Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17



Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.

Share tech news, updates, or what's on your mind.

Sign up to Post

I hope you have good day. i've server (WIN 2012 datacenter R2)installed on it wsus role and also SCCM 2012 (with external SQL DB) i just need to configure the autmatic update that sccm will take it from wsus and deploy it on the PCs in my network, how can i make that?
Important Lessons on Recovering from Petya
LVL 10
Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

One audit finding was raised to us:

a) it's a risk if SCCM (which we use to manage PCs, workstations, including critical payment workstations),
    WSUS (which we used to patch servers in Prod DMZ, Prod internal zones as well as Development/UAT),
    Desktop Central (to manage PCs, laptops), AD & NTP contain authenticators (eg: login id & password) of
    the endpoints they manage.  Do these managemt tools truly contain the authenticators?
    They may use AD credentials or even local credentials (eg: local administrator) to login to control
     the endpoints but do they actually contain the authenticators ?

b) if the answer is "yes", we were told to place all these mgmt tools (SCCM, DCentral, AD server, NTP etc)
     in an isolated secure zone rather than in DMZ so that the authenticators are not easily "stolen" : is
     this a valid mitigation/recommendation?    
    If it's too much to overhaul this, can we create Windows Firewall on these devices to block all traffic
     except the required traffic to mitigate ?

One more tool that we use to lodge privileged accounts credentials : the vendor actually recommend
we put it in DMZ when we 1st set it up, so quite confused if the vendor or the auditor is right
I just built two Windows 2016 Datacenter Cluster Servers for testing in my vCenter VM environment.
I have a Windows 2016 DataCenter VM which is the Domain Controller which works great.

On the two cluster servers I installed a program WindowsUpdateNiotifier which works similar to the old windows update icon in the system tray I use this on all my Windows 8 and up machines and works great.

The source for my updates is my Windows 2012 R2 WSUS server
Both cluster servers are registered in WSUS

When I try to apply the updates I get this message.

We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure your're connected to the internet.


I retry and retry no luck

How can I force the Windows 2016 to search MS online for updates too

The Windows 2016 Data Center Domain Controller works fine with updates from My WSUS server just these two puzzled

I am trying to reinstall WSUS 3.0 SP2 on a 2008 R2 server.  This server originally had WSUS 3.0 on in and had been uninstalled including logs, database, etc  If fails when I try to install it either from Add Roles in Server Manager or from a Downloaded WSUS 3.0 SP2 .exe (WSUS30-KB972455-x64.exe).  Following the progress of the install, is gets to the Configuring the Database step and fails with "There is a problem with this Windows Installer Package.  A program run as part the the setup did not finish as expected.

Any help will be greatly appreciated.  I am out of ideas and don't understand the setup logs (attached).

Thanks in advance

I just saw my wsus showing windows vista for windows 10 machines. I found hotfix for WIndows server 2012R2, but our wsus is 2008 R2.

Is there any work around?

KB2463332 simply fails to install.  What am I missing here?
I have WSUS Server 2012 which I am syncing with Microsoft website. It is showing that WSUS server is synced but when I verify the download folder no update is there. How to fix this? This is very urgent

Event ID:364
Error: Content file download failed. Reason: Error calling [kernel32.dll]:CreateDirectory(E:\WSUS1\WsusContent\B6) Source File:  Destination File: .
Windows 2012 R2 server running WSUS for ages, out of the blue has stopped working. Checks from clients show 8024401F. Server shows a few errors:

Self-update is not working.

The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)

Fault bucket , type 0
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.9.9600.18756
P2: 8024401f
P3: D67661EB-2423-451D-BF5D-13199E37DF28
P4: Scan
P5: 1
P6: 0
P7: 0
P8: SelfUpdate
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:

These files may be available here:

Analysis symbol:
Rechecking for solution: 0
Report Id: 88bfccdd-9cf4-11e7-80d6-00155d00230f
Report Status: 262144
Hashed bucket:
From windowsupdate.log
2017-09-18      21:39:29:807       920      146c      EP      Got WSUS SelfUpdate URL: ""
2017-09-18      21:39:29:807       920      146c      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x801901f4
2017-09-18      21:39:29:807       920      146c      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x801901f4
2017-09-18      …
Hi All,

We have WSUS configured so that client machines will "automatically download but notify for install."  I would assume that this would mean that clients would need manual approval for all installation.

However, we have a bunch of client machines that seem to be installing updates anyway.  In poking around GPO, I found a setting to disallow automatic update immediate installation.  The details seem to indicate that any updates that don't require a reboot will be automatically installed, seemingly disregarding my intention to approve all updates.

Will disallowing this setting get me to my goal, which is to manually install all updates (which have previously been approved in WSUS)?

As many users already reported, this month there are a lot of issues with WSUS.

I have an SCCM CB 1702 Site Server with WSUS on same server.

All was working fine until approx. 1 month ago.
The w3wp.exe process is constantly running at 95-100%.

I installed this Hotfix as described here.

However, the hotfix didn't solve the CPU usage but I could open the WSUS console again. (didn't start before)

After I've installed the hotfix, the WsusPool shuts down after recycling.
I've increased Private Memory to 8GB (used to be 4GB) but it still shuts down.
Only after I've set Rapid-Fail Protection to False the WsusPool is not shutting down.
But this doesn't seem to be a very smart setting.

Errors that keep coming back...
Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SITE=CM2 PID=2804 TID=6100 GMTDATE=do sep 14 10:02:26.175 2017 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
Sync failed. Will retry in 60 minutes

Free Tool: IP Lookup
LVL 10
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

i have a windows 2008 r2 server i am no longer able to install any updates. the server does not want to het installed with any updates. all updates it says not applicable for this computer message. even the standalone installer has also the same problem. with dism commands the result. i am not sure what the problem is. i tried all the tools like windows update trouble shooter , readiness tools, sfc, reset windows updates components etc. nothing seemed to work. please help.
I have deployed Office 2016 ISO version and I am having problems with WSUS updating office to the latest version.
Currently I am running office 2016 version 16.9.4549.1000 and windows update does not show any available updates for it.
I am running WSUS on server 2016 with every product classification turned on. I have downloaded the ADMX files for office 2016 and all the update settings only apply to the CTR version.  Microsoft seems to have abandoned office 2016 ISO and moved to the CTR version i'm guessing??

Two questions, for the love of god, why does microsoft keep doing this to us and how do I fix WSUS and office 2016?
Hi All,

I've got primary WSUS in the Head Office which downloads the updates and then distributes it into the Site Office 1, 2 and 3.
now, the Site Office 3 WSUS has broken, I need to know how to break the replication so I can just set it as the normal stand alone WSUS server directly downloading from the internet.

Can anyone here please let me know how to break the WSUS structure so that the site office which is now Synchronizing to the head office WSUS server can now be standing on its own?

I'm using WSUS 4.0 on Windows Server 2012 R2.
I have windows server 2012 Wsus Server and I have windows 10 systems in the same domain. but windows 10 system Updates are failed through WSUS.kindly help on this.
how to delete WSUS Database Manually?
We have an offsite location with a site to site tunnel setup.  For some reason, all of the devices on that side of the tunnel (opposite side of the WSUS server) can't download updates.  In the WSUS console, they show up as not reporting their status in 300+ days.  Any ideas why this is happening?  Its not the firewalls or IPS, we just switched brands and confirmed with the vendor (24/7 support with them)

I went on the servers and ran 'wuauclt /resetauthorization /detectnow'

Here is the results:

2017-09-07	13:07:31:631	 936	149c	Misc	===========  Logging initialized (build: 7.9.9600.18756, tz: -0500)  ===========
2017-09-07	13:07:31:631	 936	149c	Misc	  = Process: C:\Windows\system32\svchost.exe
2017-09-07	13:07:31:631	 936	149c	Misc	  = Module: c:\windows\system32\wuaueng.dll
2017-09-07	13:07:31:631	 936	149c	Service	*************
2017-09-07	13:07:31:631	 936	149c	Service	** START **  Service: Service startup
2017-09-07	13:07:31:631	 936	149c	Service	*********
2017-09-07	13:07:31:631	 936	149c	IdleTmr	Non-AoAc machine.  Aoac operations will be ignored.
2017-09-07	13:07:31:631	 936	149c	Agent	  * WU client version 7.9.9600.18756
2017-09-07	13:07:31:631	 936	149c	Agent	WARNING: SleepStudyTracker: Machine is non-AOAC. Sleep study tracker disabled.
2017-09-07	13:07:31:631	 936	149c	Agent	  * Base directory: C:\Windows\SoftwareDistribution
2017-09-07	13:07:31:631	 936	149c	Agent	  * Access type: No proxy
2017-09-07	13:07:31:631	 936	149c	Service	UpdateNetworkState 

Open in new window

I can able to find the Creation date by using the command GetUpdateApprovals.

But I approved the "Update123" to Group1 @ 01,Jan'17

and I approved the same update to Group2 @ 07, Sep'17

This command's output showing the same creation date for both groups.


Group name       Creation Date


Group1              07, Sep'17

Group2              07, Sep'17

Please guide me to view the exact approval date from Powershell.
I'm running a WSUS on Server 2012 R2. Just about everyday, I get the following result when I access the MMC (See screen shot below-name of the server has been changed for this issue)
I can usually reset it by a simple batch file that stops and restarts ISS, and have even created a task that does this, but that din't work. I smartened up and copied the error statement to the clipboard. Here's the content of that error:

The WSUS administration console was unable to connect to the WSUS Server via the remote API.

Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.

System.Net.WebException -- The request failed with HTTP status 503: Service Unavailable.


Stack Trace:
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.UpdateServices.Internal.ApiRemoting.ExecuteSPGetConfiguration()
   at Microsoft.UpdateServices.Internal.DatabaseAccess.AdminDataAccessProxy.ExecuteSPGetConfiguration()
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateServerConfiguration.Load()
   at Microsoft.UpdateServices.Internal.ClassFactory.CreateWellKnownType(Type type, Object[] args)
   at …
Should my computers appear in the WSUS console even if I have them connecting directly to windows updates via GPO?
New benefit for Premium Members - Upgrade now!
LVL 10
New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.


We have a legacy internal WSUS server running on Windows 2008 which we use to deploy updates to our Windows 7 workstations using a GPO.  

We have observed that our Windows 10 workstations might not be pulling updates from this server but from the internet or not pulling any updates at all.  

Would somone please advise if Windows 2008 WSUS supports Windows 10 workstation updates?  

We operate 24x7, and we just do not want update to happen or reboot while users are working.  

Someone please advise how this should be properly configured.  

I would like to create an update server that would update clients Widows OS / Office security patches as well as update 3rd party apps like Symantec endpoint virus updates, adobe acrobat reader, java, flash, chrome.  Is there anything like this available?  I am thinking of something executed on the client side that would kick off the update.

I have been following the instructions on this link and I have ran both the script to change the identity:

$updateServer = get-wsusserver

$config = $updateServer.GetConfiguration()

$config.ServerId = [System.Guid]::NewGuid()


and also the command to generate encryption key:

%ProgramFiles%\Update Services\Tools\wsusutil.exe postinstall

This link then states to verify the configuration by checking to see if the computers that existed on the source server now appear - but they do not appear! I migrated the binaries previously but I put them into a folder I crated on the c: drive and I'm not sure if WSUS on the new server knows where to look to find these. I'm in a bit of a mess with this one, are there any experts on here with working knowledge of migrating WSUS servers?
We want to move to a Server 2016 environment, but we have too many disparate (and disconnected) networks to do it all at once. Our WSUS infrastructure relies on WSUS meta-data being pushed up to these networks daily (along with all the install files). We are thinking of starting the OS migration with our Internet facing network. Has anyone seen issues with importing meta-data from a WSUS 2016 server into a "lower" OS version like 2012 R2 or 2012, or can it even be done?
Just setup WSUS on my 2012r2 server.  Created my GPO and I've pushed it out to one client Win10 Pro

The client is not being listed in the WSUS control panel.

Not sure what else to look for.


I have already a wsus server but I recently created a SCCM server and now wants to link wsus server with SCCM.


Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.