WSUS Clients are not getting updates

    Question

  • Hello all,

    So we have a new issue in our little group.

    The WSUS server is reporting that a W10 client needs some updates, but the client is not getting any, even after "forcing" the update with "Check for updates" (the client reports that it has all updates).

    The SoftwareDistribution and catroot2 folders were deleted; the Windows Update / BITS / Cryptsvc / MSIserver services were stopped and started again (all of them are configured "Start = auto"); and registry keys such as "AccountDomainSid, PingID, SuSClientId, SuSClientIDValidation" were also deleted.

    We already ran the WSUS clean script, but it did not help.

    We ran a new WSUS server on Windows Server 2016 with the same results (it was originally running on 2012 R2).

    Some clients are getting updates without any issues and reporting to WSUS correctly.

    We pushed the 04 cumulative update via 3rd-party software (KB from the Microsoft catalog) and the client was updated correctly, but it is still not getting updates from WSUS.

    The Windows Update troubleshooter won't help.

    In the event log of the impacted client the status is: WindowsUpdateFailure3

    Thanks for answering,

    Ondrej

    Tuesday, April 24, 2018 6:59

All replies

  • When you ran the WSUS Clean script - are you talking about WSUS Automated Maintenance or another? Did you run it with -FirstRun? Did you modify the config or keep the defaults?

    When you say W10 clients need updates - can you be more specific - specific KBs, what the current W10 version is (taken from Settings > System > About - include the complete OS Build number)?


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, April 25, 2018 4:13
  • Yes, I ran it with -FirstRun and kept the defaults.

    The problem clients are 1709 Win 10.

    They are not getting any updates; it seems like the first issue was around the 01 cumulative update (maybe after Fall Creators?). That's what is thrilling my mind: all clients were OK and all were updated the same way, and some are working / some are not.

    Wednesday, April 25, 2018 5:21
  • Hi,

    Did you refer to these links for troubleshooting?

    https://serverfault.com/questions/656562/wsus-clients-cant-find-updates

    https://community.spiceworks.com/topic/1795095-error-80072efe-when-searching-for-updates-for-windows-server



    Wednesday, April 25, 2018 7:17
  • Yes, I think I tried everything.

    I think the issue is with those clients, not the server or any settings... like, they got some kind of "bad" update and now their Windows Update files/services are stuck, and stopping / resetting etc. is not helping.

    At the moment I am trying to reinstall the Fall Creators Update while keeping apps and files so I do not have to do a clean install, but so far it seems to make no difference.

    Wednesday, April 25, 2018 11:13
  • Run the following on an affected client system in an Admin Command Prompt:

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow
    PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

    This should fix it.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, April 25, 2018 12:37
  • This won't help, I even made a similar script myself...

    net stop wuauserv
    net stop bits
    net stop cryptsvc
    net stop msiserver
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f
    RD /s /q %windir%\SoftwareDistribution
    ren C:\Windows\System32\catroot2 catroot2.old
    net start wuauserv
    net start bits
    net start msiserver
    net start cryptsvc
    SC config wuauserv start= auto
    SC config bits start= auto
    SC config cryptsvc start= auto
    SC config trustedinstaller start= auto
    wuauclt /resetauthorization /detectnow
    wuauclt /reportnow

    I am so desperate; I have been dealing with this issue for like two weeks now and this is a big pain in my a*s.

    • Edited by xDuff Thursday, April 26, 2018 8:10
    Thursday, April 26, 2018 7:58
  • Have you deleted the computer object from the WSUS Console and THEN run your script (which is similar to my client-side script)?

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, April 26, 2018 13:26
  • If you are using just the WSUS console to deploy updates, is that client a member of any group to which the needed updates were deployed?

    Cherif Benammar

    Thursday, April 26, 2018 15:38
  • If you are using just the WSUS console to deploy updates, is that client a member of any group to which the needed updates were deployed?

    Cherif Benammar

    WSUS is a repository for updates and associated files. It is not a true deployment tool. Windows clients check in with the WSUS server using the Windows Update client and ask if there are any updates that are applicable to them, and if there are, the Windows Update policy will take over.

    Now, in saying that, is the computer object a part of the WSUS group that is getting the updates approved - either directly or by way of inheritance?


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, April 26, 2018 15:49
  • Have you deleted the computer object from the WSUS Console and THEN run your script (which is similar to my client-side script)?

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Yes, I did, and I also tried that on multiple clients.
    Friday, April 27, 2018 7:30
  • If you are using just the WSUS console to deploy updates, is that client a member of any group to which the needed updates were deployed?

    Cherif Benammar

    No, they are not. All clients are in the same group (All computers > Unassigned computers).
    Friday, April 27, 2018 7:31
  • All needed updates are approved; the detail is Approval > Install | Status > Not Installed
    Friday, April 27, 2018 7:33
  • Thus, create a group to which you deploy the needed updates, add at least one machine, and look.

    Cherif Benammar

    Friday, April 27, 2018 8:00
  • Thus, create a group to which you deploy the needed updates, add at least one machine, and look.

    Cherif Benammar

    Done, but why do you think it should help? Is there any function of it I do not know?

    But still, thank you all guys for trying to help me.

    Friday, April 27, 2018 8:14
  • Hello guys,

    hope you had a great weekend :)

    So creating a test group in WSUS won't help and there are no changes so far, any other ideas?

    Thanks in advance,

    Ondrej

    Monday, April 30, 2018 5:15
  • Screenshot the report of the update for the approvals (so we can see where it is approved), and one for the pages that show the 'needed' status for the computers you're talking about (mention which computer if it's not obvious).

    Then screenshot the computer report in WSUS with regards to the computer reporting times and another for that KB (mention it so that it's obvious).

    Post them here so that we can see them and try to figure out what's going wrong with your systems.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Monday, May 7, 2018 4:22
  • We approved the 04 cumulative update like 2 weeks ago... maybe more.

    Here is the most problematic group, set with the same settings.

    Monday, May 7, 2018 5:29
  • From an Admin Command Prompt, run a gpresult /h gpo.html from NB034

    pastebin it and show us here.

    WSUS shows correctly; but it's the Windows Update Agent that does the heavy lifting.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Monday, May 7, 2018 14:11
  • Sorry for the late response, I had days off.

    GPO for NB203, nb034 is off for a week


    • Edited by xDuff Thursday, May 10, 2018 11:41
    Thursday, May 10, 2018 5:33
  • This was not run using "Run as administrator" for the CMD Prompt. It's missing all the computer details (the stuff that's required.)

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, May 10, 2018 20:03
  • When I run CMD as admin, gpresult reads the data as administrator, not user...

    So results:

    local admin: System do not have any RSoP data

    domain admin: System do not have any RSoP data

    User: As provided in link :/

    Friday, May 11, 2018 8:27
  • No, from any domain user account with local admin rights (like your domain admin user for example):

    Open CMD using the Right click method and "Run as Administrator" and click yes to the UAC Prompt to run it in elevated permissions.

    Run gpresult /h gpo.html

    Post this file.

    Without elevated permissions, it cannot get the Computer policies RSOP data.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Friday, May 11, 2018 14:36
  • The trick is you have to run the command prompt as admin of the machine but run the gpresult under a user context that has a local profile on the machine you are running from.

    e.g. you are a domain admin -> you have a user account without domain admin priv -> you auth cmd as local/domain admin -> you run the gpresult impersonating a user account on the local machine that is attached to the domain.

    Friday, May 11, 2018 14:46
  • Hello guys, I did it exactly as you are saying, but gpresult is still getting my account without RSoP data.

    Even when I am trying to specify the user ...

    C:\WINDOWS\system32>gpresult /r /u demjanovicova /s \\nb034
    WARNING: Ignoring the user credentials for the local system.
    INFO: The user "DEMOS\arudek" does not have RSoP data.

    C:\WINDOWS\system32>gpresult /r /u demjanovicova /s localhost
    WARNING: Ignoring the user credentials for the local system.
    INFO: The user "DEMOS\arudek" does not have RSoP data.

    C:\WINDOWS\system32>

    And why is GP taking a role here?

    • Edited by xDuff Tuesday, May 15, 2018 6:01
    Tuesday, May 15, 2018 5:27
  • Hello guys, I did it exactly as you are saying, but gpresult is still getting my account without RSoP data.

    Even when I am trying to specify the user ...

    C:\WINDOWS\system32>gpresult /r /u demjanovicova /s \\nb034
    WARNING: Ignoring the user credentials for the local system.
    INFO: The user "DEMOS\arudek" does not have RSoP data.

    C:\WINDOWS\system32>gpresult /r /u demjanovicova /s localhost
    WARNING: Ignoring the user credentials for the local system.
    INFO: The user "DEMOS\arudek" does not have RSoP data.

    C:\WINDOWS\system32>

    And why is GP taking a role here?

    Is it possible for you to just run it from the local machine directly, or use psexec to run cmd.exe and then run it?

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, May 16, 2018 1:58
  • In that case, just to be sure, I went to the user / notebook directly; PsExec wasn't used.

    But why are we focusing on GP? Or what are we looking for?


    • Edited by xDuff Wednesday, May 16, 2018 9:28
    Wednesday, May 16, 2018 9:28
  • WSUS is a website that holds data - it's a repository. It is NOT a deployment system. It does not deploy updates, it does not push updates. All it does is approve updates and manage reporting.

    Windows Update Agent on each individual system does ALL of the heavy lifting.... BUT... It doesn't do anything unless configured correctly by way of GPOs or Registry settings. If it is MISCONFIGURED then you have issues. Combinations of certain settings may cancel each other out, or act in such a manner that you are not expecting. This is why I need to see the RSOP data from a client machine that's having the issue.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, May 16, 2018 15:21
  • Hope this is the correct one?

    GPO for NB034

    (For others, run CMD as domain admin > gpresult /s *computername* /user *usernameOfUserWhoIsUsingThatComputer* /scope computer /h gpofinal.html - I had issues with RPC server and RSoP created for domain admin and etc... - this does it for me)


    Thursday, May 17, 2018 6:49
  • Here are a couple of snippets from my new blog (going to be posted June 1st)

    Administrative Templates (.admx)

    You will want to get the latest Administrative Templates (.admx) for Windows 10 which, at the time of this writing, is located at:

    https://www.microsoft.com/en-us/download/details.aspx?id=56880

    Install these Administrative Templates in your Central PolicyDefinitions folder on your Domain Controller. The best way to update them is to take a copy of the PolicyDefinitions folder and stick it in a temp folder for a backup of what is currently working. Then take the ADMX files and the language folder you're using and copy/paste them into the PolicyDefinitions folder, overwriting files as required. Don't worry, these Administrative Templates are inclusive of all the prior versions of Windows but now with updated descriptions and applies to fields that are actually very good and very accurate.

    If for some reason you don't have the Central Store, please set it up following the directions at https://support.microsoft.com/en-ca/help/3087759/

    Take note of all your client systems but plan for Windows 10.

    Whatever client systems you have you should make a mental note of, but plan your WSUS around Windows 10. Although according to Microsoft, it is the last version of Windows they will build, this simply is a marketing gimmick as they've just changed the name of "Windows" to "Windows 10". One thing that is very good that comes out of this is their switch to WaaS where you get free upgrades to the latest revision of Windows 10 for the life of your device. What does 'life of your device' mean? As it has always been, it really means your motherboard, so if you have a catastrophic failure and need to replace your motherboard, you'll have to buy a new license of Windows 10. Now, another way to look at the phrase 'life of your device' is the hardware capabilities that it has. For example, if you're using Windows 10 on a 32bit Generation 1 netbook with 1GB of RAM, you may have realized that there's an end of life due to minimum requirements going up to 2GB.

    In your policies:

    Computer Settings > Policies > Administrative Templates > Windows Components > Delivery Optimization > Download Mode > Set this to LAN

    Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

    Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

    Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > You're missing the 'Set the alternate download server:' - When you update your ADMX files, you will see this - then you should set it to 'http://wsus.demos.cz:8530'

    You'll want to set up Active Hours too.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Saturday, May 26, 2018 14:10
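
The Windows Update Agent settings discussed in the two posts above (intranet update service location, alternate download server, Delivery Optimization download mode) end up in the policy registry on the client, where they can be checked for the combinations that cancel each other out. The following PowerShell is an added example, not code from the thread or from the blog it quotes; the function names `Get-PolicyValues` and `Test-WuaPolicy` are hypothetical and the sample tables are constructed.

```powershell
# Added example, not code from the thread. Value names are the standard Windows
# Update policy registry values; the sample tables at the bottom are constructed.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

function Get-PolicyValues([string]$Path) {
    # Return the values under a policy key as a hashtable (empty if the key is absent).
    $h = @{}
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties the provider adds.
            if ($p.Name -notlike 'PS*') { $h[$p.Name] = $p.Value }
        }
    }
    return $h
}

function Test-WuaPolicy {
    param([hashtable]$WU, [hashtable]$AU, [hashtable]$DO)
    $findings = @()
    if (-not $WU['WUServer']) {
        $findings += 'WUServer is not set: no intranet update service is configured.'
    } else {
        if ($AU['UseWUServer'] -ne 1) {
            $findings += 'AU\UseWUServer is not 1: the configured WSUS URL is ignored.'
        }
        if ($WU['WUStatusServer'] -ne $WU['WUServer']) {
            $findings += 'WUStatusServer differs from WUServer: both must match to be valid.'
        }
        if (-not $WU['UpdateServiceUrlAlternate']) {
            $findings += 'UpdateServiceUrlAlternate (alternate download server) is not set.'
        }
    }
    if ($DO['DODownloadMode'] -ne 1) {
        $findings += 'DODownloadMode is not 1 (LAN).'
    }
    if ($findings.Count -eq 0) { $findings += 'No conflicting settings found.' }
    return $findings
}

# Constructed sample: WSUS URL from the thread, alternate download server missing.
$sampleWU = @{ WUServer = 'http://wsus.demos.cz:8530'; WUStatusServer = 'http://wsus.demos.cz:8530' }
$sampleAU = @{ UseWUServer = 1 }
$sampleDO = @{}
Test-WuaPolicy -WU $sampleWU -AU $sampleAU -DO $sampleDO

# On an affected client (elevated prompt), audit the live policy instead:
# Test-WuaPolicy -WU (Get-PolicyValues "$base\WindowsUpdate") `
#                -AU (Get-PolicyValues "$base\WindowsUpdate\AU") `
#                -DO (Get-PolicyValues "$base\DeliveryOptimization")
```

With the constructed sample the function reports the missing alternate download server and the unset Delivery Optimization mode, the same two gaps the post above points out.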
  • Thank you for the update.

    Do we have to update these policies?:

    Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

    Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10


    It is because we still have some W7 clients (like 20 of them).

    Monday, May 28, 2018 5:54
  • Thank you for the update.

    Do we have to update these policies?:

    Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Re-prompt for restart with scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10

    Computer Settings > Policies > Administrative Templates > Windows Components > Windows Update > Reschedule Automatic Updates scheduled installations > Set this to Not Configured - it doesn't apply to Win8/Win10


    It is because we still have some W7 clients (like 20 of them).

    No - I was just going off the name of the GPO being for Win8/Win10.

    I would break off the Win7 settings into another GPO and scope them to a group that contains only Windows 7 machines - this way only the Win7 machines get these policies and none of the others get them. They don't have any effect on Win10 machines though.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Monday, May 28, 2018 14:54