PC directly connect to Internet to update not via WSUS after upgrading to 1709


  • Hi All,

    Once the PC was upgraded from 1511 to 1709, it seems that GPO didn't work very well.

    There is a "Allow connecting to Windows Update locations" which was conflict with the other one "Do not connect to any windows update  internet  locations".    The "allow connecting to windows update lcoations"  is not in our group policy.  Wonder where it is coming from?  Is there anyone who can explain it? Thanks!

    • Editado Jason Ding viernes, 6 de julio de 2018 3:34
    viernes, 6 de julio de 2018 3:30

Todas las respuestas

  • Hello Jason Ding,


    Glad to help.


    Before we moved on, it would be very helpful if you could check GPO setting on the DC, to make sure there is not any other GPO which could cause this issue linked to the client.


    And what's more, what we need to invest is when and how these unexpected GPO were applied on your clients.


    You should check Group Policy Event log by following steps:


    1. To start Event Viewer
      1. Click Start.
      2. Click Control Panel.
      3. Click System and Maintenance.
      4. Click Administrative Tools.
      5. Double-click Event Viewer.


    1. To view the Group Policy operational log
      1. Start the Event Viewer.
      2. Click the arrow next to Applications and Services Logs.
      3. Click the arrow next to Microsoft, and then Windows, and then Group Policy.
      4. Click Operational.


    Refer to this:


    Troubleshooting Group Policy Using Event Logs


    Hope this answer could helps you.


    Best Regards,

    Ray Jia

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact

    viernes, 6 de julio de 2018 8:59
  • On the affected computer in an Administrative Command Prompt window type:

    gpresult /h gpo.html

    Open up the gpo.html file and find the locations of those settings. It will tell you which policy 'won' on the extreme right.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    domingo, 8 de julio de 2018 5:43
  • Hi Ray,

    I checked the GPO, seems every Policy has been successfully applied to client.  The client now is able to talk with server and gets the patch from WSUS. Perhaps I changed one configuration in policy as following picture(see pic 1)

    But I still have no idea where  "allow connecting to windows update locations" came from.

    Also I noticed that the version showing in the WSUS  is much lower than the client one.  In the client it's 16299.492, but from WSUS, it's always 16299.413.  It's inconsistent.  Don't know why it could not be updated to the latest version.  See pic 2.

    lunes, 9 de julio de 2018 7:20
  • Hello Jason Ding,


    For the difference of Build number, it does not need to worry.


    In the WSUS console, the build number is wua's version of client, not OS version. The WUA version is not always consistent with OS version.


    You could check the WUA version of client by following steps:


    1. Open the %systemroot%\system32 folder. %systemroot% is the folder in which Windows is installed. For example, the %systemroot% folder is C:\Windows.
    2. Right-click Wuaueng.dll, and then select Properties.
    3. Select the Details tab, and then locate the file version number.


    Hope my answer helps.


    Best Regards,

    Ray Jia

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact

    viernes, 13 de julio de 2018 5:22