Is WSUS broken on Windows 10 / Server 2016?


Wixner

Member
Feb 20, 2013
46
3
8
Problem:

Windows Server 2016 won't detect updates on connected WSUS. A manual trigger will detect and install updates according to GPO.


Background:

We are an MSP providing a lot of Remote Desktop Servers to our customers, and we want to control when and what updates are being installed on these RD servers, hence we installed a WSUS server. We have seven GPOs configured for this environment (one GPO with unique settings per day) and everything seems to work - at least the WSUS configuration on the client side.

Situation:

Even though my test server is reporting in to the WSUS server, it just won't check for updates. If I manually trigger the update process everything works as expected - the updates I've approved in WSUS are downloaded and installed, and the server triggers a reboot.

I've attached a screenshot of the GPO I'm testing (please note that the target group is called WSUS-Mondau even though the update is scheduled for Tuesdays - this is "intended" as I won't create new target groups just because this obviously will take several days to fix...)
 


weust

Active Member
Aug 15, 2014
353
44
28
44
Have you done a gpresult /r and possibly a /h filename.html or an RSOP to see if the GPO is actually applied?
 

Wixner

Hi, and thank you for your reply.

Yes, the GPO is applied and the registry is set up according to my WSUS configuration.
 

weust

You mentioned it is reporting in WSUS, but was that after adding or does "wuauclt /r" also update the report in WSUS?
 

Wixner

Hi,

It never reports in its current patch state, I can see it in the WSUS console - that is all.
It does not matter if I run any wuauclt command - it won't check for updates unless I trigger it manually through the UI.
 

weust

Weird. In that case I would remove the object in WSUS and then use wuauclt /a /r /detectnow.
It may not make much sense, but then again neither does the current situation.

Also, check the logs on both servers. There's got to be some logging in either.
 

IamSpartacus

Well-Known Member
Mar 14, 2016
2,515
650
113
This sounds like a client issue and not WSUS. What version of Windows 10 is on your clients?
 

Wixner

I'm currently evaluating these GPOs on Windows Server 2016, and in the event log of the client I keep receiving "No updates found" in WSUSUpdateClient.
 

Wixner

Here you can see that the server I'm trying to fix has connected to the WSUS console (but still hasn't reported in):
notreported.PNG

And this is the event log on the server (acc999999), where it has connected to some kind of update repository but found no updates:
noupdates.JPG

If I trigger this update manually with the GUI - the client will detect approved updates and install them...
 

weust

That it hasn't reported to WSUS yet is also an indication something is wrong client side.
That the client is being added to the correct group is a GPO thing afaik, not 100% sure if that's done using a background wuauclt /r, though.
Would make sense to me if it would.

Somehow you need to figure out where the manual check receives the updates from.
Because I am doubting it is getting them from WSUS because it hasn't reported yet.
Even a manual check/install shows it in the report status of WSUS.
 

Wixner

If I trigger the update manually the client actually reports to my WSUS so everything works as intended. It seems that the server ignores that it should check updates automatically... somehow
 

weust

Ah, ok. The screenshot from your WSUS server shows "not yet reported".
That got me confused.
 

Wixner

According to our firewall, wuauclt ignores the registry settings for WSUS and talks directly with Windows Update and as far as I know, wuauclt is part of the scheduled task to look for new updates...
 

weust

That is weird? Afaik only Endpoint Security (from SCCM) checks directly on the internet when checking manually.
Stupid feature.

Is this a new server or existing one with a bunch of software on it?
Because you've spent a lot of time on it by now, and re-installing is faster.
At least build one next to it, same GPO/WSUS group and see what that one does.
 

Wixner

I've just reinstalled a new domain with the bare necessity and the updated ADMX files for Windows 10/Server 2016, and WSUS -seems- to work as intended right now. I just need to update the ADMX files in our production environment to verify this.

Too bad you need to update your Windows Server 2016 template when you want to administer Windows Server 2016... on.. Windows Server 2016
 

weust

Updating the ADMX/ADML files from time to time isn't a bad idea.
They are updated every now and then, and especially during big releases.

But the combination with your issue is new to me.
 

DavidRa

Infrastructure Architect
Aug 3, 2015
329
152
43
Central Coast of NSW
www.pdconsec.net
So a couple of things come to mind. First, wuauclt is deprecated and no longer does anything. Look up USOClient as the replacement.

What version of WSUS server is it? Is it up to date and synchronising the right patches?

Next, Get-WindowsUpdateLog followed by viewing the log file, and see if it's doing what you expect it to do, when you expect it to be done. Check your firewall is working, check for dual-scan weirdnesses.

Windows 2016 needs the very first CU applied or WSUS won't work as expected, but as long as you've done that, it should be fine (I have dozens of working 2016-generation WSUS clients - mostly to 2016 WSUS servers, but also 2012 R2).
 

matkisson

Member
Apr 11, 2017
32
7
8
36
So we recently had to set up a Server2016/Windows10 WSUS server at my job. It took a little work but there were 2 things I noticed. First off, group policy seemed to not work. We had to set the server's information via regedit (https://support.microsoft.com/en-us...c-updates-by-using-group-policy-or-registry-s). Secondly, make sure IIS (not the server but specifically IIS) on the WSUS has enough RAM. By default it did not allocate enough RAM and would fail with little to no indication. I am working on little sleep so if I need to elaborate please let me know.
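
Added example, not part of any post in this thread: a read-only PowerShell check of the client-side settings discussed above, covering the WSUS registry values set by GPO or regedit and the dual-scan condition raised in DavidRa's reply. The helper name `Get-PolicyValue` is hypothetical; the registry value names are the standard Windows Update policy values.

```powershell
# Added example: audit the Windows Update policy values a WSUS client reads.
# Read-only; run in an elevated session on the Windows 10 / Server 2016 client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$policy = [ordered]@{
    WUServer             = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer       = Get-PolicyValue $wuKey 'WUStatusServer'
    TargetGroup          = Get-PolicyValue $wuKey 'TargetGroup'
    DeferQualityUpdates  = Get-PolicyValue $wuKey 'DeferQualityUpdates'
    DeferFeatureUpdates  = Get-PolicyValue $wuKey 'DeferFeatureUpdates'
    DisableDualScan      = Get-PolicyValue $wuKey 'DisableDualScan'
    UseWUServer          = Get-PolicyValue $auKey 'UseWUServer'
    AUOptions            = Get-PolicyValue $auKey 'AUOptions'
    ScheduledInstallDay  = Get-PolicyValue $auKey 'ScheduledInstallDay'
    ScheduledInstallTime = Get-PolicyValue $auKey 'ScheduledInstallTime'
}
[pscustomobject]$policy | Format-List

$findings = @()
if (-not $policy.WUServer) {
    $findings += 'WUServer is not set: no WSUS URL reached this client.'
}
if ($policy.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: WUServer is ignored and scans go to Windows Update.'
}
if ($policy.WUServer -and -not $policy.WUStatusServer) {
    $findings += 'WUStatusServer is missing: the client has nowhere to report status.'
}
# Dual scan: WSUS plus a deferral policy makes automatic scans also query
# Windows Update unless DisableDualScan is set to 1.
$deferral = ($policy.DeferQualityUpdates -eq 1) -or ($policy.DeferFeatureUpdates -eq 1)
if ($policy.UseWUServer -eq 1 -and $deferral -and $policy.DisableDualScan -ne 1) {
    $findings += 'Deferral policy with WSUS and no DisableDualScan: dual scan is active.'
}
# AUOptions 4 = scheduled install; it needs a day (0 = daily, 1-7 = Sun-Sat).
if ($policy.AUOptions -eq 4 -and $null -eq $policy.ScheduledInstallDay) {
    $findings += 'AUOptions is 4 but ScheduledInstallDay is not set.'
}

if ($findings.Count -eq 0) { 'No policy problems found.' } else { $findings }
```

Comparing this output on a working and a non-working client, together with the log produced by `Get-WindowsUpdateLog`, shows whether the difference is in the applied policy or in the update agent itself.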