WSUS on Windows 2012

I have a Windows 2008 R2 server which has been running the WSUS Role for several years and I have not had a problem in the past with any of my clients. I set up 2 RDP/Citrix Servers with Windows 2012 in the beginning of the year. WSUS seemed to have worked initially but the last update was April. Since then it tells me that there are updates when I log in but when I go to the Windows Update screen, it won't give me the option to update because it says the settings are managed by my system (through GP and WSUS). I pushed the WSUS settings with GPO. I had a similar problem with my third 2012 server which wasn't RDP/Citrix. I removed that one from the OU so it doesn't get the GP for WSUS and I am now able to manually run updates. I ran RSOP on the first 2 servers, but can't see anything that would block the WSUS. Not sure why I would only have an issue with 2012 servers.

Seth Simmons (Sr. Systems Administrator) commented:
do those clients show as reporting in the wsus console?
have any updates been approved for that computer group since april?
swenger7 (Author) commented:
Actually they show as not reported in almost a year. There is a Firewall exception for that port. What else could be stopping them?
Seth Simmons (Sr. Systems Administrator) commented:
is the firewall port correct?  by default 2012 uses port 8530 (8531 for ssl)
is the URL in the GPO correct (specify intranet location) ?
swenger7 (Author) commented:
Yes to both. See attached screenshots. I always have only added Firewall rules for Inbound. Never seemed the need for Outbound. Correct me if this is wrong with WSUS
Seth Simmons (Sr. Systems Administrator) commented:
when you run windows update, what happens?  does it give an error?
what if you did in a browser?  does it download a cab file?
swenger7 (Author) commented:
The file does download.

When I go to windows update, I have attached the first screenshot. When I click on the "Check for Updates" on the side I get the second screen shot.
Seth Simmons (Sr. Systems Administrator) commented:
we ruled out communication problems; appears to be how the GPO is configured for that OU
what settings are configured when you run rsop?
swenger7 (Author) commented:
Attached screenshot
Hector2016 (Systems Administrator and Solutions Architect) commented:
If you are logged on as administrator you should see something like this:

Normal view of Windows Updates in a Windows 2012 R2 Server.
Please run the following command on any failing server and send the resulting HTM file so that I can make a deeper analysis of your group policy settings for that specific server.

GPResult /h MyGPSettings.htm
swenger7 (Author) commented:
Here are the results
Hector2016 (Systems Administrator and Solutions Architect) commented:
I'm sorry for the delay.

I read the 70-page file but can't find anything wrong in your policies.
There is only one thing that may have something to do with it: on the "Citrix Servers" GPO, check the "Remove links and access to Windows Update" setting. Just try to disable it and see what happens.

I would like to suggest you check some registry settings that may be responsible for this behaviour:

These are the settings you should have in the registry; some values may be different, verify them against this.

Windows Registry Editor Version 5.00




Also, check that the following settings are not set in the registry (delete them if they are found; again, see what happens):


[HKEY_LOCAL_MACHINE\SYSTEM\Internet Communication Management\Internet Communication]



You don't have to reboot to apply changes, just restart the WUAUSERV service, and close/open the Control Panel window.
Change things one by one; that way you will be able to find exactly what the problem is and what is not.

swenger7 (Author) commented:
"There is only one thing that may have something to do with it: on the "Citrix Servers" GPO, check the "Remove links and access to Windows Update" setting. Just try to disable it and see what happens."

The above fixed the problem. I can now manually run the update. I still don't know what changed in 2012 whereas the same GPO in 2008 notified me that there were updates available and it allowed me to install even with the above change.
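
The checks this thread walked through (the WSUS URL and port pushed by GPO, the policies that hide Windows Update, and the wuauserv service), collected as an added read-only PowerShell example that is not part of any post above. The registry value names are the standard Windows Update policy values; the mapping of "Remove links and access to Windows Update" to `NoWindowsUpdate` is an assumption to confirm against the GPResult report.

```powershell
# Added example: read-only checks for a client that has stopped reporting to WSUS.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient is used because Test-NetConnection is not available on Server 2012.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        $pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    } catch {
        $false
    } finally {
        $client.Close()
    }
}

$wuServer = Get-PolicyValue $wuKey 'WUServer'
$report = [ordered]@{
    WUServer                   = $wuServer                                  # "specify intranet location" URL
    WUStatusServer             = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer                = Get-PolicyValue "$wuKey\AU" 'UseWUServer'  # 1 = client uses WSUS
    # A value of 1 in either of the next two removes access to Windows Update.
    DisableWindowsUpdateAccess = Get-PolicyValue $wuKey 'DisableWindowsUpdateAccess'
    NoWindowsUpdate            = Get-PolicyValue $explorerKey 'NoWindowsUpdate'  # assumed mapping, per-user
    ServiceStatus              = (Get-Service -Name wuauserv).Status
}

if ($wuServer) {
    # The port in the GPO URL must match the WSUS site (8530, or 8531 for SSL, by default on 2012).
    $uri = [uri]$wuServer
    $report.ServerPort    = $uri.Port
    $report.PortReachable = Test-TcpPort -HostName $uri.Host -Port $uri.Port
}

[pscustomobject]$report | Format-List
```

Run it as the affected user, since `NoWindowsUpdate` is read from that user's hive; after changing a policy, restart the wuauserv service as described in the answer above and run it again.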