WSUS - Workstations not applying updates that are ready to install

Last Modified: 2019-06-17
Workstations not applying updates.

I am pushing our Win10 1903 update via WSUS. The workstations have it ready, and if I log in and look at updates it says:
'We're all set for the restart you scheduled at......'

Each workstation seems to have a different date and time, despite all being turned on at the same time. If I select 'restart now' the update applies. Otherwise they never seem to actually install the update. I want a setting that makes any updates install at next reboot. I have a number of Windows Update GPOs; something must be missing.

Can anyone advise?

CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
At WSUS, you can set deadlines on updates which force the installation if not done by the deadline and even automatically restarts (even if the user is working). That's a hard measure.
What I would rather do is use a script to deploy 1903 using a scheduled task. I have shown that here for 1809: https://www.experts-exchange.com/questions/29140739/WSUS-Server-Disk-Full.html#a42830269 and you can easily change some numbers to make it work on 1903. Say if you need help with that.

Author

Commented:
Thanks mcknife, I definitely don't want to restart users' machines if they are working, but I do want to force the update, be it major updates or any other update, to install at next restart. They all get a scheduled shutdown each evening, so when the machine turns on that morning the update applies. Can you advise how I set this in WSUS? I'm surprised it's not Group Policy.

I will look at your script too, thanks for the help.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Can you check the WindowsUpdate.log on any workstation?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
To make you aware of a security problem with feature updates, I would like to know whether you use BitLocker or any sort of full disk encryption. In case you do, it is not recommended to use WSUS for upgrading Windows versions.

Author

Commented:
No, we don't use BitLocker.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Since we use BitLocker and Windows feature upgrades suspend BitLocker, we don't use WSUS for that - in other words, no idea what happens if you set the clients up to install updates at, say, 11 AM. Will the feature updates install at 11 AM as well? I don't think so, since they need so many restarts (and not only one). I guess the feature updates will need manual intervention. Haven't tried.

Author

Commented:
Hey McKnife, I am looking at the script. It looks at the Windows version, and if already up to date, deletes the scheduled task and ends,
but not sure about:

"for /f "tokens=3 delims=\:" %%a in ('reg query hklm\system\mounteddevices ^| findstr /c:"5C003F00" ^| findstr /v "{.*}"') do (%%a:\setup.exe /Auto Upgrade /DynamicUpdate Disable)"

Also, does the 1903_upgrade scheduled task need to exist on the workstation first, added via another method?

Thanks
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Yes, the task needs to be deployed first. Either as an immediate task (starts right after the GPO that deploys it is read), or as a scheduled task that should run on a certain day.

That script line just starts setup on all sorts of DVD drives (since we cannot know what DVD drive letter will be used after the ISO is mounted). If you happen to have another DVD drive even with a setup DVD inserted (some other setup), that will not matter, since the setup options that I gave you only work on Windows setup.
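
An added example, not part of the original thread or of the linked script: a PowerShell variant of that step which asks Windows for the drive letter of the mounted ISO and starts setup.exe only if its Authenticode signature validates, rather than launching setup.exe from every optical drive. The ISO path is a hypothetical placeholder, and the signer check is a minimal one based on the certificate subject.

```powershell
# Added example (not from the thread). Intended to run elevated, e.g. from the
# deployed scheduled task. $IsoPath is a hypothetical placeholder path.
param(
    [string]$IsoPath = 'C:\Deploy\Win10_1903.iso'
)

$ErrorActionPreference = 'Stop'

# Mount the ISO and read back the letter Windows assigned to it, instead of
# enumerating optical drives under HKLM\SYSTEM\MountedDevices.
$image  = Mount-DiskImage -ImagePath $IsoPath -PassThru
$letter = ($image | Get-Volume).DriveLetter
$setup  = "${letter}:\setup.exe"

try {
    if (-not $letter -or -not (Test-Path -LiteralPath $setup)) {
        throw "No setup.exe found on the mounted image $IsoPath"
    }

    # Run the binary only if its signature is valid (chain trusted, file
    # unmodified) and the signer certificate belongs to Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $setup
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to run $setup (signature status: $($sig.Status))"
    }
}
catch {
    # Nothing was started, so release the image before reporting the failure.
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
    throw
}

# Same switches as the line quoted in the thread. The image stays mounted
# while setup runs; the reboot performed by the upgrade releases it.
Start-Process -FilePath $setup `
    -ArgumentList '/Auto', 'Upgrade', '/DynamicUpdate', 'Disable'
```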

Author

Commented:
OK, so the scheduled task is created by GPO, then auto-deleted if it has already run and applied the update. Then eventually we delete the GPO completely? Will removing the GPO remove the task, or do we need to run it for a bit with a delete action?
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
The tasks can be configured to deploy once only (->on the "common" tab, select: "apply only once and do not reapply"). That way, you can keep the GPO in place and add another task, when you are ready to deploy the next feature update in 6 months or so.
