Leo

asked on 

WSUS Group policy not reaching to computers / servers

I have installed a new WSUS server. I have set up the Group Policies, but computers are not getting the policy for WSUS.

They are getting the rest of the GPs, but not the WSUS one?

I have checked on computers; registry settings and port settings all seem to be fine to target the WSUS server.

But the GP for WSUS is not showing up in gpresult. I have restarted computers / servers a few times.

WSUS is on server version 2016; the rest of the servers are at least 2012.

Thanks,
Tags: Microsoft Server OS, WSUS, Active Directory, Networking

Sean Bravener

Silly question, I know, but have you checked that the policy is linked to the domain?

Leo

ASKER

I think so, how can I make sure?

We have single forest single domain setup for 9 countries.

thanks
Hello There

"They are getting rest of the GPs, but not the WSUS one?"
Have you run gpupdate /force on the client machines?

How to set up WSUS and GPO:
Go to the WSUS server and open the console -> Options -> Computers -> Which setting is selected? If you choose "Use the Update Service console", you will find computers in the Unassigned Computers group. If you choose "Use Group Policy or registry settings", you need to configure GPO and apply it to computers:

GPO:
Configure Automatic Updates - Enabled
Specify Intranet Microsoft Update Service Location  - Enabled (http://wsus-server:8530)
Enable client-side targeting - Enabled

How to check GPO settings on the computer?
Open regedit on the computer -> HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> verify that all settings are correct

There are other items you can check. I would start with this guide. Can you verify that all needed items have been configured?
https://www.prajwaldesai.com/install-configure-wsus-on-windows-server-2019/
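
The registry check described in the post above, as an added PowerShell example that is not part of the original thread. It goes slightly beyond the post by also reading the AU subkey and flagging an IP address in place of a host name; `$ExpectedUrl` is a placeholder taken from the example URL in the post.

```powershell
# Added example (not from the thread): audit the WSUS client policy on one machine.
# ASSUMPTION: $ExpectedUrl is a placeholder; use the URL configured in your own GPO.
$ExpectedUrl = 'http://wsus-server:8530'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. no GPO has written it.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$policy = [ordered]@{
    ComputerName       = $env:COMPUTERNAME
    WUServer           = Get-PolicyValue $wuKey 'WUServer'            # intranet update service
    WUStatusServer     = Get-PolicyValue $wuKey 'WUStatusServer'      # reporting server
    TargetGroupEnabled = Get-PolicyValue $wuKey 'TargetGroupEnabled'  # client-side targeting
    TargetGroup        = Get-PolicyValue $wuKey 'TargetGroup'
    UseWUServer        = Get-PolicyValue $auKey 'UseWUServer'         # 1 = use WUServer
    AUOptions          = Get-PolicyValue $auKey 'AUOptions'
}

$findings = @()
if (-not $policy.WUServer) {
    $findings += 'WUServer is not set: the WSUS GPO has not applied to this computer.'
} elseif ($policy.WUServer -ne $ExpectedUrl) {
    $findings += "WUServer is '$($policy.WUServer)', expected '$ExpectedUrl'."
    if (([uri]$policy.WUServer).Host -as [ipaddress]) {
        $findings += 'WUServer holds an IP address: a different GPO or a manual edit set it.'
    }
}
if ($policy.WUServer -ne $policy.WUStatusServer) {
    $findings += 'WUServer and WUStatusServer differ: the client will not report to the same server.'
}
if ($policy.UseWUServer -ne 1) {
    $findings += 'AU\UseWUServer is not 1: the client ignores WUServer.'
}
if ($policy.TargetGroupEnabled -eq 1 -and -not $policy.TargetGroup) {
    $findings += 'Client-side targeting is enabled but TargetGroup is empty.'
}

[pscustomobject]$policy | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'WSUS client policy values are consistent.' }

# List the computer-scope GPOs that actually applied (run from an elevated prompt).
gpresult /r /scope computer
```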
Leo

ASKER

"How to set up WSUS and GPO:
Go to the WSUS server and open the console -> Options -> Computers -> Which setting is selected? If you choose "Use the Update Service console", you will find computers in the Unassigned Computers group. If you choose "Use Group Policy or registry settings", you need to configure GPO and apply it to computers"
It was not set up to use "Use Group Policy or registry settings". All the rest of the settings and the link from prajwaldesai, I have checked; they are fine.

So far I can see 3 servers under WSUS. When I run gpresult /r on these servers, they are not getting the group policy for WSUS, but still they show up under WSUS. Not sure how?


Hello There

"So far I can see 3 servers under WSUS. When I run gpresult /r on these servers, they are not getting the group policy for WSUS, but still they show up under WSUS. Not sure how?"
If you choose "Use the Update Service console", new computers will be automatically placed in the Unassigned Computers group.
Leo

ASKER

I tried that setting and after two days, there are still only 3 servers. No new servers or laptops have been discovered.
When I was configuring WSUS, I selected E: drive to store all updates, but that drive is empty; no updates have been downloaded? I did the initial sync for download, that was successful.
Hello There

@Leo Any progress?
Leo

ASKER

Yes, I managed to get updates downloaded, but I can't see any computers / servers.
I run a registry query and they are pointing to the WSUS server.
I checked under group policy, they have been set properly.
But they still don't show under the WSUS console. I have unauthorized and re-authorized a few times; that didn't work.

Do I have to do anything with Group Policy templates for Windows 10 and Windows Server 2012 / 2016?
Hello There

Is the filter set to Any?

Can you provide a screenshot of the group where you are supposed to see computers?

Can you click on "Computers" and share a screenshot of "Overview"?
Hello There

Run this script on all machines and see if it helps.
net stop bits
net stop wuauserv
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
exit

arnold

Where did you link the WSUS GPO in the Group Policy Management Console?
What is your WSUS GPO structure?
Do you have a single WSUS GPO sitting and linked at the top of youraddomain.suffix?
Computer GPOs are loaded at BOOT.
You should have LAYERED WSUS GPOs:
Top of the domain: intranet site set.
WSUS rules, client targeting should be a GPO linked to the OU where the computers/servers are in the event you want to control and separate controls.
I.e. for workstations, the rules are to install once the update is approved for install, while on the servers the rule is download and notify.



Leo

ASKER

@Hello There, I have tried that script; it didn't work.

@arnold. The layered WSUS GPO approach you mentioned, is there any example of it?

thanks,
arnold

I just did? Not sure I understand your question.
GPO settings can layer. Or you can configure wsus GPOs per OU with all the detail within.
Hello There

Is the filter set to Any?

Can you provide a screenshot of the group where you are supposed to see computers?

Can you click on "Computers" and share a screenshot of "Overview"?                                  
Leo

ASKER

Yes set to Any, I have attached screenshot, only one computer is showing, status of it is not reported.

Attachments: Wsus01.JPG, WSUS03.JPG
ASKER CERTIFIED SOLUTION
Hello There

Leo

ASKER

I have verified the setting that you asked. thanks.

When I browse to http://server.domain.local:8530/ClientWebService/client.asmx, I get the screenshot attached.

thanks.
Attachment: WSUS02.JPG
Hello There

If you can download the file, it seems to be ok.

Hello There

Now verify that the WSUS policy is linked to an OU with computers.
arnold

Is the sole reporting server the one on which you installed wsus?

Double check the mode in which you configured WSUS to run in. GPO based assignment?

The WSUS is a computer configuration. Do layered GPOs.
At the top of the domain: WSUS intranet destination GPO.
The only entries here are the intranet site and the reporting site, which should be the same thing. I would suggest you don't use the server name, but a placeholder such as myupdateser.myaddomain.com
Within the DNS add an alias of that record pointing to wsusserver. The reason is that DNS can be easily retargeted as compared to changes in a computer GPO. Such that five, seven when the upgrade cycle kicks in, you can build a new WSUS hosting system, get data from the current, and when ready transition all clients to the new one via DNS record update.

Now you create a GPO per type: WSUS server GPO, WSUS workstation GPO.
Here, you would define clienttarget server or workstation.
For server set download and notify, while the workstation install.
Both should have no-auto restart when there is a logged in user.
You can alter the frequency at which the clients look if new updates are available from once every 24 hours to more frequent. Deals with workstations if they are regularly powered off. I.e. You may approve updates in the middle of the day in hopes that they will be retrieved and applied that day .... Completed on boot ...

My suggestion, you should have one of each type of your environment's workstations into a test OU to which you would apply a wsus workstation test GPO (clienttarget must be its own). Test workstations
The point deals with wsus config where you would use the auto-approval process to approve critical and security updates for test workstation group within wsus.
This will require that you apply the install of the pending updates to the remaining Workstations. 
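
The layered layout described in the post above, as an added PowerShell sketch using the GroupPolicy module (RSAT); it is not part of the original thread. The domain DN, OU paths, GPO names, target group names, detection frequency and install schedule are all placeholders chosen for illustration.

```powershell
# Added example (not from the thread): one location GPO at the domain root,
# plus one behaviour GPO per computer type linked to its own OU.
# ASSUMPTIONS: every name, DN and schedule value below is a placeholder.
Import-Module GroupPolicy

$DomainDn = 'DC=myaddomain,DC=com'
$WsusUrl  = 'http://myupdateser.myaddomain.com:8530'   # DNS alias, not the server name
$WU = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

function Set-WsusValue {
    param($Gpo, $Key, $Name, $Type, $Value)
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

# Layer 1: intranet and reporting location only, linked at the top of the domain.
$top = 'WSUS - Location'
New-GPO -Name $top | Out-Null
Set-WsusValue $top $WU 'WUServer'       String $WsusUrl
Set-WsusValue $top $WU 'WUStatusServer' String $WsusUrl
Set-WsusValue $top $AU 'UseWUServer'    DWord  1
New-GPLink -Name $top -Target $DomainDn | Out-Null

# Layer 2: client-side targeting and install behaviour per computer type.
# AUOptions 3 = download and notify, 4 = download and schedule the install.
$layers = @(
    @{ Gpo = 'WSUS - Servers';      Ou = "OU=Servers,$DomainDn";      Group = 'Servers';      AUOptions = 3 },
    @{ Gpo = 'WSUS - Workstations'; Ou = "OU=Workstations,$DomainDn"; Group = 'Workstations'; AUOptions = 4 }
)
foreach ($l in $layers) {
    New-GPO -Name $l.Gpo | Out-Null
    Set-WsusValue $l.Gpo $WU 'TargetGroupEnabled' DWord 1
    Set-WsusValue $l.Gpo $WU 'TargetGroup'        String $l.Group
    Set-WsusValue $l.Gpo $AU 'NoAutoUpdate'       DWord 0
    Set-WsusValue $l.Gpo $AU 'AUOptions'          DWord $l.AUOptions
    Set-WsusValue $l.Gpo $AU 'NoAutoRebootWithLoggedOnUsers' DWord 1
    if ($l.AUOptions -eq 4) {
        # Placeholder schedule: every day at 03:00, and check for updates every 4 hours.
        Set-WsusValue $l.Gpo $AU 'ScheduledInstallDay'       DWord 0
        Set-WsusValue $l.Gpo $AU 'ScheduledInstallTime'      DWord 3
        Set-WsusValue $l.Gpo $AU 'DetectionFrequencyEnabled' DWord 1
        Set-WsusValue $l.Gpo $AU 'DetectionFrequency'        DWord 4
    }
    New-GPLink -Name $l.Gpo -Target $l.Ou | Out-Null
}
```

The `TargetGroup` names must match computer groups that already exist in the WSUS console, and the console must be set to "Use Group Policy or registry settings" for client-side targeting to take effect.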


Leo

ASKER

I verified that, thanks, but still not working.
arnold

Uptick a system and run gpupdate /f
Note you would be forced to reboot when computer GPO changes are seen.
Leo

ASKER

I have already done that on a few computers, thanks.
Do I have to install templates in GPO for Windows 10 and Server 2012 computers?
arnold

No, on boot they should be getting the info.

Use Group Policy Management Console (GPMC) on the server and confirm the GPO with WSUS settings is applied and confirm the settings you are pushing.
Note if you used 8530 that the intranet directive points there.

Look at the Get-WindowsUpdateLog to see what the system reports when it tries to get updates.

While you are saying the right things in terms of what should be set up to work, your subsequent statement that it does not points to a disconnect somewhere.

Even if you did not select the right products, the system should be reporting in.
Leo

ASKER

We have to decommission WSUS server (2016) and test it on Windows server 2012. Servers have started to appear on new server. But laptops and desktops are still not appearing.
When I run this query in cmd:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
they are pointing to the WSUS server IP address but not to the FQDN; when I run the same query on servers, they point to the WSUS FQDN.
Both of them have same group policy settings.
arnold

Are all systems on the same ip segment?
Double check the port

On the client, Win10, run PowerShell Get-WindowsUpdateLog

Then look through to see what errors exist/are reported.
Check the WSUS unassigned computer grouping.
Leo

ASKER

They are on the same IP segment, I have attached the log.
Attachments: WindowsUpdate.20200518.140408.981.9.etl, WindowsUpdate.20200518.140408.981.10.etl
On some of the laptops / computers, they are not pointing to any wsus server.
arnold

Double check the gpo applies and does not have errors.

Staggered good ed luminaries typos.
Intranet/reporting info.

Use GPMC on a server to confirm the WSUS would apply to the workstation.
Hello There

Any progress?
Leo

ASKER

Yes, apologies, got sidelined with other tasks.
I have to reinstall WSUS server and after that servers start to show up in WSUS container.
But laptops are still not showing.
The computer drive (E:) I selected to store WSUS updates is showing it's empty; what could be the reason for that?

thanks.
Hello There

"I have to reinstall WSUS server and after that servers start to show up in WSUS container."
So the WSUS server is working.

"But Laptops are still not showing."
Since you reinstalled WSUS, we need to start here from scratch. Verify that the GPO is applying to the correct OU. And go through all the troubleshooting steps we discussed above.

"The computer drive (E:) i selected to store WSUS updates is showing its empty, what could be reason for that?"
Open WSUS -> Products and Classifications -> tick all products you use in the network that you want to update via WSUS. Do the same on the Classification tab (except drivers).
Then open Update Files and Languages -> tick English (or whatever languages you use).
