WSUS and issues pushing Win 10 1703

    Question

  • I am rolling out the creators update to our Windows 10 machines. I am testing with three machines - a VirtualBox VM running Windows 10 Pro, a Dell 7010 Desktop and a Dell XPS 13 laptop. The WSUS Server is running on a Server 2012 R2 machine. The XPS 13 has BitLocker with a TPM enabled, while the other machines do not. WSUS version is Version: 6.3.9600.18228. I have also tried upgrading Windows 7 machines to Windows 10 using the WSUS console and update.

    The machines are in a test WSUS group for the Windows 10 upgrades. The Update History setting in Windows Update shows the Status of the update as "Failed" and approval is set to "Install". All other Windows updates install fine.

    WSUS report says: "Feature update to Windows 10 Pro, version 1703, en-gb Retail Error: Download failed."

    2017-05-09 11:41:58:028     804    358 Report REPORT EVENT: {07B79E9B-0A6D-4D08-AA68-38179A2C566C}    2017-05-09 11:41:50:707+0100    1  182 101 {081B357C-B9A3-497C-8E8C-206E1D723B29}  201 80240020    AutomaticUpdates    Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80240020: Windows 7 and 8.1 upgrade to Windows 10 Pro, version 1703, en-us.

    The Windows 10 machines show that the update is available, but it stays on 0% downloaded. There is no network activity on the LAN cable, and TCPView does not show anything being downloaded.

    What I have tried so far:

    • Checked that the KB3159706 for decryption of ESD content is installed
    • Checked that the prerequisites for KB3095113 are all installed
    • Checked that the KB3095113 for WSUS support for Windows 10 feature upgrades.
    • Set the MIME type on the IIS Server for the .esd file and .msu file types (which the above update should have sorted).
    • Removed the Windows Update cache from the machines, stopped the BITS/Windows Update services and restarted.
    • Restarted IIS Website
    • Rebooted WSUS server
    • Checked Windows Firewall status (disabled on Server)
    • Asked the Windows 10 machine to get updates from Windows Updates rather than WSUS (this appeared to download and install OK) so this makes me think it's an issue with our WSUS server.
    • Installed the Windows 10 ADMX templates and set the “Download Mode” in GPO to both “Bypass”  and “HTTP only”.
    • Set WSUS to download express installation files
    • Built a different Windows Server 2012 R2 machine, updated Windows Update GPO policy and got machines checking in, but download of this one update still does not happen.

    I'm rapidly running out of ideas - I could try and install WSUS on an eval copy of Server 2016, but I'd rather like to avoid installing WSUS again.

    Thanks,
    Tom

    Wednesday, May 24, 2017 2:01 PM

All replies

  • Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need.

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Remove all Drivers from the WSUS Database.
    2. Shrink your WSUSContent folder's size by declining superseded updates.
    3. Remove declined updates from the WSUS Database.
    4. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    5. Compress Update Revisions.
    6. Remove Obsolete Updates.
    7. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    8. Application Pool Memory Configuration to display the current private memory limit and easily increase it by any configurable amount.
    9. Run the Recommended SQL database Maintenance script on the actual SQL database.
    10. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment, simply run:

    .\Clean-WSUS.ps1 -FirstRun

    and then

    .\Clean-WSUS.ps1 -InstallTask

    If you wish to view or increase the Application Pool Memory Configuration, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Thursday, May 25, 2017 2:44 AM
  • Also, I'm wondering if you have the downloaded files done PRIOR to the encryption/decryption or if your database is in a bad state (what I like to call a dirty database)

    https://support.microsoft.com/en-us/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus

    You may have to modify the SQL query as it relates to 1607.

    Also - you mention you enabled express installation files. You do realize this makes the size of your content folder roughly 3-5 times the size that it could be as it downloads every single possible change with any file in an update or subsequent updates. It's like document management with history. I'd recommend turning this off unless you have a business case use for it. When you do, perform a manual sync, and then re-run my script's -FirstRun and then after that finishes, run -QuarterlyRun


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Thursday, May 25, 2017 2:52 AM
  • Hi tombull,

    Please check if you installed KB3095113 and KB3159706 (with manual steps) before enabling "Upgrades" and syncing the upgrade files into the WSUS server. If not, please remove the upgrade file and re-download it again.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 25, 2017 6:32 AM
    Moderator
  • Thank you for your suggestion - the script ran through, declined a large number of updates and freed up around 200GB of disk space.
    Wednesday, May 31, 2017 2:30 PM
  • I found I had a dirty database state with 66 responses in the query. I've run through the fixes and ran firstrun and quarterlyrun.

    This does not seem to have fixed the issue, however.

    Wednesday, May 31, 2017 2:31 PM
  • Hi Anne,

    I made sure that both the KB were installed before enabling upgrades - this still does not appear to have worked.

    I built a third server recently, and installed the WSUS server role. I then fully updated the server from Windows update online and installed the other WSUS prerequisites including the Net installer, SQL Management studio and the report viewer, as well as making sure the other KBs were installed.

    I then ticked the "Upgrades" classification and the "Windows 10" product before running a sync, downloading the Feature update to Windows 10 Pro, version 1703, en-gb, and the en-gb Retail. Checked on the client and this still failed with "Downloading, 0%". Do base Windows 10 versions need to be updated to 1511 then 1607 then 1703, or can it go straight to the latest version?

    Wednesday, May 31, 2017 2:46 PM
  • I found I had a dirty database state with 66 responses in the query. I've run through the fixes and ran firstrun and quarterlyrun.

    This does not seem to have fixed the issue, however.

    So since you ran the queries to remove the data from the database, and then you ran my script, I take it you re-checked the Upgrades box in products/classifications, and have Windows 10 products checked (I have all but GDR-DU LP checked)

    Did you perform another sync? Does it have data to pull? WSUS is not instant, and it's not meant to be either. It takes time. Take a screenshot after clicking the server name in the WSUS console and post it please.



    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Thursday, June 1, 2017 1:36 AM
  • Hi Anne,

    I made sure that both the KB were installed before enabling upgrades - this still does not appear to have worked.

    I built a third server recently, and installed the WSUS server role. I then fully updated the server from Windows update online and installed the other WSUS prerequisites including the Net installer, SQL Management studio and the report viewer, as well as making sure the other KBs were installed.

    I then ticked the "Upgrades" classification and the "Windows 10" product before running a sync, downloading the Feature update to Windows 10 Pro, version 1703, en-gb, and the en-gb Retail. Checked on the client and this still failed with "Downloading, 0%". Do base Windows 10 versions need to be updated to 1511 then 1607 then 1703, or can it go straight to the latest version?

    Hi tombull89,

    Did you also add the .esd MIME type into the WSUS site in IIS?

    Best Regards,

    Anne



    Thursday, June 1, 2017 5:47 AM
    Moderator
  • Hi Anne,

    I can confirm the MIME Type was added to the WSUS administration site (and also restarted the website for good measure).

    Thursday, June 8, 2017 3:13 PM
  • Hi Adam,

    I performed another sync and WSUS found 70 updates - all updates for Windows 7/8 to 10 and Windows 10 upgrades in various en-gb, en-us, retail, Home, Pro, Pro N, education etc. I chose the updates for Windows 10 Pro en-us and en-gb as these are the versions we have in service. I left the download running for the updates and now the "Download Status" is displaying "Updates Needing Files: 0" so as far as I can tell the files have been downloaded. If I do a search in the WSUS content folder there are a number of *.esd files present.

    Thursday, June 8, 2017 3:19 PM
  • This is normal. The default is to sync the updates to the WSUS database, but not actually download the binary install files until the updates are approved to a group of computers. Did you re-approve the feature upgrade to 1703?

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Friday, June 9, 2017 5:12 AM
  • Yes, the feature update was approved for 1703. The laptop I am testing with is back on "Updates are available (Feature Update to Windows 10 Pro, version 1703, en-us, Retail) - Downloading updates 0%"

    The report for the update says "(Unable to Find Resource:) ReportingEvent.Client.167; Parameters: Feature update to Windows 10 Pro, version 1703, en-us, Retail". As far as I can tell this is because KB4013214 is required to be installed, however, this doesn't appear to even be in WSUS to be approved (see https://www.reddit.com/r/sysadmin/comments/692e50/is_it_just_me_or_is_kb4013214_not_being_sent_to/) and also doesn't appear in the Microsoft Update Catalogue.


    EDIT: okay, the machine has now rebooted and has status as "Downloading 0%" for "Feature Update to Windows 10 Pro, version 1703, en-us, Retail".
    • Edited by tombull89 Friday, June 9, 2017 11:50 AM
    Friday, June 9, 2017 8:38 AM
  • Now I am receiving the error "Installation Failure: Windows failed to install the following update with error 0xc1800118: Feature update to Windows 10 Pro, version 1703, en-us, Retail" when I look in the WSUS console. Seems like I'm going around in circles.
    Monday, June 12, 2017 10:34 AM
  • Hi!

    Windows 10 adds the following three settings to Computer Configuration/Administrative Templates/Windows Components/Windows Update:

    ·Always automatically restart at the scheduled time
    ·Defer Upgrade (this setting is specific to Windows 10)
    ·Do not connect to any Windows Update Internet locations

    Additionally, the settings in Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds, and Computer Configuration/Administrative Templates/Windows Components/Delivery Optimization are specific to Windows 10.

    Windows 10 has more than 200 new or changed settings in Administrative Templates

    Some of these settings fall under the following main categories:

    Windows Update

    Windows Insider

    Microsoft Passport

    Microsoft Edge

    App Deployment


    -Don't forget to check your GPO inheritance! And security filtering.

    Also check this printscreen below.

    

    Here I post a step-by-step description of how to easily migrate WSUS to a new server, just in case you need it later: Migrate WSUS

    Also restart the WSUS server, and the computers as well. Give them time to synchronize all the updates.

    Do maintenance on the WSUS database and server as well.

    Check the URL and port.

    Good luck!

    Cheers,

    German



    Monday, June 12, 2017 10:47 AM
  • As described by Adam Marshall, did you check the decryption keys in SUSDB?

    Similar problem here:

    0xC1800118 with 15063.0.170317-1834.rs2_*.esd after KB3159706 (+manual steps) the DecryptionKey in SUSDB is again NULL

    Can you post the result from this SUSDB SQL Query?

    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%15063%.esd' and IsEncrypted = 0) 


    Tuesday, June 13, 2017 5:24 AM
  • Hi Geraldo,

    I have "TotalResults" return a result of 0 when I run that query.
    Regards,
    Tom.

    Tuesday, June 13, 2017 9:41 AM
  • Hi Tom, maybe a Client update repository reset can help

    net stop bits
    net stop wuauserv
    net stop appidsvc
    net stop cryptsvc
    Ren %systemroot%\SoftwareDistribution SoftwareDistribution.bak
    Ren %systemroot%\system32\catroot2 catroot2.bak
    net start bits
    net start wuauserv
    net start appidsvc
    net start cryptsvc 
    wuauclt /resetauthorization /detectnow /updatenow
    Regards


    Tuesday, June 13, 2017 10:07 AM
  • In addition,

    what is the Value from Client Registry? Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade
    “AllowOSUpgrade”

    For other OS see: https://answers.microsoft.com/en-us/windows/forum/windows_10-update/windows-7-8-81-registry-edits-to-prevent-windows/4cbd4842-d11f-4579-a8de-18576aad2597?auth=1

    Tuesday, June 13, 2017 10:30 AM
  • Resetting the client update repository did not appear to make a difference.

    My test system does not have the OSUpgrade entry under WindowsUpdate in the registry. I have Auto Update, Orchestrator, Reporting, Services, and SLS.

    Tom.

    Tuesday, June 13, 2017 11:02 AM
  • Really strange!

    Are you really sure to edit the web.config and enable HTTP Activation under .NET Framework 4.5 Features as explained in KB3159706?


    Tuesday, June 13, 2017 11:37 AM
  • Hi,

    HTTP Activation was enabled under .net 4.5 settings. I have not edited the web.config as I understand you only need to do this if HTTPS is used on the WSUS Server, which to my knowledge it isn't.

    Tom.

    Tuesday, June 13, 2017 2:32 PM
  • Fix the web.config anyways. SSL is Microsoft's Best practice and they base their instructions off best practices. You are also future-proofing your environment, and...



    SSL Setup
    ---------------------------------------------

    I follow a really smart guy named Emin Atac (he was the one who helped me develop part of my WSUS Script) and he posted something that was enlightening in all regards with regards to WSUS and MITM attacks and how relatively easy it would be to compromise a network.

    Black Hat USA 2015 - WSUSpect Compromising The Windows Enterprise Via Windows Update

    https://p0w3rsh3ll.wordpress.com/2015/11/24/switch-wsus-to-https/

    Video here: https://www.youtube.com/watch?v=mU8vw4gRaGs

    It is worth the watch as they explain exactly how to take over a network by just having access to it

    Please, everyone, mitigate this risk and switch to SSL.

    Official MS TechNet article for SSL for WSUS

    https://technet.microsoft.com/library/hh852346.aspx#bkmk_3.5.ConfigSSL


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Tuesday, June 13, 2017 2:50 PM
  • If it's still not working after you tried Adam's suggestions have a look at this post...

    https://community.spiceworks.com/topic/1993205-windows-10-1607-not-upgrading-to-1703-via-wsus-or-if-checking-for-updates-online

    and

    https://community.spiceworks.com/topic/1993205-windows-10-1607-not-upgrading-to-1703-via-wsus-or-if-checking-for-updates-online?page=2#entry-6970735

    It may not apply to your situation but when we disabled Dual Scan, 1703 upgrades started successfully pushing out to all 1607 machines.  Worth a shot as a last resort. (reset your client repository before trying this).



    • Edited by raimondb1 Wednesday, June 14, 2017 4:40 AM
    Wednesday, June 14, 2017 4:29 AM
  • Hi Raimondb1,

    Thanks for your suggestion, I'll take a look at this shortly. However none of our Windows 10 builds are on 1607 or 1703, they're all on the retail release (but with some updates applied, so I think that's 1511?)


    • Edited by tombull89 Wednesday, June 14, 2017 11:01 AM
    Wednesday, June 14, 2017 9:21 AM
  • I have now also tested with a Windows 7 to 10 upgrade from WSUS. This is also failing.

    WSUS Console on the server says "(Unable to Find Resource:) ReportingEvent.Client.167"
    WU Console on local machine says "Error 80246007"

    Running the SolarWinds WSUS diagnostics tool says:
    WSUS Server Connectivity
      clientwebservice/client.asmx: OK
      simpleauthwebservice/simpleauth.asmx: OK
      content: Error: Forbidden (Incorrect proxy client configuration - use settings tab to test proxy configuration settings; may also be caused by misconfigured SSL implementation or access rights on WSUS server)
      selfupdate/iuident.cab: OK
      iuident.cab: Error: NotFound (Omitting required port suffix on URL to access WSUS installed to port 8530 or resource is unreachable)

    Browsing to the resulting URLs shows:
    http://officewsus02.domain.tld:8530/content - 403 forbidden
    http://officewsus02.domain.tld:8530/selfupdate/iuident.cab - okay
    http://officewsus02.domain.tld:8530/iuident.cab - 404

    There is a $WINDOWS.~BT folder of ~60MB in the root of the C drive so I assume the download has started. Exports of the setuperr and setupact logs are:
    Pastebin for setuperr.log https://pastebin.com/gAAy5k6R
    Pastebin for setupact.log https://pastebin.com/pAd322SF

    EDIT: it appears that the error messages from the SolarWinds report tool are expected.



    • Edited by tombull89 Tuesday, June 20, 2017 10:28 AM
    Tuesday, June 20, 2017 9:15 AM
  • Oddly, while the Wsus Server and WSUS Status Server is set correctly:

    2017/06/23 11:51:16.7784571 1068  1500  Agent           WSUS server: http://officewsus01.top.level.domain:8530
    2017/06/23 11:51:16.7784577 1068  1500  Agent           WSUS status server: http://officewsus01.top.level.domain:8530

    and all the other downloads work, the .esd and the installer .exe are not downloaded as WSUS requests data from the officewsus01:8530 address which 404s.


    2017/06/23 10:18:41.2272275 892   1020  DownloadManager File: http://officewsus01:8530/Content/0F/ACAF6BAF9D5F52B23E3136BB847CFDB49E357B0F.esd
    2017/06/23 10:18:41.2309928 892   1020  DownloadManager Error 0x80244022 occurred while downloading update; notifying dependent calls.
    2017/06/23 11:48:43.7428777 288   4180  Misc            Got WSUS Client/Server URL: http://officewsus01.top.level.domain:8530/ClientWebService/client.asmx""
    2017/06/23 11:48:43.7524768 288   4180  Misc            Got WSUS SimpleTargeting URL: http://officewsus01.top.level.domain:8530""
    2017/06/23 11:48:43.7532611 288   4180  ProtocolTalker    Server URL = http://officewsus01.top.level.domain:8530/SimpleAuthWebService/SimpleAuth.asmx
    2017/06/23 11:48:43.9962046 288   4180  Misc            Got WSUS Reporting URL: http://officewsus01.top.level.domain:8530/ReportingWebService/ReportingWebService.asmx""
    2017/06/23 11:48:44.0327708 288   4180  Misc            Got WSUS Client/Server URL: http://officewsus01.top.level.domain:8530/ClientWebService/client.asmx""
    2017/06/23 11:48:44.0521808 288   4180  Misc            Got WSUS Reporting URL: http://officewsus01.top.level.domain:8530/ReportingWebService/ReportingWebService.asmx""
    2017/06/23 11:48:44.0664304 288   4180  Misc            Got WSUS Client/Server URL: http://officewsus01.top.level.domain:8530/ClientWebService/client.asmx""
    2017/06/23 11:48:44.0843871 288   4180  Misc            Got WSUS Reporting URL: http://officewsus01.top.level.domain:8530/ReportingWebService/ReportingWebService.asmx""
    2017/06/23 11:48:44.0844328 288   4180  WebServices     Auto proxy settings for this web service call.
    2017/06/23 11:50:52.5638840 288   4328  DownloadManager BITS job {E96E2468-05A6-456A-AA36-9DCA79964774} hit a transient error, updateId = {CFE3F6C1-D9F8-4372-9B9D-FBB6C0601199}.202, error = 0x801901F7
    2017/06/23 11:50:52.5646061 288   4328  DownloadManager File: http://officewsus01:8530/Content/C9/A9186BC92CFDACE903B62AB20E6A7F0FCDB533C9.exe
    2017/06/23 11:50:52.5683896 288   4328  DownloadManager Error 0x80244022 occurred while downloading update; notifying dependent calls.
    2017/06/23 11:50:52.5911411 288   4868  DownloadManager BITS job {E96E2468-05A6-456A-AA36-9DCA79964774} hit a transient error, updateId = {CFE3F6C1-D9F8-4372-9B9D-FBB6C0601199}.202, error = 0x801901F7
    2017/06/23 11:50:52.5917394 288   4868  DownloadManager File: http://officewsus01:8530/Content/C9/A9186BC92CFDACE903B62AB20E6A7F0FCDB533C9.exe
    2017/06/23 11:50:52.5933063 288   4868  DownloadManager Error 0x80244022 occurred while downloading update; notifying dependent calls.
    2017/06/23 11:50:52.6252315 288   1672  Agent             Title = Security Update for Windows 10 Version 1511 for x64-based Systems (KB3172729)
    2017/06/23 11:51:16.7784557 1068  1500  Agent           Initializing global settings cache
    2017/06/23 11:51:16.7784571 1068  1500  Agent           WSUS server: http://officewsus01.top.level.domain:8530
    2017/06/23 11:51:16.7784577 1068  1500  Agent           WSUS status server: http://officewsus01.top.level.domain:8530
    2017/06/23 11:51:16.7784580 1068  1500  Agent           Target group: SIFTALL
    2017/06/23 11:51:16.7784587 1068  1500  Agent           Windows Update access disabled: No
    2017/06/23 11:51:16.7995139 1068  2444  Agent           Initializing Windows Update Agent

    If I try and access http://officewsus01:8530/Content/C9/A9186BC92CFDACE903B62AB20E6A7F0FCDB533C9.exe in a browser, I get a 404. If I manually set the URL to http://officewsus01.top.level.domain:8530/Content/C9/A9186BC92CFDACE903B62AB20E6A7F0FCDB533C9.exe it works fine. So why are these few files trying to use an incorrect URL?





    Friday, June 23, 2017 11:03 AM
  • In what I think is an end to this saga we have put in a setting on our work proxy (SQUID) to resolve the name of the server correctly.

    172.17.100.150 officewsus officewsus.top.level.domain.

    We can check in the SQUID logs that the server name is now resolving successfully and the content is downloaded.

    Logs on local machine:

    2017/06/23 11:51:16.7784571 1068  1500  Agent           WSUS server: http://officewsus01.top.level.domain:8530
    2017/06/23 11:51:16.7784577 1068  1500  Agent           WSUS status server: http://officewsus01.top.level.domain:8530
    2017/06/23 11:50:52.5646061 288   4328  DownloadManager File: http://officewsus01:8530/Content/C9/A9186BC92CFDACE903B62AB20E6A7F0FCDB533C9.exe
    2017/06/23 11:50:52.5683896 288   4328  DownloadManager Error 0x80244022 occurred while downloading update; notifying dependent calls.
    2017/06/23 11:50:52.5911411 288   4868  DownloadManager BITS job {E96E2468-05A6-456A-AA36-9DCA79964774} hit a transient error, updateId = {CFE3F6C1-D9F8-4372-9B9D-FBB6C0601199}.202, error = 0x801901F7
    2017/06/23 11:50:52.5917394 288   4868  DownloadManager File: http://officewsus01:8530/Content/C9/A9186BC92CFDACE903B62AB20E6A7F0FCDB533C9.exe
    2017/06/23 11:50:52.5933063 288   4868  DownloadManager Error 0x80244022 occurred while downloading update; notifying dependent calls.

    If you try and access the URL of the file that is giving the 0x80244022 error, does it succeed or fail? If it fails, try typing in the FQDN of the server, for example:

    http://officewsus01.top.level.domain:8530/Content/C9/A9186BC92CFDACE903B62AB20E6A7F0FCDB533C9.exe

    If that works, try putting an entry in the hosts file on the local machine with the name and FQDN of the WSUS server and see if this resolves the issue

    172.17.100.150 officewsus officewsus.top.level.domain.


    • Edited by tombull89 Friday, June 23, 2017 9:27 PM
    Friday, June 23, 2017 9:16 PM
  • BITS Job Error:

    BG_E_HTTP_ERROR_503 (0x801901F7)

    The service is temporarily overloaded and cannot process the request. Resume the job at a later time.

    What is the Value of Private Memory Limit in IIS/WSUS App Pool? 
    Try to increase up to 7843200 or 0 (unlimited)



    Saturday, June 24, 2017 4:47 PM
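
Added example, not part of any post in this thread: a small WindowsUpdate.log check covering the two points the thread ends on, namely content downloads that use a different host name than the configured WSUS server (the short-name 404/503 problem) and a WSUS server configured over plain HTTP (the MITM exposure raised in the SSL post). The function names and finding labels are this example's own, and the second sample log is constructed.

```python
import re
from urllib.parse import urlsplit

# Lines taken from the WindowsUpdate.log excerpts quoted in the thread.
SAMPLE_LOG = """\
2017/06/23 11:50:52.5638840 288   4328  DownloadManager BITS job {E96E2468-05A6-456A-AA36-9DCA79964774} hit a transient error, updateId = {CFE3F6C1-D9F8-4372-9B9D-FBB6C0601199}.202, error = 0x801901F7
2017/06/23 11:50:52.5646061 288   4328  DownloadManager File: http://officewsus01:8530/Content/C9/A9186BC92CFDACE903B62AB20E6A7F0FCDB533C9.exe
2017/06/23 11:50:52.5683896 288   4328  DownloadManager Error 0x80244022 occurred while downloading update; notifying dependent calls.
2017/06/23 11:51:16.7784571 1068  1500  Agent           WSUS server: http://officewsus01.top.level.domain:8530
2017/06/23 11:51:16.7784577 1068  1500  Agent           WSUS status server: http://officewsus01.top.level.domain:8530
"""

# Constructed sample (hypothetical): the same client on HTTPS with consistent naming.
CLEAN_LOG = """\
2017/06/23 12:00:00.0000000 1068  1500  Agent           WSUS server: https://officewsus01.top.level.domain:8531
2017/06/23 12:00:05.0000000 288   4328  DownloadManager File: https://officewsus01.top.level.domain:8531/Content/C9/A9186BC92CFDACE903B62AB20E6A7F0FCDB533C9.exe
"""

SERVER_RE = re.compile(r"\bWSUS server:\s*(\S+)")            # not "WSUS status server:"
FILE_RE = re.compile(r"\bDownloadManager\s+File:\s*(\S+)")   # content download URL
BITS_RE = re.compile(r"\berror = (0x[0-9A-Fa-f]{8})")        # BITS job error code


def bits_http_status(hresult):
    """BITS reports HTTP failures as 0x80190000 + status (0x801901F7 -> 503)."""
    if (hresult & 0xFFFF0000) == 0x80190000:
        return hresult & 0xFFFF
    return None


def analyze(log_text):
    """Return a list of (finding, detail) tuples for one client's log text."""
    servers, files, bits_codes = set(), set(), set()
    for line in log_text.splitlines():
        if m := SERVER_RE.search(line):
            servers.add(m.group(1))
        if m := FILE_RE.search(line):
            files.add(m.group(1))
        if m := BITS_RE.search(line):
            bits_codes.add(m.group(1))

    findings = []
    for server in sorted(servers):
        srv = urlsplit(server)
        srv_host = (srv.hostname or "").lower()
        # Update metadata over plain HTTP can be tampered with in transit.
        if srv.scheme.lower() != "https":
            findings.append(("plaintext-wsus", server))
        for url in sorted(files):
            host = (urlsplit(url).hostname or "").lower()
            if host == srv_host:
                continue
            # A bare first label of the FQDN is the naming problem from the
            # thread; any other host is content served from somewhere else.
            kind = "short-name-host" if host == srv_host.split(".")[0] else "foreign-host"
            findings.append((kind, url))
    for code in sorted(bits_codes):
        status = bits_http_status(int(code, 16))
        if status is not None:
            findings.append(("bits-http-%d" % status, code))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(kind, detail)
```
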