I have a farm of 10 web servers that recently failed a PCI compliance scan for not having KB3042553 installed.  I fired up WSUS and run an update report for this particular KB.  It shows "not applicable" for all of our prod web-servers (which flunked the PCI scan).  Control Panel of the servers show that the update is not installed.  These servers are running windows 2012 R2.  Interestingly, all of our test web-servers (also running windows 2012 R2) do have the update successfully installed and WSUS reflects that.  I have tried several different things to no avail:

deleted one of the computer objects from WSUS server

tried this on the client 'wuauclt.exe /resetauthorization /detectnow'

ran microsoft fixit and manual steps to re-register the wsus client into wsus (MS Article ID: 971058) multiple times

3 other clues:

1.  About 3 months ago, these problematic servers were upgraded from windows 2008 to windows 2012 R2.  However, my test servers (that do successfully have the update installed) were also upgraded from 2008 to 2012r2.  So, i'm not sure if this is relevant or not.

2.  Our WSUS server crashed about 6 months ago.  We were forced to start from scratch on a new WSUS server.  I created the new one with a new server name and updated group policy accordingly.  Obviously the machines registered and are reporting, so i don't beleive this is a problem, but thought that it might be relevant based on an error that I'm intermittently seeing in the client logs: 

WARNING: Failed to initialize event uploader for new server {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} with hr = 8024043d.

3.  I'm consistently seeing these in the logs.  I have found some old posts from 2010 that mention that these might be superseded updates that the client is struggling with, but i can't seem to find a way to resolve them or if this is even related:

2016-10-2700:09:44:603 84410b4AgentWARNING: Failed to evaluate Installed rule, updateId = {{4DEB7F5F-D14D-43E2-93FA-F81B10846CF7}.200}, hr = 80070057

At this point, i am not sure what to do and the interwebs are leading me down too many rabbit holes.  If anyone has any recommendations, i would greatly appreciate it.  full snippets of client log is below.

I have a breakdown between a single node on my network and the WSUS server.    Since the problem could be on either end, this makes it hard to document the problem in words alone.  So I've prepared an image that spells out where things stand at the moment.  Basically, the server reports the node as needing a single update and that it's been out of communication for four months.  There is no way to get it to report its status as anything else.  While this message persists, the workstation cannot receive updates from the server -- only from the web. 

I've tried the fixit utility for repairing WSUS functionality in a workstation, and that didn't have any effect.  Can anyone suggest a fix for this?  Or at least the next step they'd take if they personally encountered it?  I've pretty much exhausted the self-help options for this problem.

We have a WSUS 3.0 SP2 server running on Windows 2008 R2, with 25 replica servers pulling from it and they are all the same WSUS version 3.2.7600.226. One of the replica servers has stopped running its Synchronization each night, all other synchronizations leading up to it are successful, but it just stopped one day and has not run since.

I have attached a picture of the synchronizations, there are no failed syncs to check the details, it appears that they are not even starting. I have checked the schedule and it is set properly, nothing has changed there and nothing has changed on the primary server as far as I am aware. If I try to run a manual Sync, it just sits at 0% and does not proceed. I wanted to check the logs for the sync schedule, but wasn't sure where these are actually located?

Any ideas are greatly appreciated.

I have WSUS 6.2 installed on windows server 2012 targetting windows 7 and windows 8 PCs. When I push bulk like 15 patches together, some time installation stuck due to a .NET patch, I guess some patches are exclusive and need to be installed separately for any reason....my question is how I can identify those kind of patches ahead of time so that I won't include them and install them separate first ?

Other question - some times when I schedule patch installation at certain time... but WSUS missed that installation window for some reason ..how long I should wait to re-schedule patch installation ?

Service host local system is taking up lot of cpu usage(30-38%). Its been like for this hours. Any solutions to this problem would be greatful. 

Thank you 

Hi -

I have a number of machines with a bloated Windows\SoftwareDistribution folder.  I usually address this by:

1. Stopping the Automatic Updates service.
2. Deleting the Windows\SoftwareDistribution folder.
3. Restarting the Automatic Updates service.

I'm considering using a computer startup script to perform this task automatically.  Does anyone have a more elegant method of automating this task?

Thanks in advance for your input.

I found a client today that was updating KB3194496 directly from Microsoft servers instead of WSUS. We run WSUS on a Server 2008 R2 machine.

I already found out that Win10 clients needed to go to M$ to get the Anniversary Update Version 1607 and other "upgrades", so I had some clients get 1607 from M$ over the last couple of weeks. But as far as I have seen, the clients should go back to the WSUS for any subsequent updates.

This is a 800 MB update I think. Will all my clients on 1607 do this? So much for using WSUS. Can this behavior be stopped?

Incidentally, this client updated with 100% status report to the WSUS server earlier today... I am not sure before or after going to the M$ server. So it is somehow using both WSUS and M$ updating. I have never heard of this, and I need a M$ comment on this. I am frustrated... and is this fixed on either Server 2012 or 2016?

Hello, 

in our company we have arround 40 Windows 10 PCs by now. Four of them are "Beta-Testers" for recently released Updates. 
(We are releasing (Non-Security-)Updates for every User with about 2-3 weeks delay, depending on the Admins Mood) 

The last "Test-Release" made the Windows-Update Service stop working on all 4 Test-Devices. They are still connecting to WSUS (according to "Last Contact") - but they never send an updated Status Report.

Also, invoking "Search for Update" manually on these devices always "finds" new Updates, but gets stuck with "0% Downloading". 

The Event Log shows a big bunch of services beeing "stopped" right after system-startup.

(Also "Windows Update Service", "Background Transfer Service", and the like) 

The Option "Search online for Updates" is no longer available (on these clients) 

Is there any Update "known", causing this problem? If yes, which KB is it, and how to get the "Test-Clients" back on track? 

I've been keeping tabs on the various WSUS and Windows 10 issues for awhile now. I just want the damn thing to work like Windows 7 did as I don't have time to dive into technical details on a re-designed WSUS.

Currently, my Windows 10 1607 machines that have patches approved and are logged off that just sit there doing nothing when they should be installing and rebooting overnight. When I check the WSUS console I can see the updates have statuses of downloaded but they are not being installed and rebooted as they were on Windows 7. Can anybody please point me in the right direction here? What am I missing?

Hello,I have a MS Windows 2012 R2 WSUS szerver.

Clinet computer's IE show certification error some website (for example: microsoft, google, ect.). I check the server's IE, they the same show.

I don't know what can I do.

Could you give me some practice?

Wsus version: 6.3.9600.16384

Thank you Everybody

Hey WSUS forum.  This is a repost from the SCCM forums.  Didn't learn much more than I already knew over there, however it was nice to see someone step up very quickly.  The SCCM forum doesn't believe the update broke WSUS, and the logs I provided may indicate as such.  However, my SOftware Update Points have been running flawlessly for months until I did the upgrade and now they are unable to synchronize with Microsoft Servers.  Please pay close attention to the chronological order of events to see where I'm coming from here.  In the original thread, near the end, I indicate that other non-SCCM WSUS servers are experiencing the same issue.  At this point, however, after seeing the data provided by our other WSUS admins, I can see that this is not the case.  The original question is below and the thread from the SCCM forum is here:  https://social.technet.microsoft.com/Forums/en-US/bc428a9c-740f-43bc-8842-5543a8b36a58/sups-failing-to-synchronize-after-sccm-1602-to-1606-inconsole-upgrade?forum=ConfigMgrCompliance

- I've verified that other non-SCCM integrated WSUS servers (on the same subnet and VLAN) in our environment are synchronizing.

- I've verified via extensive Wireshark and Firewall research, in communication with both our Networks and Security teams, that sync attempts via WSUS console and via SCCM console are reaching Microsoft Servers and that said Microsoft Servers are apparently resetting the connection (the rejection occurs within the first 3 seconds of the sync attempt).

- Although recent security patches were installed and we had successful syncs afterwards (again, please see the chronological order of events), I still removed and tested without them installed.  Removal of recent KBs did not solve issue.  KB's listed below have since be re-installed.

- To sum it up.  I've verified to the best of my ability that all in house communications and configurations through SCCM and and native WSUS logs that everything is still set up as it was before the 1602 to 1606 upgrade.  Why the WSUS servers are suddenly unable to synchronize with Microsoft eludes me.  The SCCM forum is clear that they believe the upgrade would not cause this, but I want to see the data to prove this at this point by being pointed to a relevant KB article or Technet reference.

- The error found in SCCM's wsyncmgr.log below is just a copy paste from the exact error found in the WSUS console itself in the Synchronizations section.  So, there it is.

Otherwise, any insight is greatly appreciated. 

_________________________________________________________________________________________________________

Hello,

I recently configured the WSUS server o Windows 2012 R2

Version - 6.3.9

But on WSUS,  Eindows 10 shows as vista

How do I recognize Windows 10 as Windows 10.

Thank you.

After the monthly update cycle, I now have a WSUS server that will not allow local connection via WSUS Console.

In the past, uninstalling KB2720211 has helped, but not this time. 

The OS installed is Server 2012 R2

I have tried the following...

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

C:\Windows\system32>"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
Log file is located at C:\Users\bpadmin\AppData\Local\Temp\tmpBC8D.tmp
Post install is starting
Post install has successfully completed

Completed this: (Insert https : / /  in front - I'm not allowed to put full address it seems - nice)

support.microsoft.com/en-us/kb/3159706 

Tried removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

Restarting the following services does not fix issue.
The Windows Internal Database service
Update Services
World Wide Web Publishing Service

I have tried (Insert http in front - I'm not allowed to put full address) jackstromberg.com/2013/10/windows-update-services-multiple-errors-in-event-viewer-event-id-1205212042-12022-12032-12012-1200213042/

Now, running a wsusutil checkhealth the following errors are created in application log.  They were not present before the update.

The DSS Authentication Web Service is not working.
Event ID 12052

The SimpleAuth Web Service is not working.
Event ID 12042

The Client Web Service is not working.
Event ID 12022

The Server Synchronization Web Service is not working.
Event ID 12032

The API Remoting Web Service is not working.
Event ID 12012

The Reporting Web Service is not working.
Event ID 12002

Many client computers have not reported back to the server in the
last 30 days. 32 have been detected so far.
Event ID 13032

Error generated from console.

The WSUS administration console was unable to connect to the WSUS Server via the remote API.

Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

System.IO.IOException -- The handshake failed due to an unexpected packet format.

Source
System

Stack Trace:
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
** this exception was nested inside of the following exception **

System.Net.WebException -- The underlying connection was closed: An unexpected error occurred on a send.

Source
Microsoft.UpdateServices.Administration

Stack Trace:
   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
   at Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.get_ServerTools()

Hello all,

I can't seem to connect to my WSUS server anymore through the MMC. When I try, I get the following error message:

Cannot connect to 'ServerName'. SQL server may not be running on the server.

I don't know what caused this problem, it just stopped working one day. I'm not sure if it is related or not, but I'm getting the following error message in the application event log.

Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: <named pipe>]

Unfortunately, I'm not too familiar with SQL. When I installed WSUS over a year ago, I chose all defaults, so I believe that the express version of SQL is installed. Any help that you could give me would be great.

Thanks,

Joe

Hi,

The last couple of cumulative updates for windows 10 Pro 1607 have gotten stuck downloading at 45% when using wsus ? e.g. KB 3199209

I have noted that windows when updating language packs are also getting stuck.

Anyone had any luck getting to the bottom of this?

Stuart

Hey all

I have a Server 2012 R2 environment. My WSUS server is running the latest version pretty default setup.

We have introduced a new Server 2016 client to check it out.

However we are having issues getting it to download and install patches from our WSUS server.

As its so new google dosnt have any info or help.

Just wondering if any other sys admins have done this and how they went?

I approved on WSUS only 'Security and Quality Rollup for .NET Framework' (KB3188740) - and 'Security Only Update for .NET Framework (KB3188730)' is NOT needed for computers.

I approved on WSUS 'Security Monthly Quality Rollup' (KB3185330) - but all computers in WSUS console reports, what 'Security Only Quality Update for Windows 7' (KB3192391) is required.

Is KB3185330 supersede KB3192391?

I am having an issue with my Windows 7 machines and a GPO to enforce update rules. I have setup a WSUS server and configured all the rules for updates. However, some of the machines are sticking with their old update settings no matter what I do. Here is the rsop result showing the policy is getting to the machine:

Which you can see is set to auto download and schedule the install for 3:00 PM. But the updates were not being installed so. I checked in control panel and here are the settings I see:

As you can see, it isn't getting set to automatically install. Instead its sticking with its old config (which was done locally via control panel) to download but not install. It doesn't even have the correct time.

Dave

Getting above error on Win7 Pro machines after installing October patches. Screenshot of updates selected for Win7 machines:

https://1drv.ms/f/s!AoDWiVsD6S4XgmDCH6oopJuRPo17

WindowsUpdate log snippet:

Thanks!

Hank Vare