question

Tutek avatar image
0 Votes"
Tutek asked ViniciusDellAglio-5279 answered

WSUS not show updates to install

Hi,
I have configured WSUS, in Products I have checked "Windows 10" and my Windows Servers 2012, 2016, 2019.
Now I see that on WSUS page neither critical nor security updates are available,
87557-no-updates.jpg

when I click on client computer check updates then I have System is Up to date.
But when I click check updates in Windows Update Online, then computer start to download new security patches.

87613-windows-online-updates-available.jpg


Second example:

Windows 2012 R2 not connected to WSUS, report now that two security patches are ready to download:
87631-windows2012-update-available.jpg

Windows Server 2012 R2 connected to WSUS do not have any updates available:
87632-windows2012-wsus-no-updates-on-wsus.jpg


windows-server-update-services
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

It seems there is no update for a couple of days. May we know the current status of the problem? Is there any other assistance we can provide?

0 Votes 0 ·
RitaHu-MSFT avatar image
0 Votes"
RitaHu-MSFT answered

@Tutek
Here are several comments of mine about this issue:
1. Please tick the Windows 10, version 1903 and later products if there are windows 10 1903 and later version computers pointed to the WSUS Server.

Reference picture:
87652-14.png

Sync updates successfully on the WSUS console first.

  1. We could filter out updates by building a New Updates View.
    Here is reference picture to build a New Update View:
    87653-15.png

  2. Make sure that all the computers shown on the WSUS console reported correctly
    87596-17.png

87628-18.png

  1. It is recommended to disable Dual Scan on windows 10 computers. Dual Scan means that the clients which scan for updates both from WSUS Server or Microsoft online but it will accept the updates from Internet.
    It is recommended to apply the Do not allow update deferral policies to cause scans against Windows Update policy to prevent scaning updates from the Internet.
    87519-13.png

Hope the above will be helpful. Please keep us in touch if there are any questions.

Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


14.png (30.4 KiB)
15.png (28.3 KiB)
17.png (25.3 KiB)
18.png (7.6 KiB)
13.png (31.1 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AJTek-Adam-J-Marshall avatar image
0 Votes"
AJTek-Adam-J-Marshall answered

Yes, "Windows 10" is not enough. You need to use "Windows 10, version 1903 and later"

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Tutek avatar image
0 Votes"
Tutek answered RitaHu-MSFT rolled back

Hi,
something is wrong with my WSUS, I have checked in Classifications "Upgraes"
88073-classifications.jpg


On products I have checked, "Windows 10, 1903 and Later"
88030-products.jpg


On WSUS I have accepted upgrades to Windows 20H2 version:
87950-upgrades-approved.jpg

Now on my clients which are 1909 when I click find any updates, I have status that system is up to date:
87996-no-updates-for-1909.jpg



classifications.jpg (71.4 KiB)
products.jpg (114.3 KiB)
upgrades-approved.jpg (341.8 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Which version did the computers want to upgrade to? 20H2?

In my opinion, approving the specified feature updates for the specified computer group will be OK. There is no needed to approve all the feature updates.
88453-29.png

As the above picture, there are three feature updates at different release date. Approve the needed feature update for the computer groups.

0 Votes 0 ·
29.png (50.9 KiB)
Tutek avatar image
0 Votes"
Tutek answered

I checked in Automatic Approvals to automatically approval Critical and Security Updates, after click OK, WSUS begin to download mass of updates, my C:\Wsus folder has grown to almost 200GB. I declined all these updates because I don't need most of these, then I did Wsus server Cleanup with all options checked. But unfortunately WSUS did not removed all updates that was downloaded, my c:\WSUS folder is still almost 200GB, is any way to remove these non needed updates?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RitaHu-MSFT avatar image
0 Votes"
RitaHu-MSFT answered RitaHu-MSFT edited

@Tutek
It is not recommended to enable Automatic Approvals Rules and it will approve many non-needed updates. Please follow the below steps:

  1. Disable the Automatic Approvals Rules

  2. Change all the Approved updates to Not Approve
    Filter out all the Approved updates
    88571-31.png

  3. Change the Approved updates to Not Approved
    88505-32.png

Note that we could hold down the Shift to select multiple updates.

4.Clean up the non-needed updates
All the approved updates will be downloaded into WsusContent folder. We could delete all the approved updates

88538-33.png

5.Approve the specified updates manually

Hope the above will be helpful.

Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


31.png (19.6 KiB)
32.png (58.4 KiB)
33.png (57.0 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Tutek avatar image
0 Votes"
Tutek answered Tutek edited

Hi,
I Unapproved all updates, then deleted content on "WsusContent" folder, now my WSUS folder is empty.
Now I'm manually do approval of updates, but on main WSUS screen where download status is, it do not download any manually approved packeges.
I have all the time 0 files needed for download:
88626-no-updates-to-download.jpg


When I enable in column "File Status" then I see that WSUS showing that all Not approved packages are already on disk, but they aren't (I removed it):
88584-file-status.jpg


Looks like that WSUS database think that packages are on disk, but I deleted it so there is a problem.



file-status.jpg (135.4 KiB)
file-status.jpg (136.1 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AJTek-Adam-J-Marshall avatar image
0 Votes"
AJTek-Adam-J-Marshall answered

You need to perform a wsusutil reset - follow the parts regarding the WsusContent folder here:

https://www.ajtek.ca/wsus/what-do-i-do-when-i-run-out-of-space-on-a-wsus-server/

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Tutek avatar image
0 Votes"
Tutek answered Tutek edited

After I did this command wsusutil reset. I do not have any updates from computers, on main screen where updates are shown, these update numbers do not change at all, 24 hours later I have exact the same numbers. Earlier before I removed WsusContent folder and did wsusutil reset command, these numbers was updated.
88697-no-updates-from-computers.jpg



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AJTek-Adam-J-Marshall avatar image
0 Votes"
AJTek-Adam-J-Marshall answered

My question then goes to "Are the clients actually reporting properly to WSUS?"

https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RitaHu-MSFT avatar image
0 Votes"
RitaHu-MSFT answered

@Tutek
The clients which enabled the Do not allow update deferral policies to cause scans against Windows Update policy will prevent scanning updates from Internet. It will be helpful if you configure the WSUS server on the internal environment.

In addition, according to your issue, I just want to confirm the following questions:
1. Please help to confirm whether all the clients showing on the WSUS console report correctly.
2. Please help to approve the latest and needed cumulative updates and service stack updates for the clients first. Here are several reference picture for your to approve the needed updates:
90275-11.png

90276-12.png

I'm sorry that the reference picture is used for windows 8.1. All the needed updates in windows 10 are approved on my environment.

In fact, the security updates is cumulative in windows 10. So we could approve the latest cumulative updates and all the superseded updates will be included.

Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


11.png (52.6 KiB)
12.png (127.8 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.