WSUS

Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.

Hi,


Is there a way to auto-approve Windows updates from WSUS?

Thanks
0
What would be the best way of making sure that Microsoft Office clients do not update themselves? I am running a Windows 10/Server 2016 environment, Office is a combination of 2016 and 2019 Click to Run. I do not use WSUS or anything similar.

Is there a registry key that can be applied to all machines via a logon script for example?

Many thanks :)
0
I have a Server 2016 - it's actually a terminal server with a lot of apps on it. I cannot get any updates on it. I think the last time it updated was sometime early July, maybe even June. I've tried deleting the software distribution folder and re-registering it with my WSUS server but still no luck. I've tried Sconfig and that doesn't work either. I even tried downloading the updates manually and installing them and that isn't working either. There is no information in the event logs and the update history isn't any help either. I've tried dism too and that hasn't given me any information either. This is a VM and it's heavily used. I'm out of ideas. Any suggestions?
0
WSUS is only showing updates needed for the desktop PCs once a month. They're all Windows 7 and I used to see patches more often. WSUS server and services have been restarted. WSUS says synchronization was successful with a recent date.

How can I verify I'm getting all released patches from MS?

Windows 2012 R2 Server
Windows 7 Workstations
65 Users
0
It seems that Windows 10 updates deployed from WSUS to clients' workstations require the user to confirm the installation.

Is it possible for these patches to install automatically? Alternatively, can we have remote PowerShell trigger the update on each workstation?

Thx
0
Hello IT gurus

I've configured WSUS server 2016. To test whether it's working or not, I've pointed another server to it so it gets its updates from WSUS. The server is offline, but the WSUS server is online.
When I try to force an update, it gives me an error on the client side: "we couldn't connect to the update service"
But I see it in the WSUS server, with an error: "This computer has not yet contacted"

Capture.PNG
Notice in the photo, dhcp3 was working fine but I've stopped it. Then I tried with other servers and the problem appears.
0
Using SCCM to patch Windows servers. We are way behind in patching. My apps team wants to know how many times a server will need a reboot. Is there an easy way to check which Windows updates will cause a server to reboot? In Control Panel > Windows Update it always says 'You may need to restart your computer for this update to take effect'. Is there a website that can tell me for certain if an update will require a reboot?
0
Hey IT people

I'm setting up a WSUS server, but when I reach the point to test the connection, it gives me this message: "HTTP error occurred"

Screenshot--3-.png
I contacted the network team before I started to make sure they allow the connection on HTTP and HTTPS, ports 80 & 443, 8350 & 8351,

and allow the connection to these URLs:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://go.microsoft.com
http://dl.delivery.mp.microsoft.com
https://dl.delivery.mp.microsoft.com

But I'm still facing this error.
0
Hello Everyone and as always a big thanks to everyone for their time and expert insights.
Kind of a silly question as it has never come up before until Windows 10 and the need for WSUS.
We did not traditionally sysprep desktops since unique identifiers changed enough when joining domain and we did not use WSUS so SID issue was not really applicable.
Never had any problems with W7, but now need to use WSUS (2016) for W10 and aware of SID problems with it.
I ran a few queries ( ) out of curiosity against W7 computer SIDs and some DC (both 2016 install from ground up, i.e. not a template or clone image) and the SIDs are all different, but only the last two digits and that makes me wonder and worry a bit. Is that normal?
Ran
Get-WmiObject -class Win32_UserAccount | Select AccountType, Caption, Domain, SID, FullName, Name | Export-CSV C:\exports\Computerlist.csv -NoTypeInformation
and
dsquery computer -name "is004109" | dsget computer -SID

Examples in image include 4 x W7 desktops from same image, 4 x W10 desktops from same image and a variety of physical and virtual servers with various roles. Note last 4 digits are different.
So does that mean that we do not have a SID duplication issue?
The SID I am displaying was queried from domain-bound machines that are in AD!
We generally do not promote machines into a domain before we make an image of them. Servers tend to have the sysprep run with OOBE or are one-off servers built from ground up without image.
SID.jpg
0
I need to upgrade all my Win10 Pro business systems (600ea) to version 1809 by November to ensure they all continue to receive security updates (that version required by Nov according to MS release notes).

WSUS fails the download to my systems (corrupt/missing files) just like many people experience online - I'm at about 50% success rate. Which of course is terrible without having to remediate (remove softwaredistribution folder, try again) - and with almost 300 remote employees, this is not a scenario I want to try and remediate every single dang failure. There has to be a better way.

Can I download the 1809 feature update as a .msi so I can push it with another 3rd party tool that has a MUCH better success rate than what I'm experiencing with WSUS? What is everyone else doing with this kind of problem? This can't be the only way to deal with this. Something else must be a better approach.

Help!
0
I do know that Microsoft changed update servers on July 8th to
$server = Get-WsusServer
$config = $server.GetConfiguration()
# Check current settings before you change them 
$config.MUUrl
$config.RedirectorChangeNumber

returns
PS C:\Windows\system32> $server = Get-WsusServer
$config = $server.GetConfiguration()
# Check current settings before you change them 
$config.MUUrl
$config.RedirectorChangeNumber
https://sws.update.microsoft.com
4002


WSUS Error details
WebException: The remote name could not be resolved: 'sws.update.microsoft.com'
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)


nslookup

Name:    sws.update.microsoft.com.nsatc.net
Address:  40.77.228.227
Aliases:  sws.update.microsoft.com



Already used this as a reference: https://andys-tech.blog/2019/07/wsus-synchronization-fails-with-soapexception-after-july-8th-2019/
softwaredistribution.log
0
Windows 2012R2 WSUS Server
Windows 2012R2
Windows 2016 Data Center
Windows 2019
Windows 10
Windows 8.1
Windows 7
VMware ESXI 6.5

My Windows Update Server has updates ready for all the computers listed above.
All computers are checking in every 6 hours and that is working; I see all of them checked in with a current time stamp.
I use Windows Update Notifier version 1.5.0.

None of my machines show any pending updates to apply.

The GPO has not changed in a long time; all WSUS settings are the same: download updates and manually install.

All updates are approved and ready to install.

Any thoughts on why the updates are not downloading?
0
WSUS - on DC?

I could be wrong because I have had a bit of experience with third-party enterprise-level patch remediation solutions, but I originally thought it was recommended to install WSUS on a DC. I was just about to do it, and now everything I read suggests strongly against it. It is a secondary DC, and really was the only available VM with the lowest utilization so thought it would be a safe bet, otherwise would have to purchase an additional Server license. What do you guys think regarding WSUS with 2012/16? Keep it off the DC? It is a small environment, about 25 nodes; just wanted to gain more control with the mess Microsoft consistently bestows on everyone with their under-tested Win10 updates and also regain the control as to when computers can be rebooted! No software company should decide when computers get rebooted! Most businesses are 24x7 (Sorry, venting ;-))
Thanks!!
0
WSUS Update Repository Export from connected machine and Import to new server.

We are getting ready to deploy a large number of servers to remote field offices. Most of these field offices have limited bandwidth. In our server group, we will have a WSUS. Right now, the update repository from Microsoft is 800+ GB. We currently have a WSUS that contains all of the updates. Ideally, we would like to export the updates from our current WSUS that has all of the current updates and import them into our new servers before we ship them out.

There seems to be some conflicting information out there regarding how to do this or the ability to do this.

Any guidance on this situation?
0
Dear Experts,

I have found a website saying that, with a domain controller, WSUS can be set up for non-domain PCs to get updates from a WSUS server by editing the end-user PCs.

Is there any way to control the security or permissions for this setup?

So that PCs that do not belong to the network don't get the updates?
0
I’m looking for something along the lines of WSUS but maybe not so sophisticated, where I can keep an eye on what versions all the PCs are on in my network.

For example, I’ve done a quick check and seen some are awaiting the May Windows 10 update so manually kicked it off, but it would be nice to have all the info in front of me.

Looking for something maybe cloud-based or lightweight, not a full solution like SolarWinds, as I'm only interested in the OS versions (and maybe updates pending).

Cheers
Shaun
0
Dear All


I'm planning to create a GPO for running the bat login screen with the command below. I just wonder, do I need to input anything in the "script parameters" field? And looking at the GPO setting, it shows no settings defined; is that normal? The aim of creating this GPO is to let the client report back to the WSUS server. Any help would be appreciated.


wuauclt.exe /detectnow /reportnow
wuauclt /resetauthorization /detectnow
net stop wuauserv
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /f /v SusClientId
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /f /v SusClientIdValidation
net start wuauserv
wuauclt /resetauthorization /detectnow


net stop wuauserv  
net stop cryptSvc
net stop bits  
net stop msiserver  
rem Rename the SoftwareDistribution and Catroot2 folders
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old  
ren C:\Windows\System32\catroot2 Catroot2.old  

net start wuauserv  
net start cryptSvc  
net start bits  
net start msiserver  

wuauclt.exe /resetauthorization
wuauclt.exe /r /detectnow
wuauclt.exe /reportnow
Exit /B
0
Hello IT fellows :)

What is the best practice to configure a WSUS Windows server?
My plan is to set up two clusters for WSUS.

Some people said WSUS doesn't work as a cluster, but I really don't know. I've never configured one.
0
I have numerous versions of Win10 on our domain that are ver1709 and previous - that are no longer receiving newer Windows updates as detailed by the MS website. My question is this:

I see WSUS has these version updates available. Can I use (for instance) a ver1607 laptop and assign the ver1803 update to bring it up to that version, or do I have to do EACH incremental update/version upgrade to move older Win10 versions up to the latest version? That would not be preferred. :) Please let me know.

Thanks!
0
Hi,

I'm not too familiar with WSUS. How is a computer added to the WSUS console list? Is it manually or by GPO, or do both ways exist?

Thanks
0
Dear Experts,

My customer is unable to console into the WSUS server.

My customer restarted the server.

In services.msc, I saw that the Windows Internal Database was set to Automatic but did not start, so I went ahead and started it.

Error: Connection Error

I have restarted the server's Update Services and IIS Admin.

I have gone into IIS Manager to check the framework is using framework64.

Restarted the IIS service from IIS Manager.

I have used WsusUtil.exe postinstall /servicing

After that I see the Server's Windows Application Log:

1. Self-update is not working.
2. Some client computers have not reported back to the server in the last 30 days. 25 have been detected so far.
3. The catalog was last synchronized successfully 1 or more days ago.
4. The Reporting Web Service is not working.
5. The API Remoting Web Service is not working.
6. The Server Synchronization Web Service is not working.
7. The Client Web Service is not working.
8. The SimpleAuth Web Service is not working.
9. The DSS Authentication Web Service is not working.
10. The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)
0
Our WSUS for some reason only goes up to "Feature Update to Windows 10 Enterprise, version 1703".
We need to deploy the Windows 10 1809 feature update across the domain; we're at a loss as to why our WSUS doesn't download the newer feature updates. We've confirmed the classifications\products are set correctly.
0
I have several server core installs that are not contacting our WSUS server despite manually adding these WSUS registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ElevateNonAdmins"=dword:00000000
"TargetGroup"="Servers"
"TargetGroupEnabled"=dword:00000001
"WUServer"="<mywsus server>"
"WUStatusServer"="<mywsus server>"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000005
"AutoInstallMinorUpdates"=dword:00000000
"DetectionFrequency"=dword:0000000c
"DetectionFrequencyEnabled"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"RebootRelaunchTimeout"=dword:0000000f
"RebootRelaunchTimeoutEnabled"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001


We see the following error in the Event log on the server-core when trying "wuauclt /detectnow"

Fault bucket , type 0
Event Name: WindowsUpdateFailure2
Response: Not available
Cab Id: 0

Is this a firewall issue? We have full OS installs in the same subnet that ARE communicating with the WSUS server.

Can someone point me to documentation that will tell me how to configure the GPOs for our server-core servers so they at least check in with our WSUS server so we can manually install the updates during planned maintenance windows?
0
Workstations not applying updates.

I am pushing our Win10 1903 update via WSUS. The workstations have it ready, and if I log in and look at updates it says:
'We're all set for the restart you scheduled at......'

Each workstation seems to have a different date and time, despite all being turned on at the same time. If I select 'restart now' the update applies; otherwise they never seem to actually install the update. I want a setting that makes any updates install at next reboot. I have a number of Windows Update GPOs; something must be missing.

Can anyone advise?
screens.docx
0
Having a connection error when loading up our WSUS server.

Error code:

The WSUS administration console was unable to connect to the WSUS Server via the remote API.

Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.


System.IO.IOException -- The handshake failed due to an unexpected packet format.

Source
System

Stack Trace:
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at …
0