BerndLeutenecker-4033 asked abbodi86-0005 commented

WSUS: Updates on client but no installation

Hello!

Our Windows 10 enterprise-clients (1809) receive their Windows- and Office-updates from our WSUS. But in too many cases and for a long time now we or users noticed that updates are downloaded on the clients but not installed. Some users receive (or notice) a notification, click on the icon in the information-tray and can see an often very long list of missing updates (which are downloaded on the client but not installed). The users themselves can start the installation process.
Windows Update itself (checking for updates against MS-server) is disabled by policy.
We are using a WSUS-client-tool which is part of our software- (and hardware-) managing tool (Matrix42 Empirum). It seems that other customers don't have that problem. Usually every Tuesday this tool is automatically started - to check several times for updates and install them.

Is there a possible reason for that behaviour?

Thank you!

Regards

Bernd Leutenecker

windows-server-update-services

Hi Bernd Leutenecker,


Is there any error code on Windows Update? If convenient, please consider providing a screenshot of the error.


Regards,
Rita

BerndLeutenecker-4033 answered BerndLeutenecker-4033 edited

Hi Rita,

no, there is no error-message.
The updates are just downloaded and waiting to be installed. This problem didn't and still doesn't occur with our Win7-clients (with ESU), so whenever we triggered our WSUS-package (usually weekly at 0:01 o'clock) updates were downloaded and installed. And this we repeat every two hours until 8:00 o'clock to make sure that all updates are installed even if some might trigger an immediate restart.

Regards,

Bernd


Hi BerndLeutenecker-4033,


Are the clients connected to the Internet or not? If they are, please check for updates online from Microsoft Update. It seems that the clients have missed some important updates.


Regards,
Rita

BerndLeutenecker-4033 answered BerndLeutenecker-4033 edited

All clients are connected to the internet. Lots of updates (including many important ones) are already downloaded on the clients from our WSUS but not installed.
Direct access to Windows update is prohibited by gpo. Users too have of course no administrative rights to install software. But these already downloaded updates can be installed by clicking on the corresponding button by any user.
What we need is an automatic installation right after updates have been 'deployed' (are locally downloaded from our WSUS-server to our client-PCs).
As this is only a problem with our around 900 clients, the software-manufacturer of the WSUS-client-program we are using to trigger the download and installation only at specific days and times cannot help us - other customers don't have this problem. And it is still working with our remaining Win7-clients.

The attached hardcopy shows the upper part of a long list of downloading but not installed updates (shown to all users).
I try to translate the German text:
red, 'Einige Einstellungen ...': 'Some settings are controlled by your organisation.'
blue, 'Konfigurierte ...': 'Show configured update-policies'
red, 'Auf Ihrem Gerät ...': 'On your PC important security- and quality-updates are missing.'
This list ends with a button 'Install now' (translated from the German buttontext), between the list of updates and this button is this text (again translated to my best knowledge from German): 'Updates will be automatically installed when this computer is not in use. You too might install updates right away.'
13877-updates-downloaded-awaiting-installation.jpg


There are several policies set:
13942-configured-update-policy-1.jpg
13884-configured-update-policy-2.jpg
13770-configured-update-policy-3.jpg



McLion answered BerndLeutenecker-4033 commented

I faced the very same about a month ago. I changed some of the GPO settings, although these settings worked a treat for about 2 years. I'm still observing how it works out with new updates coming in.
I suspect that an update - probably from May - caused this bug. However, that has (of course) never been confirmed.


Which GPO-settings did you change?

Thank you!

Bernd

andreiztm answered abbodi86-0005 commented

Hi,

could you please post an export of the registry key below?
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

The right policies are set, but we do not see which values they have in the screenshot:
13839-image.png

As soon as the installation time comes, the updates will be installed. This can be delayed/postponed if the installation time is at night and the computers are never left on. For such cases we recommend to switch the installation time to be during the working day.

HTH,
Andrei



I will report the contents of that registry key later after checking on an affected computer at work.

The installation time is set for all computers for the same time (00:01 o'clock on Thursdays) and users are asked to leave their computers on without being logged in. The tool we are using is set to repeat the check for updates several times and to make up for any missed date the next time a computer is turned on. Hence this is not the problem and other customers of the tool mentioned don't have the problem with downloaded but not installed updates on the client-computers.

Bernd


Attached you'll find the requested registry-key.

14986-hklm-windowsupdate-policiesreg.txt


abbodi86-0005 (in reply to BerndLeutenecker-4033):

You should not use Feature Update / Quality Update Deferral policies with WSUS

RitaHu-MSFT answered BerndLeutenecker-4033 edited

Hi BerndLeutenecker-4033,


I noticed that many of the updates detected by the client required a computer restart after installation. This may conflict with the client activation hours. Please check the client activation hours. For my further analysis, please provide the approved time. Here is a screenshot of the active hour on the client for your reference:

14031-%E5%AE%A2%E6%88%B7%E7%8E%AF%E5%A2%83.png

In addition, I recommend to approve updates outside of the activation hour on the client.


Regards,
Rita



Active hours are 8:00 to 17:00 (8 a.m. to 5 p.m.).
The WSUS-client-tool we are using is active between 0:01 and 8:59 a.m. - so there are at least 59 minutes within the active hours.

BerndLeutenecker-4033 answered BerndLeutenecker-4033 edited

Sh..oot, I just lost my reply after clicking backspace without the cursor being inside this field ...
Once again now:

What do you mean by 'I recommend to approve updates outside of the activation hour on the client'? All updates are approved on our WSUS and on our clients we run a special tool as already mentioned to control date and time for Windows-updates (every Thursday, starting at 00:01, repeated every two hours until 8:00, missed jobs are set to be run the very next time a computer is started). Users are monthly asked to keep their computers running over night usually for every Wednesday until Thursday after the MS-patchday.

But I will check the 'active hours'-settings when I am back at work.

Anyway, this - indeed severe - problem of only downloading but not installing updates prevented us from another new problem:
Users that noticed the update-problem were told to click on 'install now' and to do so until no new updates are downloaded but not installed - as I did last week with a newly installed test-computer. These computers are then updated to Windows 10 1903 - although this upgrade is not allowed on our WSUS!?!
We couldn't yet finish the migration from Win7 to Win10 1809 and therefore haven't started yet to check hard- and software against a newer build of Win10. We want of course to keep control of the version on our client-computers but now it seems that MS is circumventing our WSUS-settings and forcing our clients to upgrade to v1903!?

OK, it's Sunday, I'll stop working for now ;-)

Regards,

Bernd

RitaHu-MSFT answered

Hi BerndLeutenecker-4033,


Thanks for your response.


Could we try to apply the following policy on the client to try to solve the issue?

15171-6.png

[Specify deadline for automatic updates and restarts]
(Location: Local Group Policy Editor\Computer Configuration\Administrative Templates\Windows Components\Windows Update)

Regards,
Rita


andreiztm answered

Hi Bernd,

sorry I could not reply earlier.

You have scheduled an installation time, but if AUOptions is not set to option 4, this is not taken into account:
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:0000000c
"ScheduledInstallEveryWeek"=dword:00000001

22770-image.png


Update this to number AUOptions=4 and then the installation should happen as indicated. No auto reboot with logged on users is also not having an effect if AUOptions is not 4:
22806-image.png

HTH,
Andrei
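
An added example, not part of the thread or of any poster's tooling: a small offline audit of an exported WindowsUpdate policy key that applies the two checks raised above (Andrei's point that the schedule values need AUOptions=4, and abbodi86's comment about deferral policies on WSUS clients). The sample export is constructed; its AU values are the ones quoted in the answer, while the `DeferQualityUpdates` and `UseWUServer` entries are assumed for illustration.

```python
import re

# Constructed sample in .reg export form. The four AU schedule values are the
# ones quoted in the answer above; the other two entries are assumed.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DeferQualityUpdates"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:0000000c
"ScheduledInstallEveryWeek"=dword:00000001
'''

DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
SCHEDULE_VALUES = ("ScheduledInstallDay", "ScheduledInstallTime",
                   "ScheduledInstallEveryWeek")

def parse_dwords(export_text):
    """Return {value name: int} for every dword line, across all keys."""
    values = {}
    for line in export_text.splitlines():
        match = DWORD_LINE.match(line.strip())
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values

def audit(export_text):
    """Return findings for the two misconfigurations raised in the thread."""
    values = parse_dwords(export_text)
    findings = []
    au_options = values.get("AUOptions")
    scheduled = [name for name in SCHEDULE_VALUES if name in values]
    if scheduled and au_options != 4:
        findings.append("AUOptions=%s: %s ignored until AUOptions is 4"
                        % (au_options, ", ".join(scheduled)))
    if "NoAutoRebootWithLoggedOnUsers" in values and au_options != 4:
        findings.append("NoAutoRebootWithLoggedOnUsers has no effect "
                        "unless AUOptions is 4")
    # Only non-zero Defer* values count as an active deferral policy.
    deferrals = sorted(n for n in values if n.startswith("Defer") and values[n])
    if deferrals and values.get("UseWUServer") == 1:
        findings.append("Deferral policy set on a WSUS client: "
                        + ", ".join(deferrals))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```

regedit writes version 5.00 exports as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `audit`.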


BerndLeutenecker-4033 answered BerndLeutenecker-4033 edited

Sorry - I just forgot to reply timely.

A colleague answered this as I asked for a check of this policy-settings:
This policy applies to Windows Server 2016 or Windows 10 build 1903 - we are using build 1809.

And today I checked a user's client again and found that exactly this problem still exists - updates are downloaded but not installed.

Any more hints?

Regards

Bernd
