Is WSUS broken on Windows 10 / Server 2016?

Discussion in 'Windows Server, Hyper-V Virtualization' started by Wixner, Oct 2, 2018.

  1. Wixner

    Wixner Member

    Joined:
    Feb 20, 2013
    Messages:
    43
    Likes Received:
    3
    Problem:

    Windows Server 2016 won't detect updates on connected WSUS. A manual trigger will detect and install updates according to GPO.


    Background:

    We are an MSP providing a lot of Remote Desktop Servers to our customers, and we want to control when and what updates are installed on these RD servers, hence we installed a WSUS server. We have seven GPOs configured for this environment (one GPO with unique settings per day) and everything seems to work - at least the WSUS configuration on the client side.

    Situation:

    Even though my test server is reporting in to the WSUS server, it just won't check for updates. If I manually trigger the update process everything works as expected - the updates I've approved in WSUS are downloaded and installed, and the server will trigger a reboot.

    I've attached a screenshot of the GPO I'm testing (please note that the target group is called WSUS-Mondau even though the update is scheduled for Tuesdays - this is "intended" as I won't create new target groups just because this obviously will take several days to fix...)
     


    #1
  2. weust

    weust Member

    Joined:
    Aug 15, 2014
    Messages:
    251
    Likes Received:
    21
    Have you done a gpresult /r and possibly a /h filename.html or an RSOP to see if the GPO is actually applied?
     
    #2
  3. Wixner

    Wixner Member

    Hi and thank you for your reply.

    Yes, the GPO is applied and the registry is set up according to my WSUS configuration.
     
    #3
  4. weust

    weust Member

    You mentioned it is reporting in WSUS, but was that after adding or does "wuauclt /r" also update the report in WSUS?
     
    #4
  5. Wixner

    Wixner Member

    Hi,

    It never reports in its current patch state, I can see it in the WSUS console - that is all.
    It does not matter if I run any wuauclt command - it won't check for updates unless I trigger it manually from the UI.
     
    #5
  6. weust

    weust Member

    Weird. In that case I would remove the object in WSUS and then use wuauclt /a /r /detectnow.
    It may not make much sense, but then again neither does the current situation.

    Also, check the logs on both servers. There's got to be some logging in either.
     
    #6
    Last edited: Oct 4, 2018
  7. IamSpartacus

    IamSpartacus Well-Known Member

    Joined:
    Mar 14, 2016
    Messages:
    1,734
    Likes Received:
    356
    This sounds like a client issue and not WSUS. What version of Windows 10 is on your clients?
     
    #7
  8. Wixner

    Wixner Member

    I'm currently evaluating these GPOs on Windows Server 2016, and in the event log of the client I keep receiving "No updates found" in WSUSUpdateClient.
     
    #8
  9. Wixner

    Wixner Member

    Here you can see that the server I'm trying to fix has connected to the WSUS console (but still hasn't reported in)
    notreported.PNG

    And this is the event log on the server (acc999999) where it has connected to some kind of update repository but found no updates
    noupdates.JPG

    If I trigger this update manually with the GUI - the client will detect approved updates and install them...
     
    #9
  10. weust

    weust Member

    That it hasn't reported to WSUS yet is also an indication something is wrong client side.
    That the client is being added to the correct group is a GPO thing afaik, not 100% sure if that's done using a background wuauclt /r, though.
    Would make sense to me if it would.

    Somehow you need to figure out where the manual check receives the updates from.
    Because I am doubting it is getting from WSUS because it hasn't reported yet.
    Even a manual check/install shows it in the report status of WSUS.
     
    #10
  11. Wixner

    Wixner Member

    If I trigger the update manually, the client actually reports to my WSUS, so everything works as intended. It seems that the server ignores that it should check for updates automatically... somehow.
     
    #11
  12. weust

    weust Member

    Ah, ok. The screenshot from your WSUS server shows "not yet reported".
    That got me confused.
     
    #12
  13. Wixner

    Wixner Member

    According to our firewall, wuauclt ignores the registry settings for WSUS and talks directly with Windows Update and as far as I know, wuauclt is part of the scheduled task to look for new updates...
     
    #13
  14. weust

    weust Member

    That is weird? Afaik only Endpoint Security (from SCCM) checks directly on the internet when checking manually.
    Stupid feature.

    Is this a new server or existing one with a bunch of software on it?
    Because you've spent a lot of time on it by now, and re-installing is faster.
    At least build one next to it, same GPO/WSUS group and see what that one does.
     
    #14
  15. Wixner

    Wixner Member

    I've just reinstalled a new domain with the bare necessities and the updated ADMX-files for Windows 10/Server 2016, and WSUS -seems- to work as intended right now. I just need to update the ADMX-files in our production environment to verify this.

    Too bad you need to update your Windows Server 2016 template when you want to administer Windows Server 2016... on.. Windows Server 2016
     
    #15
  16. weust

    weust Member

    Updating the ADMX/ADML files from time to time isn't a bad idea.
    They are updated every now and then, and especially during big releases.

    But the combination with your issue is new to me.
     
    #16
  17. Maurice.Torres

    Maurice.Torres New Member

    Joined:
    Feb 12, 2019
    Messages:
    2
    Likes Received:
    0
    #17
  18. weust

    weust Member

    #18
  19. DavidRa

    DavidRa Infrastructure Architect

    Joined:
    Aug 3, 2015
    Messages:
    248
    Likes Received:
    107
    So a couple of things come to mind. First, wuauclt is deprecated and no longer does anything. Look up USOClient as the replacement.

    What version of WSUS server is it? Is it up to date and synchronising the right patches?

    Next, Get-WindowsUpdateLog followed by viewing the log file, and see if it's doing what you expect it to do, when you expect it to be done. Check your firewall is working, check for dual-scan weirdnesses.

    Windows 2016 needs the very first CU applied or WSUS won't work as expected, but as long as you've done that, it should be fine (I have dozens of working 2016-generation WSUS clients - mostly to 2016 WSUS servers, but also 2012 R2).
     
    #19
    cesmith9999 and cheezehead like this.
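
The client-side checks discussed in this thread (registry set by the GPO, automatic detection, dual scan), as an added example that is not part of any poster's reply. It reads the Windows Update policy values from the registry on the client and flags the combinations that send automatic scans to Windows Update instead of WSUS; it assumes an elevated PowerShell session on the affected server, and the helper name `Get-PolicyValue` is made up for this example.

```powershell
# Added example: inspect the Windows Update policy a WSUS client actually received.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Collect the values that decide where and when the client scans.
$report = [ordered]@{}
foreach ($n in 'WUServer', 'WUStatusServer', 'TargetGroup', 'DisableDualScan',
               'DeferQualityUpdates', 'DeferFeatureUpdates') {
    $report[$n] = Get-PolicyValue $wu $n
}
foreach ($n in 'UseWUServer', 'NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay',
               'ScheduledInstallTime', 'DetectionFrequencyEnabled', 'DetectionFrequency') {
    $report[$n] = Get-PolicyValue $au $n
}
[pscustomobject]$report | Format-List

# Flag the combinations that explain "manual scan works, automatic scan does not".
$findings = @()
if ($report.UseWUServer -ne 1 -or -not $report.WUServer) {
    $findings += 'UseWUServer/WUServer not set: automatic scans go to Windows Update.'
}
if ($report.NoAutoUpdate -eq 1) {
    $findings += 'NoAutoUpdate=1: automatic updating is disabled; only manual scans run.'
}
$deferral = ($report.DeferQualityUpdates -eq 1) -or ($report.DeferFeatureUpdates -eq 1)
if ($deferral -and $report.DisableDualScan -ne 1) {
    $findings += 'Deferral policy without DisableDualScan=1: dual scan may contact Windows Update.'
}
if ($findings) { $findings } else { 'No policy conflict found in the registry.' }
```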
