Windows Server 2016 not updating through WSUS
Ok, after spending 3 weeks with Microsoft's technical support department we have solved the problem.
The problem is with Dual Scan trying to connect to Windows Update (online) and failing. When it fails the system just stops trying and refuses to connect to WSUS.
The added problem is the server install media has a bug in it which prevents the Dual Scan from changing. It just ignores the policy and keeps the default update source Windows Update.
Here is what you have to do to fix it: Run the following commands in Powershell on the offending server
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager" $MUSM.Services | select Name, IsDefaultAUService
You will get something back like this:
Windows Update Standalone Installer - False Windows Server Update Service - False Windows Update - True
If it says "Windows Update - True" Then that is your default source, no matter what your GPO says...
The first thing you have to do is make sure the following patches are installed on your server.
kb4103720 and kb4462928
You need them BOTH. They are both huge, they both take forever and a day to install and they both require a server reboot.
These KBs fix the dual scan issue so the server will respond to the GPO telling it which default source to use.
Now you need to configure Group Policy to tell the server to only use the WSUS server. Per Microsoft these are the required settings (I am dubious on some of them, but I haven't tested each one... I am just happy the thing is finally working)
Computer Configuration > Policies > Administrative Templates > System > Device Installation
Specify the search server for device driver source locations
Set to "Enabled" Select search order: "Do not search Windows Update"
Specify the search server for device driver updates
Set to "Enabled" Select Update Server: "Search Managed Server"
Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings
Turn off access to all Windows Update features (In Microsoftspeak that means their online server, not 'make so it can't get updates')
Set to "Enabled"
Turn off access to the Store
Set to "Enabled"
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Do not allow update deferral policies to cause scans against Windows Update
Set to "Enabled"
No auto-restart with logged on users for scheduled automatic updates installations
Set to "Enabled"
Specify intranet Microsoft update service location
Set to "Enabled" Set the intranet update service for detecting updates: "http://[YOUR SERVER]:8530" Set the intranet statistics server:"http://[YOUR SERVER]:8530" Set the alternate download server: "http://[YOUR SERVER]:8530" Uncheck the box Download files with no Url in the metadata if alternate download server is set
Move your servers into an OU with this GPO enabled. I created a separate OU in my Servers OU just for 2016 server and linked this GPO to it.
Run the above powershell commands again.
It should now say
Name IsDefaultAUService ------- -------------------------- Windows Server Update Service True Windows Update False
If you get "Windows Server Update Service" True, then it should work!
I hope this helps someone else. This has certainly been a frustrating issue...
I accept donations in unmarked bills, gold bars and scotch.
If you scan the web you'll see all the things @Redwizard000 tried being suggested so it's clear @Redwizard000 tried really hard to solve this one (see https://serverfault.com/a/940236/203726 for how @Redwizard000 eventually solved the issue). Read on for my experience:
In my case the WSUS server was running on Windows Server 2012 R2, had all the patches, had run the VB cleanup script you see floating around, had been through the cleanup process (which took hours), could serve updates to Windows 10 machines but fresh Windows Server 2016 client machines would fail to fetch updates from WSUS and gave 0x8024401c error messages. The only thing that helped was on the WSUS server: increasing/removing some of the IIS Application Pool resource limits (e.g. Queue Length, Limit Interval, Private Memory Limit but there are others) for the WSUS App Pool as described in https://serverfault.com/a/835941 and https://blogs.msdn.microsoft.com/the_secure_infrastructure_guy/2015/09/02/windows-server-2012-r2-wsus-issue-clients-cause-the-wsus-app-pool-to-become-unresponsive-with-http-503/ and then restarting IIS. It seems that checking for updates required around 2GBytes of memory from IIS server and took about 8 minutes. After this the error message went away but...
..the client Windows Server 2016 machines would become stuck downloading 0% of the updates indefinitely. To get past this I had to manually download a recent cumulative update (on the client Windows Server 2016 machines) from http://www.catalog.update.microsoft.com/home.aspx (or use Microsoft's Windows update servers temporarily to fetch a cumulative update) and install that before changing settings to use WSUS.
Update: There's a MS support article called "Windows Update stuck at 0 percent on Windows 10 or Windows Server 2016" that talks about how you have to update the Windows Update Agent on Windows 10/2016/2019 client machines past the RTM version (10.0.14393.0) before you are able to use WSUS. This sounds like what was effectively being done in the previous paragraph.
I had such a problem, 2016 would throw out the error:
and in WSUS would show
0% updated (not reported yet).
To fix this I changed the values of the WSUS Application Pool in IIS (Advanced Settings) and all 2016 servers.
Queue Length: 25000 from 1000 Limit Interval (minutes): 15 from 5 "Service Unavailable" Response: TcpLevel from HttpLevel
Then go to https://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus and copy paste the code as instructed.
- Name it
- Install the required software
This guy definitely deserves a donation!