Otdfbt

We have a WSUS server running on Windows Server 2016. WSUS detects and sends updates to all systems, including the 2012 servers. WSUS will detect but not send updates to any of the 2016 servers.

It shows 0 updates needed, all updates show "installed or not applicable". These are fresh server installs, they have just been installed straight from a disk image created November of last year.

If I run a report on one of the servers and I set the product filter to "Windows Server 2016" I get 31 updates installed or not applicable.

All 31 updates are set to approval "Install". The status for all of them is "Not Applicable" They are all Critical updates and Security Updates.

I have manually gone through the installed updates on one of the servers in question and verified that these "Not Applicable" updates are not installed.

All these servers are fresh installs and they are in an OU that prevents them from restarting themselves after an update install and I am the only one who manually restarts them. Since they have been installed they have gotten 0 updates. I have a hard time believing that there are 0 applicable updates for a fresh Windows Server 2016 install.

I have ensured that BITS and the Windows Update services are running. I have run the wuauclt /reportnow and wuauclt /detectnow. It doesn't seem to do anything. I have run the cleanup wizard to deny and remove all of the superseded updates. I have verified that the machines are in the correct groups in AD and in WSUS. I have verified in the registry on the affected machines that they are pointing to the WSUS server and it can be pinged. The client can be pinged from the WSUS server. There is no firewall or port blocker or anything like that. I created a completely new 2016 server installation with absolutely nothing installed on it; no roles, no firewalls no virus scanner no nothing, just a blank server and tried to force it to connect. WSUS detects that the server exists but that is about it.

Every other OS works fine, it is only the 2016 servers that have this problem. It is definitely a WSUS server problem; if I go into the registry and change it back to Microsofts server it finds updates.

Does anyone have any idea what might be causing the problem and how to fix it?

Thanks.

EDIT - UPDATE:
Still having problems. Tried installing a 2nd 2016 WSUS server, same problem, only with the 2016 servers.

I even tried installing 2019 server (though I don't think there are any differences...). No difference.

I even ruled out Group Policy. I put a 2016 test server all by itself in an OU with blocked inheritance. The only GPO I linked was the WSUS server setting which pointed to the 2019 server. The machine isn't getting any other policy. There isn't even a virus scanner or firewall configured on the test 2016 server, they are even on the same segment.

We are converting more and more of our servers from 2012 to 2016 which means this is more and more of a problem as NONE of them will get updates from WSUS... As much as I don't want to, I am going to have to call Microsoft...

If you scan the web you'll see all the things @Redwizard000 tried being suggested so it's clear @Redwizard000 tried really hard to solve this one (see https://serverfault.com/a/940236/203726 for how @Redwizard000 eventually solved the issue). Read on for my experience:

In my case the WSUS server was running on Windows Server 2012 R2, had all the patches, had run the VB cleanup script you see floating around, had been through the cleanup process (which took hours), could serve updates to Windows 10 machines but fresh Windows Server 2016 client machines would fail to fetch updates from WSUS and gave 0x8024401c error messages. The only thing that helped was on the WSUS server: increasing/removing some of the IIS Application Pool resource limits (e.g. Queue Length, Limit Interval, Private Memory Limit but there are others) for the WSUS App Pool as described in https://serverfault.com/a/835941 and https://blogs.msdn.microsoft.com/the_secure_infrastructure_guy/2015/09/02/windows-server-2012-r2-wsus-issue-clients-cause-the-wsus-app-pool-to-become-unresponsive-with-http-503/ and then restarting IIS. It seems that checking for updates required around 2GBytes of memory from IIS server and took about 8 minutes. After this the error message went away but...

..the client Windows Server 2016 machines would become stuck downloading 0% of the updates indefinitely. To get past this I had to manually download a recent cumulative update (on the client Windows Server 2016 machines) from http://www.catalog.update.microsoft.com/home.aspx (or use Microsoft's Windows update servers temporarily to fetch a cumulative update) and install that before changing settings to use WSUS.

Update: There's a MS support article called "Windows Update stuck at 0 percent on Windows 10 or Windows Server 2016" that talks about how you have to update the Windows Update Agent on Windows 10/2016/2019 client machines past the RTM version (10.0.14393.0) before you are able to use WSUS. This sounds like what was effectively being done in the previous paragraph.

I had such a problem, 2016 would throw out the error: 0x8024401c,
and in WSUS would show 0% updated (not reported yet).

To fix this I changed the values of the WSUS Application Pool in IIS (Advanced Settings) and all 2016 servers.

Queue Length: 25000 from 1000
Limit Interval (minutes): 15 from 5
"Service Unavailable" Response: TcpLevel from HttpLevel

Then go to https://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus
and copy paste the code as instructed.

1. Name it Clean-WSUS.ps1


2. Install the required software


3. Run .Clean-WSUS.ps1 -FirstRun
   


4. Finally, .Clean-WSUS.ps1 -DirtyDatabaseCheck
   

This guy definitely deserves a donation!

Ok, after spending 3 weeks with Microsoft's technical support department we have solved the problem.

The problem is with Dual Scan trying to connect to Windows Update (online) and failing. When it fails the system just stops trying and refuses to connect to WSUS.

The added problem is the server install media has a bug in it which prevents the Dual Scan from changing. It just ignores the policy and keeps the default update source Windows Update.

Here is what you have to do to fix it:
Run the following commands in Powershell on the offending server

$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService

You will get something back like this:

Windows Update Standalone Installer - False 
Windows Server Update Service - False 
Windows Update - True

If it says "Windows Update - True" Then that is your default source, no matter what your GPO says...

The first thing you have to do is make sure the following patches are installed on your server.

kb4103720 and kb4462928

You need them BOTH. They are both huge, they both take forever and a day to install and they both require a server reboot.

These KBs fix the dual scan issue so the server will respond to the GPO telling it which default source to use.

Now you need to configure Group Policy to tell the server to only use the WSUS server. Per Microsoft these are the required settings (I am dubious on some of them, but I haven't tested each one... I am just happy the thing is finally working)

Computer Configuration > Policies > Administrative Templates > System > Device Installation

Specify the search server for device driver source locations

Set to "Enabled" 
Select search order: "Do not search Windows Update"

Specify the search server for device driver updates

Set to "Enabled" 
Select Update Server: "Search Managed Server"

Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

Turn off access to all Windows Update features (In Microsoftspeak that means their online server, not 'make so it can't get updates')

Set to "Enabled"

Turn off access to the Store

Set to "Enabled"

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Do not allow update deferral policies to cause scans against Windows Update

Set to "Enabled"

No auto-restart with logged on users for scheduled automatic updates installations

Set to "Enabled"

Specify intranet Microsoft update service location

Set to "Enabled" 
Set the intranet update service for detecting updates: "http://[YOUR SERVER]:8530" 
Set the intranet statistics server:"http://[YOUR SERVER]:8530" 
Set the alternate download server: "http://[YOUR SERVER]:8530" 
Uncheck the box Download files with no Url in the metadata if alternate download server is set

Move your servers into an OU with this GPO enabled. I created a separate OU in my Servers OU just for 2016 server and linked this GPO to it.

Run the above powershell commands again.

It should now say

 Name IsDefaultAUService 
------- -------------------------- 
Windows Server Update Service True 
Windows Update False

If you get "Windows Server Update Service" True, then it should work!

I hope this helps someone else. This has certainly been a frustrating issue...

I accept donations in unmarked bills, gold bars and scotch.

Same issue, same scenario. Uncheck "Upgrades" from the Classifications for your site servers software update point configurations.

Other suggestion was to do the command line

"c:Program FilesUpdate ServicesTools” “wsusutil.exe postinstall /servicing”

But I haven't gone back through that process yet as I'm waiting for more explanation from MS.

I had the same issue, here's how I fixed it.

1. In policy (whether this would be group policy or the local policy), enable the policy "Do not connect to any Windows Update Locations". This prevents the server from contacting Microsoft/Windows Update.


2. In policy, added an alternative Update Server in the "Specify Microsoft Update Location"- this was the same server as the reporting and update server.


3. In Windows Update- Advanced Options- unchecked the box for "defer feature updates"

After doing this, I was able to fully patch the server through WSUS- This has been confirmed on two servers in two different environments. It seems the most important change is the defer updates option to unchecked, but the other ones could also cause update issues based on what I've read around the net.