Server 2016 servers bypassing WSUS, other server editions working as expected

Tim Butterworth 41 Reputation points
2023-06-14T11:37:02.6533333+00:00

Hi All,

I wonder if someone can offer me some advice. I recently inherited a server farm consisting of Server 2012, 2012 R2, 2016, 2019 and 2022 VMs. For some reason I cannot figure out, the Server 2016 servers ALL appear to be bypassing WSUS and getting updates directly from Windows Update online. However, all the other servers are working as expected and waiting on approved WSUS updates.

All the servers are being configured for WSUS with the same group policy settings. The registry keys for HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and \AU are identical on all servers. They all have the WSUS server correctly specified in the WUServer and WUStatusServer keys and all have UseWUServer set to "1".

WSUS is seeing the 2016 servers without issue and can see that the unapproved updates are installed on them.

After doing some digging, it looks like adding in the Do not connect to any Windows Update Internet locations setting will probably fix the problem, but I'd like to understand why this issue is happening and why it's only happening on the Server 2016 boxes.

Our previous network admin has left the organisation, so I'm unable to ask any questions as to any changes made over the years.

Thanks for the help,

Tim


2 answers

  1. Tim Butterworth 41 Reputation points
    2023-06-14T13:53:28.8366667+00:00

    Hi All,

    I think I may have got to the bottom of the problem. Some research took me to this website:

    https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/

    And when I checked the entries in the server versions I spotted that the Server 2016 was missing entries that were in the 2019 and 2022. The circled entries were not on the Server 2016 servers.


    This suggested that Dual Scan is enabled on the Server 2016 servers, meaning they check Windows Update instead of WSUS.

    I then went here:

    https://www.hashmat00.com/disable-dual-scan/

    And found that running the first PowerShell command on Server 2016 showed that Windows Update was set as the default update method.

    # Enumerate the update services registered with the Windows Update agent
    $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
    $status = $MUSM.Services
    # IsDefaultAUService shows which service Automatic Updates actually scans against
    $status | select name, IsDefaultAUService

    Adding in the following registry key with value "1" changes the default to WSUS, confirmed by running that PowerShell command a second time.


    Hopefully that'll do the trick!

    Tim

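As an added example (not code from the original question or answers), a read-only PowerShell audit that combines the registry values Tim lists in the question with the COM check from the answer above, so the same report can be run across the 2012 to 2022 farm. It assumes the standard DisableDualScan policy value and that the WSUS service registers with the agent as "Windows Server Update Service".

```powershell
# Added audit script (not from the original post): reports whether this server's
# Automatic Updates client really scans against WSUS or is in a Dual Scan state.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPath     = Join-Path $policyPath 'AU'

# Policy values from GPO; a missing key or value simply yields $null
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path $auPath     -ErrorAction SilentlyContinue

# Same check as in the answer above: which registered service is the default
$musm    = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$default = $musm.Services | Where-Object { $_.IsDefaultAUService }

$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    OSVersion        = [Environment]::OSVersion.Version.ToString()
    WUServer         = $policy.WUServer
    WUStatusServer   = $policy.WUStatusServer
    UseWUServer      = $au.UseWUServer
    DisableDualScan  = $policy.DisableDualScan   # assumed policy value; $null if absent
    DefaultAUService = $default.Name
    DefaultServiceId = $default.ServiceID
}

# WSUS is only honoured when the WSUS service is the default AU service;
# having WUServer/UseWUServer set is not enough on its own.
$wsusIsDefault = $report.DefaultAUService -eq 'Windows Server Update Service'

$verdict = if ($report.UseWUServer -eq 1 -and $wsusIsDefault) {
    'OK: client scans against WSUS'
} elseif ($report.UseWUServer -eq 1) {
    'DUAL SCAN: WSUS is configured but Windows Update is the default source'
} else {
    'Not configured for WSUS'
}

$report | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict
$report
```

Run it on one server of each edition and compare the Verdict and DisableDualScan columns; the Server 2016 boxes should be the only ones reporting DUAL SCAN.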

  2. Adam J. Marshall 10,356 Reputation points MVP
    2023-06-14T19:07:59.2533333+00:00

    Dual Scan is the issue. The actual fix should be to REMOVE THE DUAL SCAN SCENARIO, and not add another policy that quasi-negates it.

    My guide will get you to the point of REMOVING the dual scan scenario.

    https://www.ajtek.ca/wsus/dual-scan-making-sense-of-why-so-many-admins-have-issues/

