Asked by Dan

WSUS not installing all the updates.

I'm running a new install of WSUS on Windows Server 2016, a fresh install, and the server is not used for anything else but WSUS.
All my servers and computers show a "needed count" for updates with large numbers. Even after I install updates on the clients or servers, the number never goes to 0. How do I install all the needed updates on my servers/workstations?

The 2nd problem is that, for a few computers, it looks like the computers contacted the WSUS server a few weeks ago, but there's no status report, and there's no info about the computers. Any ideas how to resolve this?

SOLUTION
Seth Simmons
This solution is only available to members.
Dan (ASKER)

Yes, I have set the settings for automatic approval for the workstations group, but there's not one machine that shows 100% complete.
I have configured the policy for the computers to download and install.
Dan (ASKER)

Does anyone know how to get the computers to report back 100% of the time, so I can see when they are fully patched and updated?
Visit such a win10 machine, try to update it, see what it does and why updating fails.
For Server 2012 R2, the reason could be that it did not successfully install "update 1", which is a prerequisite for all newer updates. Check that by logging on, opening PowerShell and running the command
get-hotfix | sls 2919355

See if it finds that update or not. The output should be
\\servername\root\cimv2:Win32_QuickFixEngineering.HotFixID="KB2919355",ServicePackInEffect=""
Dan (ASKER)

I typed the get-hotfix command as you suggested, but nothing happened; the prompt appeared again, flashing.

In regards to your last comment, in one of the servers, the root folder is empty.  I will check others soon.  
I'll walk to a few win10 machines and try to figure out why it's failing.
If it comes up empty, that patch is NOT installed and we have found the reason why newer patches don't install. Now download and install kb2919355 from https://www.microsoft.com/en-us/download/details.aspx?id=42334
Dan (ASKER)

Perhaps it wasn't installed if it wasn't part of a critical or security update, as those were the only two categories for servers I had selected.
I opened up the classifications to include service packs, update rollups, updates and upgrades. Should I add any other category for the automatic updates for the servers as well?
I think it is classified as an update rollup; that's why it wasn't found. What you selected now is OK. If you select "upgrades", however, and you don't want upgrades for Windows 10 (if Win10 is a selected product) deployed by WSUS, you may want to deselect it again.
Dan (ASKER)

Just curious, why don't I want the upgrades? Aren't those the release updates, like 1803, which I think is the newest upgrade? Otherwise, all my computers will not be on the newest version, right? Why shouldn't I want them to upgrade to the newest version?
The newest version is usually the preferred version, right. Deploying these upgrades using WSUS is not preferred in secured environments (in my opinion), since it will turn off BitLocker during the upgrade (assuming that you use BitLocker). So what we do here is roll out upgrades in a more controlled manner using scripts.
Dan, is your problem solved? Please close this now, or return with feedback.
Dan (ASKER)

McKnife,

So I checked my own PC, and KB2919355 is not installed. When I checked for updates, it says it's all up to date.
When I checked my WSUS server, I searched for kb2919355, and you can see what comes up. I set for all updates to be automatically updated, so I don't know why it didn't approve the updates.

Dan (ASKER)

Perhaps I'm missing something. As you can see from this screenshot, the computer with IP 192.168.102.10 shows it needs 14 more updates, but when I did a check on my computer, Windows says it's "up to date". So which one is lying? I think this problem is happening to most or all my computers, and that's why the installed updates in WSUS will never get to 100%, because it thinks that there are updates that still need to be installed, but the local PCs think they are up to date.

Slowly.

You write "When I Checked my WSUS server, I searched for kb2919355, and you can see what comes up. I set for all updates to be automatically updated, so I don't know why it didn't approve the updates? " - as your screenshot shows, these updates are NOT related to kb2919355, they apply to systems that don't have kb2919355 installed. Just scroll down and see if you see kb2919355 itself.
Dan (ASKER)

Yes, that KB is listed three times at the bottom of the search box. Not sure what that means, as if I configured all updates to automatically approve, I don't know why it didn't approve the install and why it's not installed on all my PCs/servers.


Well, download it manually and all its prerequisites and install it as described at https://www.microsoft.com/en-us/download/details.aspx?id=42334
These KBs must be installed in the following order: clearcompressionflag.exe, KB2919355, KB2932046, KB2959977, KB2937592, KB2938439, and KB2934018.
KB2919442 is a prerequisite for Windows Server 2012 R2 Update and should be installed before attempting to install KB2919355.
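
A check for the prerequisite chain listed above, as an added example that is not part of the original thread: it queries each Server 2012 R2 host directly, independent of what WSUS reports, and names the first KB still missing in the required order. The function name `Test-Update1Chain` is hypothetical, and the script assumes each package registers under its own KB number in Win32_QuickFixEngineering.

```powershell
# Added example: checks the KB2919355 chain named in this thread on one or more hosts.
# clearcompressionflag.exe is a tool, not a hotfix, so Get-HotFix cannot report it
# and it is not checked here.
function Test-Update1Chain {
    [CmdletBinding()]
    param(
        # Defaults to the local machine; pass server names to check remotely.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    # KB2919442 is the prerequisite, then the packages in the order given in the thread.
    $chain = 'KB2919442', 'KB2919355', 'KB2932046', 'KB2959977',
             'KB2937592', 'KB2938439', 'KB2934018'

    foreach ($computer in $ComputerName) {
        try {
            # One query per host; HotFixID holds strings such as "KB2919355".
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                           Select-Object -ExpandProperty HotFixID)
        }
        catch {
            # Host could not be queried: report that instead of a false "all missing".
            [pscustomobject]@{
                Computer = $computer; Reachable = $false
                Missing  = $null;     InstallNext = $null
            }
            continue
        }

        # -notcontains compares case-insensitively, so "kb2919355" also matches.
        $missing = @($chain | Where-Object { $installed -notcontains $_ })

        [pscustomobject]@{
            Computer    = $computer
            Reachable   = $true
            Missing     = $missing -join ', '
            # The first gap in the chain must be installed before anything after it.
            InstallNext = $missing | Select-Object -First 1
        }
    }
}

Test-Update1Chain | Format-Table -AutoSize
```

An empty `Missing` column means the whole chain is present on that host; a host listed with `Reachable` set to `False` has to be checked locally.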
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Dan (ASKER)

Thanks guys for your help, sorry about the late response.