1.SVR 2008 r2-wsus environment
2.KB4490628 has been approved in WSUS.
3.The client server can't find this SSU.
4.Any Prerequisites for this SSU? we need to install this SSU for more than 1500 servers.
↧
KB4490628 can't be found from the windows 2008R2 Client.
↧
KB question
Hi Guy's
I have a question regarding the update of 13-08-2019, when go to the https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182 and check the update for the server 2008 R2 SP1 or server 2012 R2 I can see 2 updates:
server 2008 R2 SP1
4512506 Monthly
4512486 Security only
On my servers is only 4512506 is installed, this would be enough correct? or we should also install the 4512486 as well?
Thanks
Shahin
↧
↧
Declining updates for certain computer groups
Hello
I have a wsus server serving many clients/servers.
Some of the servers and clients served by this wsus server have installed software from a software vendor that test new windows patches for compatibility with their system, and releases lists with approved updates for their system.
Some of the new windows updates are found to cause trouble for the software and are not to be installed until further notice.
The servers and clients that have this software installed are grouped, so I would like to decline the updates with compatibility issues for these specific computer groups while the updates are still available to other computers that are not affected by these updates.
Can you tell me how I can easily in wsus decline updates from certain computer groups without declining them for all computers??
Don't tell me to just not approve these updates for install, that is not an answer. There should be a way to distinguish not yet approved updates(as in just released ) from the updates I really don't want to install.
I would also like to keep track of these updates that I don't want installed so that I can check those specific updates the next time the software vendor update their list of approved patches to see if they can be installed or still needs to be declined.
The WSUS tool could potentially have been an awesome tool, but because of some strange design choices and features like this missing, the tool is just mediocre at best...
I have a wsus server serving many clients/servers.
Some of the servers and clients served by this wsus server have installed software from a software vendor that test new windows patches for compatibility with their system, and releases lists with approved updates for their system.
Some of the new windows updates are found to cause trouble for the software and are not to be installed until further notice.
The servers and clients that have this software installed are grouped, so I would like to decline the updates with compatibility issues for these specific computer groups while the updates are still available to other computers that are not affected by these updates.
Can you tell me how I can easily in wsus decline updates from certain computer groups without declining them for all computers??
Don't tell me to just not approve these updates for install, that is not an answer. There should be a way to distinguish not yet approved updates(as in just released ) from the updates I really don't want to install.
I would also like to keep track of these updates that I don't want installed so that I can check those specific updates the next time the software vendor update their list of approved patches to see if they can be installed or still needs to be declined.
The WSUS tool could potentially have been an awesome tool, but because of some strange design choices and features like this missing, the tool is just mediocre at best...
↧
How to decline updates for certain computer groups
Hello
I have a wsus server serving many clients/servers.
Some of the servers and clients served by this wsus server have installed software from a software vendor that test new windows patches for compatibility with their system, and releases lists with approved updates for their system.
Some of the new windows updates are found to cause trouble for the software and are not to be installed until further notice.
The servers and clients that have this software installed are grouped, so I would like to decline the updates with compatibility issues for these specific computer groups while the updates are still available to other computers that are not affected by these updates.
Can you tell me how I can easily in wsus decline updates from certain computer groups without declining them for all computers??
Don't tell me to just not approve these updates for install, that is not an answer. There should be a way to distinguish not yet approved updates(as in just released ) from the updates I really don't want to install.
I would also like to keep track of these updates that I don't want installed so that I can check those specific updates the next time the software vendor update their list of approved patches to see if they can be installed or still needs to be declined.
The WSUS tool could potentially have been an awesome tool, but because of some strange design choices and features like this missing, the tool is just mediocre at best...
I have a wsus server serving many clients/servers.
Some of the servers and clients served by this wsus server have installed software from a software vendor that test new windows patches for compatibility with their system, and releases lists with approved updates for their system.
Some of the new windows updates are found to cause trouble for the software and are not to be installed until further notice.
The servers and clients that have this software installed are grouped, so I would like to decline the updates with compatibility issues for these specific computer groups while the updates are still available to other computers that are not affected by these updates.
Can you tell me how I can easily in wsus decline updates from certain computer groups without declining them for all computers??
Don't tell me to just not approve these updates for install, that is not an answer. There should be a way to distinguish not yet approved updates(as in just released ) from the updates I really don't want to install.
I would also like to keep track of these updates that I don't want installed so that I can check those specific updates the next time the software vendor update their list of approved patches to see if they can be installed or still needs to be declined.
The WSUS tool could potentially have been an awesome tool, but because of some strange design choices and features like this missing, the tool is just mediocre at best...
↧
WSUS 2019 Downstreamserver bug - Downstream Computers not available on Upstream
Hello,
I think there might be an issue with downstream servers in server wsus 2019.
First I did update my main WSUS to 2019. All Downstream were 2016. After that I was not able to view the complete computer list on the main server. As soon as you choose the “All Computers” or a computer group that is from a downstream server the console crashes. When you delete the downstream server from the “Downstream Servers” section I am able to browse the list again.
After that I decided to reinstall all WSUS Servers with server 2019 even including the main one. And I did again get the error.
Tried it via Powershell gives me the following error.
$wsusserver = "localhost"
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($wsusserver,$False)
$computerScope = New-object Microsoft.UpdateServices.Administration.ComputerTargetScope
$computerScope.IncludeDownstreamComputerTargets = $true
$wsus.GetComputerTargets($computerScope)Exception calling "GetComputerTargets" with "1" argument(s):"Unable to cast object of type 'System.Guid' to type 'System.String'."
At line:1 char:1
If I choose to not include Downstream Computer Targets it works.
↧
↧
Windows 10 1903 not downloading updates from WSUS 2016
Hello,
I have several windows 10 1903 pro that are not getting any updates from the WSUS 2016 server.
I have enable on WSUS products classifications Windows 10, version 1903 and later and downloaded all updated related to 1903.
Windows 10 1903 appear on WSUS with 100% installed updates but they never download any update.
would appreciate any advice
Thanks in advanced.
Mickey
I have several windows 10 1903 pro that are not getting any updates from the WSUS 2016 server.
I have enable on WSUS products classifications Windows 10, version 1903 and later and downloaded all updated related to 1903.
Windows 10 1903 appear on WSUS with 100% installed updates but they never download any update.
would appreciate any advice
Thanks in advanced.
Mickey
↧
Can't see my computer on WSUS
Hello everyone,
Some weeks ago i did some changes on my network. My dns was on my Windows server 2008 R2 but i changed it to my firewall (pfsense) and i'm changing all my computer and upgrade them to Windows 10 and i'm changing there name.
Yestuday i saw that my WSUS does not have the good computer name, could you tell me why please ?
Thank a lot
↧
WSUS - computers groups synchronization and updates view
Hi Technet,
I'm in front of stupid question I think but this is turning me mad.
1) In my WSUS, I'm creating sub-groups in order to separate new Products and Classifications updates and to apply them to my test computers pool.
Unfortunately, as you can see on my screenshot, these groups are empty.
I've checked the GPO created for these tests and everything is settled as for our other WSUS GPO, which are well synchronized to our server.
Here is the screenshot of GPO settings :
Here is what I've tried :
* Delete the computers group, recreated it and wait for 90 to 120 minutes for the DC to synchronize ---> Not OK.
* Force the sync with gpupdate /force on WSUS server ---> Not OK.
* Delete GPO and recreate them ---> Not OK.
What is strange is that it's not the first time I'm using side targeting and all other Computers Groups I have are well working.
Based on my first screenshot, my problem is on sub-groups under GVA_Test_Computers.
Is there anything I can try to have them get computers ?
2) For custom view I can create, (for example, I've created Office 2010 in the first screenshot) is it possible to keep them alive or do I have to recreate them everytime I'm connecting to the WSUS console ?
Many thanks.
TiGrOu.
↧
Can't get computer to report to WSUS?
I'm setting up a WSUS server in the domain at work. I have 2 computers that I'm working with as my test computers. One is a Win10 and the other is a Server 2016. The Win10 reported to the WSUS just fine, the Server 2016 did not.
I have ran the commands to try to get to report, but it's not working.
wuauclt /detectnow
wuauclt /reportnow
It has been sitting there in the queue for like 3 days now with no status change.
Any special commands or tricks to get it to report?
↧
↧
windows server 2016 连接WSUS 出现代码错误0x80244022
同一个网段下发2台windows ,一台windows 2012 一台2016 ,更新时,2012可以正常更新,但是2016出现错误。可以telnet通,能够ping通
↧
Fail to update 2019-06 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4503292)
Hi all,
Is there anyone encountered windows updates failure on KB4503292 recently. Let me tell something more about the background.
OS: Windows 2008 R2 SP1
Found error "Install failed, error = 0x8007000" from windowsupdate.log
Already tried:
rename C:\Windows\SoftwareDistribution
execute System Update Readiness Tool for Windows 7 (KB947821) and no error was found
Manual apply KB4503292 (June) and KB4507449 (July) but turn out FAILED as well.
May I ask how could I troubleshoot such issue? what else I could do? Please let me know, many thanks.
↧
Supersedence and security\critical\non-critical updates
Hi,
The latest 2019-08 Windows 10 1803 security updates (4512501) caused some issues with one of our programs. This was fixed in an updated version of the patch (4512509), but this only appears as an Update (as opposed to a Security or Critical Update) so we didn't see it until i enabled Updates as a Classification. However, this now means I've got loads of updates to work through and all our systems suddenly seem more out of date than they used too. The original security update is now also showing as superseded, but it's superseded by a non-critical update which seems obtuse and makes it harder than it should be to find the superseding update. This leads me to a couple of questions:
- Why does a new version of a critical\security update not display as a critical\security update?
- What's best practise for the specific Update classification? My understanding was that they were updates that are for non-critical\non-security updates so we've never used them, but now that I've seen new versions of security\critical updates appear in there I'm not so sure.
Thanks
↧
New WSUS server 2016 keeps crashing - WSUS 10.0.14393.2007
I built a brand new Windows Server 2016 and Added the WSUS role.
All has been well up until recently.
My WSUS server keeps crashing now (Completely random).
This is the error I get
The WSUS administration console was unable to connect to the WSUS Server via the remote API.Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.
The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,
Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.
System.IO.IOException -- The handshake failed due to an unexpected packet format.
Source
System
Stack Trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
** this exception was nested inside of the following exception **
System.Net.WebException -- The underlying connection was closed: An unexpected error occurred on a send.
Source
Microsoft.UpdateServices.Administration
Stack Trace:
at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.GetUpdateServer(PersistedServerSettings settings)
at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()
at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.get_ServerTools()
I am thinking that there may be a machine that is causing WSUS to crash, but I am not sure.
Overall, this server is basically brand new.
I did run a server cleanup on it a couple of weeks ago.
Hopefully someone has a solution to this issue.
WSusService - is running
IISAdmin service is running
SQL service's also appear to be running.
Thanks
↧
↧
Security stand alone KB not in Monthly Rollups?
Hi I would like to understand the logic behind patching, we are using SCCM to patch our estate and what I was taught was that if there is a security stand alone update, for example it fixes some vulnerability, it should be added to monthly security rollups. Yet while using 3rd party tools, or SCCM to verify what was installed and what was not we are getting information that we are missing KBs. For example:
May 14, 2019—KB4499165 (Security-only update) seems to be missing and it should be in Monthly Rollup I believe, but we got August now and none of monthly rollups applied this
June 11, 2019—KB4503290 (Security-only update), same here
So how do I verify missing KBs? Is there any information that they are not in Rollup because reasons, or that another part of rollup fixes it...or should I patch with all standalone security updates along with monthly rollups?...can't find the logic here
↧
Two WSUS servers - declined the same updates...
I have two WSUS servers. For the purposes of this question, let us define them as:
Server A - with access to the internet, without any clients connected, only as a source, being backup for server B
Server B - in a closed network, without internet access, with connected clients.
Both WSUS servers are based on W2k16. Once a month on server A, I download patches and using Windows Server Backup I backup WSUSContent and use wsusutil.exe to export xml.gz and log. Then everything is imported on server B and approved for installation on clients.
And now, I would like to clean the base and Content on server A - decline updates unneeded by any computers because there are a lot of them ...
But for it to make sense (not transfer the removed updates every month), I should decline and delete these updates also on the source server A. There is only a problem because on server A, I don't have the unneeded parameter (zero computers connected, this is only source-backup server) Is there any way (e.g. powershell) to export the list of declined updates on server A, then import it on server B and doing the same ? In short, what method to use to remove the same patches on Server A as those removed on server B ?
Server A - with access to the internet, without any clients connected, only as a source, being backup for server B
Server B - in a closed network, without internet access, with connected clients.
Both WSUS servers are based on W2k16. Once a month on server A, I download patches and using Windows Server Backup I backup WSUSContent and use wsusutil.exe to export xml.gz and log. Then everything is imported on server B and approved for installation on clients.
And now, I would like to clean the base and Content on server A - decline updates unneeded by any computers because there are a lot of them ...
But for it to make sense (not transfer the removed updates every month), I should decline and delete these updates also on the source server A. There is only a problem because on server A, I don't have the unneeded parameter (zero computers connected, this is only source-backup server) Is there any way (e.g. powershell) to export the list of declined updates on server A, then import it on server B and doing the same ? In short, what method to use to remove the same patches on Server A as those removed on server B ?
↧
i cant update my pc
rahul
↧
WSUS Administration Console
The Wsus Administration COnsole was unable to connect to the WSUS Server via Remote API. Getting Error the Operation has timed out Source System.Web.Sevices Stack Trace:at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request) at Microsoft.UpdateServices.Internal.DatabaseAccess.ApiRemotingCompressionProxy.GetWebresponse...
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at Microsoft.UpdateServices.Internal.ApiRemoting.ExecuteSPSearchUpdates(String updateScopeXml, String preferredCulture, Int32 publicationState) at Microsoft.UpdateServices.Internal.DatabaseAccess.AdminDataAccessProxy.ExecuteSPSearchUpdates(String updateScopeXml, String preferredCulture, ExtendedPublicationState publicationState) at Microsoft.UpdateServices.Internal.BaseApi.Update.SearchUpdates(UpdateScope searchScope, ExtendedPublicationState publicationState, UpdateServer updateServer) at Microsoft.UpdateServices.UI.AdminApiAccess.UpdateManager.GetUpdates(ExtendedUpdateScope filter) at Microsoft.UpdateServices.UI.AdminApiAccess.WsusSynchronizationInfo.InitializeDerivedProperties() at Microsoft.UpdateServices.UI.SnapIn.Pages.SyncResultsListPage.GetSyncInfoRow(WsusSynchronizationInfo syncInfo) at Microsoft.UpdateServices.UI.SnapIn.Pages.SyncResultsListPage.GetListRows()
↧
↧
WSUS Admin Web Page returning a 404 Error
Hi all,
We're running WSUS version: 10.0.14393.2969 on Windows Server 2016. When I try to access the client.asmx page, I get the following:
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /ClientWebService/client.asmx
If I run the wsusutil.exe checkhealth, my event logs show lots of errors:
- Self Update is not working
- The server is failing to download some updates (the main console page shows 0 updates needing files though?)
- The reporting web service is not working
- The API Remoting Web Service is not working
- The Server Synchronization web service is not working
- The client web service is not working
- The SimpleAuth Web Service is not working (This is not true though, if I go to http://<wsus server>/SimpleAuthWebService/SimpleAuth.asmx it returns the Simple Auth web page
- The DSS Authentication Web Service is not working
- The WSUS content directory is not accessible. System.Net.WebException: The remote server returned an error: (400) Bad Request. at System.Net.HttpWebRequest.GetResponse() at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)
Alot of systems are updating from this server properly though, however, we are having lots of clients that can not update either. Here's an example of an error log from a Windows Server 2016 system:
WebServices WS error: There was an error communicating with the endpoint at 'http://<wsus
server>/ClientWebService/client.asmx'.2019/08/30 13:19:19.8805521 936 6116 WebServices WS error: There was an error receiving the HTTP reply.
2019/08/30 13:19:19.8805580 936 6116 WebServices WS error: The operation did not complete within the time allotted.
2019/08/30 13:19:19.8805829 936 6116 WebServices WS error: The operation timed out
2019/08/30 13:19:19.8805894 936 6116 WebServices Web service call failed with hr = 8024401c.
2019/08/30 13:19:19.8805580 936 6116 WebServices WS error: The operation did not complete within the time allotted.
2019/08/30 13:19:19.8805829 936 6116 WebServices WS error: The operation timed out
2019/08/30 13:19:19.8805894 936 6116 WebServices Web service call failed with hr = 8024401c.
I'm confused, because I can't seem to find the IIS logs for the WSUS website, the "Logs" icon is missing from the IIS admin console? Any ideas on how to proceed with troubleshooting this issue?
↧
How to get Windows 10 to install updates immediately after updates are downloaded from WSUS
Hello experts,
I would like to get Windows 10 Pro clients to install updates immediately after new updates have been made available from WSUS.
What are the recommended Group Policy settings to use in in combination with the value of 4 for auto download/install ?
Any help will be greatly appreciated.
Thanks and Regards,
Massimiliano
↧
WSUS/GPO/Windows 10 1809
Hello and thank you for taking the time to read this.
Currently i'm working on setting up WSUS for the company that i work for. I set up the WSUS server, configured the GPO, found the clients, approved the updates... so far so good :). Since there are always need employees we have a mix of versions ranging from 1703 to 1903. Ideally I would like to install updates and reboot every Saturday at 22:00 so i set up the GPO as such.
I also configured "Allow Automatic Updates immediate installation" to Enabled, "No auto-restart with logged on users for scheduled automatic updates installations" to Disabled, "Always automatically restart at the scheduled time" to Enabled (15 minutes) and "Turn off auto-restart for updates during active hours " to enabled (9am to 7pm).
The schedules shouldn't overlap and it should install/reboot i thought.
Unfortunately it didn't. I have PCs with Reboot pending, my own pc (with v 1903) had the updates and were stuck on Install Now.
So my questions are as follow:
Is there any additional configuration needed for wsus to download/install/reboot the pcs on a schedule?
From this part of information i understand that the 22:00 applies to v1809 and higher:
But that doesn't explain why no PCs have rebooted (they should have done so at 3:00 AM since they are lower) and also why didn't my v1903 didn't restart at 22:00. Could you please tell me?
Thank you,
Bogdan
↧