All Server 2016 servers failing to report to WSUS

Question

Hi, I've recently setup a new WSUS server on Windows Server 2022 in my work's environment, but we're having some issues with all of the 2016 editions of Windows Server not reporting their update status to WSUS (literally all of them). We have 21 servers reporting to this WSUS server, of which 15 are 2016. We have one Server 2012 and a few Server 2022 that all work fine (including one 2016 server that was upgraded to 2022, but we did not attempt to add it to WSUS until after the upgrade, so I don't know if it would have had the same issues or not). It should be noted that WSUS sees the servers (they appear in the list and have a recent Last Contact date), it's just they're not reporting their update status.

I already found this article and ran through it, which included removing the 2016 servers from WSUS and running some scripts, then letting them repopulate (did not help): https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/

The 2016 servers can connect to the WSUS server via browser and successfully download the .cab file (http://wsusserver.domain.local:8530/selfupdate/iuident.cab) as well as access the client web service URL (http://wsusserver.domain.local:8530/ClientWebService/client.asmx).

The 2016 servers do say they are set to default to WSUS.

Manually checking for updates from the 2016 servers will result in one of two errors (it seems to switch back and forth): either 0x8024401F or 0x8024401C. I'm attaching two excerpts from windowsupdate.log for these.

272586-error-0x8024401f.txt
272597-error-0x8024401c.txt

I've seen some references to "dual scanning" in relation to Windows Update for Business GPO settings. I've double checked and we have all of those set for Not configured.

And as I'm sure someone will want to see it, GPO report from one of the 2016 servers (uploaded as txt file due to site attachment limitations; just change the extension to htm to view).
272537-gpo.txt

I'm obviously looking for any further input and help into solving this.

Thank you! :)

Answer 1

Hi, @FotS

Thank you for posting in Microsoft Q&A forum.

You may try to configure the "Advanced Settings" of WsusPool as below to see if it helps:

GENERAL

Start Mode: AlwaysRunning

CPU

Limit (percent): 60

Rapid-Fail Protection

"service unavailable": TCPLevel

Failure interval (minutes):30

Maximum Failures: 120

Process Model

Maximum worker Processes: 0

Recycling

Private Memory Limit (KB): 6000000

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Are you performing the proper WSUS maintenance including but not limited to running the Server Cleanup Wizard (SCW), declining superseded updates, running the SQL Indexing script, etc.?

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/

To quote myself:

Just because you’ve installed a new WSUS server, doesn’t mean that it’s clean or optimized; it just means that it’s NEW!

I agree, I don't see any WUfB entries in your gpresult, so that's good. I also don't see any reasons for dual scan. Also, your PowerShell output shows WSUS as the handler for your updates, so that's good.

"Turn on recommended updates via Automatic Updates" - this doesn't actually apply to anything past Server 2012 R2 as noted in the Supported On section - safe to turn it off