WSUS Clients are not getting updates

    Question

  • Hello all,

    So we have a new issue in our little group.

    The WSUS server is reporting that a W10 client needs some updates, but the client is not getting any, even after "forcing" the update with "Check for updates" (the client reports that it has all updates).

    The SoftwareDistribution and catroot2 folders were deleted, the Windows Update / BITS / Cryptsvc / MSIserver services were stopped and started again, all of them are configured "Start = auto", and registry keys such as "AccountDomainSid, PingID, SuSClientId, SuSClientIDValidation" were also deleted.

    We already ran the WSUS clean script, without any help.

    We ran a new WSUS server on a Windows 2016 server with the same results (originally running on 2012 R2).

    Some clients are getting updates without any issues and reporting to WSUS correctly.

    We pushed the 04 Cum update via 3rd party software (KB from the Microsoft catalog) and the client was updated correctly, but it is still not getting updates from WSUS.

    The Windows Update troubleshooter won't help.

    In the event log of the impacted client the status is: WindowsUpdateFailure3

    Thanks for answering,

    Ondrej

    Tuesday, April 24, 2018 06:59

All replies

  • When you ran the WSUS Clean script - are you talking about WSUS Automated Maintenance or another? Did you run it with -FirstRun? Did you modify the config or keep the defaults?

    When you say W10 clients need updates - can you be more specific - specific KBs, what the current W10 version is (taken from Settings > System > About - include the complete OS Build number)?


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, April 25, 2018 04:13
  • Yes, I ran it with -Firstrun and kept defaults.

    Problem clients are 1709 Win 10.

    They are not getting any updates; it seems like the first issue was around the 01 cum update (maybe after fall creator?). That's what is thrilling my mind: all clients were OK and all were updated the same way, and some are working / some are not.

    Wednesday, April 25, 2018 05:21
  • Hi,

    Did you refer to these links for troubleshooting?

    https://serverfault.com/questions/656562/wsus-clients-cant-find-updates

    https://community.spiceworks.com/topic/1795095-error-80072efe-when-searching-for-updates-for-windows-server


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 25, 2018 07:17
  • Yes, I think I tried everything.

    I think the issue will be with those clients, not the server or any settings... like, they got some kind of "bad" update and now their Windows Update files/services are stuck, and stopping / resetting etc. is not helping.

    At the moment I am trying to reinstall the Fall Creator update while keeping apps and files so I do not have to do a clean install, but so far it seems to be without any changes.

    Wednesday, April 25, 2018 11:13
  • Run the following on an affected client system in an Admin Command Prompt:

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow
    PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

    This should fix it.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, April 25, 2018 12:37
  • This won't help, I even made a similar script by myself...

    net stop wuauserv
    net stop bits
    net stop cryptsvc
    net stop msiserver
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f
    RD /s /q %windir%\SoftwareDistribution
    ren C:\Windows\System32\catroot2 catroot2.old
    net start wuauserv
    net start bits
    net start msiserver
    net start cryptsvc
    SC config wuauserv start= auto
    SC config bits start= auto
    SC config cryptsvc start= auto
    SC config trustedinstaller start= auto
    wuauclt /resetauthorization /detectnow
    wuauclt /reportnow

    I am so desperate, I have been dealing with this issue for like two weeks now and this is a big pain in my a*s

    • Edited by xDuff Thursday, April 26, 2018 08:10
    Thursday, April 26, 2018 07:58
  • Have you deleted the computer object from the WSUS Console and THEN run your script (which is similar to my client side script)?

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, April 26, 2018 13:26
  • If you are using just the WSUS console to deploy updates, is that client a member of any group to which the needed updates were deployed?

    Cherif Benammar

    Thursday, April 26, 2018 15:38
  • > If you are using just the WSUS console to deploy updates, is that client a member of any group to which the needed updates were deployed?
    >
    > Cherif Benammar

    WSUS is a repository for updates and associated files. It is not a true deployment tool. Windows clients check in with the WSUS server using the Windows Update client and ask if there are any updates that are applicable to them, and if there are, the Windows Update policy will take over.

    Now, in saying that, is the computer object a part of the WSUS group that is getting the updates approved - either directly or by way of inheritance?


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, April 26, 2018 15:49
  • > Have you deleted the computer object from the WSUS Console and THEN run your script (which is similar to my client side script)?
    >
    > Adam Marshall, MCSE: Security
    > http://www.adamj.org
    > Microsoft MVP - Windows and Devices for IT

    Yes I did, and I also tried that on multiple clients.
    Friday, April 27, 2018 07:30
  • > If you are using just the WSUS console to deploy updates, is that client a member of any group to which the needed updates were deployed?
    >
    > Cherif Benammar

    No, they are not. All clients are in the same group (All computers > Unassigned computers)
    Friday, April 27, 2018 07:31
  • All needed updates are approved, detail is Approval > Install | Status > Not Installed
    Friday, April 27, 2018 07:33
  • Thus, create a group to which you deploy needed updates and add one machine at least and look,

    Cherif Benammar

    Friday, April 27, 2018 08:00
  • > Thus, create a group to which you deploy needed updates and add one machine at least and look,
    >
    > Cherif Benammar

    Done, but why do you think it should help? Is there any function of it I do not know?

    But still, thank you all guys for trying to help me.

    Friday, April 27, 2018 08:14
  • Hello guys,

    hope you had a great weekend :)

    So creating a test group in WSUS won't help and there are no changes so far, any other ideas?

    Thanks in advance,

    Ondrej

    Monday, April 30, 2018 05:15
  • Screenshot the report of the update for the approvals (so we can see where it is approved), and one for the pages that show the 'needed' status for the computers you're talking about (mention which computer if it's not obvious).

    Then screenshot the computer report in WSUS with regards to the computer reporting times and another for that KB (mention it so that it's obvious).

    Post them here so that we can see them and try to figure out what's going wrong with your systems.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Monday, May 7, 2018 04:22
  • We approved the 04 cum update like 2 weeks ago.. maybe more.

    Here is the most problematic group, set with the same settings.

    Monday, May 7, 2018 05:29
  • From an Admin Command Prompt, run a gpresult /h gpo.html from NB034

    pastebin it and show us here.

    WSUS shows correctly; but it's the Windows Update Agent that does the heavy lifting.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Monday, May 7, 2018 14:11
  • Sorry for late response, I had days off.

    GPO for NB203, nb034 is off for a week


    • Edited by xDuff Thursday, May 10, 2018 11:41
    Thursday, May 10, 2018 05:33
  • This was not run using "Run as administrator" for the CMD Prompt. It's missing all the computer details (the stuff that's required.)

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, May 10, 2018 20:03
  • When I run CMD as admin, gpresult reads the data as administrator, not user..

    So results:

    local admin: System do not have any RSoP data

    domain admin: System do not have any RSoP data

    User: As provided in link :/

    Friday, May 11, 2018 08:27
  • No, from any domain user account with local admin rights (like your domain admin user for example):

    Open CMD using the Right click method and "Run as Administrator" and click yes to the UAC Prompt to run it in elevated permissions.

    Run gpresult /h gpo.html

    Post this file.

    Without elevated permissions, it cannot get the Computer policies RSOP data.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Friday, May 11, 2018 14:36
  • The trick is you have to run the command prompt as admin of the machine but run the gpresult under a user context that has a local profile on the machine you are running from.

    e.g. you are a domain admin -> you have a user account without domain admin priv -> you auth cmd as local/domain admin -> you run the gpresult impersonating a user account on the local machine that is attached to the domain.

    Friday, May 11, 2018 14:46
  • Hello guys, I did it exactly as you are saying, but gpresult is still getting my account without RSoP data.

    Even when I am trying to specify the user ...

    C:\WINDOWS\system32>gpresult /r /u demjanovicova /s \\nb034
    WARNING: Ignoring the user credentials for the local system.
    INFO: The user "DEMOS\arudek" does not have RSoP data.

    C:\WINDOWS\system32>gpresult /r /u demjanovicova /s localhost
    WARNING: Ignoring the user credentials for the local system.
    INFO: The user "DEMOS\arudek" does not have RSoP data.

    C:\WINDOWS\system32>

    And why is GP taking a role here?
    • Edited by xDuff Tuesday, May 15, 2018 06:01
    Tuesday, May 15, 2018 05:27
  • > Hello guys, I did it exactly as you are saying, but gpresult is still getting my account without RSoP data.
    >
    > Even when I am trying to specify the user ...
    >
    > C:\WINDOWS\system32>gpresult /r /u demjanovicova /s \\nb034
    > WARNING: Ignoring the user credentials for the local system.
    > INFO: The user "DEMOS\arudek" does not have RSoP data.
    >
    > C:\WINDOWS\system32>gpresult /r /u demjanovicova /s localhost
    > WARNING: Ignoring the user credentials for the local system.
    > INFO: The user "DEMOS\arudek" does not have RSoP data.
    >
    > C:\WINDOWS\system32>
    >
    > And why is GP taking a role here?

    Is it possible for you to just run it from the local machine directly, or use psexec to run cmd.exe and then run it?

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, May 16, 2018 01:58
  • In that case, just to be sure, I went to the user / notebook directly, PsExec wasn't used.

    But why are we focusing on GP? Or what are we looking for?


    • Edited by xDuff Wednesday, May 16, 2018 09:28
    Wednesday, May 16, 2018 09:28
  • WSUS is a website that holds data - it's a repository. It is NOT a deployment system. It does not deploy updates, it does not push updates. All it does is approve updates and manage reporting.

    Windows Update Agent on each individual system does ALL of the heavy lifting.... BUT... It doesn't do anything unless configured correctly by way of GPOs or Registry settings. If it is MISCONFIGURED then you have issues. Combinations of certain settings may cancel each other out, or act in such a manner that you are not expecting. This is why I need to see the RSOP data from a client machine that's having the issue.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Wednesday, May 16, 2018 15:21
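
The GPO and registry settings described in the reply above end up under the Windows Update policy key on the client, so they can be checked there as well as through gpresult. The PowerShell below is an added example, not code from the thread or from any poster; Get-PolicyValues and Test-WsusClientPolicy are hypothetical helper names, the sample values are constructed, and the checks cover a few well-known setting combinations (including Dual Scan, which the thread does not mention) rather than every policy.

```powershell
# Added example, not from the thread: audit the Windows Update Agent policy on a client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues([string]$Path) {
    # Values under a policy key as a hashtable; empty when the key does not exist.
    $values = @{}
    if (Test-Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    $values
}

function Test-WsusClientPolicy([hashtable]$Wu, [hashtable]$Au) {
    # Hypothetical helper: one finding per setting that keeps the agent away from WSUS.
    $findings = @()
    if ($Au['UseWUServer'] -ne 1) {
        $findings += 'AU\UseWUServer is not 1: WUServer is ignored.'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if ([string]::IsNullOrWhiteSpace($Wu[$name])) { $findings += "$name is not set." }
    }
    if ($Wu['WUServer'] -ne $Wu['WUStatusServer']) {
        $findings += 'WUServer and WUStatusServer differ; both must hold the same URL.'
    }
    if ($Wu['TargetGroupEnabled'] -eq 1 -and [string]::IsNullOrWhiteSpace($Wu['TargetGroup'])) {
        $findings += 'TargetGroupEnabled is 1 but TargetGroup is empty.'
    }
    if ($Au['NoAutoUpdate'] -eq 1) {
        $findings += 'AU\NoAutoUpdate is 1: Automatic Updates is disabled.'
    }
    $deferrals = @('DeferQualityUpdates', 'DeferFeatureUpdates' | Where-Object { $Wu[$_] -eq 1 })
    if ($deferrals.Count -gt 0 -and $Wu['DisableDualScan'] -ne 1) {
        $findings += "$($deferrals -join ', ') set without DisableDualScan: Dual Scan sends scans to Windows Update."
    }
    $findings
}

# Live check on the affected client: print the policy values, then the findings.
$wu = Get-PolicyValues $wuKey
$au = Get-PolicyValues (Join-Path $wuKey 'AU')
$wu.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$au.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
Test-WsusClientPolicy $wu $au

# Constructed sample values (not data from the thread): WSUS is configured, a deferral is also set.
$sampleWu = @{ WUServer = 'http://wsus.example.local:8530'; WUStatusServer = 'http://wsus.example.local:8530'; DeferQualityUpdates = 1 }
Test-WsusClientPolicy $sampleWu @{ UseWUServer = 1 }
```

An empty result from Test-WsusClientPolicy only means none of these particular combinations is present; the RSoP report still shows which GPO supplied each value.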
  • Hope this is the correct one?

    GPO for NB034

    (For others, run CMD as domain admin > gpresult /s *computername* /user *usernameOfUserWhoIsUsingThatComputer* /scope computer /h gpofinal.html - I had issues with RPC server and RSoP created for domain admin and etc... - this does it for me)


    Thursday, May 17, 2018 06:49