
WSUS Group policy not reaching to computers / servers

Last Modified: 2020-08-25
I have installed a new WSUS server. Have set up the Group Policies, but computers are not getting the policy for WSUS.

They are getting rest of the GPs, but not the WSUS one?

Have checked on computers, registry settings, port settings all seems to be fine to target WSUS server.

But the GP for WSUS is not showing up in gpresult. Have restarted computers / servers few times.

WSUS is on Server version 2016; the rest of the servers are at least 2012.

Thanks,

Sean Bravener, Senior Information Technology Consultant
CERTIFIED EXPERT
Awarded 2019
Distinguished Expert 2019

Commented:
Silly question, I know, but have you checked that the policy is linked to the domain?

Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
I think so, how can I make sure?

We have single forest single domain setup for 9 countries.

thanks
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
"They are getting rest of the GPs, but not the WSUS one?"
Have you run gpupdate /force on the client machines?

How to set up WSUS and GPO:
Go to the WSUS server and open the console -> Options -> Computers -> Which setting is selected? If you choose "Use the Update Service console", you will find computers in the Unassigned Computers group. If you choose "Use Group Policy or registry settings", you need to configure GPO and apply it to computers:

GPO:
Configure Automatic Updates - Enabled
Specify Intranet Microsoft Update Service Location  - Enabled (http://wsus-server:8530)
Enable client-side targeting - Enabled

How to check GPO settings on the computer?
Open regedit on the computer -> HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> verify that all settings are correct

There are other items you can check. I would start with this guide. Can you verify that all needed items have been configured?
https://www.prajwaldesai.com/install-configure-wsus-on-windows-server-2019/
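
The registry check described in the answer above, as an added PowerShell example that is not part of the original thread. The function names, the constructed sample values and the default port (taken from the GPO example above) are assumptions; the value names are the ones the Windows Update policy writes.

```powershell
# Added example, not from the thread. Audits the values the WSUS GPO writes under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey.
function Get-WsusClientPolicy {
    # Read the live policy values; missing keys simply yield $null entries.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    @{ WUServer = $wu.WUServer; WUStatusServer = $wu.WUStatusServer
       TargetGroupEnabled = $wu.TargetGroupEnabled; UseWUServer = $au.UseWUServer }
}

function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [int]$ExpectedPort = 8530   # assumption: port used in the GPO example above
    )
    if (-not $Policy.WUServer) {
        return @('WUServer is not set: the WSUS GPO has not applied to this computer')
    }
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1: the client ignores WUServer'
    }
    if ($Policy.WUServer -ne $Policy.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ: status is reported elsewhere'
    }
    $uri = $null
    if (-not [uri]::TryCreate($Policy.WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        return $findings + "WUServer '$($Policy.WUServer)' is not a valid URL"
    }
    if ("$($uri.HostNameType)" -match '^IPv[46]$') {
        $findings += "WUServer is an IP address ($($uri.Host)), not an FQDN: find the winning GPO with gpresult /h"
    }
    if ($uri.Port -ne $ExpectedPort) {
        $findings += "WUServer port is $($uri.Port), expected $ExpectedPort"
    }
    if ($uri.Scheme -eq 'http') {
        $findings += 'WUServer uses plain HTTP: update metadata is unprotected in transit (WSUS with TLS defaults to 8531)'
    }
    if ($Policy.TargetGroupEnabled -ne 1) {
        $findings += 'Client-side targeting is off: the computer lands in Unassigned Computers'
    }
    $findings
}

# Constructed sample: a laptop like those described in the thread (IP instead of FQDN).
$sample = @{ WUServer = 'http://10.0.0.15:8530'; WUStatusServer = 'http://10.0.0.15:8530'
             UseWUServer = 1; TargetGroupEnabled = 0 }
Test-WsusClientPolicy -Policy $sample
# On a real client: Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```

An empty result means the client policy matches what the GPO is meant to deliver; any finding narrows the problem to GPO scope or precedence rather than the WSUS server.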
Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
"How to set up WSUS and GPO:
Go to the WSUS server and open the console -> Options -> Computers -> Which setting is selected? If you choose "Use the Update Service console", you will find computers in the Unassigned Computers group. If you choose "Use Group Policy or registry settings", you need to configure GPO and apply it to computers"
It was not set up to use "Use Group Policy or registry settings". All the rest of the settings and the link from prajwaldesai, I have checked; they are fine.

So far I can see 3 servers under WSUS. When I run gpresult /r on these servers, they are not getting the group policy for WSUS, but still they show up under WSUS. Not sure how?


Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
"So far I can see 3 servers under WSUS, when i run gpresult /r on these servers, they are not getting the group policy for WSUS, but still they show up under WSUS. not sure how?"
If you choose "Use the Update Service console", new computers will be automatically placed in the Unassigned Computers group.
Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
I tried that setting and after two days, there are still only 3 servers. No new servers or laptops have been discovered.
When I was configuring WSUS, I selected E: drive to store all updates, but that drive is empty, no updates have been downloaded? I did the initial sync for download, that was successful.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
@Leo Any progress?
Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
Yes, I managed to get updates downloaded, but I can't see any computers / servers.
I ran a registry query and they are pointing to the WSUS server.
I checked under group policy, they have been set properly.
But they still don't show under the WSUS console. I have unauthorized and re-authorized a few times; that didn't work.

Do I have to do anything with Group Policy templates for Windows 10 and Windows Server 2012 / 2016?
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Is the filter set to Any?

Can you provide a screenshot of the group where you are supposed to see computers?

Can you click on "Computers" and share a screenshot of "Overview"?
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Run this script on all machines and see if it helps.
net stop bits
net stop wuauserv
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
exit
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Where did you link the wsus GPO in group policy management console?
What is your WSUS GPO structure?
Do you have a single wsus GPO sitting and linked at the top of youraddomain.suffix?
Computer GPOs are loaded at BOOT.
You should have LAYERED wsus GPOs
Top of the domain intranet site set
WSUS rules, client targeting should be a GPO linked to the OU where the computers/servers are in the event you want to control and separate controls.
I.e. For workstations, the rules are to install once the update is approved for install, while on the servers the rule is download and notify.



Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
@Hello There, I have tried that script, it didn't work.

@arnold. The layered WSUS GPO approach you mentioned, is there any example of it?

thanks,
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I just did? Not sure I understand your question.
GPO settings can layer. Or you can configure wsus GPOs per OU with all the detail within.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Is the filter set to Any?

Can you provide a screenshot of the group where you are supposed to see computers?

Can you click on "Computers" and share a screenshot of "Overview"?                                  
Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
Yes set to Any, I have attached screenshot, only one computer is showing, status of it is not reported.

[Attachments: Wsus01.JPG, WSUS03.JPG]
Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
I have verified the setting that you asked. thanks.

When I browse to http://server.domain.local:8530/ClientWebService/client.asmx, I get the screenshot attached.

thanks.
[Attachment: WSUS02.JPG]
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
If you can download the file, it seems to be ok.

Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Now verify that the WSUS policy is linked to an OU with computers.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Is the sole reporting server the one on which you installed wsus?

Double check the mode in which you configured wsus to run in. GPO based assignment?

The wsus is a computer configuration. Do layered GPOs.
At the top of the domain wsus intranet destination gpo
The only entries here are the intranet site and the reporting site which should be the same thing. I would suggest you don't use the server name, but a place holder such as myupdateser.myaddomain.com
Within the DNS add an alias of that record pointing to wsusserver. The reason is that DNS can be easily retargeted as compared to changes in a computer GPO. Such that five, seven when the upgrade cycle kicks in, you can build a new WSUS hosting system, get data from the current, and when ready transition all clients to the new one via DNS record update.

Now you create a GPO per type: wsus server GPO, wsus workstation GPO
Here, you would define clienttarget server or workstation
For server set download and notify, while the workstation install
Both should have no-auto restart when there is a logged in user.
You can alter the frequency at which the clients look if new updates are available from once every 24 hours to more frequent. Deals with workstations if they are regularly powered off. I.e. You may approve updates in the middle of the day in hopes that they will be retrieved and applied that day .... Completed on boot ...

My suggestion, you should have one of each type of your environment's workstations into a test OU to which you would apply a wsus workstation test GPO (clienttarget must be its own). Test workstations
The point deals with wsus config where you would use the auto-approval process to approve critical and security updates for test workstation group within wsus.
This will require that you apply the install of the pending updates to the remaining Workstations. 


Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
I verified that, thanks, but still not working.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Uptick a system and run gpupdate /f
Note you would be forced to reboot when computer GPO changes are seen.
Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
I have already done that on a few computers, thanks.
Do I have to install templates in GPO for Windows 10 and Server 2012 computers?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
No, on boot they should be getting the info.

Use Group Policy Management Console (GPMC) on the server and confirm the GPO with WSUS settings are applied and confirm the settings you are pushing.
Note if you used 8530 that the intranet directive points there.

Look at the get-windowsupdatelog to see what the system reports when it tries to get updates.

While you are saying the right things in terms of what should be set up to work, your subsequent statement that it does not is pointing to a disconnect somewhere.

Even if you did not select the right products, the system should be reporting in.
Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
We have to decommission WSUS server (2016) and test it on Windows server 2012. Servers have started to appear on new server. But laptops and desktops are still not appearing.
When I run this query on cmd:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
they are pointing to the WSUS server IP address but not to the FQDN name. When I run the same query on servers, they point to the WSUS FQDN name.
Both of them have same group policy settings.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Are all systems on the same ip segment?
Double check the port

On the client, win10, run powershell Get-WindowsUpdateLog

Then look through to see what errors exist/reported
Check wsus unassigned computer grouping
Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
They are on the same IP segment, I have attached the log.
[Attachments: WindowsUpdate.20200518.140408.981.9.etl, WindowsUpdate.20200518.140408.981.10.etl]
On some of the laptops / computers, they are not pointing to any wsus server.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Double check the gpo applies and does not have errors.

Staggered good ed luminaries typos.
Intranet/reporting info.

Use Gpmc on a server to confirm the wsus would apply to the workstation.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Any progress?
Leo, Snr Network Eng
CERTIFIED EXPERT

Author

Commented:
Yes, apologies, got sidelined with other tasks.
I had to reinstall the WSUS server and after that servers started to show up in the WSUS container.
But laptops are still not showing.
The computer drive (E:) I selected to store WSUS updates is showing it's empty, what could be the reason for that?

thanks.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
"I have to reinstall WSUS server and after that servers start to show up in WSUS container."
So the WSUS server is working.

"But Laptops are still not showing."
Since you reinstalled WSUS, we need to start here from scratch. Verify that the GPO is applying to the correct OU. And go through all the troubleshooting steps we discussed above.

"The computer drive (E:) i selected to store WSUS updates is showing its empty, what could be reason for that?"
Open WSUS -> Products and Classifications -> tick all products you use in the network that you want to update via WSUS. Do the same on the Classification tab (except drivers).
Then open Update Files and Languages -> tick English (or whatever languages you use).
