Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.

Share tech news, updates, or what's on your mind.

Sign up to Post

Windows patch overnight has stripped my server 2016 build! Removed Hyper-v, removed all (domain) user folders and left a raw Administrator folder to sign in with. It left no windowsold folder. Had to install LSI software to shut up the alarm! Theres no recent server backup. Oh and its spits a general network error when trying to change the computer name or join my domain.
From what I'm reading on the internet- this is normal for Microsoft to do this???? But it usually leaves a Windows.old folder so that we can rollback to previous build?
How is this acceptable practice?!! It appears that I've lost all my work and have to start from scratch. I mean the machine's primary roll is to server Hyper-v  and I have all my guest VHDS(X) in another location but it will take me countless hours to get back to working on my current project.

Is there anything I can do?
Patch also broke my windows 10 machine. It left a windows.old folder to boot into install media and rollback but its broken too!
 Contantly cycling theough "Hold on while we get your computer ready". Whwn I try to rollback and login to the domain I get an error that the system32 desktop folder is missing or something.
Windows update is sweeping through my office like a terrible virus!
Free Tool: ZipGrep
LVL 12
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Hello I use WSUS on Server 2016 to deply updates throughout the LAN, I have one Upstream & on Downstream.  Everything has been working fine, until this morning when I attempt to sync the downstream to the upstream it fails.  I can ping back & forth not sure what's happened.
After (2 of us) electing to approve ONLY security updates in WSUS and being extremely careful not to include any updates with Windows 10 in the subject we are left with Windows 10 update 1803 being deployed throughout the company. The deployment is an issue in itself, but the greater concern is how these updates became approved.

Once we discovered 1803 being deployed I went back into WSUS and saw a host of Win10 related updates as being approved, none of which were seen the day previous when the approvals to security patches were made.

Has anyone seen this before of have a logical explanation? Other than the possibility of two of us overlooking the slew of Win10 updates the only related thought I can offer is that the WSUS server was restarted between approval and deployment (to install its own updates).

BTW - no-one has access to WSUS other than the 2 admins that worked together on approving the updates.

I'd like to patch an old 2003 server with several Windows updates.  Does anyone know of a relatively easy way of doing this without using WSUS.  Failing that, can anyone tell me how to install WSUS and how to use it?
I have vm with win server 2012 R2, I keep getting an error when the windows update tries to install the
2017-09 security and quality rollup for .NET framework 3.5 ..... 4.7 and,
2018-05 security and quality rollup for .NET framework 3.5 ..... 4.7
I find the the Window 1803 is not available to deploy through the WSUS. Do I need to select the "Updates" in the Classifications". please note that under "Product" tab, I have already select Window 10 Version 1803 and Later Upgrade & Servicing Drivers.

Windows 7 workstations.    50 computers have not reported status for more than 30 days.  The check in status are random across workstations. Some 30 days some more.

I performed the following on a single workstation.

      1. netsh winhttp reset proxy

After executing the command I  restarted the  workstation

      2. Executed the following commands on workstation
wuauclt /detectnow /resetauthorization
wuauclt /reportnow

The workstation was not checking in.
After carrying out these commands the Windows Update utility can be started to search for updates. At this point the client should register with WSUS after 15 minutes.   Nope did not ever check in....

I then ran the diagnostics report attached using the utility here.
            a. (Report Attached)
      1. Reset WSUS repository on workstation   ( This did not help)

Final Error IS 80244018 as seen in attachment

WindowsUpdate Log File Data
    06-01	10:59:31:440	 836	1750	Agent	*************
2018-06-01	10:59:31:440	 836	1750	Agent	** START **  Agent: Finding updates [CallerId = <<PROCESS>>: sftservice.exe]
2018-06-01	10:59:31:440	 836	1750	Agent	*********
2018-06-01	10:59:31:440	 836	1750	Agent	  * Online = Yes; Ignore download priority = No
2018-06-01	10:59:31:440	 836	1750	Agent	  * Criteria = "( IsInstalled = 0 and IsHidden = 0 and 

Open in new window

WSUS servers not reporting back - The Computer has not reported status in 7 or more days

We recently set up a WSUS enviornment and ALL the servers (Server 2016) reported in fine last week but have not since - they are all online -the client computers (W10) are reporting back ok.
I have checked the reg settings and have the WSUS server listed, windows update service is set to Manual but running.

Any ideas?
I have run the following script on a server under the assumption this was going to force the Server (2012) to report into WSUS as WSUS was not detecting this server and others, but instead it has removed the 'Windows Update service' completely and I can't get it back.

Any ideas guys?

net stop "Automatic Updates"
net stop wuauserv
regsvr32 /u wuaueng.dll /s
del /f /s /q %windir%\SoftwareDistribution\*.*
del /f /s /q %windir%\windowsupdate.log
del /s %windir%\SoftwareDistribution
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
regsvr32 wuaueng.dll /s
net start "Automatic Updates"
wuauclt /detectnow /resetauthorization
WSUS not working properly. Lots of wsus pool errors in the event log (5011, 5012, 5013, 5017 and 5038). Cant get the console to load. w3wp.exe and sqlservr.exe using all of the CPU. Is there anything I can try before I reinstall?

Free Tool: Subnet Calculator
LVL 12
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

I'm running a new install of WSUS, on windows server 2016, fresh install, and the server is not used for anything else, but WSUS.
All my servers and computers show "needed count" for updates with large numbers.  Even after I install updates on the clients or servers, the number never goes to 0, how do I install all the needed updates on my servers/workstations?

The 2nd problem is, for a few computers, it looks like the computers have contacted the WSUS server, a few weeks ago, but there's no status report, and there's no info about the computers.  Any idea's how to resolve?


I have recently configured the Wsus server 2012 and applied the GPO to get all updates on servers on  our MS estate which consist over 200 Servers mostly Server 2012 but  few still on Server 2003 which I need to exclude  from this.  
I have created the custom update view for server 2012 and choose  only for  critical, security, and roll-up updates. But unfortunately non of the server is appearing in costume view. all server 2012 and 2003 are apearing under All computer--->Servers.
 Please  how I can  force only mention updates only on Server 2012 and exclude the Server 2003 to disappear from Servers under the All computers.
secondly how I can force to get Custom view updated and can apply in more refine way to push the updates.  

Please help.

WSUS on Server 2016 not showing any Windows updates available for Windows 10 systems: I've read the EE thread with this title.  The OP abandoned the question (and abandoned WSUS) without a resolution.  I'm having the exact same problem. I've searched and searched for several weeks without finding a solution.  I found a long series of posts on the exact same issue on another tech community site which has no resolution either.  Here's the deal:

I have WSUS installed on a Windows 2016 server.  This is a 2016 Standard domain that was migrated from an old SBS2008 domain.  It's been up and running successfully for nearly a year.  The domain consists of two 2016 servers (one DC and one RDS, both v1607), one Windows 2008 R2 server running SQL 2008, five Win7 workstations and eight Win10 workstations (6 are v1703 and 2 were upgraded to v1709).  The original WSUS database was on the Win2008R2 server.  At the end of the migration I moved it to the 2016 RDS server.  It was working fine for about 7 or 8 months. All of a sudden (I assume it was probably some update that caused it), WSUS stopped working for all of the servers (including the 2008R2 server) and all of the Windows 10 workstations.  It would download the required updates but all updates (except for Office and Win7) showed as not needed ("Needed" column = 0).

After a number of tries to repair WSUS, I decided to move it to the Win2016 DC.  This was a fresh install, not a migration, and is where it's now installed.  …
I am unable to view WSUS reports on Windows Server 2016. When I try it gives me the error: The Microsoft Report Viewer 2012 Redistributable is required for this feature. Please close the console before installing this package.

So, I do that, and try to install the report viewer. Then I get the error: Setup is missing an installation prerequisite - Microsoft System CLR Types for SQL Server 2012.

So, I install those but even though they install I still can't get the Report Viewer to install.

I've seen many articles showing me where to go but they always make it seem like once I install the CLR package (As this one does:  I should be able to run the Report Viewer. And yet, it keeps saying it needs those CLR files.

I've tried the x64 and the x86 packages with no luck. I can't seem to get the system to recognize that I've downloaded what I'm looking for. Any suggestions would be most appreciated.
We’ve two identical 2012R2 networks updated from one WSUS.
Need to setup WU GPO’s, and just discovered that the WU are different,  see attachments - #2 has sub-folder "Defer WU":

Please help to understand what the problem is.
Thank U.
My company implemented WSUS on server 2012R2 , we have 1 upstream server and 7 downstream servers in several sites. We are using Server side targeting . We have a GPO using item level targeting to assign clients to their WSUS server base on IP address.   All this is working fine.

Management requested a ways to automatically assign new servers to a specific group  if they fall out of the IP range specified in the GPO.

Is there a way to do this, while maintaining Server Side Targeting.
Block Windows update from Internet, but only to SCCM for Windows 7 and 10

We're moving our windows update scheme form directly from Microsoft Update to internal SCCM/WSUS.

So I need to block Windows updates through GPO.
Ones that I found is this item, "Remove access to use all windows update features" which are under two hives, the one in Computer Policy can be applied to only Windows 10 above and the one under User Policy can be applied to both Windows 7 and 10 as I read the description. I am not sure if this is correct, but as I read the description through GPMC, it looks as true. Then 'Turn off access to all Windows Update Features' which has exactly the same description as "Remove access to use all windows update features" under Computer Policy. So I guess 'Turn off access to all Windows Update Features' is the one to go with? GPO items look complicate, don't know why two items with different name having the same description.

Also, the description says it "Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update". Does it imply that if I enable this, it will block Windows update from SCCM/WSUS as well?

1. Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update->Remove access to use all windows update features

"This setting allows you to remove access to scan Windows Update.

If you enable this …
SCCM (2012R2) shows server updates for Win 2008 X64 or Win 2012 X64 which are not installed but also not required. Why are they not required?
I am new to SCCM windows patching and while some patches are installing just fine others show as not required despite that I have a few hundred server running 2008 and 2012, why is it that these updates are not required?

Thanks in advance.

Recently installed WSUS 3.0 sp2 on new install of 2008 r2.  The issue I'm having is that sometimes the MMC console has an error "reset server node" when attempting to display updates.  This is accompanied by event ID 7053.  I have installed KB2720211; .Net 4.6.2 and we are using WID for the database.  Is there a value that can be increased, timeout or otherwise.
Thank you
Cloud Class® Course: CompTIA Cloud+
LVL 12
Cloud Class® Course: CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

Hello all,

Some of our machines are in WSUS, but they are not taking updates. I looked up the computer in Wsus and it shows updates have unknown status. We have 20 WIN10 test machines 16 are good but 4 machines are showing no status.
Any suggestions?

I have a detached WSUS server that I can't get to import updates correctly.  I export the metadata and move the content files from my attached server, run the wsusutil.exe import command,  and I see the new updates available for approval.  Once I approve the new updates it never "downloads" the files even though the files are present in the correct directory on the import server.  When I look in the SoftwareDistribution log I see an error that says the following:

 "Warning w3wp.8SoapExceptionProcessor.SerializeAndThrow Discarding stack trace for user DOMAINNAME\, IP Address x.x.x.x, exception System.Security.SecurityException: Request for principal permission failed.
 at System.Security.Permissions.PricipalPermission.ThrowSecurityException()
 at System.Security.Permissions.PricipalPermission.Demand()
 at System.Security.PermissionSet.DemanNonCAS()
 at MicrosoftUpdateServices.Internal.DatabaseAccess.AdminDataAccess.ExecuteSPGetComputerCount(StringcomputerTargetScopeXmll)
 at MicrosoftUpdateServices.Internal.ApiRemoting.Exeecute.SPGetComputerCount(String computerTargetScopeXml)
 The action that failed was:
 The type of the first permission that failed was:

 Any one have any suggestions on what I need to do to get this fixed?
None of my 2012 servers are able to update.  There are no GPO's preventing updates and no WSUS server.  Registry shows defaults and no update servers.  I'm at a loss.  Where else might I look please.

What will happen when I delete all superseded updates in WSUS? Is it safe to decline them all?

Why doesn't WSUS Cleanup Tool find and clean all these superseded updates if they aren't needed? Why is there shown a warning that indicates the superseded update might still be needed?

The WSUS built-in cleanup-wizard seems to leave a lot of unnecessary updates on a WSUS server. When the number of updates available exceeds a certain amount, WSUS clients stop being able to update and start generating time out errors.

   If this is the case, and I'm not saying it isn't, then why does WSUS recommend verifying a superseded update is no longer needed by any computers?  If superseded updates are never needed after their superseding successors are released, we shouldn't be shown a warning that indicates the superseded update might still be needed.

Why is that?

When answering, consider this (I did some research):

   "WSUS does not automatically decline superseded updates, and it is recommended that you do not assume that superseded updates should be declined in favor of the new, superseding update. Before declining a superseded update, make sure that it is no longer needed by any of your client computers.
    The following are examples of scenarios in which you might need to install a superseded update:

    "      If a superseding update supports only newer versions of an operating system, and some of your client
Hello Everybody,

We're testing the Offline Servicing way of working on Configuration Manager 1702.

I succeeded to add the cumulative update of November inside the WIM. I can see it in the 'Update Statuts' tab, but not in 'Installed Updates' tab in Properties of this image. I don't know why ?..

I also wanted to know how to remove this update from the image ? When I will add the December CU, I want to remove the oldest.

Does somebody know how to do it ?

Thanks in advance
All our clients are laptops in different states and they frequently get online and offline on different occasions .
Lots of clients when they are not connected to internet or they just turned off  they disappeared form WSUS.
As soon as  you put them online they appeared back on .
In order keep inventory we have t keep all clients visible and in to the right group. Any idea whey clients have to be online in order stay on WSUS



Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.

Top Experts In