One audit finding was raised to us:

a) it's a risk if SCCM (which we use to manage PCs, workstations, including critical payment workstations),
    WSUS (which we used to patch servers in Prod DMZ, Prod internal zones as well as Development/UAT),
    Desktop Central (to manage PCs, laptops), AD & NTP contain authenticators (eg: login id & password) of
    the endpoints they manage.  Do these managemt tools truly contain the authenticators?
    They may use AD credentials or even local credentials (eg: local administrator) to login to control
     the endpoints but do they actually contain the authenticators ?

b) if the answer is "yes", we were told to place all these mgmt tools (SCCM, DCentral, AD server, NTP etc)
     in an isolated secure zone rather than in DMZ so that the authenticators are not easily "stolen" : is
     this a valid mitigation/recommendation?    
    If it's too much to overhaul this, can we create Windows Firewall on these devices to block all traffic
     except the required traffic to mitigate ?

One more tool that we use to lodge privileged accounts credentials : the vendor actually recommend
we put it in DMZ when we 1st set it up, so quite confused if the vendor or the auditor is right

I am trying to reinstall WSUS 3.0 SP2 on a 2008 R2 server.  This server originally had WSUS 3.0 on in and had been uninstalled including logs, database, etc  If fails when I try to install it either from Add Roles in Server Manager or from a Downloaded WSUS 3.0 SP2 .exe (WSUS30-KB972455-x64.exe).  Following the progress of the install, is gets to the Configuring the Database step and fails with "There is a problem with this Windows Installer Package.  A program run as part the the setup did not finish as expected.

Any help will be greatly appreciated.  I am out of ideas and don't understand the setup logs (attached).

Thanks in advance
ajw
WSUSSetup.log
WSUSSetupmsi_170921_0906.log

KB2463332 simply fails to install.  What am I missing here?

Windows 2012 R2 server running WSUS for ages, out of the blue has stopped working. Checks from clients show 8024401F. Server shows a few errors:

13042
Self-update is not working.

12072
The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)

1001
Fault bucket , type 0
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.9.9600.18756
P2: 8024401f
P3: D67661EB-2423-451D-BF5D-13199E37DF28
P4: Scan
P5: 1
P6: 0
P7: 0
P8: SelfUpdate
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:
C:\Windows\WindowsUpdate.log
C:\Windows\SoftwareDistribution\ReportingEvents.log

These files may be available here:

Analysis symbol:
Rechecking for solution: 0
Report Id: 88bfccdd-9cf4-11e7-80d6-00155d00230f
Report Status: 262144
Hashed bucket:
-----------------------
From windowsupdate.log
2017-09-18      21:39:29:807       920      146c      EP      Got WSUS SelfUpdate URL: "http://dc01.domain.com:8530/selfupdate"
2017-09-18      21:39:29:807       920      146c      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x801901f4
2017-09-18      21:39:29:807       920      146c      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x801901f4
2017-09-18      …

Hi,

As many users already reported, this month there are a lot of issues with WSUS.

I have an SCCM CB 1702 Site Server with WSUS on same server.

All was working fine until approx. 1 month ago.
The w3wp.exe process is constantly running at 95-100%.

I installed this Hotfix as described here.

However, the hotfix didn't solve the CPU usage but I could open the WSUS console again. (didn't start before)

After I've installed the hotfix, the WsusPool shuts down after recycling.
I've increased Private Memory to 8GB (used to be 4GB) but it still shuts down.
Only after I've set Rapid-Fail Protection to False the WsusPool is not shutting down.
But this doesn't seem to be a very smart setting.

Errors that keep coming back...
wsyncmgr.log

Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=CMServer.domain.com SITE=CM2 PID=2804 TID=6100 GMTDATE=do sep 14 10:02:26.175 2017 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
Sync failed. Will retry in 60 minutes

WCM.log

…

i have a windows 2008 r2 server i am no longer able to install any updates. the server does not want to het installed with any updates. all updates it says not applicable for this computer message. even the standalone installer has also the same problem. with dism commands the result. i am not sure what the problem is. i tried all the tools like windows update trouble shooter , readiness tools, sfc, reset windows updates components etc. nothing seemed to work. please help.

Hi All,

I've got primary WSUS in the Head Office which downloads the updates and then distributes it into the Site Office 1, 2 and 3.
now, the Site Office 3 WSUS has broken, I need to know how to break the replication so I can just set it as the normal stand alone WSUS server directly downloading from the internet.

Can anyone here please let me know how to break the WSUS structure so that the site office which is now Synchronizing to the head office WSUS server can now be standing on its own?

I'm using WSUS 4.0 on Windows Server 2012 R2.

how to delete WSUS Database Manually?

I can able to find the Creation date by using the command GetUpdateApprovals.

But I approved the "Update123" to Group1 @ 01,Jan'17

and I approved the same update to Group2 @ 07, Sep'17

This command's output showing the same creation date for both groups.

Output:

Group name       Creation Date

------------------------------------

Group1              07, Sep'17

Group2              07, Sep'17

Please guide me to view the exact approval date from Powershell.

Should my computers appear in the WSUS console even if I have them connecting directly to windows updates via GPO?

Hello,

We have a legacy internal WSUS server running on Windows 2008 which we use to deploy updates to our Windows 7 workstations using a GPO.  

We have observed that our Windows 10 workstations might not be pulling updates from this server but from the internet or not pulling any updates at all.  

Would somone please advise if Windows 2008 WSUS supports Windows 10 workstation updates?  

We operate 24x7, and we just do not want update to happen or reboot while users are working.  

Someone please advise how this should be properly configured.  

Thanks.

Hi,

I have been following the instructions on this link and I have ran both the script to change the identity:

$updateServer = get-wsusserver

$config = $updateServer.GetConfiguration()

$config.ServerId = [System.Guid]::NewGuid()

$config.Save()

and also the command to generate encryption key:

%ProgramFiles%\Update Services\Tools\wsusutil.exe postinstall

This link then states to verify the configuration by checking to see if the computers that existed on the source server now appear - but they do not appear! I migrated the binaries previously but I put them into a folder I crated on the c: drive and I'm not sure if WSUS on the new server knows where to look to find these. I'm in a bit of a mess with this one, are there any experts on here with working knowledge of migrating WSUS servers?

Just setup WSUS on my 2012r2 server.  Created my GPO and I've pushed it out to one client Win10 Pro

The client is not being listed in the WSUS control panel.

Not sure what else to look for.

Thoughts?

Thanks!