question

StephenAtkins-7552 avatar image
0 Votes"
StephenAtkins-7552 asked RitaHu-MSFT edited

WSUS shows updates not installed but computer shows no updates available

I've got 15 computers on my ADDC and I've got WSUS installed on one of the domain controllers. I've created a group policy to have those machines check WSUS for updates. All the computers have reported in to WSUS. WSUS shows that there are updates needed and not installed on all of the machines. When I go to any of those machines and run a check for updates it says there are none. Some updates do show but it's not consistent from what I can tell. I have yet to get any of those machines to actually download the updates from WSUS. I can force them to go to the Microsoft site to get them and they download and install no problem. After telling the machine to check for updates, WSUS doesn't show that those just installed updates are actually installed.

Is it possible that there is a permissions problem on my WSUS machine? I've tried all kinds of scripts and command line options but nothing has worked so far.

Thanks for the help.

windows-server-update-services
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@StephenAtkins-7552
Any updates of the case? Please feel free to keep us in touch if there are any questions. Remember to mark the answer if it is helpful

Have a good time.

Regards,
Rita

0 Votes 0 ·
RitaHu-MSFT avatar image
0 Votes"
RitaHu-MSFT answered RitaHu-MSFT edited

@StephenAtkins-7552
Thanks for your posting on Q&A first.

I would like to confirm the below questions before moving on:
1. Have you approve the needed updates for the clients? It is the first step if you want the clients to get updates from WSUS server. We have to approve the updates for the clients.
2. I can force them to go to the Microsoft site to get them and they download and install no problem.
According to the above distribution, you click the check online for updates from Microsoft Update option and the clients did download and install some updates. Am I right?

Reference picture:
100888-41.png


If so, it seems that the clients did miss some updates to be installed. Please try to apply the below picture policy for the clients first and approve the needed updates for the clients. Wait for a while and see whether the clients will download and install the approved updates.
100887-42.png

Note that it is not recommended to install the WSUS on the DC.

Hope the above will be helpful. Please keep us in touch if there are any updates of the case.

Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


42.png (90.6 KiB)
41.png (15.6 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

StephenAtkins-7552 avatar image
0 Votes"
StephenAtkins-7552 answered RitaHu-MSFT commented

1) Yes I've approved the updates for all computers in each group.
2) Yes, if I click on the "Check online..." they will get the updates from Microsoft and install them.

I do not see this option in Group Policy/Computer Configuration/Administrative Templates/Windows Components/Windows Update. Am I looking in the wrong place?

WSUS is running on a DC that I made as a second DC incase the first one goes down for some reason. I know it doesn't make much difference in AD as either one may answer when someone logs in.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@StephenAtkins-7752
The path of the Do not allow update deferral policies to cause scans against Windows Update policy is correct. Please review the below picture one more time to confirm whether the policy is placed in the correct place:
101829-44.png

In my opinion, the clients did not scan updates from WSUS server. So the clients did not detect the approved updates. We could enable the Do not allow update deferral policies to cause scans against Windows Update policy to prevent the clients from scanning updates from the Internet and scan updates from WSUS server.

Hope the above will be helpful. Please keep us in touch if there are any updates of the case :)


0 Votes 0 ·
44.png (140.8 KiB)
StephenAtkins-7552 avatar image
0 Votes"
StephenAtkins-7552 answered RitaHu-MSFT edited

I don't have that option. By the looks of it, I'm missing a lot of options you have. I'm running Server 2019.102049-capture.png



capture.png (94.9 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@StephenAtkins-7552
Please refer to this link to update the Administrative Templates files. Then we could try to apply the policy for the clients.

This link may be helpful. Please feel free to keep us in touch if you have any questions.

Have a nice weekend.

Regards,
Rita

0 Votes 0 ·