Leo asked:

WSUS Group policy not reaching to computers / servers

I have installed a new WSUS server. Have set up the Group Policies, but computers are not getting the policy for WSUS.

They are getting the rest of the GPs, but not the WSUS one?

Have checked on computers: registry settings, port settings all seem to be fine to target the WSUS server.

But the GP for WSUS is not showing up in gpresult. Have restarted computers / servers a few times.

WSUS is on Server 2016; the rest of the servers are at least 2012.

Thanks,
Tags: Microsoft Server OS, WSUS, Active Directory, Networking


8/22/2022 - Mon
Sean Bravener

Silly question, I know, but have you checked that the policy is linked to the domain?

ASKER
Leo

I think so, how can I make sure?

We have single forest single domain setup for 9 countries.

thanks
Hello There

They are getting rest of the GPs, but not the WSUS one?
Have you run gpupdate /force on the client machines?

How to set up WSUS and GPO:
Go to the WSUS server and open the console -> Options -> Computers -> Which setting is selected? If you choose "Use the Update Service console", you will find computers in the Unassigned Computers group. If you choose "Use Group Policy or registry settings", you need to configure GPO and apply it to computers:

GPO:
Configure Automatic Updates - Enabled
Specify Intranet Microsoft Update Service Location  - Enabled (http://wsus-server:8530)
Enable client-side targeting - Enabled

How to check GPO settings on the computer?
Open regedit on the computer -> HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> verify that all settings are correct

There are other items you can check. I would start with this guide. Can you verify that all needed items have been configured?
https://www.prajwaldesai.com/install-configure-wsus-on-windows-server-2019/
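
A way to script the registry check described in the post above, as an added example that is not part of the original thread. It reads the standard Windows Update policy values and probes the `ClientWebService/client.asmx` endpoint that comes up later in the thread; the function names are hypothetical, and it is meant to be run in an elevated PowerShell session on the client being investigated.

```powershell
# Added example: audit the WSUS policy values this client actually received.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-WsusClientPolicy {
    $server    = Get-PolicyValue $wuKey 'WUServer'
    $status    = Get-PolicyValue $wuKey 'WUStatusServer'
    $useWsus   = Get-PolicyValue $auKey 'UseWUServer'
    $targeting = Get-PolicyValue $wuKey 'TargetGroupEnabled'
    $group     = Get-PolicyValue $wuKey 'TargetGroup'

    if (-not $server) {
        return 'WUServer is not set: no WSUS GPO reached this machine (check link and OU).'
    }
    if ($useWsus -ne 1) { 'AU\UseWUServer is not 1: the client ignores WUServer.' }
    if ($status -ne $server) { "WUStatusServer ($status) differs from WUServer ($server)." }
    if ($targeting -eq 1 -and -not $group) { 'Client-side targeting is on but TargetGroup is empty.' }

    $uri = $null
    if (-not [uri]::TryCreate($server, [System.UriKind]::Absolute, [ref]$uri)) {
        return "WUServer '$server' is not a valid URL."
    }
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($uri.Host, [ref]$ip)) {
        'WUServer is an IP address, not the FQDN: another GPO or a stale value is winning.'
    }
    # Same endpoint the asker opens in a browser; a 200 response shows the
    # client can reach the WSUS web service on the configured port.
    $probe = $server.TrimEnd('/') + '/ClientWebService/client.asmx'
    try {
        $r = Invoke-WebRequest -Uri $probe -UseBasicParsing -TimeoutSec 10
        "Reached $probe (HTTP $($r.StatusCode)), port $($uri.Port)."
    } catch {
        "Cannot reach ${probe}: $($_.Exception.Message)"
    }
}

Test-WsusClientPolicy
```
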
ASKER
Leo

"How to set up WSUS and GPO:
Go to the WSUS server and open the console -> Options -> Computers -> Which setting is selected? If you choose "Use the Update Service console", you will find computers in the Unassigned Computers group. If you choose "Use Group Policy or registry settings", you need to configure GPO and apply it to computers"
It was not set up to use "Use Group Policy or registry settings". All the rest of the settings and the link from prajwaldesai, I have checked; they are fine.

So far I can see 3 servers under WSUS. When I run gpresult /r on these servers, they are not getting the group policy for WSUS, but still they show up under WSUS. Not sure how?


Hello There

So far I can see 3 servers under WSUS, when i run gpresult /r on these servers, they are not getting the group policy for WSUS, but still they show up under WSUS. not sure how?
If you choose "Use the Update Service console", new computers will be automatically placed in the Unassigned Computers group.
ASKER
Leo

I tried that setting and after two days, there are still only 3 servers. No new servers or laptops have been discovered.
When I was configuring WSUS, I selected the E: drive to store all updates, but that drive is empty; no updates have been downloaded? I did the initial sync for download, and that was successful.
Hello There

@Leo Any progress?
ASKER
Leo

Yes, I managed to get updates downloaded, but I can't see any computers / servers.
I ran a registry query and they are pointing to the WSUS server.
I checked under group policy; they have been set properly.
But they still don't show under the WSUS console. I have unauthorized and re-authorized a few times; that didn't work.

Do I have to do anything with Group Policy templates for Windows 10 and Windows Server 2012 / 2016?
Hello There

Is the filter set to Any?

Can you provide a screenshot of the group where you are supposed to see computers?

Can you click on "Computers" and share a screenshot of "Overview"?
Hello There

Run this script on all machines and see if it helps.
net stop bits
net stop wuauserv
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
exit


arnold

Where did you link the WSUS GPO in Group Policy Management Console?
What is your WSUS GPO structure?
Do you have a single WSUS GPO sitting and linked at the top of youraddomain.suffix?
Computer GPOs are loaded at BOOT.
You should have LAYERED WSUS GPOs
Top of the domain intranet site set
WSUS rules, client targeting should be a GPO linked to the OU where the computers/servers are in the event you want to control and separate controls.
I.e. for workstations, the rules are to install once the update is approved for install, while on the servers the rule is download and notify.



ASKER
Leo

@Hello There, I have tried that script; it didn't work.

@arnold. The layered WSUS GPO approach you mentioned, is there any example of it?

thanks,
arnold

I just did? Not sure I understand your question.
GPO settings can layer. Or you can configure wsus GPOs per OU with all the detail within.
Hello There

Is the filter set to Any?

Can you provide a screenshot of the group where you are supposed to see computers?

Can you click on "Computers" and share a screenshot of "Overview"?                                  
ASKER
Leo

Yes set to Any, I have attached screenshot, only one computer is showing, status of it is not reported.

Attachments: Wsus01.JPG, WSUS03.JPG
ASKER CERTIFIED SOLUTION
Hello There

ASKER
Leo

I have verified the setting that you asked. thanks.

When I browse to http://server.domain.local:8530/ClientWebService/client.asmx, I get the screenshot attached.

thanks.
Attachment: WSUS02.JPG
Hello There

If you can download the file, it seems to be ok.

Hello There

Now verify that the WSUS policy is linked to an OU with computers.
arnold

Is the sole reporting server the one on which you installed wsus?

Double check the mode in which you configured WSUS to run in. GPO based assignment?

The WSUS is a computer configuration. Do layered GPOs.
At the top of the domain WSUS intranet destination GPO
The only entries here are the intranet site and the reporting site which should be the same thing. I would suggest you don't use the server name, but a placeholder such as myupdateser.myaddomain.com
Within the DNS add an alias of that record pointing to wsusserver. The reason is that DNS can be easily retargeted as compared to changes in a computer GPO. Such that five, seven when the upgrade cycle kicks in, you can build a new WSUS hosting system, get data from the current, and when ready transition all clients to the new one via DNS record update.

Now you create a GPO per type: WSUS server GPO, WSUS workstation GPO
Here, you would define clienttarget server or workstation
For server set download and notify, while the workstation install
Both should have no-auto restart when there is a logged in user.
You can alter the frequency at which the clients look if new updates are available from once every 24 hours to more frequent. Deals with workstations if they are regularly powered off. I.e. You may approve updates in the middle of the day in hopes that they will be retrieved and applied that day .... Completed on boot ...

My suggestion, you should have one of each type of your environment's workstations into a test OU to which you would apply a WSUS workstation test GPO (clienttarget must be its own). Test workstations
The point deals with WSUS config where you would use the auto-approval process to approve critical and security updates for test workstation group within WSUS.
This will require that you apply the install of the pending updates to the remaining Workstations. 
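
The layered structure described in the post above, as an added example that is not part of the original thread and not the poster's own script. It uses the GroupPolicy module cmdlets and the standard Windows Update policy registry values; the domain DN, OU paths, GPO names, WSUS group names and install schedule are assumptions to adapt, and the URL reuses the placeholder alias from the post.

```powershell
# Added example: layered WSUS GPOs. Needs the GroupPolicy module (GPMC/RSAT).
# Domain DN, OU paths, GPO names and the install schedule are assumptions.
Import-Module GroupPolicy

$domainDn = 'DC=myaddomain,DC=com'
$wsusUrl  = 'http://myupdateser.myaddomain.com:8530'   # DNS alias, not the host name
$wuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey    = "$wuKey\AU"

function Set-WsusPolicy {
    param($Gpo, $Key, $Name, $Type, $Value)
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

# Layer 1, linked at the domain root: only the intranet and reporting location.
$top = 'WSUS - Location'
New-GPO -Name $top | Out-Null
Set-WsusPolicy $top $wuKey 'WUServer'       String $wsusUrl
Set-WsusPolicy $top $wuKey 'WUStatusServer' String $wsusUrl
Set-WsusPolicy $top $auKey 'UseWUServer'    DWord  1
New-GPLink -Name $top -Target $domainDn | Out-Null

# Layer 2, one GPO per computer type, linked to the OU holding those computers.
# AUOptions 3 = download and notify, 4 = download and install on a schedule.
# The TargetGroup names must already exist as computer groups in the WSUS console.
$layers = @(
    @{ Gpo = 'WSUS - Servers';      Ou = "OU=Servers,$domainDn";      Group = 'Servers';      AUOptions = 3 },
    @{ Gpo = 'WSUS - Workstations'; Ou = "OU=Workstations,$domainDn"; Group = 'Workstations'; AUOptions = 4 }
)
foreach ($l in $layers) {
    New-GPO -Name $l.Gpo | Out-Null
    Set-WsusPolicy $l.Gpo $wuKey 'TargetGroupEnabled' DWord 1
    Set-WsusPolicy $l.Gpo $wuKey 'TargetGroup' String $l.Group
    Set-WsusPolicy $l.Gpo $auKey 'AUOptions' DWord $l.AUOptions
    Set-WsusPolicy $l.Gpo $auKey 'NoAutoRebootWithLoggedOnUsers' DWord 1
    if ($l.AUOptions -eq 4) {
        Set-WsusPolicy $l.Gpo $auKey 'ScheduledInstallDay'  DWord 0   # every day
        Set-WsusPolicy $l.Gpo $auKey 'ScheduledInstallTime' DWord 3   # 03:00
    }
    New-GPLink -Name $l.Gpo -Target $l.Ou | Out-Null
}

# Confirm what a computer in each OU will inherit, and in which order.
foreach ($l in $layers) {
    (Get-GPInheritance -Target $l.Ou).InheritedGpoLinks | Select-Object DisplayName, Order, Enabled
}
```

The final `Get-GPInheritance` call also answers the earlier "how can I make sure it is linked?" question: a GPO that is missing from the inherited list for an OU will never show up in gpresult on computers in that OU.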


ASKER
Leo

I verified that, thanks, but still not working.
arnold

Uptick a system and run gpupdate /f
Note you would be forced to reboot when computer GPO changes are seen.
ASKER
Leo

I have already done that on a few computers, thanks.
Do I have to install templates in GPO for Windows 10 and Server 2012 computers?
arnold

No, on boot they should be getting the info.

Use Group Policy Management Console (GPMC) on the server and confirm the GPO with WSUS settings is applied and confirm the settings you are pushing.
Note if you used 8530 that the intranet directive points there.

Look at the Get-WindowsUpdateLog to see what the system reports when it tries to get updates.

While you are saying the right things in terms of what should be set up to work, your subsequent statement that it does not points to a disconnect somewhere.

Even if you did not select the right products, the system should be reporting in.
ASKER
Leo

We had to decommission the WSUS server (2016) and test it on Windows Server 2012. Servers have started to appear on the new server. But laptops and desktops are still not appearing.
When I run this query in cmd:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
they are pointing to the WSUS server IP address but not to the FQDN; when I run the same query on servers, they point to the WSUS FQDN.
Both of them have the same group policy settings.
arnold

Are all systems on the same ip segment?
Double check the port

On the client, Win10, run PowerShell Get-WindowsUpdateLog

Then look through to see what errors exist/reported
Check WSUS unassigned computer grouping
ASKER
Leo

They are on the same IP segment, I have attached the log.
Attachments: WindowsUpdate.20200518.140408.981.9.etl, WindowsUpdate.20200518.140408.981.10.etl
On some of the laptops / computers, they are not pointing to any wsus server.
arnold

Double check the gpo applies and does not have errors.

Staggered good ed luminaries typos.
Intranet/reporting info.

Use GPMC on a server to confirm the WSUS would apply to the workstation.
Hello There

Any progress?
ASKER
Leo

Yes, apologies, got sidelined with other tasks.
I had to reinstall the WSUS server and after that servers started to show up in the WSUS container.
But laptops are still not showing.
The computer drive (E:) I selected to store WSUS updates is showing it's empty, what could be the reason for that?

thanks.
Hello There

I have to reinstall WSUS server and after that servers start to show up in WSUS container. 
So the WSUS server is working.

But Laptops are still not showing.
Since you reinstalled WSUS, we need to start here from scratch. Verify that the GPO is applying to the correct OU. And go through all the troubleshooting steps we discussed above.

The computer drive (E:) i selected to store WSUS updates is showing its empty, what could be reason for that? 
Open WSUS -> Products and Classifications -> tick all products you use in the network that you want to update via WSUS. Do the same on the Classification tab (except drivers).
Then open Update Files and Languages -> tick English (or whatever languages you use).
