PC directly connect to Internet to update not via WSUS after upgrading to 1709


  • Hi All,

    Once the PC was upgraded from 1511 to 1709, it seems that GPO didn't work very well.

    There is a "Allow connecting to Windows Update locations" which was conflict with the other one "Do not connect to any windows update  internet  locations".    The "allow connecting to windows update lcoations"  is not in our group policy.  Wonder where it is coming from?  Is there anyone who can explain it? Thanks!

    • Modifié Jason Ding vendredi 6 juillet 2018 03:34
    vendredi 6 juillet 2018 03:30

Toutes les réponses

  • Hello Jason Ding,


    Glad to help.


    Before we moved on, it would be very helpful if you could check GPO setting on the DC, to make sure there is not any other GPO which could cause this issue linked to the client.


    And what's more, what we need to invest is when and how these unexpected GPO were applied on your clients.


    You should check Group Policy Event log by following steps:


    1. To start Event Viewer
      1. Click Start.
      2. Click Control Panel.
      3. Click System and Maintenance.
      4. Click Administrative Tools.
      5. Double-click Event Viewer.


    1. To view the Group Policy operational log
      1. Start the Event Viewer.
      2. Click the arrow next to Applications and Services Logs.
      3. Click the arrow next to Microsoft, and then Windows, and then Group Policy.
      4. Click Operational.


    Refer to this:


    Troubleshooting Group Policy Using Event Logs


    Hope this answer could helps you.


    Best Regards,

    Ray Jia

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact

    vendredi 6 juillet 2018 08:59
  • On the affected computer in an Administrative Command Prompt window type:

    gpresult /h gpo.html

    Open up the gpo.html file and find the locations of those settings. It will tell you which policy 'won' on the extreme right.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    dimanche 8 juillet 2018 05:43
  • Hi Ray,

    I checked the GPO, seems every Policy has been successfully applied to client.  The client now is able to talk with server and gets the patch from WSUS. Perhaps I changed one configuration in policy as following picture(see pic 1)

    But I still have no idea where  "allow connecting to windows update locations" came from.

    Also I noticed that the version showing in the WSUS  is much lower than the client one.  In the client it's 16299.492, but from WSUS, it's always 16299.413.  It's inconsistent.  Don't know why it could not be updated to the latest version.  See pic 2.

    lundi 9 juillet 2018 07:20
  • Hello Jason Ding,


    For the difference of Build number, it does not need to worry.


    In the WSUS console, the build number is wua's version of client, not OS version. The WUA version is not always consistent with OS version.


    You could check the WUA version of client by following steps:


    1. Open the %systemroot%\system32 folder. %systemroot% is the folder in which Windows is installed. For example, the %systemroot% folder is C:\Windows.
    2. Right-click Wuaueng.dll, and then select Properties.
    3. Select the Details tab, and then locate the file version number.


    Hope my answer helps.


    Best Regards,

    Ray Jia

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact

    vendredi 13 juillet 2018 05:22