WSUS on Windows 2012

I have a Windows 2008 R2 server which has been running the WSUS Role for several years and I have not had a problem in the past with any of my clients. I set up 2 RDP/Citrix servers with Windows 2012 in the beginning of the year. WSUS seemed to have worked initially but the last update was April. Since then it tells me that there are updates when I log in, but when I go to the Windows Update screen, it won't give me the option to update because it says the settings are managed by my system (through GP and WSUS). I pushed the WSUS settings with GPO. I had a similar problem with my third 2012 server which wasn't RDP/Citrix. I removed that one from the OU so it doesn't get the GP for WSUS and I am now able to manually run updates. I ran RSOP on the first 2 servers, but can't see anything that would block the WSUS. Not sure why I would only have an issue with 2012 servers.
swenger7 Asked:
Seth Simmons (Sr. Systems Administrator) Commented:
do those clients show as reporting in the wsus console?
have any updates been approved for that computer group since april?
0
swenger7 (Author) Commented:
Actually they show as not reported in almost a year. There is a Firewall exception for that port. What else could be stopping them?
0
Seth Simmons (Sr. Systems Administrator) Commented:
is the firewall port correct?  by default 2012 uses port 8530 (8531 for ssl)
is the URL in the GPO correct (specify intranet location) ?
0
swenger7 (Author) Commented:
Yes to both. See attached screenshots. I always have only added Firewall rules for Inbound. Never seemed the need for Outbound. Correct me if this is wrong with WSUS
Registry.JPG
Firewall.JPG
0
Seth Simmons (Sr. Systems Administrator) Commented:
when you run windows update, what happens?  does it give an error?
what if you did http://192.168.1.28:8530/iuident.cab in a browser?  does it download a cab file?
0
swenger7 (Author) Commented:
The file does download.

When I go to windows update, I have attached the first screenshot. When I click on the "Check for Updates" on the side I get the second screen shot.
Update.JPG
check.JPG
0
Seth Simmons (Sr. Systems Administrator) Commented:
ok...so we ruled out communication problems; appears to be how the GPO is configured for that OU
what settings are configured when you run rsop?
0
swenger7 (Author) Commented:
Attached screenshot
GP.JPG
0
Hector2016 (Systems Administrator and Solutions Architect) Commented:
If you are logged on as administrator, you should see something like this:

Normal view of Windows Updates in a Windows 2012 R2 Server.
Please run the following command on any failing server and send the resulting HTM file so that we can make a deeper analysis of your group policy settings for that specific server.

GPResult /h MyGPSettings.htm
0
swenger7 (Author) Commented:
Here are the results
GPresults.pdf
1
Hector2016 (Systems Administrator and Solutions Architect) Commented:
I'm sorry for the delay.

I read the 70-page file but can't find anything wrong in your policies.
There is only one thing that may have something to do with it: On "Citrix Servers" GPO check the "Remove links and access to Windows Update" setting. Just try to disable it and see what happens.

I would like to suggest you check some registry settings that may be responsible for this behaviour:

These are the settings you should have on the registry, some values may be different, verify them with this.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://MyWUServer:8530"
"WUStatusServer"="http://MyWUServer:8530"
"ElevateNonAdmins"=dword:00000000
"AcceptTrustedPublisherCerts"=dword:00000001
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="MySERVERS"
"DisableWindowsUpdateAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RebootRelaunchTimeout"=dword:0000003c
"RebootWarningTimeoutEnabled"=dword:00000001
"RebootWarningTimeout"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAUShutdownOption"=dword:00000001
"NoAUAsDefaultShutdownOption"=dword:00000001
"AUPowerManagement"=dword:00000001
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:00000002
"AutoInstallMinorUpdates"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000004
"ScheduledInstallTime"=dword:00000008
"EnableFeaturedSoftware"=dword:00000001
"IncludeRecommendedUpdates"=dword:00000001
"RescheduleWaitTimeEnabled"=dword:00000001
"RescheduleWaitTime"=dword:00000001


Also, check that the following settings are not set in the registry (delete them if they are found, and again see what happens):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
 NoWindowsUpdate

[HKEY_LOCAL_MACHINE\SYSTEM\Internet Communication Management\Internet Communication]
DisableWindowsUpdateAccess

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
DisableWindowsUpdateAccess


You don't have to reboot to apply changes, just restart the WUAUSERV service and close/open the Control Panel window.
Change things one by one; that way you will be able to find exactly what the problem is and what is not.
0
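
The registry checks from the answer above and the earlier iuident.cab test, collected into one read-only PowerShell script. This is an added example, not part of the original thread; the function names are hypothetical, and the registry paths and value names are the ones listed in the post.

```powershell
# Read-only audit: nothing is changed or deleted.
# HKCU values are read for the account that runs the script.

# Values the answer says should NOT be present (they hide the Windows Update UI)
$blockers = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoWindowsUpdate' },
    @{ Path = 'HKLM:\SYSTEM\Internet Communication Management\Internet Communication';  Name = 'DisableWindowsUpdateAccess' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'; Name = 'DisableWindowsUpdateAccess' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-WindowsUpdateBlockers {
    foreach ($b in $blockers) {
        $value = Get-RegValue -Path $b.Path -Name $b.Name
        [pscustomobject]@{
            Path   = $b.Path
            Name   = $b.Name
            Value  = $value
            Blocks = ($value -eq 1)
        }
    }
}

function Test-WsusEndpoint {
    $wu      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $server  = Get-RegValue -Path $wu -Name 'WUServer'
    $useWsus = Get-RegValue -Path "$wu\AU" -Name 'UseWUServer'
    $reachable = $false
    if ($server) {
        try {
            # Same test as in the thread: fetch the WSUS identification cab
            $uri = $server.TrimEnd('/') + '/iuident.cab'
            $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
            $reachable = ($r.StatusCode -eq 200)
        } catch { $reachable = $false }
    }
    [pscustomobject]@{ WUServer = $server; UseWUServer = $useWsus; Reachable = $reachable }
}

Get-WindowsUpdateBlockers | Format-Table -AutoSize
Test-WsusEndpoint | Format-List
```

Run it in the session of the user who sees the blocked Windows Update screen, since two of the three values live under HKCU.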
swenger7 (Author) Commented:
There is only one thing that may have something to do with it: On "Citrix Servers" GPO check the "Remove links and access to Windows Update" setting. Just try to disable it and see what happens.

The above fixed the problem. I can now manually run the update. I still don't know what changed in 2012 whereas the same GPO in 2008 notified me that there were updates available and it allowed me to install even with the above change.
1