Hello everyone,

My company is new to Windows 2016 server. We are using version 1607; we have 2 servers. looks like we have an issue with applying windows updates; nothing gets downloaded to them after we approve all Win Server 2016 updates from WSUS. The only thing that has actually worked is the Defender virus definition updates a couple weeks ago. IF we HIT the check for updates button now, it says my system is up to date but we now at least 10+ patches need to be installed.  I can apply patches manually, but I don't want to do that every month.  Are there any patches that need to be installed first?

I don't have any issues patching some old 2008r2 servers, WIn2012r2 and Win10. My GPO settings for WSUS haven't changed.What am I missing here?

Thanks in advance for the help. 

Alert!

We are an SME. We run an old version of WSUS (on Win 2008 R2 Server) which will likely be upgraded to the latest version available within 6 months.

Our estate consists of a mix of old (2008, 2008 R2) through to new (2016) servers and we are heavily virtualised. We use Windows 7 Desktops.

Our core objectives for the application of Windows Updates are as follows:

-Achieve the installation of Updates ASAP post-release but never sooner than one month after release (the time lag is intended to increase the likelihood of evading "bad" Updates)
-Install of Updates (and reboot for the installation of Updates) only during specified time periods (i.e. Saturday 12PM through to Saturday 8PM) which will always be outside our standard business hours (Mon-Fri 9am-5pm)
-On a weekend when the Installation of Updates will occur, an engineer must be on call for the following reasons:
---1) to check that all systems where Updates have been applied are operating successfully post-Update installation;
---2) to manually intervene and remediate where any "bad" Updates have been applied or related Availability issues arise, with a view to ensuring that all systems and services are fully Available for the start of business Monday morning

To be clear, it isn't always the case that an engineer will be available on a given weekend, and if that is indeed the case, the installation of Updates will be deliberately delayed until the next weekend when an engineer is available to be on-call. The view of the business is that the risk of applying Updates  over a weekend without an on-call engineer outweighs the risk of further delaying Update installations until such time as an engineer can be available.

Now,

1)  It is evident that when certain combinations of Updates are Approved, some Windows hosts will not complete installation of all those Approved Updates within the next available installation time period; and in such cases, installation will continue automatically during subsequent time periods. Indeed, if our observations are correct, then full installation of a set of Updates that were Approved at the same time may stretch over as many as 3 or 4 different time periods end-to-end. For example, the chronology of events might look like this:

Mon Jan 20: Updates 1,2,3,4 and 5 Approved
Sat Jan 25: Update 1 is successfully installed on host X, with reboot
Sat Feb 1: Updates 2 & 3 & 4 are successfully installed on host X, without reboot
Sat Feb 8: Update 5 is successfully installed on host X, with reboot

With this example, a single set of Update Approvals has resulted in the allocation of Update Installations over three subsequent weekends, not just one.

We are told this behaviour is by design, but it causes us planning headaches if we are unable to know at the point of approval of the Updates how many weekends of installations we are effectively triggering; because we cannot then plan accordingly for availability of the corresponding human resources.

We are being told by our IT Support company that it is in fact not possible to know at the time the Updates are Approved how many weekly installation cycles will be triggered as a result of those Approvals. Is this correct?

We are also told that it is impossible to ensure that all of the Approved Updates are Installed within the scope of thenext single time period; in other words, looking at any given host, the determination of how many Approved Updates will be installed within thenext time period is entirely non-configurable. Is this correct, or is there a better way of managing this so that we can plan ahead adequately?

2) Any thoughts as to what extent, if any, is the set of challenges I have described above going to worsen (or lessen) when we migrate from Windows 7 to Windows 10 desktops, and/or to a new version of WSUS?

Many thanks

So I've got a WSUS server set up on my 2016 server and it deal with 99% 2016 clients. I've run into the issue that my servers are automatically installing updates instead of only installing approved updates. Below are my current registry settings. I also work in tandem with another Windows Engineer and we've been trying to get WSUS working using the GPO. So when he makes changes in the WSUS GPO settings it overrides the registry settings.

Am I missing something as to why my servers are auto updating? In my other environment I have 2008/2012 servers with practically identical registry settings and they have no issues automatically updating unless the patches are approved by me.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] 
"AcceptTrustedPublisherCerts"=dword:00000001

"BranchReadinessLevel"=dword:00000020

"DeferFeatureUpdates"=dword:00000001

"DeferFeatureUpdatesPeriodInDays"=dword:000000b4

"DeferQualityUpdates"=dword:00000001

"DeferQualityUpdatesPeriodInDays"=dword:00000000

"DoNotConnectToWindowUpdateInternetLocations"=dword:00000000

"WUServer"=xxxxxxxxx

"WUStatusServer"=xxxxxxxxx

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 

"AlwaysAutoRebootAtScheduledTime"=dword:00000001

"AlwaysAutoRebootAtScheduledTimeMinutes"=dword:0000000f

"AUOptions"=dword:00000004 

"AutoInstallMinorUpdates"=dword:00000001

"DetectionFrequency"=dword:00000012 

"DetectionFrequencyEnabled"=dword:00000001 

"NoAutoRebootWithLoggedOnUsers"=dword:00000000 

"NoAutoUpdate"=dword:00000000

"ScheduledInstallDay"=dword:00000000 

"ScheduledInstallTime"=dword:00000004 

"UseWUServer"=dword:00000001 

Actually, our WSUS content folder was full and that's why to reduce the size of the folder I tried the following steps and after that I am in a big trouble.

1. Close any open WSUS consoles.

2. Go to Administrative Tools – Services and STOP the Update Services service.

3. In Windows Explorer browse to the WSUSContent folder (typically D:\WSUS\WSUSContent or C:\WSUS\WSUSContent)

4. Delete ALL the files and folders in the WSUSContent folder.

5. Go to Administrative Tools – Services and START the Update Services service.

6. Open a command prompt and navigate to the folder: C:\Program Files\Update Services\Tools.

7. Run the command WSUSUtil.exe RESET.

After all the above steps, our WSUS is not synchronizing and no updates are being downloaded at all. Every time showing "Reset Server Node"

Please help me out as soon as possible.

Thanks

Hello

I have started pushing updates to Windows 10 Pro computers via WSUS2016. The majority are version 1809.  The client computers are getting the notification below:

If I click 'Another time' this postpones the notification for 2 hours.

Questions:

1. Does anyone know what GPO setting is responsible for this notification?
2. Will clicking 'Restart Now' restart the computer?
3. What will clicking 'OK' do?
4. Will the computer eventually force a restart if the user keeps clicking 'Another time'?  Is there a limited number of times they can postpone the installation - can you specify in a GPO Setting?

Any assistance would be appreciated.

Hello All ,

After installing December month patches, couple of Windows 2012 Server stuck in restart loop. Can anyone confirm is there any known issue with December 2019 patches ?

Does anyone face this issue?

Resolution is already there:

To break the loop you need to press F8 and select safe mode. Server will most likely take another reboot but will come up after that.

Thanks

Baneesh

Regards Baneesh Pal Singh

Hello,

Using WSUS and System Center Update publisher to deploy 3rd party software, I tried to publish a package. it is able to download the package to a temporary directory but when trying to sign the package and add it in the store, it failed with the following error message :" Error    UpdatesPublisher.15    Publisher.SignPackageCab    Error signing cab file:

C:\WSUS_Test\UpdateServicesPackages\13b6b5d8-c539-43f8-b6e2-3aabb8b4c2e2\6ef9fd6e-f40f-4540-9e68-7a571be150e0_1.cab, result: 2147500034"

When looking into the forums, I already check the following :

- make sure that the following shares are mapped to the right location:

• \WSUS\WsusContent
• \WSUS\UpdateServicesPackages

- regenerate all certificates and make sure that the new certificates are in the trusted root certificate and in the trusted publishers.

These two actions didn't solve anything - still the same error message.

Any idea on how to solve this ?

Hi,

The SSU from last November was approved on my WSUS but I don't see it when I'm checking for new updates on my servers.

In the reportingevents.log from softwaredistribution foler, it is writed 2 updates detected but I only can see one of them.

I already renamed this folder and restart wuauserv service but it's not better.

Any idea?

Thanks.

T.

We have a server running Server 2016 with the latest version of SCCM on it.

We have IIS and WSUS setup on the same server and all was running nicely until a couple of weeks ago.

Now WSUS won't sync and if you open the console you get "Fatal Error: The system cannot find the file specified"

I have searched forums online and they recommend either reinstalling WSUS or WSUS and IIS.

I have tried both but still getting the same error message.

Can anyone shed some light on this issue?

Hi

We have 2 WSUS server 2012 R2, Versión: 6.3.9600.18324, when We made test with 6 machines recently installed, it worked like a charm, yesterday I put 25 machines in the OU where it worked, but today I made a check and it shows that the last contact was today 22:05 (some earlier..), but the last status report continue Not yet reported, so Failed count, needed count, installed and so on are in 0

Any idea where to search, if were only one or two computers, I can check it, but all these computers are not yet reported... or what I missed in the WSUS server, all worked right in the test computers...

Thanks in advance

Doc MX

Hi

I've issues with schedule installation through WSUS.

Here's what i want : 

   - Schedule installation every sunday at 4pm
   - No windows update notifications for clients (even administrator)
   - No Reboot of clients 
   - Windows Update Client can download updates but not installing it until schedule 
   - Autorize reboot only at schedule date

My configuration : 

Windows Server 2012 R2 
Windows 10 1909 clients
GPOs configuration : wsus html report

Logs : Get-WindowsUpdateLog

We can see that wu client install updates even with the setting AUOptions 4 set.

I don't know why...


Thanks in advance

I wanted to try out a test 2019 WSUS server. Everything seemed to go smoothly, however when I go look at All Computers, I get a system node crash.

I looked at the possibility of it being the same as the bad BIOS name, but I do not seem to see any errors.

The error is as follows:

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, 

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.


System.InvalidCastException -- Unable to cast object of type 'System.Guid' to type 'System.String'.

Source
Microsoft.UpdateServices.BaseApi

Stack Trace:
   at Microsoft.UpdateServices.Internal.BaseApi.SoapExceptionProcessor.DeserializeAndThrow(SoapException soapException)
   at Microsoft.UpdateServices.Internal.DatabaseAccess.AdminDataAccessProxy.ExecuteSPSearchComputers(String computerTargetScopeXml)
   at Microsoft.UpdateServices.Internal.BaseApi.ComputerTarget.SearchComputerTargets(ComputerTargetScope searchScope, UpdateServer updateServer)
   at Microsoft.UpdateServices.UI.AdminApiAccess.ComputerTargetManager.GetComputerTargets(ComputerTargetScope searchScope)
   at Microsoft.UpdateServices.UI.AdminApiAccess.BulkComputerPropertiesCache.GetAndCacheComputers(ExtendedUpdateScope updateScope, ComputerTargetScope computerTargetScope)
   at Microsoft.UpdateServices.UI.SnapIn.Pages.ComputersListPage.GetListRows()

Has anyone come across this error before?

Thanks.

I have a Server 2019 standard enviroment and am trying to setup WSUS.

I have installed the Role and post restart attempt to launch the post installation task to configure however this fails.

I get errors relating to various services not working:

The DSS Authentication Web Service is not working.

The SimpleAuth Web Service is not working.

The Client Web Service is not working.

The Server Synchronization Web Service is not working.

The API Remoting Web Service is not working.

The Reporting Web Service is not working.

Does anyone have any ideas?

Hi,

we have extended W7 support.

I want to ask about the option of "importing" extended support KBs into WSUS.

My WSUSes always syncs with MS catalog and I don't really want to connect to organizational UPSTREAM server for these KBs.

Probably they should come in form of executables that could be installed on WSUS and then available for approval.

Am I correct? I will just ask the files for "import"...

Thanks.

--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

Hello everyone,

My company is new to Windows 2016 server. We are using version 1607; we have 2 servers. looks like we have an issue with applying windows updates; nothing gets downloaded to them after we approve all Win Server 2016 updates from WSUS. The only thing that has actually worked is the Defender virus definition updates a couple weeks ago. IF we HIT the check for updates button now, it says my system is up to date but we now at least 10+ patches need to be installed.  I can apply patches manually, but I don't want to do that every month.  Are there any patches that need to be installed first?

I don't have any issues patching some old 2008r2 servers, WIn2012r2 and Win10. My GPO settings for WSUS haven't changed.What am I missing here?

Thanks in advance for the help. 

Alert!

I’ve been troubleshooting a problem with a Server 2012 machine refusing to install updates for a week. I tried EVERYTHING at https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resourceswithout success. Then I finally found the culprit – I always get this message in the shutdown sequence in the windowsupdate.log when I press restart after installing updates:

2020-01-25 10:37:04:331  772 690 Shutdwn Checking to see whether install at shutdown is appropriate
2020-01-25 10:37:04:331  772 690 Shutdwn user declined update at shutdown
2020-01-25 10:37:04:331  772 690 AU AU initiates service shutdown
2020-01-25 10:37:04:331  772 690 AU ###########  AU: Uninitializing Automatic Updates  ###########
2020-01-25 10:37:04:331  772 690 WuTask Uninit WU Task Manager
2020-01-25 10:37:04:643  772 690 Report CWERReporter finishing event handling. (00000000)
2020-01-25 10:37:05:018  772 690 Service *********
2020-01-25 10:37:05:018  772 690 Service **  END  **  Service: Service exit [Exit code = 0x240001]
2020-01-25 10:37:05:018  772 690 Service *************

My problem now: I can’t find any documentation about “user declined update at shutdown.” Does ANYBODY know anything about how this condition is set and unset?

Hi All,

We use option 3 (download only) now but we want to change to option 4 (Automatically download updates and install them on the schedule specified below).

When I put a change in this policy. For example: Scheduled update day "Tuesday 11.00" instead of "Monday 11.00"  than the auto update only works when I reboot the machine. I have this problem with Windows 10 and Windows 2016 clients/servers both.

When I check RSOP I see that my policy is applied correctly.

I try to only restart de Windows update services (instead of reboot the client) but that was not the trick.

When I change the settings with regedit myself and I do not reboot te client I have the same problem.

Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay
Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime

Testing this case is somewhat difficult because I always must wait one hour to see if my changes have some effect.

My question; what action (restart service/commandline) can I do so I don't have to restart de client to apply the changes in this GPO?

I have a workaround an that is a scheduled restart 2 hours before the automatic updates take place but I don't like this "fix".

Hope somebody can help me.

WSUS server running under Windows Server 2019. Clients running Windows 10 version 1903 education. We have approved the following updates in WSUS

1. Feature update to Windows 10 (business edition), version 1909, en-us x64
2. Feature update to Windows 10 Version 1909 x64-based systems 2019-11 via Enablement Package

Some of our 1903 clients downloaded and install the update just fine and are now at 1909. We have other clients that when I actually visit the client and run Check for Updates, only two updates show up

1. 2020-01 Cumulative Update for Windows 10 Version 1903 for x64 based systems (KB4532695)
2. 2020-01 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1903 for x64 (KB4534132)

These two updates to Win10 1903 do show up in WSUS but of course there is no sense approving them because what I really want is the upgrade to 1909. Why are a bunch of my 1903 clients not even seeing the update we have approved to go to 1909?