WSUS on Windows 2016 server not downloading updates for Windows 2016

  • Question

  • I have WSUS installed on a Windows 2016 server.  It has been up and running for at least a year and was working fine on a small domain consisting of Windows 2016 (the WSUS server)/2008R2 servers and Windows 10/7 workstations.  About a month ago we upgraded the domain, removing the 2008R2 servers and replacing them with another Windows 2016 server running Exchange and 3 Windows 2019 servers, 2 of which are DCs. We use group policies to manage the updates and have the same group policies applied to the Windows 2016 and 2019 servers.

    In checking the servers for updates (the first time since the upgrade), I'm finding that no Windows 2016 updates have been downloaded in WSUS.  However, the 2016 servers are checking in and reporting status to WSUS. They also show other approved updates ready to install, including Office updates and the SQL updates. But they do NOT show that they're being managed when looking on the server itself, i.e., no message stating "Some settings are managed by your organization," even though one of them is the WSUS server.  

    Never seen this one before...strange!

    Friday, May 3, 2019 3:03 PM

All replies

  • I know this is a silly first question, but as far as not downloading the updates, have you made sure on the WSUS that your products and classifications didn't get messed with, basically that they are set to download the updates you are looking for? I like to start with the simple stuff first.

    Thomas Faherty

    Friday, May 3, 2019 3:55 PM
  • Hello SOS_DLO

    Sometimes it happens because of Microsoft Update servers. I've experienced it many times and just waited for 2-3 days, and it was fixed automatically after the problems were solved on Microsoft's side.

    Mark it as answer if your question has been solved. MCT Regional Lead. x2 MCSE-MCSA Exchange Server & Windows Server

    Friday, May 3, 2019 4:01 PM
  • Hi,

    I think it starts with a group policy check.

    • If the situation you mentioned only appears on clients in these newly joined environments, use an elevated command prompt and execute "gpupdate /force" to force a synchronization of Group Policy.
    • If the situation occurs for all clients in your environment, this could be a problem with your Group Policy. Use an elevated command prompt to execute "gpresult /h C:\gpresult.html" to get the group policy report. Then check if the GPO for Windows Update is correct.

    Reply back with the results; I would be happy to help.

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 6, 2019 3:21 AM
  • Yes - I've double-checked all settings for products and classifications.  I've also double-checked the group policies, making sure that the servers in question are in the right OU and that the policy is applied to that OU.
    Monday, May 6, 2019 2:03 PM
  • Hi SOS_DLO,

    Please check on the client whether the following services are enabled:

    • For Windows 10 version 1511 and later: "Connected User Experiences and Telemetry"
    • For other OS: "Diagnostics Tracking Service"

    It is recommended to start these services and set the startup type to automatic. Then restart and check again whether the client has resumed being supervised.

    Regards,
    Yic


    Tuesday, May 7, 2019 5:40 AM
  • What version of Windows Server 2016 have you installed (winver command)?

    What Windows Server 2016 branch is enabled in WSUS?

    Tuesday, May 7, 2019 6:31 AM
  • The "Connected User....." service is started.  There is no service on Windows 2016 server called "Diagnostics Tracking Service."  There is a service called "Diagnostic Policy Service" and that is started.

    Regards,

    SOS_DLO


    Deb

    Thursday, May 9, 2019 3:45 PM
  • Windows 2016 is version 1607, 14393.2848.

    Not sure what you mean by a branch being enabled in WSUS.  The group policy setting for "Select when Preview Builds and Feature Updates are received" is enabled and set to Semi-Annual Channel. This is a standard setting we use although to my knowledge there are no such updates being issued by Microsoft for Windows Server 2016.


    SOS_DLO


    • Edited by SYNOFF Thursday, May 9, 2019 3:51 PM
    Thursday, May 9, 2019 3:50 PM
  • I should probably also add that we have the group policy "Do not connect to any Windows Update Internet locations" enabled.

    Again, this is all working fine with the Windows 2019 servers; it's only a problem on the 2016 servers.

    SOS_DLO


    Deb

    Thursday, May 9, 2019 3:55 PM
  • If you are using WSUS, why do you have such group policies? All updates should come through WSUS and you choose what to approve (unless you use automatic approval for everything). As you have mentioned, it shouldn't do anything, as you are using the LTSC version (1607) and not the Semi-Annual one.

    By branch I meant this:

    I didn't have much experience with WSUS and Windows Server 2016. At my last job we just installed a few VMs with that version in a provider's data center and I connected them to our WSUS by selecting this branch in the products window. After they were joined to our domain, they received a GPO with a link to our WSUS server and started reporting. I think it took a while until they actually downloaded something to install. But this was 7-8 months ago and I was already leaving that company, so I haven't saved any notes. I just remember that after selecting this branch it started pulling updates with build numbers (1709 and 1803) and updates without build numbers, and then I found out that 1607 is the LTSC version and for it you have to approve updates without build numbers, because the ones with build numbers are meant for Semi-Annual versions (same as with regular Windows 10).

    We would always manually check and approve updates in WSUS. And GPO only had two settings, manual updates and a link pointing to WSUS. Same for Windows 10. We were not using Windows Update for Business settings as we were doing all updates management in WSUS. Same goes for Windows 10 feature updates.

    You mentioned in your first message that no WS2016 updates were downloaded in WSUS. This is weird and probably the main problem.


    • Edited by wrootw Thursday, May 9, 2019 6:29 PM
    Thursday, May 9, 2019 6:28 PM
  • Of course Windows 2016 Server is selected in the Products and Classifications settings. I have used WSUS for many years and am completely familiar with its setup. I even stated that I had double-checked that in an earlier post. I just didn't understand your use of the word "branch" as that's not a term I've used to describe the process of selecting products for WSUS to update.

    The reason for including the "Do not connect to any Windows Update Internet locations" is that I found in several cases Windows 10 workstations and some versions of the server OS were connecting to the Internet IN ADDITION TO using the WSUS server and were downloading updates that I hadn't approved nor wanted to have installed at that point in time.  All of the group policy settings are standard to all of our client installations and are ones that we've developed over a number of years to allow us to control how and when our clients' user workstations and servers get updated and restarted.

    Thanks for your response,

    SOS_DLO


    Deb

    Thursday, May 9, 2019 6:50 PM
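
One way to carry out the Group Policy check suggested in the replies, as an added example that is not part of any post in this thread. It reads the registry values that Group Policy writes for the Windows Update settings named above (the WSUS link, "Do not connect to any Windows Update Internet locations", and the feature-update deferral setting); the registry value names are the standard Windows Update policy values and do not come from the thread. Run it in an elevated PowerShell session on a 2016 server and on a 2019 server and compare the output.

```powershell
# Added example (not from the thread): show the Windows Update policy values
# that Group Policy has written to this machine's registry.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$policy = [ordered]@{
    ComputerName            = $env:COMPUTERNAME
    OSBuild                 = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'CurrentBuild'
    WUServer                = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer          = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer             = Get-PolicyValue $auKey 'UseWUServer'
    AUOptions               = Get-PolicyValue $auKey 'AUOptions'
    DoNotConnectToWindowsUpdateInternetLocations =
        Get-PolicyValue $wuKey 'DoNotConnectToWindowsUpdateInternetLocations'
    DeferFeatureUpdates     = Get-PolicyValue $wuKey 'DeferFeatureUpdates'
    BranchReadinessLevel    = Get-PolicyValue $wuKey 'BranchReadinessLevel'
    DeferQualityUpdates     = Get-PolicyValue $wuKey 'DeferQualityUpdates'
}

# Flag the combinations discussed in the thread so they can be reviewed.
$findings = @()
if (-not $policy.WUServer -or $policy.UseWUServer -ne 1) {
    $findings += 'WSUS is not enforced: WUServer is empty or UseWUServer is not 1.'
}
if ($policy.WUServer -and $policy.WUStatusServer -and
    $policy.WUServer -ne $policy.WUStatusServer) {
    $findings += 'WUServer and WUStatusServer point to different hosts.'
}
if ($policy.WUServer -and
    ($policy.DeferFeatureUpdates -eq 1 -or $policy.DeferQualityUpdates -eq 1)) {
    $findings += 'Deferral policy is set together with WSUS (the combination questioned in the thread).'
}
if ($policy.DoNotConnectToWindowsUpdateInternetLocations -ne 1) {
    $findings += 'Client is not blocked from Windows Update Internet locations.'
}

[pscustomobject]$policy | Format-List
if ($findings) { $findings | ForEach-Object { "REVIEW: $_" } }
else { 'No policy combinations flagged.' }
```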