Windows 8.1 wsus problems

Hi, we now have several windows 8.1 laptops on our domain network but we are having problems using wsus to update them.
Domain functional level is windows 2008 r2 and we have one 2012 R2 DC.
We are applying wsus through GPO.

The laptops receive all the correct GPO settings and recieve the updates (event logs show files downloaded)

That's about it, the updates never seem to get installed.

There's an error along the lines of:
"Installation ready: updates are ready... to install updates an administrator should log on.. windows will prompt with further instructions..."

Non admins are approved to approve updates via the gpo (and have checked the registry)

Logged on user is an administrator of the laptop anyway.

Help appreciated.
Paul BlackmoreIT ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rob GMicrosoft Systems EngineerCommented:
What version of WSUS is it?
There was a service pack to WSUS to address issues with windows 8.1
The WSUS server in some versions have a bug that they see 8.1 as windows XP x64 and cannot apply the updates. The errors you get from this are all sorts of weird..

Another bug is UAC controls with Updates, you must have UAC enabled to get the updates to install with WSUS on 8.1

I had to create another GPO, Clone of the Win7 Ones to correct this issue, with UAC enabled, and drop all of the 8.1 machines into that GPO.
Paul BlackmoreIT ManagerAuthor Commented:
WSUS is latest verion. The updates are getting to the laptop. UAC has been turned off (manually not by GPO), I'll re-enable it to see if it makes any difference. Thanks
Paul BlackmoreIT ManagerAuthor Commented:
Nope, I've enabled UAC, no change (and approved a few more updates to poss give it a kick)
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Rob GMicrosoft Systems EngineerCommented:
Do you see anything in the Windowsupdate.log file?
If you do Windows key + R and type in WindowsUpdate.LOG you will have a text file come up..
It should give you additional info as to what is actually occurring..
Paul BlackmoreIT ManagerAuthor Commented:
2014-11-13      17:47:34:263       904      9d0      Report      CWERReporter finished handling 8 events. (00000000)
2014-11-13      17:47:37:085       904      d94      Agent        * Added update {9FED22FC-CDD2-4724-8463-C08F21DE6196}.204 to search result
2014-11-13      17:47:37:085       904      d94      Agent        * Added update {48585DD4-FB49-487C-BBED-2BB96A1A8A3A}.200 to search result
2014-11-13      17:47:37:085       904      d94      Agent      Update {61C88EDE-FCD7-4C91-809E-A7E58FB97E3C}.200 is pruned out due to potential supersedence
2014-11-13      17:47:37:085       904      d94      Agent        * Added update {0DACBEA9-4019-4E5C-B551-6AF2823BBAA5}.200 to search result
2014-11-13      17:47:37:085       904      d94      Agent        * Added update {54254032-E629-4ADC-BA84-CE1B9BA9F281}.200 to search result
2014-11-13      17:47:37:085       904      d94      Agent        * Added update {AB8A49A4-532E-4767-A514-E98DD08CBAB9}.200 to search result
2014-11-13      17:47:37:085       904      d94      Agent      Update {5B241E6A-BC17-44F1-AC7E-10D3BB21FDCB}.200 is pruned out due to potential supersedence
2014-11-13      17:47:37:085       904      d94      Agent      Update {D59F5FEA-5C29-4CF5-8416-D7279FFB585A}.201 is pruned out due to potential supersedence
2014-11-13      17:47:37:085       904      d94      Agent      Update {A070249A-3B10-4E2D-A56D-8C3414936358}.200 is pruned out due to potential supersedence
2014-11-13      17:47:37:085       904      d94      Agent      Update {F4242AA0-9C5F-4882-8306-2E75CC370FAA}.200 is pruned out due to potential supersedence
2014-11-13      17:47:37:085       904      d94      Agent      Update {5E51B95B-C253-4BCE-B304-F475A05DA58C}.200 is pruned out due to potential supersedence
2014-11-13      17:47:37:085       904      d94      Agent      Update {14295203-7DDA-4388-B7C7-86FE10E6973C}.200 is pruned out due to potential supersedence
2014-11-13      17:47:37:085       904      d94      Agent        * Added update {64A69324-3A89-43F3-B658-3B3168DFBA34}.200 to search result
2014-11-13      17:47:37:085       904      d94      Agent        * Added update {E219B681-EA39-4EBC-BE81-AE6EAB998936}.200 to search result
2014-11-13      17:47:37:085       904      d94      Agent        * Found 7 updates and 77 categories in search; evaluated appl. rules of 3123 out of 4490 deployed entities
2014-11-13      17:47:37:085       904      d94      Agent      Reporting status event with 192 installable, 57 installed,  0 installed pending, 0 failed and 7 downloaded updates
2014-11-13      17:47:37:085       904      d94      Agent      *********
2014-11-13      17:47:37:085       904      d94      Agent      **  END  **  Agent: Finding updates [CallerId = Windows Update Command Line  Id = 44]
2014-11-13      17:47:37:085       904      d94      Agent      *************
2014-11-13      17:47:37:085       904      d94      IdleTmr      WU operation (CSearchCall::Init ID 44, operation # 3346) stopped; does use network; is not at background priority
2014-11-13      17:47:37:085       904      d94      IdleTmr      Decremented idle timer priority operation counter to 0
2014-11-13      17:47:37:085       904      dac      AU      >>##  RESUMED  ## AU: Search for updates [CallId = {9433486F-02C1-4E02-90FD-2E6305466A5D} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-11-13      17:47:37:085       904      dac      AU        # 7 updates detected
2014-11-13      17:47:37:085       904      dac      AU      #########
2014-11-13      17:47:37:147       904      dac      AU      ##  END  ##  AU: Search for updates  [CallId = {9433486F-02C1-4E02-90FD-2E6305466A5D} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-11-13      17:47:37:147       904      dac      AU      #############
2014-11-13      17:47:37:147       904      dac      AU      All AU searches complete.
2014-11-13      17:47:37:147       904      dac      AU      AU setting next detection timeout to 2014-11-14 12:13:29
Paul BlackmoreIT ManagerAuthor Commented:
This is last bit of windows log. There are 7 downloaded updates but I cant seem to get anyway of installing them.
Paul BlackmoreIT ManagerAuthor Commented:
By switching from option 4 (Download and schedule) to option 3 (Download and notify) I've now got a message on action centre that there are updates that need to be approved but no way of approving them?
Rob GMicrosoft Systems EngineerCommented:
What is the setting in the GPO?
It should be set to a time to install them..
What time is it set to install updates?

There are a few settings:
1. Notify for download and notify for install
2. Auto Download and notify for installation
3. Auto Download and schedule the installation
4. Allow local admin to choose the settings

In those settings you have additional settings:
1. Schedule installation time of day
1-1. everyday or Monday - Sunday
2. Scheduled Time of day for installation
2-1. 24hour clock based on time for installation

Another variable here:
If you have "delay restart for scheduled installation" set to enabled;
The system will not install the updates till after the next reboot.

assuming you have rebooted, since you had to make the UAC control changes, the policy definition will determine when the system actually applies the updates.. Otherwise it would be better to not define anything, accept for the "specify intranet Microsoft update service location" and set the client machines to auto update, and reboot at will.. ;)

The logs, though, they look good..
No errors from what i can see..
Rob GMicrosoft Systems EngineerCommented:
The approval process needs to take place on the WSUS console.
While the user is an administrator that is allowed to locally OK what to install, the domain admin on the WSUS Server needs to approve the actual update prior to it being OK for the local admin to install or not install..

Is the Server hosting WSUS fully updated?
While the WSUS system itself has a variety of updates, there are some updates in the hosted OS that help as well.. Specifically with Signed certificates..
Paul BlackmoreIT ManagerAuthor Commented:
I've given up on this one. My GPO for windows 8.1 updates just points to our wsus server so that we can at least control what updates are received, all the other wsus settings I've controlled via registry edits.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Paul BlackmoreIT ManagerAuthor Commented:
Not fixed but a workaround until I have time to look more in depth at this.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.