WSUS not working properly on Windows 2012 Server

  • Question

  • I have WSUS installed on a Windows 2008 server. I have 5 2008 Servers and recently installed 2 Windows 2012 Servers. I also have Windows 7 and 8 workstations. I have a GPO which pushes the WSUS settings to all my machines. I have a separate one for the servers which doesn't install updates, but only downloads and notifies.

    For some reason only my Windows 2012 Servers seem to have a problem. I verified that the GPO was in fact pushed to the server registries. Whenever I reboot the server, on the login screen at the bottom right it shows that there are updates that need to be installed. However, if I go to the Windows Update section I get the message that these settings are set by my administrator and I cannot manually install. It says the last time updates were installed on this screen was April 27, 2015. Any ideas where I can check what is preventing the updates? If not, what is the best way to set Windows Update back to go directly to Microsoft and not through my WSUS internally, and I will update these 2 separately.


    Thanks,

    Monday, August 3, 2015 3:48 PM

All replies

  • In Windows8/WS2012, significant changes were made to Windows Update, and those changes "took away" several controls, and changed "the ways things always were".

    One of the impacts of this was on "download+notify", and this kind of "feature lockout".

    You may be able to tinker with settings to get what you need, but from memory, others tried and failed.

    This article indirectly refers to some changes, and an update for Win8/WS2012 which may help:
    http://blogs.technet.com/b/wsus/archive/2013/10/08/enabling-a-more-predictable-windows-update-experience-for-windows-8-and-windows-server-2012-kb-2885694.aspx

    If you actually have WS2012R2, the update is already installed, but you may need to apply the settings.

    If you want to revert back to standard windowsupdate.com behaviour, remove the relevant GPO settings for these servers (de-scope the GPLink, apply a deny-GPO, move the server objects, etc.), so that the registry settings for WUServer are no longer populated. You may then need to use wuauclt /resetauthorization /detectnow on the client machine.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Monday, August 3, 2015 9:37 PM
  • So is your issue that when using option #3 in WSUS GPOs/registry (download & notify), updates are not being installed automatically, nor can you trigger them manually?

    Can you trigger them using the restart and update option from the shutdown menu?

    Have you updated your group policy templates to the latest so you can see the additional 2012 R2 GPO options?

    http://www.microsoft.com/en-ca/download/details.aspx?id=43413

    Tuesday, August 4, 2015 1:26 PM
  • I use option 3 and it tells me when I log on, at the bottom right:

    Windows Update

    Important updates are available. Go to PC settings to install them.

    However, it won't let me install them. There is no option, and it says these settings are managed by your administrator. There is also no option on the shutdown to install.

    I have the updated GPO. I also have R2, so regarding the first response, the update should be included.

    Tuesday, August 4, 2015 1:56 PM
  • I've seen the yellow notification on the logon screen but never the lack of option to install updates through the control panel unless it's with a non-admin account. Are you able to post a screenshot of the missing install updates section from control panel?

    If you run rsop.msc, are you seeing any other conflicts with the windows update GPO?

    Tuesday, August 4, 2015 2:18 PM
  • I think the issue why it doesn't display with the shutdown option is because I have User Configuration of the GPO enabled for the following:

    Do not display 'Install Updates and Shutdown' option
    Remove access to use all Windows Update features

    The reason I did this was because this 2012 is a Remote Desktop Application server with Published Desktop and I didn't want the users to have this option available.

    Tuesday, August 4, 2015 2:28 PM
  • Are you able to set up security filters for user GPOs so they don't impact you as an administrator and only apply to the RDS users?

    Another option to get around this is to apply your updates using the local administrator account of the server (or any other local account with admin rights, in order to bypass GPOs).

    Tuesday, August 4, 2015 4:05 PM
  • I prefer not to have to use a local admin account. I currently use Authenticated Users. Even if I were to change this to an internal group, all my groups which include all my users also include my admin. I am not sure that I would want to create a group with all my users excluding the admin. Is there a way (I couldn't see it) to use a Deny so that I can have Authenticated Users access but add the Admin account with Deny?
    Tuesday, August 4, 2015 4:20 PM
  • Yeah, the best way to do it is by going to the Delegation tab of that GPO in GPMC, Advanced, Advanced again, and here figure out if you want to add your admin account to the list and tick Deny for Apply group policy (usually all the way at the bottom). Or, what I usually do is edit the existing entry for Domain Admins and just tick Deny for Apply group policy.

    At the end of the day, though, best practices would call for separating your users and admins into different groups for reasons like this; it just keeps things from overlapping from a security perspective.

    Tuesday, August 4, 2015 5:43 PM
  • So I went with the best practice and removed the admin from the user group. For this policy I only added the users. I logged onto the server as admin and ran rsop to verify, and in fact this user setting for WSUS is no longer there. However, it still won't let me update, so there must be another setting from the GP or set on the server that is blocking. The reason I say this is because I also had one other 2012 server which was NOT a remote desktop server, but also was being blocked. So I removed that server from the OU of the other ones but still applied the WSUS policy, and I can now install updates on this one. Any thoughts on where I can look for what's preventing it?
    Tuesday, August 4, 2015 5:52 PM
  • So when you check rsop, do you see anything under the computer configuration for windows update which might be preventing or conflicting with installing updates?

    You may have also configured WSUS using just registry keys, which may need to be altered. Look under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    Tuesday, August 4, 2015 6:34 PM
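One way to read those policy keys in bulk on the affected server, as an added example that is not from this thread or from Microsoft: it dumps the standard WSUS client values under the machine policy key named above (plus its AU subkey) and the per-user lockout values that the two User Configuration settings mentioned earlier write, then flags any lockout it finds. The registry paths and value names are the documented Windows Update policy locations; the AUOptions meanings are the documented client options.

```powershell
# Added diagnostic, not from the thread: show the WSUS policy values rsop.msc would
# reflect and flag the user-side lockouts that hide the install options.
$machineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey      = Join-Path $machineKey 'AU'
$userKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so "not set" is visible in the report.
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

# Documented meanings of the AUOptions value (option "3" is the one used in this thread).
$auOptionsText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

$report = [ordered]@{
    WUServer                          = Get-PolicyValue $machineKey 'WUServer'
    WUStatusServer                    = Get-PolicyValue $machineKey 'WUStatusServer'
    UseWUServer                       = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate                      = Get-PolicyValue $auKey 'NoAutoUpdate'
    AUOptions                         = Get-PolicyValue $auKey 'AUOptions'
    # Machine-side "Remove access to use all Windows Update features"
    'Machine DisableWindowsUpdateAccess' = Get-PolicyValue $machineKey 'DisableWindowsUpdateAccess'
    # User-side lockouts (what the User Configuration settings in this thread write)
    'User DisableWindowsUpdateAccess'    = Get-PolicyValue $userKey 'DisableWindowsUpdateAccess'
    'User NoAUShutdownOption'            = Get-PolicyValue $userKey 'NoAUShutdownOption'
}

$report.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }

if ($null -ne $report.AUOptions -and $auOptionsText.ContainsKey([int]$report.AUOptions)) {
    "AUOptions $($report.AUOptions) = $($auOptionsText[[int]$report.AUOptions])"
}
if ($report.'Machine DisableWindowsUpdateAccess' -eq 1 -or $report.'User DisableWindowsUpdateAccess' -eq 1) {
    'WARNING: Windows Update access is disabled by policy; the UI will report it is managed by the administrator.'
}
if ($report.'User NoAUShutdownOption' -eq 1) {
    'WARNING: the "Install Updates and Shut Down" option is hidden for this user.'
}
```

Run it in an elevated session as the account that cannot install updates, since the HKCU values belong to that user's logon (and, with loopback merge, to whatever user policy is applied there).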
  • Nothing that I can see. See attached screenshot from Gpresult. As far as the registry, the records there are identical to the GPO, which is what they should be.
    Tuesday, August 4, 2015 6:48 PM
  • Yeah, looks fine; just wondering if other lockdown policies from Citrix are causing your account not to appear as an administrator.

    Tuesday, August 4, 2015 6:56 PM
  • Any chance you already have a local policy restricting this?

    Check here...

    c:\windows\system32\GroupPolicy\Machine

    Supporting forum post:

    http://superuser.com/questions/290035/failed-to-open-the-group-policy-object-windows-7-administrator

    Rename the file and reboot.


    • Edited by march111 Tuesday, August 4, 2015 7:39 PM
    Tuesday, August 4, 2015 7:38 PM
  • I don't think this would apply in my case. Even after I show hidden files and system files, the folder is empty.
    Tuesday, August 4, 2015 7:50 PM
  • ...However, it still won't let me update, so there must be another setting from the GP or set on the server that is blocking. The reason I say this is because I also had one other 2012 server which was NOT a remote desktop server, but also was being blocked. So I removed that server from the OU of the other ones but still applied the WSUS policy and I can now install updates on this one. Any thoughts of where I can look for what's preventing it.
    Do you have Loopback processing enabled for this RDS-SH?
    If so, there may be a user setting, causing the UI to be locked out, being applied due to loopback?
    (check the rest of the gpresult output, like in the user section)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Tuesday, August 4, 2015 9:08 PM
  • I do have Loopback enabled with Merge and I can't see any user settings that would conflict with the WSUS settings.
    Thursday, August 6, 2015 8:43 PM