Wsus Server Not Downloading Updates



We have a WSUS server running on Windows Server 2016. WSUS detects and sends updates to all systems, including the 2012 servers. WSUS will detect but not send updates to any of the 2016 servers.

It shows 0 updates needed, all updates show 'installed or not applicable'. These are fresh server installs, they have just been installed straight from a disk image created November of last year.


If I run a report on one of the servers and I set the product filter to 'Windows Server 2016' I get 31 updates installed or not applicable.

All 31 updates are set to approval 'Install'. The status for all of them is 'Not Applicable' They are all Critical updates and Security Updates.

I have manually gone through the installed updates on one of the servers in question and verified that these 'Not Applicable' updates are not installed.


All these servers are fresh installs and they are in an OU that prevents them from restarting themselves after an update install and I am the only one who manually restarts them. Since they have been installed they have gotten 0 updates. I have a hard time believing that there are 0 applicable updates for a fresh Windows Server 2016 install.

I have ensured that BITS and the Windows Update services are running. I have run the wuauclt /reportnow and wuauclt /detectnow. It doesn't seem to do anything. I have run the cleanup wizard to deny and remove all of the superseded updates. I have verified that the machines are in the correct groups in AD and in WSUS. I have verified in the registry on the affected machines that they are pointing to the WSUS server and it can be pinged. The client can be pinged from the WSUS server. There is no firewall or port blocker or anything like that. I created a completely new 2016 server installation with absolutely nothing installed on it; no roles, no firewalls no virus scanner no nothing, just a blank server and tried to force it to connect. WSUS detects that the server exists but that is about it.

Every other OS works fine, it is only the 2016 servers that have this problem. It is definitely a WSUS server problem; if I go into the registry and change it back to Microsoft's server it finds updates.


Does anyone have any idea what might be causing the problem and how to fix it?

Thanks.

EDIT - UPDATE: Still having problems. Tried installing a 2nd 2016 WSUS server, same problem, only with the 2016 servers.

I even tried installing 2019 server (though I don't think there are any differences...). No difference.

I even ruled out Group Policy. I put a 2016 test server all by itself in an OU with blocked inheritance. The only GPO I linked was the WSUS server setting which pointed to the 2019 server. The machine isn't getting any other policy. There isn't even a virus scanner or firewall configured on the test 2016 server, they are even on the same segment.

We are converting more and more of our servers from 2012 to 2016 which means this is more and more of a problem as NONE of them will get updates from WSUS... As much as I don't want to, I am going to have to call Microsoft...

Redwizard000

7 Answers

Ok, after spending 3 weeks with Microsoft's technical support department we have solved the problem.

The problem is with Dual Scan trying to connect to Windows Update (online) and failing. When it fails the system just stops trying and refuses to connect to WSUS.

The added problem is the server install media has a bug in it which prevents the Dual Scan from changing. It just ignores the policy and keeps the default update source Windows Update.

Here is what you have to do to fix it: Run the following commands in PowerShell on the offending server

You will get something back like this:

If it says 'Windows Update - True' Then that is your default source, no matter what your GPO says...

The first thing you have to do is make sure the following patches are installed on your server.

kb4103720 and kb4462928

You need them BOTH. They are both huge, they both take forever and a day to install and they both require a server reboot.

These KBs fix the dual scan issue so the server will respond to the GPO telling it which default source to use.

Now you need to configure Group Policy to tell the server to only use the WSUS server. Per Microsoft these are the required settings (I am dubious on some of them, but I haven't tested each one... I am just happy the thing is finally working)

Computer Configuration > Policies > Administrative Templates > System > Device Installation

Specify the search server for device driver source locations

Specify the search server for device driver updates

Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

Turn off access to all Windows Update features (In Microsoft-speak that means their online server, not 'make it so it can't get updates')

Turn off access to the Store

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Do not allow update deferral policies to cause scans against Windows Update

No auto-restart with logged on users for scheduled automatic updates installations

Specify intranet Microsoft update service location

Move your servers into an OU with this GPO enabled. I created a separate OU in my Servers OU just for 2016 server and linked this GPO to it.

Run the above PowerShell commands again.

It should now say

If you get 'Windows Server Update Service' True, then it should work!

I hope this helps someone else. This has certainly been a frustrating issue...

I accept donations in unmarked bills, gold bars and scotch.

alexander.polomodov
Redwizard000
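The PowerShell commands and their output did not survive the copy of the answer above, so here is an added diagnostic script (mine, not the answer author's) that checks the same three things the answer relies on: which update source the Windows Update Agent treats as its default, whether the registry values behind the listed GPO settings are in place, and whether the two KBs are installed. It uses the Windows Update Agent COM API (`Microsoft.Update.ServiceManager`), the documented policy value names under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, and `Get-HotFix`; run it in an elevated PowerShell 5.1 session on the affected Windows Server 2016 host.

```powershell
# Added example, not the commands from the answer above: report the default
# Automatic Updates source, the policy values behind the GPO settings listed
# in the answer, the two required KBs, and the Windows Update Agent build.
# Run in an elevated PowerShell session on the affected Windows Server 2016 host.

# 1. Registered update services and which one is the default AU source.
#    Microsoft.Update.ServiceManager is the WUA COM API; IsDefaultAUService
#    is what decides whether Dual Scan talks to Windows Update or to WSUS.
$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$services = @($serviceManager.Services | Select-Object Name, IsDefaultAUService)
$services | Format-Table -AutoSize | Out-String | Write-Host

$default = ($services | Where-Object { $_.IsDefaultAUService } | Select-Object -First 1).Name
if ($default -ne 'Windows Server Update Service') {
    Write-Warning "Default source is '$default': the server will scan Windows Update, not WSUS."
}

# 2. Policy registry values written by the GPO settings in the answer.
#    The value names are the documented ones for these policies; a missing
#    value means the policy is not applied to this machine.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
$checks = @(
    @{ Key = $wuKey; Name = 'WUServer';        Expect = 'non-empty' }  # Specify intranet Microsoft update service location
    @{ Key = $auKey; Name = 'UseWUServer';     Expect = 1 }            # same policy: tells AU to use WUServer
    @{ Key = $wuKey; Name = 'DisableDualScan'; Expect = 1 }            # Do not allow update deferral policies to cause scans against Windows Update
    @{ Key = $wuKey; Name = 'DisableWindowsUpdateAccess'; Expect = 1 } # Turn off access to all Windows Update features
    @{ Key = $wuKey; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Expect = 1 } # Do not connect to any Windows Update Internet locations
)
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = if ('non-empty' -eq $c.Expect) { -not [string]::IsNullOrEmpty($actual) } else { $actual -eq $c.Expect }
    $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
    '{0,-48} {1,-40} {2}' -f $c.Name, $shown, $(if ($ok) { 'OK' } else { 'CHECK' })
}

# 3. The two updates the answer says must be installed, plus the agent build
#    (10.0.14393.0 is the RTM agent that another answer in this thread says
#    has to be updated before WSUS works).
foreach ($kb in 'KB4103720', 'KB4462928') {
    $present = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    '{0} installed: {1}' -f $kb, $present
}
$wuaVersion = (Get-Item -Path "$env:SystemRoot\System32\wuaueng.dll").VersionInfo.ProductVersion
"Windows Update Agent build: $wuaVersion"
```

Two caveats: `Get-HotFix` reads Win32_QuickFixEngineering, which lists a KB only while it is installed as a distinct package, so a KB absorbed by a later cumulative update can show as missing even though its fix is present; check the agent build in that case. And a 'CHECK' on `DisableWindowsUpdateAccess` or `DoNotConnectToWindowsUpdateInternetLocations` when the GPO is linked usually means the machine has not refreshed policy yet, so run `gpupdate /force` before re-testing.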

If you scan the web you'll see all the things @Redwizard000 tried being suggested so it's clear @Redwizard000 tried really hard to solve this one (see https://serverfault.com/a/940236/203726 for how @Redwizard000 eventually solved the issue). Read on for my experience:

In my case the WSUS server was running on Windows Server 2012 R2, had all the patches, had run the VB cleanup script you see floating around, had been through the cleanup process (which took hours), could serve updates to Windows 10 machines but fresh Windows Server 2016 client machines would fail to fetch updates from WSUS and gave 0x8024401c error messages. The only thing that helped was on the WSUS server: increasing/removing some of the IIS Application Pool resource limits (e.g. Queue Length, Limit Interval, Private Memory Limit but there are others) for the WSUS App Pool as described in https://serverfault.com/a/835941 and https://blogs.msdn.microsoft.com/the_secure_infrastructure_guy/2015/09/02/windows-server-2012-r2-wsus-issue-clients-cause-the-wsus-app-pool-to-become-unresponsive-with-http-503/ and then restarting IIS. It seems that checking for updates required around 2GBytes of memory from IIS server and took about 8 minutes. After this the error message went away but...


...the client Windows Server 2016 machines would become stuck downloading 0% of the updates indefinitely. To get past this I had to manually download a recent cumulative update (on the client Windows Server 2016 machines) from http://www.catalog.update.microsoft.com/home.aspx (or use Microsoft's Windows update servers temporarily to fetch a cumulative update) and install that before changing settings to use WSUS.

Update: There's a MS support article called 'Windows Update stuck at 0 percent on Windows 10 or Windows Server 2016' that talks about how you have to update the Windows Update Agent on Windows 10/2016/2019 client machines past the RTM version (10.0.14393.0) before you are able to use WSUS. This sounds like what was effectively being done in the previous paragraph.

Anon
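The app-pool limits in the answer above are usually changed by hand in IIS Manager; as an added example (not the answer author's code) this script does the same from PowerShell with the WebAdministration module, printing the current values first so the change is recorded. It assumes the pool has the default name the WSUS role creates, `WsusPool`; the new values are illustrative and should be sized for the server, not copied.

```powershell
# Added example, not code from the answer: show and raise the WsusPool limits
# the answer names (Queue Length, CPU Limit Interval, Private Memory Limit)
# through the IIS WebAdministration module, then recycle the pool. Run
# elevated on the WSUS server. 'WsusPool' is the pool name the WSUS role
# creates; the new values are illustrative, not Microsoft guidance.
Import-Module WebAdministration

$poolPath = 'IIS:\AppPools\WsusPool'
if (-not (Test-Path -Path $poolPath)) { throw "Application pool not found: $poolPath" }

function Show-PoolLimits {
    param([string]$Label)
    $p = Get-Item -Path $poolPath
    $values = @($Label, $p.queueLength, $p.cpu.limit, $p.cpu.resetInterval,
                $p.recycling.periodicRestart.privateMemory,
                $p.recycling.periodicRestart.memory,
                $p.failure.rapidFailProtection)
    '{0}: queueLength={1} cpu.limit={2} cpu.resetInterval={3} privateMemoryKB={4} virtualMemoryKB={5} rapidFailProtection={6}' -f $values
}

Show-PoolLimits -Label 'Before'

# Dotted names are the configuration paths behind the Advanced Settings
# fields. Memory limits are in KB and 0 means no limit. Turning off
# rapidFailProtection stops IIS from disabling the pool (HTTP 503 for every
# client) after a burst of worker-process failures.
$newLimits = @{
    'queueLength'                             = 25000
    'cpu.resetInterval'                       = '00:15:00'   # Limit Interval (minutes)
    'cpu.limit'                               = 0            # 0 = no CPU percentage cap
    'recycling.periodicRestart.privateMemory' = 0            # Private Memory Limit (KB)
    'recycling.periodicRestart.memory'        = 0            # Virtual Memory Limit (KB)
    'failure.rapidFailProtection'             = $false
}
foreach ($name in $newLimits.Keys) {
    Set-ItemProperty -Path $poolPath -Name $name -Value $newLimits[$name]
}

Show-PoolLimits -Label 'After'

# Recycle so the worker process picks up the new limits
Restart-WebAppPool -Name 'WsusPool'
```

Setting the memory limits to 0 lets the WSUS worker process grow without bound; on a host shared with other roles a large explicit limit (well above the roughly 2 GB the answer observed per scan) is the safer choice, since an unbounded pool that exhausts memory takes every site on the server down with it.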

I had such a problem, 2016 would throw out the error: 0x8024401c, and in WSUS would show 0% updated (not reported yet).

To fix this I changed the values of the WSUS Application Pool in IIS (Advanced Settings) and all 2016 servers.

Then go to https://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus and copy-paste the code as instructed.

  1. Name it Clean-WSUS.ps1
  2. Install the required software
  3. Run .\Clean-WSUS.ps1 -FirstRun
  4. Finally, .\Clean-WSUS.ps1 -DirtyDatabaseCheck

This guy definitely deserves a donation!

Vacheslav

Same issue, same scenario. Uncheck 'Upgrades' from the Classifications for your site servers software update point configurations.

The other suggestion was to run the command line

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

But I haven't gone back through that process yet as I'm waiting for more explanation from MS.

Kevin

I had the same issue, here's how I fixed it.

  1. In policy (whether this would be group policy or the local policy), enable the policy 'Do not connect to any Windows Update Locations'. This prevents the server from contacting Microsoft/Windows Update.
  2. In policy, add an alternative Update Server in the 'Specify Microsoft Update Location' - this was the same server as the reporting and update server.
  3. In Windows Update- Advanced Options- unchecked the box for 'defer feature updates'

After doing this, I was able to fully patch the server through WSUS- This has been confirmed on two servers in two different environments. It seems the most important change is the defer updates option to unchecked, but the other ones could also cause update issues based on what I've read around the net.

Allen Howard

If you have this set up in group policy, I'd suggest checking the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]. Make a backup of the key, delete it, and run gpupdate /force to recreate it.

In my case after comparing the backup and the new record I found a key named 'DisableWindowsUpdateAccess'=dword:00000000 that was causing my issue. This key was created by a third party.

Nixphoe

Actually all you need to do is update the Servicing Stack. https://support.microsoft.com/en-us/help/4485447/servicing-stack-update-for-windows-10. Doesn't even require a reboot. Once you do that it will start reporting in to WSUS just fine.

Mark Borchert


I have recently been put in charge of a WSUS setup. It consists of an upstream server that gets its updates from Microsoft and a downstream server that is autonomous (i.e. not a replica). The downstream server had recently been replaced (before I got here) and they assumed the new one was working correctly. I tend to disagree. The first thing I noticed while trying to update was that on the downstream server all of the updates showed in an error state, i.e. little red X next to them. They were complaining that they couldn't be downloaded. A quick check of the event log led me to the fact that WSUS was trying to save them to the D drive when there was none. I changed the SQL entry for WSUS that pointed it to the correct drive (E). The reason this was wrong seems to be that they copied the SQL tables from the old server to this one, at least that's all I can come up with. Now that the entry is fixed those errors have gone away. I noticed that almost all of the updates said they had yet to be downloaded, so I selected all and pushed retry download. It has been 2 days now and it seems that nothing is being downloaded. One option I did notice was different between the upstream and the downstream was under 'Update Files and Languages' the 'Download update files to this server only when updates are approved' was not checked on the downstream, but was checked on the upstream. I have tried checking this but it did not make a difference. The 'Download express installation files' is checked on both.
All clients seem to be checking in, but they find no updates. Which is what I would expect since they are not downloaded to the downstream server.
The synchronizations between the servers seem to be working just fine and the downstream server shows all the new updates from yesterday's patch tuesday updates, but the updates aren't downloaded. It's almost as if it's set to download metadata but not the updates themselves. I'm not sure that's even possible.
When I highlight an update the bottom center pane of the console says 'The files for this update have not yet been downloaded. The update can be approved but will not be available to computers until the download is complete'


Any help you may have would be great!
Thanks




-Aron
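For a downstream server in the state the post describes, the settings it mentions and the download state of every update can be read from the WSUS administration API instead of clicking through the console. The script below is an added example (not the poster's), using the UpdateServices module that is installed with the WSUS role; the configuration and update property names are those of the WSUS admin API as I know them. Run it elevated on the downstream server itself.

```powershell
# Added example, not part of the post: on the downstream WSUS server, print
# the settings the question mentions (content path, sync source, replica mode,
# the two 'Update Files' options), count updates by download state, and show
# the latest WSUS events from the Application log. Run elevated on the server.
Import-Module UpdateServices

$wsus   = Get-WsusServer             # local server on the default port
$config = $wsus.GetConfiguration()

# Where WSUS writes update files. In the question this pointed at a D: drive
# that did not exist, which produced the red-X 'could not be downloaded' errors.
$contentPath = $config.LocalContentCachePath
'Content path               : {0} (exists: {1})' -f $contentPath, (Test-Path -Path $contentPath)
'Sync source                : {0}' -f $(if ($config.SyncFromMicrosoftUpdate) { 'Microsoft Update' } else { $config.UpstreamWsusServerName })
'Replica of upstream        : {0}' -f $config.IsReplicaServer
'Download only when approved: {0}' -f $config.DownloadUpdateBinariesAsNeeded
'Download express files     : {0}' -f $config.DownloadExpressPackages

# Download state. GetUpdates() walks every update and takes a while on a big
# server. 'Ready' means the files are on disk; anything else is the console's
# "files for this update have not yet been downloaded" message.
$updates = @($wsus.GetUpdates())
$updates | Group-Object -Property { $_.State.ToString() } | Select-Object Name, Count | Format-Table -AutoSize

$approvedNotReady = @($updates | Where-Object { $_.IsApproved -and $_.State.ToString() -ne 'Ready' })
'Approved but not downloaded: {0}' -f $approvedNotReady.Count
$approvedNotReady | Select-Object -First 10 -Property Title, State, CreationDate | Format-Table -AutoSize

# Recent WSUS service events; download failures land here with the path that
# was attempted, which is how the wrong drive letter was found in the question.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Windows Server Update Services' } -MaxEvents 15 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If the content path exists and the approved-but-not-downloaded count stays flat between two runs a few hours apart, the problem is on the transfer side (the server's own BITS jobs and outbound proxy settings) rather than in the catalogue, which is where the event log entries are the next thing to read.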