenk Wednesday, October 18, 2017 7:55 PM
    Wednesday, October 18, 2017 7:55 PM
  • I'm going to answer my own question here in case others run into this problem.  I had a good deal of my clients show the latest feature update 1709 as "not needed" after approving it via WSUS.  There have been issues in the past with this, including 1607 when people had to set "Windows components - Store - Turn off the offer to update to the latest version of Windows" to disabled.  I can confirm that I still have that GPO setting set to enabled because my root issue was with a registry setting in GPO from a previous build of Windows 10 (I believe from the 1511 ADM)

    The setting in question is 

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate with the value name of DeferUpgrade set to 0.  This is no longer a valid GPO setting so I used Remove-GPRegistryValue to remove the spurious registry setting and now my clients are getting the latest feature upgrade.

    So my command was the following (replacing "Test Policy" with the name of your policy)

    Remove-GPRegistryValue -Name "Test Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ValueName DeferUpgrade

    After performing that I did a gpupdate /force on the clients and re-ran windows update
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

    Hope this helps others



    I am having this same problem. I have "Defer Upgrade" set to 'not configured' which SHOULD allow workstations to install the update. I am seeing in WSUS reports that workstations are showing the version 1709 as 'not applicable' which is false since I can manually install it. Is this the scenario you are seeing? I do not have any registry settings for the 'defer upgrade' as you mentioned. Or, am I understanding this wrong?

    TRhoades5

    Monday, October 23, 2017 5:25 PM
  • Have you checked the registry of a computer showing as "not applicable" and confirmed the DeferUpgrade key is missing or are you just looking at the settings of the GPO?  I'd confirm that to make sure.

    If the key is indeed missing, then some other GPO setting might be preventing it.  My GPO looks like this now after deleting the defer upgrade part...


    Monday, October 23, 2017 5:36 PM
  • I looked in the HKLM\software\policies\Microsoft\windows\windowsupdate    and indeed it is not there.

    Here are my Windows Update settings


    TRhoades5

    Monday, October 23, 2017 6:00 PM
  • I'm not sure then.  That was the ticket for me, as all my clients now show it as needed.  Do all your Windows 10 clients show as not needed?  If so, are you certain that the update has finished downloading and was approved for the proper computer group?  Did you confirm you approved the correct feature update (proper language & version)?
    • Edited by sallenk Monday, October 23, 2017 6:14 PM
    Monday, October 23, 2017 6:13 PM
  • ahh!!! I see that I am not fully downloaded on updates! Dumb me! I am sure that is what the problem is even though it doesn't show exactly what it is downloading. This may be a dumb question but I have 2 windows 10 version 1709 that looks like the exact same thing approved. Do I really need both of them? this will make the download bigger thus taking up more space if I don't need to.

    TRhoades5

    Monday, October 23, 2017 6:42 PM
  • I noticed the same.  I just filter the update list by Unapproved and Failed or Needed, which just showed 1 of the 2 seemingly identical updates.  However, that won't help if you've already approved both
    Monday, October 23, 2017 6:49 PM
  • I wonder if one is for 32bit and the other 64bit. It doesn't specify, but I believe that would be the only difference.

    TRhoades5

    Monday, October 23, 2017 6:51 PM
  • One thing that will help with this space issue is getting rid of declined updates in the database. Do you know of a way to do this?

    TRhoades5

    Monday, October 23, 2017 8:29 PM
  • Run the server cleanup wizard
    Monday, October 23, 2017 8:31 PM
  • That doesn't actually get rid of the declined updates from the database does it? From my understanding it still doesn't get rid of those because I still see updates from 2008 in the declined updates list.

    TRhoades5

    Monday, October 23, 2017 8:32 PM
  • If the update has been declined first, then yes, it should reclaim the drive space.  I doesn't remove it from the list of updates, but the underlying files are removed.  That's my understanding and correlates from what I see after running the wizard
    Monday, October 23, 2017 8:39 PM
  • Are their guidelines as to how often one needs to go to approved updates, decline them, and then run the wizard?

    TRhoades5

    Monday, October 23, 2017 8:43 PM
  • I don't think anyone can give a firm answer to that.  It depends on the number of products you're supporting and how much free disk space you have.  If you are supporting a wide range of operating systems and software packages updated via WSUS then you probably should run in more frequently.  The longer you go, the longer it takes for the cleanup wizard to complete successfully.  With the new Windows 10 update cadence it could quickly get messy if you don't make an effort to get most people up on the same version because of the cumulative monthly updates which get bigger each month beyond feature releases.  I do it every few months
    Monday, October 23, 2017 8:50 PM
  • Ok, thanks. From the sounds of it, it seems, I need to really pay attention to the approved updates and decline them once they reach being superseded as those are no longer needed and will then need to be declined and cleaned out. Nothing needs to be done to the already declined updates as those are already cleared out from running the cleanup wizard but yet they simply show up within the WSUS Console. Is this correct or from your understanding?

    Sorry, I just want to make sure I am interpreting this correctly.


    TRhoades5

    Monday, October 23, 2017 9:01 PM
  • So, do you keep only top level updates? Do you decline any and all superseded updates?

    TRhoades5

    Monday, October 23, 2017 9:55 PM
  • Yes to all those questions
    Tuesday, October 24, 2017 3:22 PM
  • Ok, thanks! I will go in and periodically decline them. I always thought the cleanup wizard was doing that for me. It actually says that in the steps when running it.

    As far as the Windows 10 Version 1709, our endpoint protection isn't compatible with that version. Just found that out as well.


    TRhoades5

    Tuesday, October 24, 2017 3:47 PM
  • I am also having the issue where 1709 does not show as needed on my client's.

    This is a brand new Windows server 2016 with the WSUS Server role added.

    I approved 1709 (There were two us-en versions) - both were approved.

    My PC is showing 100% up-to-date and it has been over a week.

    Any help would be appreciated

    Wednesday, October 25, 2017 12:28 PM
  • Make sure it is fully downloaded. That was my problem. Although, our AV does not support the update at the moment, so we are unable to apply this update at this time.

    TRhoades5

    Wednesday, October 25, 2017 1:18 PM
  • Make sure it is fully downloaded. That was my problem. Although, our AV does not support the update at the moment, so we are unable to apply this update at this time.

    TRhoades5

    How can you tell if it has been completely downloaded?

    I aproved it a week ago, I would think by now it would be downloaded on the WSUS server.

    Thanks!

    Wednesday, October 25, 2017 7:18 PM
  • On the left hand side of the WSUS console click on the server name. This will bring up status of a lot of items. Within that page there is a download status. If it has completed the download then, it will show 'updates needing files' as 0. If there is something that needs to be downloaded it will state the contrary. It will not tell you exactly what it lacks, but that is a good indicator that its not fully downloaded. The main thing that would cause download problems, for me, is space. If there isn't enough space in the drive that houses the update content then it will not download. Also, check to make sure that your AV is compatible/supports the update. Mine, for instance, does not support this new update, so I will have to wait in order to install.

    TRhoades5

    Wednesday, October 25, 2017 7:24 PM
  • On the left hand side of the WSUS console click on the server name. This will bring up status of a lot of items. Within that page there is a download status. If it has completed the download then, it will show 'updates needing files' as 0. If there is something that needs to be downloaded it will state the contrary. It will not tell you exactly what it lacks, but that is a good indicator that its not fully downloaded. The main thing that would cause download problems, for me, is space. If there isn't enough space in the drive that houses the update content then it will not download. Also, check to make sure that your AV is compatible/supports the update. Mine, for instance, does not support this new update, so I will have to wait in order to install.

    TRhoades5

    I also do not have these update for business policies in place.

    One odd thing I noticed is that if I decline the 1709 update, and then re-approve it.. I see it download the ~10GB file. Then My computer shows as "2" updates with no status.

    Once I check for updates a few times, my machine then shows 100% up to date. The machine is on build 1703 win10.


    Thursday, October 26, 2017 1:07 PM
  • I believe the metadata for the download is still there if you don't do a server cleanup. I could be wrong on that so don't quote me on that.

    I had to decline as well since my AV is not compatible with that upgrade yet. Its being worked on now from our AV company. I wonder even after declining the update and cleaning the server if the update can be recovered.


    TRhoades5

    Thursday, October 26, 2017 1:44 PM
  • As I mentioned before our AV is not compatible with this update YET. So, I have declined them for the time being so that it doesn't keep trying to install it. After I perform more clean up of the server and that download gets cleaned out, am I able to go back to the declined update and re-approve it in order to be installed? When re-approving a declined update will the server re-download that update?

    TRhoades5

    Thursday, October 26, 2017 1:47 PM
  • As I mentioned before our AV is not compatible with this update YET. So, I have declined them for the time being so that it doesn't keep trying to install it. After I perform more clean up of the server and that download gets cleaned out, am I able to go back to the declined update and re-approve it in order to be installed? When re-approving a declined update will the server re-download that update?

    TRhoades5

    See our AV supports the new update.

    I also tested on another WSUS server (6.3.9600.18694) and that is having the same issue.

    Machines show as 100% up-to-date yet they will not download 1709 update.

    Thursday, October 26, 2017 2:06 PM
  • As I mentioned before our AV is not compatible with this update YET. So, I have declined them for the time being so that it doesn't keep trying to install it. After I perform more clean up of the server and that download gets cleaned out, am I able to go back to the declined update and re-approve it in order to be installed? When re-approving a declined update will the server re-download that update?


    TRhoades5

    See our AV supports the new update.

    I also tested on another WSUS server (6.3.9600.18694) and that is having the same issue.

    Machines show as 100% up-to-date yet they will not download 1709 update.


    I confirmed that our AV does not support it just yet. They are in the process of fixing that. As for the declined updates can declined updates be re-approved and installed?

    TRhoades5

    Thursday, October 26, 2017 2:09 PM
  • Found on SpiceWorks forum, sharing it here, this worked for me. 

    3dbrad

    I got it. The problem occurs when the registry key HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\BranchReadinessLevel is set to 0x20. It should be set to 0x10. The former setting represents Current Branch for Business, and this setting is intended for use with Windows Update for Business (and not WSUS,) so everything gets reported as "not applicable" in WSUS. This setting was available in a previous version of Win10, apparently, and I can only speculate why it wasn't a problem for so long until it was.

    Thanks again for the help. While investigating, I discovered a lot I was doing wrong with WSUS, and I'll now have a better setup because of this (otherwise infuriating) issue.

    • Proposed as answer by Elton_Ji Wednesday, November 29, 2017 9:00 AM
    Wednesday, November 1, 2017 9:35 PM
  • That doesn't actually get rid of the declined updates from the database does it? From my understanding it still doesn't get rid of those because I still see updates from 2008 in the declined updates list.

    TRhoades5

    Use AdamJ WSUS CLeanup Wizard SCript,

    https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

    Saturday, January 6, 2018 5:31 AM
  • This is a great fix. However, I am curious to know more where you found this solution, or the process you went through to determine that that key is not applicable. Thank you.
    Tuesday, January 23, 2018 1:56 PM