Install updates is greyed out on all Windows 2016 server systems.

  • General discussion

  • I have 2 WSUS servers joined to a single domain and each is dedicated to a single site. WSUS server "A" located at site "A" is using GPO policy "A" and administrators are able to check for updates and install any pending updates. However, WSUS server "B" located at site "B" is using GPO policy "B", which is the same as GPO policy "A", but pointing to itself for patching, and everything is greyed out and displaying "Some settings are managed by your organization".

    GPO modification in any way does not clear the "some settings are managed by your organization" and does not give administrators the ability to install pending updates. Systems are checking into WSUS server and receiving updates.

    Monday, January 15, 2018 8:41 PM

All replies

  • Is server A the upstream and server B the downstream replica?

    From a computer that shows both ways, please run gpresult /h gpo.html and pastebin both systems' results for us to look at. It's very possible there's a configuration missing in 1 that is applied at the SITE level (or other level) between the 2 systems.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Tuesday, January 16, 2018 3:51 AM
  • Do you have the "Remove access to use all Windows Update features" GPO configured?

    I had deactivated this setting and this was causing the greyed out installation button. Changing the setting back to 'not configured' didn't solve the issue. I had to completely remove the Update GPO from the client and run the Windows Update troubleshooter to reset the update components. After that I reapplied the GPO with the "Remove access to use all Windows Update features" set to 'not configured'. Since then I got my buttons back :)


    Tuesday, January 16, 2018 4:15 PM
  • Hi Adam, I had it configured that way prior to troubleshooting, but have since removed site "B" as a replica of upstream server at site "A".
    Tuesday, January 16, 2018 10:01 PM
  • Where would I find the setting? I don't see it under Windows Update available settings.
    Tuesday, January 16, 2018 10:09 PM
  • Anyone have any suggestions? Issue is ongoing.

    • Edited by Ricks_IT Thursday, January 18, 2018 10:45 PM
    Thursday, January 18, 2018 10:45 PM
  • That is simply MAD. It also applies to Windows 10 LTSB 2016

    I had applied "Remove access to use all Windows Update features" but as

    DISABLED

    And that buggered the lot!

    thaBo77's suggestion above is correct

    Unlink GPO that does WU

    On local machine run gpupdate /force so the following is deleted

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    Restart WU service

    Run Windows Update Troubleshooter

    allow it to apply FIX(es) (what do they do?)

    Now we have the button back!

    But there must be an easier way!

    Also this is OK for a single machine, but not 100's of them!

    Seb

    • Edited by scerazy Friday, January 19, 2018 9:51 AM
    Friday, January 19, 2018 9:06 AM
  • Thanks for the reply Scerazy. The update setting, "Remove access to use all Windows Update features" seems to be a Windows 2016 available setting. The domain functional level I'm running in is 2008 R2 and the setting isn't available. I have (2) GPOs, one for site "A" and one for site "B". Both have identical settings except for WSUS target servers.


    • Edited by Ricks_IT Friday, January 19, 2018 6:16 PM
    Friday, January 19, 2018 6:15 PM
  • Settings that show in GPO are down to what .admx templates are used

    Update them first, you should be using new templates if you have new OS, no matter at what level as this is irrelevant! (at least that's what I would do)


    • Edited by scerazy Saturday, January 20, 2018 10:04 AM
    Saturday, January 20, 2018 10:03 AM
  • You could use this script to do all 100 machines remotely...

    Take a look at

    https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc

    Monday, January 22, 2018 7:46 AM
  • I'll check out the new ADMX templates available and go from there. But, one thing I want to point out is that the setting is set to default, because I'm not able to configure the setting.
    Monday, January 22, 2018 7:52 PM
  • I unlinked WSUS GPO for a day, made sure all machines got unconfigured

    Linked the changed GPO back ("Remove access to use all Windows Update features" Unconfigured)

    All seems to be back to normal

    Seb

    Monday, January 29, 2018 11:08 AM
  • Unfortunately, this trick didn't work for me.

    I unlinked the GPO for a day and a half, confirmed it was no longer being applied.

    When I re-linked it the Install button is greyed out again.

    Thursday, February 1, 2018 2:52 PM
  • I'm still in the process of implementing the ADMX templates. Should I be concerned about any downtime while applying the ADMX templates?
    Thursday, February 1, 2018 4:20 PM
  • I'm still in the process of implementing the ADMX templates. Should I be concerned about any downtime while applying the ADMX templates?

    Copying and overwriting the ADMX files and ADML files don't do anything with regards to group policy except give the interface the ability of a UI.

    There is no downtime.

    Administrative Templates (.admx)
    -----------------
    You will want to get the latest Administrative Templates (.admx) for Windows 10 which, at the time of this writing, is located at:

    https://www.microsoft.com/en-us/download/details.aspx?id=56121

    Install these Administrative Templates in your Central PolicyDefinitions folder on your Domain Controller. The best way to update them is to take a copy of the PolicyDefinitions folder and stick it in a temp folder for a backup of what is currently working. Then take the ADMX files and the language folder you're using and copy/paste them into the PolicyDefinitions folder, overwriting files as required. Don't worry, these Administrative Templates are inclusive of all the prior versions of Windows but now with updated descriptions and applies to fields that are actually very good and very accurate.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, February 1, 2018 4:28 PM
  • Perfect! I'll give this a shot and report back early next week. Have to submit a CR for implementation.

    Thursday, February 1, 2018 8:28 PM
  • CR was approved and changes will be made this weekend. I'll follow up after I make the change.
    Thursday, February 8, 2018 4:05 PM
  • Adam, I downloaded the files from the link you provided and the files contained are ADML files. I reviewed this article and found another process for populating the PolicyDefinitions folder using existing 2016 server ADMX files. This is the same process, correct?

    https://msdn.microsoft.com/en-us/library/bb530196.aspx

    Thursday, February 8, 2018 4:29 PM
  • Found the ADMX files. I was in the language folder. My mistake.
    Thursday, February 8, 2018 4:31 PM
  • ADMX files have been imported and new settings are configurable. I disabled and un-linked the WSUS GPOs for 24 hours and re-enabled and re-linked and I'm able to check for updates, but get the error on 2016 servers, "There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x8024500c)". I tried rebooting, but the issue still exists.

    Any ideas?

    Wednesday, February 14, 2018 11:24 PM
  • Run from an Administrative Command Prompt on an affected server:

    gpresult /h gpo.html

    rename it to TXT and attach it here, or pastebin it.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, February 15, 2018 3:43 AM
  • I emailed you the doc.
    Thursday, February 15, 2018 7:37 PM
  • Responded to the email

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, February 21, 2018 6:29 PM
  • Issue has been resolved with Adam's assistance. His expertise in the matter has resolved my issue. Updating ADMX files and modifying the configs has fixed the issue. Thanks Adam!!
    Monday, February 26, 2018 7:12 PM
  • The issue was 3-fold

    1. Set the alternate download server
    2. Disable - Do not connect to any Windows Update Internet locations
    3. Remove - HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DisableOSUpgrade

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, February 28, 2018 2:01 AM
  • I have the same issue and I tried the solution and that did not work. I have all updated ADMX files as well. Clients check in and report and install after approved but on Windows 10 and server 2016 machines the option is grayed out to check for updates. 
    Tuesday, April 3, 2018 4:06 PM
  • It amazes me that no one has any suggestions on this.
    Monday, April 9, 2018 2:51 PM
  • On an affected client, run from an Admin command prompt

    gpresult /h gpo.html

    And attach the result here so that we can see it and run through it to find out what your specific issue is.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Monday, April 9, 2018 5:46 PM
  • I've been having the same problem. I pulled the gpresult, but can't see how to attach it here? Or do you want me to just paste the contents (which would be a rather large post)?

    Thanks

    Monday, April 9, 2018 7:42 PM
  • pastebin it (the contents) and then give the link here

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Monday, April 9, 2018 7:50 PM
  • Found it, not sure if you'll be able to figure this one out, it's been driving me crazy for a while.

    Link




    Monday, April 9, 2018 8:06 PM
  • http://pasted.co/a01c726e

    Please note, I had to redact identifying information to be permitted to post it; however, the redactions should be consistent (things like DOMAIN, FQDN, COMPANY, PROGRAM etc.).

    Monday, April 9, 2018 8:10 PM
  • Kind of interesting you have it set

    Configure Automatic Updates Disabled SERVER3-WSUS-Default 

    Why not setup #2 or #3 (this is POSSIBLY part of the reason why, but I'm not sure)


    Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box Enabled SERVER-WSUS-Default 

    Doesn't apply to anything past Win7/2008R2 so this does nothing and is extra that you can remove

    Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Disabled SERVER-WSUS-Default ..

    ...

    There's no reason to set:

    Remove access to use all Windows Update features Disabled SERVER-WSUS-Default 

    It's setup by default - you should set that to Not Configured

    You're missing:

    Set the alternate download server:  


    Also

    Turn on recommended updates via Automatic Updates Enabled SERVER3-WSUS-Default 

    Doesn't apply to server 2016 and should be set to not configured.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT


    • Edited by AJTek.caMVP Tuesday, April 10, 2018 12:59 AM
    Tuesday, April 10, 2018 12:58 AM
  • I've made the recommended changes, and will let you know if it makes any difference...
    Tuesday, April 10, 2018 1:33 PM
  • I wouldn't mind some help as well
    Tuesday, April 10, 2018 6:36 PM
  • I wouldn't mind some help as well
    Sorry, I didn't see your pastebin before it expired. Please re-add it and let me know. I'll have a look.

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, April 11, 2018 3:10 AM
  • Sure thing, here you go

    Link

    If you can figure this one out I'll owe you a drink, :)

    Wednesday, April 11, 2018 12:56 PM
  • Sure thing, here you go

    Link

    If you can figure this one out I'll owe you a drink, :)

    That wasn't run from an Administrative Command prompt window as it only contains user data. Please re-run it.

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, April 11, 2018 2:27 PM
  • Updated

    Link

    Thursday, April 12, 2018 1:52 PM
  • Set the alternate download server: is blank - you need to fix this - Set it to https://wsus.domain.com:8531

    I don't see the normal markers of issues;

    No auto-restart with logged on users for scheduled automatic updates installations IMO should be Disabled

    and

    Enable client-side targeting - I would recommend you enable - it's SO MUCH EASIER than manually sorting them.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, April 12, 2018 3:49 PM
  • Oh, and

    Allow non-administrators to receive update notifications

    Does not apply to anything past Windows 8.1/Server 2012R2


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, April 12, 2018 3:50 PM
  • I put in the wrong policy, that's the original one. This one is one I created from scratch and it's set up the way I want it. (Client Side targeting will be enabled later on). We do have Windows 7 machines and a couple XP ones believe it or not, so the allow non-administrators to receive update notifications is why I want that.

    Here is an update results file Link

    Thursday, April 12, 2018 4:27 PM
  • After making the listed changes and giving it overnight, these changes seem to have worked.

    Thank you for your assistance.

    Friday, April 13, 2018 3:05 PM
  • set Do not include drivers with Windows Updates to NOT CONFIGURED

    You're using WSUS to control what updates are 'visible' to the systems. If you don't make drivers visible, they can't install them :P


    I would also recommend Specify active hours range for auto-restarts (and set a time for active hours).

    I know that's not necessarily for Servers, but it's worth mentioning for clients.

    >>>>> This right here is more than likely the issue. This needs to be removed. This is causing Dual scan

    Setting State Winning GPO
    Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade 0 WSUS - Pilot Workstations2



    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Friday, April 13, 2018 5:09 PM
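
    Added example, not part of the thread and not a script posted by any participant: a PowerShell check of the policy key named above for the settings the replies single out (the "Remove access to use all Windows Update features" policy, DeferUpgrade, DisableOSUpgrade, a blank alternate download server). The function names are hypothetical, and the value names SetDisableUXWUAccess, UpdateServiceUrlAlternate, DoNotConnectToWindowsUpdateInternetLocations, WUServer and WUStatusServer are assumed to be the registry values behind those policies; the thread spells out only DeferUpgrade and DisableOSUpgrade.

```powershell
# Added example (not from the thread). Read-only: nothing is changed or deleted.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Read-WUPolicyValues {
    # Returns value name -> data for the policy key, or an empty table if the key is absent.
    $values = @{}
    $key = Get-Item -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Get-WUPolicyFindings {
    param([hashtable]$Values)   # value name -> data, e.g. from Read-WUPolicyValues
    $findings = @()

    # Assumed value name for "Remove access to use all Windows Update features".
    # Present at all means Enabled (1) or Disabled (0); the replies say Not Configured.
    if ($Values.ContainsKey('SetDisableUXWUAccess')) {
        $findings += "SetDisableUXWUAccess = $($Values['SetDisableUXWUAccess']): thread advice is Not Configured"
    }
    # Values the replies had removed (DeferUpgrade was tied to dual scan).
    foreach ($name in 'DeferUpgrade', 'DisableOSUpgrade') {
        if ($Values.ContainsKey($name)) {
            $findings += "$name = $($Values[$name]): thread advice is to remove this value"
        }
    }
    # All three WSUS locations should be filled in (assumed value names).
    foreach ($name in 'WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate') {
        if ([string]::IsNullOrWhiteSpace($Values[$name])) {
            $findings += "$name is blank or missing"
        }
    }
    # Reported for review only: the thread's participants disagree on the effect.
    if ($Values['DoNotConnectToWindowsUpdateInternetLocations'] -eq 1) {
        $findings += 'DoNotConnectToWindowsUpdateInternetLocations = 1: thread fix set this policy to Disabled'
    }
    return $findings
}

# Constructed sample resembling the state described in the replies.
$sample = @{
    WUServer             = 'https://wsus.domain.com:8531'
    WUStatusServer       = 'https://wsus.domain.com:8531'
    SetDisableUXWUAccess = 0
    DeferUpgrade         = 0
    DoNotConnectToWindowsUpdateInternetLocations = 1
}
'--- constructed sample ---'
Get-WUPolicyFindings -Values $sample

"--- $env:COMPUTERNAME (live policy key) ---"
Get-WUPolicyFindings -Values (Read-WUPolicyValues)
```

    For many machines, the same two functions can be placed in a script block and run with Invoke-Command -ComputerName; compare the output with the gpresult report to see which GPO wrote each value.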
  • After making the listed changes and giving it overnight, these changes seem to have worked.

    Thank you for your assistance.

    You're welcome. Glad you got it working :)

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Friday, April 13, 2018 5:09 PM
  • set Do not include drivers with Windows Updates to NOT CONFIGURED

    You're using WSUS to control what updates are 'visible' to the systems. If you don't make drivers visible, they can't install them :P


    I would also recommend Specify active hours range for auto-restarts (and set a time for active hours).

    I know that's not necessarily for Servers, but it's worth mentioning for clients.

    >>>>> This right here is more than likely the issue. This needs to be removed. This is causing Dual scan

    Setting State Winning GPO
    Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade 0 WSUS - Pilot Workstations2



    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    set Do not include drivers with Windows Updates to NOT CONFIGURED and that didn't work. I forced the GP update and restarted and still grayed out. 
    Saturday, April 14, 2018 3:56 AM
  • Do not connect to windows update internet locations

    Set that to 0


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Saturday, April 14, 2018 4:16 AM
  • If I set that then it goes out to Microsoft to get updates and not to the WSUS. The last time I set it to disabled it started downloading updates that I didn't approve.

    I gave it a shot and still grayed out.

    Saturday, April 14, 2018 4:46 AM
  • So after changing it this is my test client and what it looks like. The grayed out went away but now as you can see it's downloading updates I did not approve. 
    Saturday, April 14, 2018 5:03 AM
  • So after changing it this is my test client and what it looks like. The grayed out went away but now as you can see it's downloading updates I did not approve. 

    I would be seriously checking WSUS and what's approved there. You might be surprised as those are probably approved there. If the WSUS locations are set to your WSUS Server (all 3), and NOTHING else is setup, all updates will go through WSUS. As soon as you start making customizations as to try to limit access to Microsoft Update servers from clients, you usually run into dual scan issues. That DeferUpgrade key you posted is part of the problem. You're telling Windows to defer updates and when the deferred time is reached, go grab it from MS Servers.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Saturday, April 14, 2018 2:36 PM
  • I did change the defer upgrade from 0 to 1 and same thing. Yes, I checked and those were not approved updates. This is the only WSUS server as well. Even if they were approved, why is the "Install Now" grayed out? If those updates were indeed approved, the clients would already have had them installed as they were 100% patched. I've already started from scratch on the WSUS server a while back and that wasn't it. I checked the clients this morning and it looks like they even installed the updates but the restart now is grayed out. The scheduled install time is 3am every day. I am at a loss on this one, I don't know what it could be.
    Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade 0
    Saturday, April 14, 2018 3:56 PM
  • This can be archived, I am unable to find a solution on this so I'll have to go to the 2012R2 for my WSUS. 
    Thursday, April 19, 2018 5:32 PM
  • See if anyone can relate? After I built a new 2016 OS, I used the local Gpedit.msc to configure it manually to the WSUS in order to patch it fully before joining to the domain. The patching worked seamlessly.

    After patching completed I joined it to the Domain and an existing GPO re-enforced my Windows Update settings... obviously overwriting the local policy right? But now my Windows update button is greyed out, all the patches are listed in the panel but I am not able to install them.

    After breaking my back with all the article suggestions I went and set the Windows Update settings using the local Gpedit.msc back to not configured.

    One reboot later and the install button was visible as it should be.

    Thursday, July 11, 2019 10:13 AM
  • I know this is an old post, but just in case someone has this same issue (as I did), I found a work around.

    When you start setup, don't select the "recommended" option to "install updates" before proceeding.

    This allowed me to select the option to keep files and folders and saved me a ton of time. Thanks M$.

    Cheers

    Monday, November 4, 2019 9:37 PM