WSUS: Updates on client but no installation

Bernd Leutenecker 6 Reputation points
2020-07-20T14:25:35.753+00:00

Hello!

Our Windows 10 enterprise-clients (1809) receive their Windows- and Office-updates from our WSUS. But in too many cases and for a long time now we or users noticed that updates are downloaded on the clients but not installed. Some users receive (or notice) a notification, click on the icon in the information-tray and can see an often very long list of missing updates (which are downloaded on the client but not installed). The users themselves can start the installation process.
Windows Update itself (checking for updates against MS-server) is disabled by policy.
We are using a WSUS-client-tool which is part of our software- (and hardware-) managing tool (Matrix42 Empirum). It seems that other customers don't have that problem. Usually every Tuesday this tool is automatically started - to check several times for updates and install them.

Is there a possible reason for that behaviour?

Thank you!

Regards

Bernd Leutenecker


9 answers

  1. Bernd Leutenecker 6 Reputation points
    2020-07-22T09:42:17.273+00:00

    Hi Rita,

    no, there is no error-message.
    The updates are just downloaded and waiting to be installed. This problem didn't and still doesn't occur with our Win7-clients (with ESU), so whenever we triggered our WSUS-package (usually weekly at 0:01 o'clock) updates were downloaded and installed. And this we repeat every two hours until 8:00 o'clock to make sure that all updates are installed even if some might trigger an immediate restart.

    Regards,

    Bernd


  2. Bernd Leutenecker 6 Reputation points
    2020-07-27T12:39:13.22+00:00

    All clients are connected to the internet. Lots of updates (including many important ones) are already downloaded on the clients from our WSUS but not installed.
    Direct access to Windows update is prohibited by gpo. Users too have of course no administrative rights to install software. But these already downloaded updates can be installed by clicking on the corresponding button by any user.
    What we need is an automatic installation right after updates have been 'deployed' (are locally downloaded from our WSUS-server to our client-PCs).
    As this is only a problem with our around 900 clients, the software-manufacturer of the WSUS-client-program we are using to trigger the download and installation only at specific days and times cannot help us - other customers don't have this problem. And it is still working with our remaining Win7-clients.

    The attached hardcopy shows the upper part of a long list of downloading but not installed updates (shown to all users).
    I try to translate the German text:
    red, 'Einige Einstellungen ...': 'Some settings are controlled by your organisation.'
    blue, 'Konfigurierte ...': 'Show configured update-policies'
    red, 'Auf Ihrem Gerät ...': 'On your PC important security- and quality-updates are missing.'
    This list ends with a button 'Install now' (translated from the German buttontext), between the list of updates and this button is this text (again translated to my best knowledge from German): 'Updates will be automatically installed when this computer is not in use. You too might install updates right away.'
    13877-updates-downloaded-awaiting-installation.jpg

    There are several policies set:
    13942-configured-update-policy-1.jpg
    13884-configured-update-policy-2.jpg
    13770-configured-update-policy-3.jpg


  3. F. McLion 1 Reputation point
    2020-07-27T15:12:33.52+00:00

    I faced the very same about a month ago. I changed some of the GPO settings, although these settings worked a treat for about 2 years. I'm still observing how it works out with new updates coming in.
    I suspect that an update - probably from May - caused this bug. However, that has (of course) never been confirmed.


  4. Andrei Stoica 11 Reputation points Microsoft Employee
    2020-07-27T18:08:07.983+00:00

    Hi,

    could you please post an export of the registry key below?
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    The right policies are set, but we do not see which values they have in the screenshot:
    13839-image.png

    As soon as the installation time comes, the updates will be installed. This can be delayed/postponed if the installation time is at night and the computers are never left on. For such cases we recommend switching the installation time to be during the working day.

    HTH,
    Andrei


  5. Rita Hu -MSFT 9,626 Reputation points
    2020-07-28T03:22:13.09+00:00

    Hi BerndLeutenecker-4033,

    I noticed that many of the updates detected by the client required a computer restart after installation. This may conflict with the client activation hours. Please check the client activation hours. For my further analysis, please provide the approved time. Here is a screenshot of the active hour on the client for your reference:

    14031-%E5%AE%A2%E6%88%B7%E7%8E%AF%E5%A2%83.png

    In addition, I recommend approving updates outside of the activation hour on the client.

    Regards,
    Rita
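
The policy values the two answers above ask about (install mode, scheduled install time, active hours) can be summarised on a client with the PowerShell below. It is an added example, not posted by any participant in the thread. It reads the key Andrei names plus its `AU` subkey; the function names are this example's own, and the fallback values (server URL, schedule, active hours) are constructed, used only when no policy is present.

```powershell
# Added example: summarise the Windows Update policy values discussed in this thread.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues([string]$Path) {
    # Return a key's values as a hashtable; empty when the key is absent.
    $out = @{}
    if (Test-Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($n in $key.GetValueNames()) { $out[$n] = $key.GetValue($n) }
    }
    return $out
}

function Test-HourInWindow([int]$Hour, [int]$Start, [int]$End) {
    # Active hours can wrap past midnight, e.g. 22 -> 6.
    if ($Start -le $End) { return ($Hour -ge $Start -and $Hour -lt $End) }
    return ($Hour -ge $Start -or $Hour -lt $End)
}

function Get-WUPolicySummary([hashtable]$WU, [hashtable]$AU) {
    $modes = @{ 2 = 'Notify for download and install'; 3 = 'Auto download, notify for install'
                4 = 'Auto download and schedule the install'; 5 = 'Local admin chooses' }
    $days  = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
    $opt   = $AU['AUOptions']
    $mode  = "not set or unknown ($opt)"
    if ($null -ne $opt -and $modes.ContainsKey([int]$opt)) { $mode = $modes[[int]$opt] }
    $d = $AU['ScheduledInstallDay']          # 0 = every day, 1..7 = Sunday..Saturday
    $h = $AU['ScheduledInstallTime']         # hour of day, 0..23
    $sum = [ordered]@{ WUServer = $WU['WUServer']; UseWUServer = $AU['UseWUServer']; Mode = $mode
                       ScheduledDay = $null; ScheduledHour = $h
                       ActiveHours = $null; ScheduleInsideActiveHours = $null }
    if ($null -ne $d -and $d -ge 0 -and $d -le 7) { $sum['ScheduledDay'] = $days[$d] }
    if ($WU['SetActiveHours'] -eq 1) {
        $s = $WU['ActiveHoursStart']; $e = $WU['ActiveHoursEnd']
        $sum['ActiveHours'] = "$s-$e"
        if ($null -ne $h) { $sum['ScheduleInsideActiveHours'] = Test-HourInWindow $h $s $e }
    }
    return [pscustomobject]$sum
}

$wu = Get-PolicyValues $wuKey
$au = Get-PolicyValues "$wuKey\AU"
if ($au.Count -eq 0) {
    # Constructed sample values (not from the thread), used when no policy is present.
    $wu = @{ WUServer = 'http://wsus.example.internal:8530'; SetActiveHours = 1
             ActiveHoursStart = 8; ActiveHoursEnd = 17 }
    $au = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 3; ScheduledInstallTime = 0 }
}
Get-WUPolicySummary $wu $au | Format-List
```

A `Mode` other than "Auto download and schedule the install" means the scheduled day and hour are not what drives installation, and `ScheduleInsideActiveHours` shows whether the scheduled hour falls in the window where automatic restarts are held back.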