WSUS – Windows Server 2016 Not Updating Through WSUS

Tags: windows, windows-server-2016, wsus

We have a WSUS server running on Windows Server 2016. WSUS detects and sends updates to all systems, including the 2012 servers. WSUS will detect but not send updates to any of the 2016 servers.

It shows 0 updates needed, all updates show "installed or not applicable". These are fresh server installs, they have just been installed straight from a disk image created November of last year.

If I run a report on one of the servers and I set the product filter to "Windows Server 2016" I get 31 updates installed or not applicable.

All 31 updates are set to approval "Install". The status for all of them is "Not Applicable". They are all Critical Updates and Security Updates.

I have manually gone through the installed updates on one of the servers in question and verified that these "Not Applicable" updates are not installed.

All these servers are fresh installs and they are in an OU that prevents them from restarting themselves after an update install and I am the only one who manually restarts them. Since they have been installed they have gotten 0 updates. I have a hard time believing that there are 0 applicable updates for a fresh Windows Server 2016 install.

I have ensured that BITS and the Windows Update services are running. I have run the wuauclt /reportnow and wuauclt /detectnow. It doesn't seem to do anything. I have run the cleanup wizard to deny and remove all of the superseded updates. I have verified that the machines are in the correct groups in AD and in WSUS. I have verified in the registry on the affected machines that they are pointing to the WSUS server and it can be pinged. The client can be pinged from the WSUS server. There is no firewall or port blocker or anything like that. I created a completely new 2016 server installation with absolutely nothing installed on it; no roles, no firewalls no virus scanner no nothing, just a blank server and tried to force it to connect. WSUS detects that the server exists but that is about it.

Every other OS works fine; it is only the 2016 servers that have this problem. It is definitely a WSUS server problem: if I go into the registry and change it back to Microsoft's server, it finds updates.

Does anyone have any idea what might be causing the problem and how to fix it?

Thanks.

EDIT – UPDATE:
Still having problems. Tried installing a 2nd 2016 WSUS server, same problem, only with the 2016 servers.

I even tried installing 2019 server (though I don't think there are any differences…). No difference.

I even ruled out Group Policy. I put a 2016 test server all by itself in an OU with blocked inheritance. The only GPO I linked was the WSUS server setting which pointed to the 2019 server. The machine isn't getting any other policy. There isn't even a virus scanner or firewall configured on the test 2016 server, they are even on the same segment.

We are converting more and more of our servers from 2012 to 2016 which means this is more and more of a problem as NONE of them will get updates from WSUS… As much as I don't want to, I am going to have to call Microsoft…

Best Answer

Ok, after spending 3 weeks with Microsoft's technical support department we have solved the problem.

The problem is with Dual Scan trying to connect to Windows Update (online) and failing. When it fails the system just stops trying and refuses to connect to WSUS.

The added problem is the server install media has a bug in it which prevents the Dual Scan from changing. It just ignores the policy and keeps the default update source Windows Update.

Here is what you have to do to fix it. Run the following commands in PowerShell on the offending server:

$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService

You will get something back like this:

Windows Update Standalone Installer - False   
Windows Server Update Service - False   
Windows Update - True

If it says "Windows Update - True", then that is your default source, no matter what your GPO says...

The first thing you have to do is make sure the following patches are installed on your server.

KB4103720 and KB4462928

You need them BOTH. They are both huge, they both take forever and a day to install and they both require a server reboot.

These KBs fix the dual scan issue so the server will respond to the GPO telling it which default source to use.

Now you need to configure Group Policy to tell the server to only use the WSUS server. Per Microsoft these are the required settings (I am dubious on some of them, but I haven't tested each one... I am just happy the thing is finally working)

Computer Configuration > Policies > Administrative Templates > System > Device Installation

Specify the search server for device driver source locations

Set to "Enabled"  
Select search order: "Do not search Windows Update"

Specify the search server for device driver updates

Set to "Enabled"  
Select Update Server: "Search Managed Server"

Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

Turn off access to all Windows Update features (in Microsoft-speak that means their online server, not "make it so it can't get updates")

Set to "Enabled"

Turn off access to the Store

Set to "Enabled"

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Do not allow update deferral policies to cause scans against Windows Update

Set to "Enabled"

No auto-restart with logged on users for scheduled automatic updates installations

Set to "Enabled"

Specify intranet Microsoft update service location

Set to "Enabled"  
Set the intranet update service for detecting updates: "http://[YOUR SERVER]:8530"  
Set the intranet statistics server: "http://[YOUR SERVER]:8530"  
Set the alternate download server: "http://[YOUR SERVER]:8530"  
Uncheck the box Download files with no Url in the metadata if alternate download server is set

Move your servers into an OU with this GPO enabled. I created a separate OU in my Servers OU just for 2016 server and linked this GPO to it.

Run the above PowerShell commands again.

It should now say

Name                            IsDefaultAUService
----                            ------------------
Windows Server Update Service   True
Windows Update                  False

If you get "Windows Server Update Service" True, then it should work!

I hope this helps someone else. This has certainly been a frustrating issue...

I accept donations in unmarked bills, gold bars and scotch.
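The checks in the accepted answer (the Microsoft.Update.ServiceManager query, the two required KBs, the GPO-written Windows Update settings and reachability of the WSUS server) can be collected into one read-only audit script. The following is an added example, not code from the original answer; it assumes you replace the $ExpectedWsus placeholder with your real WSUS URL and run it elevated on the affected 2016 client. The registry value names are the policy-backing values for the named GPO settings; DoNotConnectToWindowsUpdateInternetLocations is the one I take to back "Turn off access to all Windows Update features".

```powershell
# Added example (not from the original answer): read-only audit of the update-source
# configuration for a Windows Server 2016 client that will not talk to WSUS.
# Run elevated on the affected server. Prints one finding per check.

$ExpectedWsus = 'http://[YOUR SERVER]:8530'   # placeholder from the answer; replace before running

function Get-DefaultAUService {
    # Same COM object the answer uses; returns the name of the service flagged IsDefaultAUService
    $musm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    ($musm.Services | Where-Object { $_.IsDefaultAUService }).Name
}

function Test-RequiredHotfix {
    # The two updates the answer says must be installed before the GPO is honoured
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in 'KB4103720', 'KB4462928') {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-WsusPolicyValue {
    # Registry values written by the Windows Update GPO settings listed in the answer
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu      -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer        = $p.WUServer          # "Set the intranet update service for detecting updates"
        WUStatusServer  = $p.WUStatusServer    # "Set the intranet statistics server"
        UseWUServer     = $a.UseWUServer       # 1 when "Specify intranet Microsoft update service location" is Enabled
        DisableDualScan = $p.DisableDualScan   # 1 when "Do not allow update deferral policies to cause scans against Windows Update" is Enabled
        # Assumed backing value for "Turn off access to all Windows Update features"
        DoNotConnectToWindowsUpdateInternetLocations = $p.DoNotConnectToWindowsUpdateInternetLocations
    }
}

function Test-WsusReachable {
    param([string]$Url)
    # Tests only the TCP port the policy points at (8530 in the answer), not the WSUS web service itself
    $u = [uri]$Url
    Test-NetConnection -ComputerName $u.Host -Port $u.Port -InformationLevel Quiet
}

# --- run the audit ---------------------------------------------------------
$default  = Get-DefaultAUService
$policy   = Get-WsusPolicyValue
$findings = @()

$findings += [pscustomobject]@{ Check  = 'Default AU service is WSUS'
                                Ok     = ($default -eq 'Windows Server Update Service')
                                Detail = $default }
foreach ($h in Test-RequiredHotfix) {
    $findings += [pscustomobject]@{ Check = "$($h.KB) installed"; Ok = $h.Installed; Detail = $h.KB }
}
$findings += [pscustomobject]@{ Check  = 'WUServer matches expected'
                                Ok     = ($policy.WUServer -eq $ExpectedWsus)
                                Detail = $policy.WUServer }
$findings += [pscustomobject]@{ Check = 'UseWUServer = 1';     Ok = ($policy.UseWUServer -eq 1);     Detail = $policy.UseWUServer }
$findings += [pscustomobject]@{ Check = 'DisableDualScan = 1'; Ok = ($policy.DisableDualScan -eq 1); Detail = $policy.DisableDualScan }
$findings += [pscustomobject]@{ Check  = 'DoNotConnectToWindowsUpdateInternetLocations = 1'
                                Ok     = ($policy.DoNotConnectToWindowsUpdateInternetLocations -eq 1)
                                Detail = $policy.DoNotConnectToWindowsUpdateInternetLocations }

# Only probe the network if the policy actually names a server
if ($policy.WUServer) {
    $findings += [pscustomobject]@{ Check  = 'WSUS port reachable'
                                    Ok     = (Test-WsusReachable -Url $policy.WUServer)
                                    Detail = $policy.WUServer }
} else {
    $findings += [pscustomobject]@{ Check = 'WSUS port reachable'; Ok = $false; Detail = 'WUServer not set by policy' }
}

$findings | Format-Table -AutoSize
```

A client that still reports "Windows Update" as its default AU service after the KBs are installed and the GPO has applied (gpupdate /force, then re-run) is the signature of the problem the answer describes; the table makes it clear which of the answer's three preconditions (patches, policy values, reachability) is the one still missing.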