Windows 11 EULAs not syncing - MECM SUP repair process

Steve 401 Reputation points

If the primary SUP role needs to be removed and re-added in a site that also has a downstream SUP to troubleshoot EULAs not syncing for Windows 11 feature updates (other non-feature Win11 updates sync fine), what are all the steps to do this safely without having to reinstall WSUS and delete and recreate the SUSDB?

The main concern is potentially losing all existing software update deployments and ADRs if WSUS is reinstalled and the SUSDB needs to be deleted and re-created. Clients may lose their correct WSUS server registry entry if the SUP role is removed for more than an hour when policy refreshes, but can I assume they will gain it back once the SUP is healthy again and not point to the downstream WSUS/SUP server instead?

Unfortunately, running wsusutil reset on the WSUS/SUP servers does not resolve the EULAs not syncing, even after unchecking all the update categories and resyncing. All IIS settings, SUSDB, file share, NTFS, and registry permissions have been double-checked on both SUPs, and it's only for Windows 11 feature updates that EULAs are not syncing. The required MIME types for UUP are added, and all 3 check boxes in the WSUS console for Automatic Approvals are selected in the Advanced tab.

There appears to be no way to accept the EULAs or accept updates in the WSUS console ("This update cannot be approved for installation because its Microsoft Software License Terms are still downloading." Error result when trying to approve: "Unable to display the Microsoft Software License Terms for this update; the update will not be approved"). Is there a way to manually download the EULAs, or are there specific instructions to accept the EULA in WSUS v10?

If WSUS needs to be rebuilt, including deleting and re-creating the SUSDB, are existing ADRs and software deployments lost and need to be re-created?

What are the implications of reinstalling the SUSDB when updates for third-party (e.g. Dell, Lenovo) are not being expired after being unchecked in the SUP settings and sync is run, and can't be cleared out of the DB before the reinstall (hash errors, duplicates, etc.)?

Microsoft Configuration Manager

3 answers

  1. Steve 401 Reputation points

    The solution was to enable the Windows Firewall service on the SUP/WSUS server, which allowed the EULA .txt files to download after running a wsusutil.exe reset, then syncing software updates.

    Also, even when using SSL, make sure to uncheck the ‘Require SSL’ option on the below WSUS/SUP IIS virtual directories when the SUP is syncing to Microsoft update:

    - ApiRemoting30
    - ClientWebService
    - DSSAuthWebService
    - ServerSyncWebService
    - SimpleAuthWebService


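A read-only check of the two settings the first answer changes (the Windows Firewall service state and the 'Require SSL' flag on the five listed virtual directories), added here as an example and not part of any poster's reply. It assumes the default IIS site name `WSUS Administration` and an elevated session on the SUP/WSUS server; it reports state only and changes nothing.

```powershell
# Added example: read-only audit of the settings named in the answer above.
param(
    # Assumption: WSUS was installed to its default IIS site name.
    [string]$SiteName = 'WSUS Administration'
)

Import-Module WebAdministration -ErrorAction Stop

# Virtual directories listed in the answer.
$vdirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
         'ServerSyncWebService', 'SimpleAuthWebService'

$report = @()

# 1. Windows Firewall service (service name MpsSvc).
$fw = Get-Service -Name MpsSvc
$report += [pscustomobject]@{
    Item   = 'Service MpsSvc'
    Value  = "$($fw.Status), StartType=$($fw.StartType)"
    Detail = if ($fw.Status -eq 'Running') { 'running' } else { 'NOT running' }
}

# 2. 'Require SSL' per virtual directory (sslFlags on security/access).
foreach ($v in $vdirs) {
    $path = "IIS:\Sites\$SiteName\$v"
    if (-not (Test-Path $path)) {
        $report += [pscustomobject]@{ Item = $v; Value = 'n/a'; Detail = 'not found under site' }
        continue
    }
    $raw = Get-WebConfigurationProperty -PSPath $path `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    # The cmdlet may return a plain string or an attribute object.
    $flags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    # The 'Require SSL' checkbox corresponds to the 'Ssl' token in sslFlags.
    $requireSsl = ($flags -split '\s*,\s*') -contains 'Ssl'
    $report += [pscustomobject]@{
        Item   = $v
        Value  = "sslFlags=$flags"
        Detail = if ($requireSsl) { 'Require SSL checked' } else { 'Require SSL unchecked' }
    }
}

$report | Format-Table -AutoSize
```
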
  2. AllenLiu-MSFT 42,826 Reputation points Microsoft Vendor

    Hi, @Steve

    Thank you for posting in Microsoft Q&A forum.

    Usually, running wsusutil reset will force it to redownload all EULAs.

    Did you run wsusutil reset on the system hosting your top-level WSUS instance?

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".

  3. Adam J. Marshall 9,121 Reputation points MVP

    Have you tried to open WSUS on the downstream, switch the configuration to Autonomous mode, run wsusutil reset, and then switch it back to replica mode?
