We help IT Professionals succeed at work.

Windows updates not available on server from WSUS server

173 Views
Last Modified: 2020-06-05
I am running windows server 2019, with only the WSUS services installed.
I have downloaded a certain KB update that is critical that has not been installed on my servers, it's for exchange.  I am running windows server 2016 for my exchange server.

When I check for windows updates on my (Exchange) server, it doesn't show me any updates, or does not show me specifically the manual update I downloaded to my WSUS server.

How can I get my windows server to install a specific KB update that my WSUS server has on it, it's approved for install and everything.  How can I push it out to my Exchange server, is there a manual work around if needed, not sure why the check for updates is not working?
Comment
Watch Question

Seth SimmonsLead Systems Administrator
CERTIFIED EXPERT

Commented:
if you run a report for the exchange server for what is needed, does that update appear in the list as being approved - not installed or something different?
Udara PeirisSystem Engineer
CERTIFIED EXPERT

Commented:
Hi Dan,
You can use Microsoft Update Catalog to download KB updates manually.
https://www.catalog.update.microsoft.com/Home.aspx

To Download Exchange 2016 CU updates manually, Followup given links in below document,
https://docs.microsoft.com/en-us/exchange/new-features/updates?view=exchserver-2016 

Harjit DhaliwalSysAdmin
CERTIFIED EXPERT

Commented:
If you have approved and deployed the patches from WSUS, and if they are not seen on specific systems, then they are not applicable or needed by those systems.
DanNetwork Engineer

Author

Commented:
Seth, how do I run that report?

Udara, Yes, I used MUC, I downloaded the KB update manually to my WSUS, I don't know why it wasn't there. The article in question is: KB4536987
Not sure why my WSUS did not download that file.  So it's stilling on my WSUS server, approved, but when I go to my exchange and do windows updates, that one does not come up.

Harjit, Well it is applicable, as the KB is a security threat, and since it hasn't been installed yet, I don't know how it can not be be applicable?
Harjit DhaliwalSysAdmin
CERTIFIED EXPERT

Commented:
Okay, this makes more sense now. What you are looking at is a CU specifically for Exchange. Have you tried to run Windows Update on the Exchange server directly against Microsoft? If so, then does this particular patch appear? 
DanNetwork Engineer

Author

Commented:
Harjit, I don't see the option to run windows update against Microsoft instead of my WSUS server, how is that done?
Harjit DhaliwalSysAdmin
CERTIFIED EXPERT

Commented:
You click on "Check for updates from Microsoft Updates".

On Server 2019, click on Start, Settings, Update & Security.


DanNetwork Engineer

Author

Commented:
Harjit, I think you are using windows 10, but I'm using windows server 2016.
I don't see that option for windows server 2016.
DanNetwork Engineer

Author

Commented:
These are the options I have.

DanNetwork Engineer

Author

Commented:
So my Exchange server still does not show up in my WSUS server, so I think for now, that's my problem, how do I manually add the exchange server to my WSUS server, why doesn't it automatically populate?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Verify if the settings for windows update point to your wsus at all. To do so, look at the contents of this registry key
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate Is WUServer  populated with your WSUS' address? And under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, is there a key UseWUServer present and set to 1?
Needs to be.
DanNetwork Engineer

Author

Commented:
McKnife,  yes, the first entry points to
 http://wsus.domain.org:8530   (not sure about the port, but I believe it's the correct port.)
yes to the 2nd question as well, there's a key using hexadecimal, set to 1

I just checked and it's still not showing up in my wsus server.  I double checked my AD, and it's in the same container OU as all my other servers that are showing up.

I'm just puzzeled how my exchange server is in the same folder as the other servers, but it somehow gets different GP's applied to it.  How is this possible?  Elisha is my exchange server and netinfo is just another server in the same OU.  

I do see that the exchange server is part of more groups than my other server, but I don't know how that would have anything to do with it.
What gets me is, how do I find where some of the GPs are coming from, for example "printers-for all departments", as that's a user GP not a computer GP.









CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
On the server that does not update, open an elevated command prompt and launch (if it fails executing once launch it twice)
Net stop wuauserv & rd c:\windows\softwaredistribution /s /q
Net start wuauserv
Then search for updates again and after a while, check on your wsus again.

DanNetwork Engineer

Author

Commented:
the commands were successful on first try.  I'm waiting now, I'll keep you updated.
DanNetwork Engineer

Author

Commented:
how long should I be waiting
DanNetwork Engineer

Author

Commented:
I just discovered my windows update service was stopped, so I started it.    Waiting again.......
DanNetwork Engineer

Author

Commented:
after starting the windows update service on the server and then executed the wsus commands again, it's been over 10 hours now since yesterday and the server still has not appeared in my WSUS console.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Download https://web.archive.org/web/20151227002916/http://www.hs2n.at/component/docman/doc_download/11-wuinstall-11-32-bit
extract it and run the command and quote the output:
Wuinstall /install
DanNetwork Engineer

Author

Commented:
This is what I get:

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
"no wsus server configured" is the result. Since it is configured via registry, that is odd.
1 rename the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
2 on an elevated command line, do
gpupdate /force /target:computer
Press F5 in regedit and verify if the renamed key gets recreated (it should)
3 if it does, restart the windows update service and run wuinstall /install again.
DanNetwork Engineer

Author

Commented:
i ran that file on my exchange server, not on my WSUS server.
The registry is empty, at least the  key you mentioned.





DanNetwork Engineer

Author

Commented:
So how can I figure out why these GPOs were not applied?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The reasons are listed in your screenshot. Security filtering excludes the exchange from the wsus policy and a wmi filter excludes it from the Def dom policy.
Now right click the wsus policy select properties - security - and see what's set there and reconfigure it so that exchange is no longer excluded.
DanNetwork Engineer

Author

Commented:
McKnife,  I looked everywhere, so I did a right click on the policy, and there's no "properties" option anywhere.
I must be doing something wrong, unless you wanted me to click on "edit", and then try to edit the policy?  If you look at the 2nd screenshot, were you wanting me to just click on the policy, as I don't see anywhere where the policy is being excluded?





CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Right. 1st Edit, then right click the policy name.
DanNetwork Engineer

Author

Commented:
McKnife,  I did come accross where to exclude the group policy I believe, so in looking at the GP, I see some "unknown" accounts, not sure why or how they got there.  Maybe they are causing this issue?  Can I delete them?
I looked up my exchange server to see in what groups its in, and the only group that it's in this GP is the "servers" group.  Looks like the servers group has the option DENY "apply group policy" selected.

As I was typing this, I figured it out, the "servers" DL had old servers and my exchange server.   All my new servers are NOT part of the DL for some reason.

So what is the correct way configure this, do I just leave the servers DL under the delegation tab, add all my servers to the DL, and just remove the checkmbox for "deny" apply group policy option, right?

Do you recommend something different?


CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
DanNetwork Engineer

Author

Commented:
Now since the server is in my WSUS server, I have updates approved, I even added the cab file and approved KB4536987, which I'm trying to install on my exchange server, but the serer is telling me, "your device is up to date"  When I click on update history, the only update is an HP laserjet pro driver that actually failed to install.
It's been about 3 hours now, I would think that my exchange server and WSUS server had time to sync.
Not sure what else I'm missing.

DanNetwork Engineer

Author

Commented:
Something is wrong.  So in WSUS, my exchange server as a green check mark for installation status.
But when counting all the updates on the server, there are only 11, and the one I needed installed KB4536987 is NOT even installed, but it's showing me a green checkmark.  How crazy is that, I guess that's Microsoft for you, I have so many issues with running Microsoft, makes me want to jump ship to Linux.







CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Check if that update is possibly already included in the exchange cu that you are running.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
It would already be included in ex2016 CU16.
DanNetwork Engineer

Author

Commented:
I'm only on CU11.  I guess I can install CU16, but I think it uninstalls exchange and then reinstalls exchange in the process, and that's nerve-wracking, as so many times, when uninstall and then re-installing software, I run into issues.  I will make a backup of exchange.  

It would just be easier for me to install the KB that I need installed, not sure why WSUS is not installing the updates.   Either way, that's an issue, so even if I install CU16, it will won't resolve my issue with my WSUS not installing updates on my exchange.  I wonder if this is happening on other servers as well.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
[Edit: corrected the last link]
DanNetwork Engineer

Author

Commented:
I know that the KB4536987 applies only to 14 an 15, not CU11, as it's old.
I Just can't figure out why the exchange server sees no updates.  Checked again, and says it's up to date, but it's not.  
I had already tried to install the MSP on the exchange server, but I get this error when installing.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What MSP number is it?
DanNetwork Engineer

Author

Commented:
The filename is Exchange2016-KB4536987-x64-en.msp
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Ok, you write "I know that the KB4536987 applies only to 14 an 15, not CU11, as it's old" but you still try to install it and wonder why it fails? That is perfectly normal.Your Exchange version string is what? See https://support.microsoft.com/en-us/help/152439/how-to-determine-the-version-number-the-build-number-and-the-service-p  to determine it.
Then we can determine what update it needs.

I am 99% sure that all you see is normal and there are no further updates possible for your exchange 2016 CU11.
DanNetwork Engineer

Author

Commented:
Well, even if I have all the updates for CU11 as you said, why doesn't WSUS/exchange install the update for cu15, which is now on my wsus server?  

Name                : ELISHA
Edition             : Standard
AdminDisplayVersion : Version 15.1 (Build 1591.10)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I highly doubt that you have cu15 itself on the wsus. You will have some update for cu15, not cu15 itself. I don't think cumulative updates for exchange can be deployed via wsus at all.
DanNetwork Engineer

Author

Commented:
I think you're right, it's probably an update, Oh I see, so If I don't have CU15 installed on the server, then the only updates the server will get is only the updates for CU11, is that what you're saying?   If that's the case, that makes sense, and I guess I need to upgrade to CU15 ASAP.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
That's it.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Take CU16.
DanNetwork Engineer

Author

Commented:
The only issue is, If I install CU16, I believe it's a new install, so when I install Cu16, it removes or uninstalls my exchange server, and then re installs it from scratch.  That's nerve wracking, as it's very easy for it to have issues, and then my entire exchange install is gone and have to attempt to reinstall exchange and restore from backups.
I like the fact of having a file and just updates the application, not completely uninstalls the application and re-installs it from scratch.

I will make sure I have a backup of my exchange, and will install CU16 as soon as I get a chance.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
CU16 is a new installation, so is CU15,14,... But never from scratch.
I did them all, no issues, nothing lost.
DanNetwork Engineer

Author

Commented:
ok, well what I mean is that when you install a new CU, it removes your current version of exchange, and reinstalls it with the new CU, and tries to apply your current settings back.  I will give that a try.
DanNetwork Engineer

Author

Commented:
I just installed exchange 2016 CU16, and it took 5 hours, this was crazy.
OWA works, I can send emails, but I can't receive emails.
The server has been restarted and I have manually restarted the IS store and transport services already.
All my receive connectors are in place and active.

Any ideas why I am not receiving emails?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Our last upgrade CU15->16 took maybe 30 minutes.
Never had problems, never needed to adjust anything.

I think it would be time for a new question to let other exchange experts look at that error, Dan. If you need your server back2normal ASAP, I suggest to revert to a backup if you have a true and tried one.
And please quote the error messages along with your question and maybe some screenshots of your exchange settings.
DanNetwork Engineer

Author

Commented:
thanks McKnife. after about two hours or so it started working on its own. thanks for all your help yes I did open another question. I believe both are closed now.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You are welcome.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions