Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.

Share tech news, updates, or what's on your mind.

Sign up to Post

Hi All,
I have given a task to implement WSUS only for the servers(Windows server 2012 r2) to get update. Scope is to all servers to receive updates from wsus server and install automatically (I have enabled auto update and scheduled install). But i have instructed not to enable auto restart after update. Please recommend me the best practice GPO settings to fulfill following requirements -
Auto install
scheduled update
no auto restart (i have instructed to perform manual restart on monthly basis) - doesn't matter user logged in or not
Free Tool: Subnet Calculator
LVL 12
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Block Windows update from Internet, but only to SCCM for Windows 7 and 10

We're moving our windows update scheme form directly from Microsoft Update to internal SCCM/WSUS.

So I need to block Windows updates through GPO.
Ones that I found is this item, "Remove access to use all windows update features" which are under two hives, the one in Computer Policy can be applied to only Windows 10 above and the one under User Policy can be applied to both Windows 7 and 10 as I read the description. I am not sure if this is correct, but as I read the description through GPMC, it looks as true. Then 'Turn off access to all Windows Update Features' which has exactly the same description as "Remove access to use all windows update features" under Computer Policy. So I guess 'Turn off access to all Windows Update Features' is the one to go with? GPO items look complicate, don't know why two items with different name having the same description.

Also, the description says it "Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update". Does it imply that if I enable this, it will block Windows update from SCCM/WSUS as well?

1. Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update->Remove access to use all windows update features

"This setting allows you to remove access to scan Windows Update.

If you enable this …
Group policy is applied to Win 10 computer, but the Win 10 computers settings do not change.  Specifically, we are testing a new WSUS server on the network.  We're using a Windows 10 machine for testing.  We've verified by using the Group Policy Wizard that the machine had the correct GPO applied, which has all the new WSUS server settings in it.  After confirming the GPO was "applied" to the test machine, when we pull up the GPEDIT on the Win 10 machine, we see that NONE of the GPO settings were actually applied - everything was default and not enabled.  What causes a machine to "ignore" GPO settings, when that GPO was successfully applied??  The AD server is 2008R2.

Thanks for your help
I am successfully using WSUS to update our fleet.
I have an issue with the timing of the installation and reboots, particularly of Servers.

At 4am (scheduled install time) all servers download, install and reboot.
Which is what its meant to do.
The issue i have is that often the reboots happens within minutes of each other, and worse, may have all Active Directory Servers rebooting at exactly the same time, so for a few minutes there is no AD servers on the network.

I want to be able to randomise the reboots by 1 hour so that they dont all occur at exactly the same time.

I looked at the Maintenance Scheduler GPO settings which should allow randomisation, so that the Automatic Maintenance runs at 3am (plus or minus 1 hour), which should install Updates and reboot if needed. But this doesnt seem to work.

My GPO settings are as below:

Computer Configuration (Enabled)
Administrative Templates

Windows Components/Maintenance Scheduler

Automatic Maintenance Activation Boundary Enabled  
Regular maintenance activation boundary 2000-01-01T03:00:00

Automatic Maintenance Random Delay Enabled  
Regular maintenance random delay PT1H

Windows Components/Windows Update

Allow Automatic Updates immediate installation Enabled  
Automatic Updates detection frequency Enabled  
Check for updates at the following
interval (hours):  6

Configure Automatic Updates Enabled  
Configure automatic updating: 4 - Auto …
We have a WSUS server running and it has been working just fine for months but the other day I noticed that there were 18 computers sitting under the Unassigned Group and not under the Desktop group we created. The rest of the computers which is about 190, are in the Desktop group. Now we are using the GP for the pc to go to the desktop group that we created. When I move these 18 computers back to the desktop group, after a while they all end up going back to the Unassigned Group.
What is causing this and how can I resolve it?
Whether  Downloading different OS updates sequentially using WSUS is possible?

Query: Set WSUS for “Win 7” updates, Approve and download. Move the download updates to another folder. Change the setting to “Win 10” updates, approve and download  
While performing Image Testing, If Images created using different version (Build) ,  To test two Image (2013/ 2017 with different build), is there any difference in the updates that get downloaded using WSUS. If yes, Then how to manage using WSUS ?
I need to present the computer status tabular reports in form of pie charts and then have the report sent automatically.  Please help me with how I can go about it. I am quite new to this so would appreciate answers in the most basic form if possible.
Thank you.
I need to present the computer status tabular reports in form of pie charts and then have the report sent automatically.  Please help me with how I can go about it.
Thank you.
Windows server 2003 get synchronization failure with following error. What's wrong? How to fix it?

WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
Free Tool: IP Lookup
LVL 12
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.


We recently set up a new WSUS server with Server 2012 R2 OS.
GPO's are working fine, all updates are downloaded on the WSUS server.

The problem is that the update on the client side is not downloading.
When running WSUS diagnostic tool, on the client, it says that the content is not found.

How do we fix this issue?
Permissions on the content folders are configured correctly.

Please see below:

# Solarwinds® Diagnostic Tool for the WSUS Agent
# 2018/03/12
Machine state
  User rights:                                       User has administrator rights
  Update service status:                             Stopped
  Background Intelligent Transfer service status:    Running
  OS Version:                                        Windows 10 Pro
  Windows update agent version:                      6.2.15063.674 (WU Agent update is required)
Windows Update Agent configuration settings
  Automatic Update:                                  Enabled
  Options:                                           Automatically download and notify of installation
  Use WSUS Server:                                   Enabled
  Windows Update Server:                             HTTP://WSUS-Server:8530 
  Windows Update Status Server:                      HTTP://WSUS-Server:8530
  WSUS URLs are identical:                           Identical
  WSUS URL is valid:                                 Valid URL
WSUS Server Connectivity
  clientwebservice/client.asmx:   …
SCCM (2012R2) shows server updates for Win 2008 X64 or Win 2012 X64 which are not installed but also not required. Why are they not required?
I am new to SCCM windows patching and while some patches are installing just fine others show as not required despite that I have a few hundred server running 2008 and 2012, why is it that these updates are not required?

Thanks in advance.

Windows 2008 R2 Server Failing to install updates
Windows 2012 R2 Server running WSUS 4.0
Other servers updating fine.

One update fails to apply this is after we lost power to the data center all machines came backup up with now errors
This is a physical box running Exchange Server 2010

The update is KB915597  Defender update

The server continues to report to the WSUS server every 6 hours per GPO policy in place

I ran this process on the server

Please try the following steps on your client:

1. Stop the Automatic Updates service and BITS service.

net stop wuauserv

net stop bits

2. Delete “%windir%\softwaredistribution” directory.

3. Start the Automatic Updates service and BITS service. When these two services
have been started, they will auto-create “softwaredistribution” and its subfolder
at system directory.

net start wuauserv

net start bits

4. After the “%windir%\softwaredistribution” directory has been generated, please
let the client contact the WSUS server immediately.

wuauclt.exe /resetauthorization /detectnow

If the problem still exists, please check %windir%\windowsupdate.log
and post the error message in this thread

In the Windowsupdate.log I see this

2018-03-09      21:46:29:060      2040      40e8      Handler      :::::::::::::
2018-03-09      21:46:29:060      2040      40e8      Handler      :: START ::  Handler: Command Line Install
2018-03-09      21:46:29:060      2040      40e8      Handler      :::::::::
2018-03-09      21:46:29:060      2040      40e8      Handler        : Updates …
Recently installed WSUS 3.0 sp2 on new install of 2008 r2.  The issue I'm having is that sometimes the MMC console has an error "reset server node" when attempting to display updates.  This is accompanied by event ID 7053.  I have installed KB2720211; .Net 4.6.2 and we are using WID for the database.  Is there a value that can be increased, timeout or otherwise.
Thank you

The link shows a way to import upates into wsus 10 (server 2016) what would otherwise be impossible due to a bug. Very important for WSUS admins.
i have wsus installed on windows srv 2016 when i try to make the client gate the update from wsus the wsus pool on iis stopping
so where is the problem ?
i have windows 2016 and i install wsus role.
first time evertging is working fine.
after i start sync  when i reload the wsus consol and when i click on sync it's give me after 2min that it's can connect to wsus server.
Two Hyper-V Server 2016 virtual servers are having problems downloading and installing the Server 2016 KB4074590 update.

Please provide me with instructions on how to manually download and install this update within Server 2016.

My organization currently isn't using Windows Server Update Services (WSUS).
Finally: Microcode updates against the Spectre2 vulnerability.
From Microsoft. Not for all OS' (Win10 1709 exclusive), not for all CPUs (but for some skylake CPUs, for example for and )
That patch will be updated as more Microcode updates are released.

Important: it does not distribute automatically! It can be imported to WSUS!
LVL 59

Author Comment

Depends which skylake laptop (and CPU) you are talking about. Lenovo will have offered updates for its skylake laptops already, they were quick.
LVL 101

Expert Comment

Yes that could be the reason. Lenovo BIOS was out with the January out-of-band updates.
Free Tool: SSL Checker
LVL 12
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.


Im having some problems to download updates with WSUS server.
Windows server 2008 R2
WSUS 3.2

Update Service use domain-admin user. The server have internet access.

Fails when try to download WSUS updates and event ID 364 appear.

Event ID 364
Content file download failed. Reason: The operation being requested was not performed because the user has not logged on to the network. The specified service does not exist. (Exception from HRESULT: 0x800704DD) Source File: /msdownload/update/software/crup/2010/06/ Destination File: d:\WSUS\WsusContent\EB\

Any clue? I've been searching every forum and still can´t solve this problem.

We recently upgraded our WSUS to a windows 2012 server following the process outlined in one of the articles on the web The upgrade process went to plan, I deleted the original wsus server after taking a complete backup and the new machine was added to the domain with the original name and IP address. For some reason none of the clients are reporting back to the server. I have attached a  log from my workstation where you can see that it is complaining that it cannot contact the web-server

[webserviceinfra]WS error: There was an error communicating with the endpoint at 'http://mpau-wsus/SimpleAuthWebService/SimpleAuth.asmx'.

I am stuck with how to proceed from here. Any help would be appreciated

WSUS server failed to download kb4022730 update.I could not conclude this issue and when I check eventvwr it is showing  Event Id=364,and 10032
I am using wsus on 2012r2 and using WID.
Only problem with downloading kb4022730. Rest of all updates are good.

Any reply can be helpful to me.Thanks in advance.
Can I have the powershell script for .exe files multiple patch installation
Hello all,

Some of our machines are in WSUS, but they are not taking updates. I looked up the computer in Wsus and it shows updates have unknown status. We have 20 WIN10 test machines 16 are good but 4 machines are showing no status.
Any suggestions?

We have a group policy where the pc's report to WSUS. I would like the servers to report to it also

We have a group policy for the computers but I do not see anything for the servers. At the moment each server gets  its updates from the internet

Do you have any idea where I would find the group policy for the severs?

The update control panel is locked down for the computers but its not for the servers


Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.