locked
Issue with Windows 10 - can't download updates from WSUS with KB3213986 installed RRS feed

  • Question

  • *Reposting this in WSUS forum as advised*

    I've encountered an apparent issue when trying to update Windows 10 clients from my WSUS server (Server 2012). All WSUS updates are installed, including KB3095113 and KB3159706 (post install done too) and I've added .esd into MIME types in IIS.

    I believe I've narrowed it down to the KB3213986 update - with that installed, clients are unable to download updates from WSUS. They can report in successfully, it is only the actual download of the update that fails. I get the error message 'We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the Internet.' No error code.

    I've tried to look at the windows update log but wasn't about to get much useful information out of it, even with the latest symbols installed. Very frustrating.

    Uninstalling KB3213986 results in successful downloads from WSUS once again (going back to 14393.577). Oh, I also tried installing the new KB3216755 (14393.726) and the issue persisted.

    Is anyone else out there experiencing this issue, or might have a suggestion as to the cause? 

    Friday, February 3, 2017 5:51 AM

Answers

  • I found an extremely simple workaround / solution in my case, and I thought I'd post so maybe it will help someone else. If you are using GPO to specify your WSUS server, In the "Set the alternate download server" box, enter the same information that you put in the other 2 boxes. In my case it is http://SVRWSUS:8530 . I am not sure if it matters, but I also made sure the case matched for the server name as well. If you are just pushing registry entries, add new string value

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    Name: UpdateServiceUrlAlternate

    Data:http://YOURSERVERHERE:8530

    Chris

    Wednesday, February 15, 2017 9:24 PM

All replies

  • Nobody else experiencing this issue? Any suggestions what might be the cause? I'm stumped.
    Monday, February 6, 2017 7:21 AM
  • I don't have an answer for you, sorry, but you could take a look or ask a question on the PM list.

    I've not read anything there recently which sounds like what you're describing

    http://marc.info/?l=patchmanagement

    http://patchmanagement.org/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, February 6, 2017 8:53 AM
  • Hi scottjames_12,

    Then, what is the result after installing KB4010672, does the issue still exit after the latest monthly rollup?

    https://support.microsoft.com/en-us/help/4010672

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 10, 2017 2:37 AM
  • Hi Anne,

    Unfortunately, the issues still exists after installing KB4010672. 

    Thanks

    Friday, February 10, 2017 5:30 AM
  • Hi scottjames_12

    Glad there is someone with the same issue like me! Ok, not that glad, because I wish we both not have this issue...

    We are starting with implementing server 2016. For that I installed a fresh 2016 WSUS and connected a 2016 member server with it. Everything works fine, member servers are getting updates. Right now they find 3 updates and install them (KB3213986, KB3211320 and KB3213522)

    After the reboot, the member server cannot connect to the WSUS again! I get the following message in the Settings-Windows Update screen:

    We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the Internet.

    After uninstalling KB3213986, everything seems to work fine again.

    Friday, February 10, 2017 3:15 PM
  • Hi scottjames_12,

    Then, what is the result after installing KB4010672, does the issue still exit after the latest monthly rollup?

    https://support.microsoft.com/en-us/help/4010672

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Hi Anne

    Will KB4010672 be available in WSUS soon? Because I don't think it makes sense to install an update on every server separately and avoiding the WSUS channel...

    Friday, February 10, 2017 3:19 PM
  • I am having the exact same issue and have been since January when the update came down. I only have 3 machines on Windows 10 1607, and all 3 are experiencing the EXACT same symptoms. I was getting ready to deploy this to all of my machines when I noticed this issue. All of the Windows 10 1511 machines are fine.

    Since I was having this problem I tried all of the troubleshooting steps I could find. This included deleting the software distribution folder, re-registering dlls, restarting services, turning off the firewalls, turning off security programs, adding the items to IIS and the post-install nonsense that needs to be done and restarting it.

    I since have created a VM and attempted several different scenarios. I started with a 14393.447 build and install 1 CU at a time with the stack update in between.

    KB3201845 - 14393.479 --> KB3199986 --> KB3206632 - 14393.576 --> KB3211320 --> KB3213986 - 14393.693 --> ( No More WSUS Connectivity ).

    I then went back to KB3206632 - 14393.576 --> KB3211320 --> KB3216755 - 14393.726 skipping KB3213986, however since the updates are cumulative  no more WSUS connectivity.

    If I change the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | UseWUServer to 0, delete the software distribution folder and restart services, the machine will pull the updates from Windows Update without an issue.

    I have a GPO set which sets the install days and time, Computer Group Target Name, Intranet location  (http://myserver.local:8530) as well as Download Mode to Bypass.

    I'm not sure what to do at this point myself either.

    FYI ... https://support.microsoft.com/en-us/help/4010672 , This release is intended only for Microsoft Server 2016 audiences.  It is available only on the Microsoft Update Catalog website.


    • Edited by CHRIS.FL Friday, February 10, 2017 5:12 PM
    Friday, February 10, 2017 5:11 PM
  • Comforting to know that I'm not the only one experiencing the issue. I wondered whether my 2012 (non R2) WSUS server was a contributing factor, but it sounds like Basileus18932 is having the same issue with a 2016 WSUS server.

    I've tried tweaking every setting I can find, like you CHRIS.FL, to no avail.

    Monday, February 13, 2017 12:46 AM
  • Just for the record, I am on a 2012 R2 Server.
    Monday, February 13, 2017 8:30 PM
  • I found an extremely simple workaround / solution in my case, and I thought I'd post so maybe it will help someone else. If you are using GPO to specify your WSUS server, In the "Set the alternate download server" box, enter the same information that you put in the other 2 boxes. In my case it is http://SVRWSUS:8530 . I am not sure if it matters, but I also made sure the case matched for the server name as well. If you are just pushing registry entries, add new string value

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    Name: UpdateServiceUrlAlternate

    Data:http://YOURSERVERHERE:8530

    Chris

    Wednesday, February 15, 2017 9:24 PM
  • I found an extremely simple workaround / solution in my case, and I thought I'd post so maybe it will help someone else. If you are using GPO to specify your WSUS server, In the "Set the alternate download server" box, enter the same information that you put in the other 2 boxes. In my case it is http://SVRWSUS:8530 . I am not sure if it matters, but I also made sure the case matched for the server name as well. If you are just pushing registry entries, add new string value

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    Name: UpdateServiceUrlAlternate

    Data:http://YOURSERVERHERE:8530

    Chris

    Thanks for sharing this solution.

    In the GPO Mgmt Editor there is the following note about this setting:

    If the "Alternate Download Server" is not set, it will use the WSUS server by default to download updates.

    So it doesn't really make sense, but glad it worked for you.

    Another strange strange thing about this.

    We disconnected a member server from WSUS (moved it into another OU) to update directly from microsoft. Then we installed KB3213986, you remember, the patch that killed the WSUS connection if you install it from a WSUS! So installed this patch directly from windows update servers, then moved the server back to the OU with the WSUS GPO, which connected him back to the WSUS. And you know what is coming, connection with WSUS is working perfectly, even with patch KB3213986 installed!

    I have no idea what to do. KB4010672 is still not available in WSUS, maybe because Microsoft cancelled the whole patch day and postponed it to March! So maybe they noticed "our" problem? Maybe not? Nobody knows...

    Thursday, February 16, 2017 8:02 AM
  • Hi Chris

    Thanks for sharing your workaround, and I can confirm that it worked for me as well.

    Basileus18932 - I'm curious, in the scenario you described, was the server able to successfully download an update? I ask because I never had an issue with the affected machine reporting in to WSUS, it was only the download of a new update that was failing. 

    I had been testing by uninstalling the Security Update for Flash Player (KB3214628), stopping the WU service, renaming/deleting the 'C:Windows\SoftwareDistribution' folder (otherwise the update file was already cached) and then re-detecting The KB3214628 update. 

    Friday, February 17, 2017 3:01 AM
  • Hi all,

    Does anyone know if this Alternate Download Server setting can be used to force clients to download the update files directly from MS?  We have field users checking in with our 2016 WSUS server over VPN.  Previously, I thought a separate server that would not host any update files needed to be set up for these clients.  But now, seeing this new GPO option, I am wondering if I can point them to MS for the update files over their own broadband connections (instead of the VPN) while still specifying our internal WSUS server for reporting and approvals?

    Using a client, I checked online for windows Updates, then checked the WindowsUpdate.log file and saw a URL https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx, but am not sure if this is correct.  I will set that location and update my post if I see it work, but first wondered if anyone else had any input??

    Thanks

    Wednesday, February 22, 2017 3:28 PM
  • Am 22.02.2017 schrieb Cooperb_Reily:

    Does anyone know if this Alternate Download Server setting can be used to force clients to download the update files directly from MS?  We have field users checking in with our 2016 WSUS server over VPN.  Previously, I thought a separate server that would not host any update files needed to be set up for these clients.  But now, seeing this new GPO option, I am wondering if I can point them to MS for the update files over their own broadband connections (instead of the VPN) while still specifying our internal WSUS server for reporting and approvals?

    Pls read:
    UpdateServiceUrlAlternate
    https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/device-update-management

    https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management

    https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    Wednesday, February 22, 2017 5:16 PM
  • Thanks Chris!

    Your solution did the trick. I've been busy with this problem all day now.

    Thanks a lot for sharing!

    Monday, March 13, 2017 2:30 PM
  • I see listed under the fixes and improvements for the March update:

    March 14, 2017—KB4013429 (OS Build 14393.953)

    - Addressed issue where adjusting the Windows Server Update Services settings using the Group Policy feature causes downloads to fail.

    Will have to test this tomorrow!

    Wednesday, March 15, 2017 12:10 PM
  • Thx Chris!!
    Saturday, March 25, 2017 2:56 PM
  • Thanks Chris!
    Thursday, April 27, 2017 8:37 PM
  • In my situation, Delivery Optimization "bypass mode" kills windows 10 wsus downloads. Using"HTTP Only" and everything is working as it should. 
    Thursday, May 11, 2017 5:02 PM
  • This solved my issue.

    Many thanks, Chris.

    Monday, May 15, 2017 9:23 AM
  • I've had an issue for several weeks with the new Surface Pro 2017, which was added to a domain, carried out some updates, and then on the 26th June decided to stop. 

    I modified the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | UseWUServer to 0

    then restarted the Windows Update service

    then click on check for updates

    Suddenly all the updates for the past month started downloading.

    Definitely worth highlighting this solution for others who encounter the same issue.

    Thanks for posting the solution Chris.

    Thursday, August 10, 2017 9:57 AM
  • Thanks for detailing the steps

    It works like a charm now

    Monday, September 11, 2017 9:53 PM
  • Confirmed this solution. This is so dumb, it amazes me WSUS can be this mature, yet still be so friggin fragile.

    Tuesday, September 19, 2017 6:16 PM