WSUS shows 0 needed, Windows Update shows updates ready to install

Michael McNally 1 Reputation point
2020-12-02T19:35:23.073+00:00

I have a recently set up WSUS server running on Windows Server 2019 Standard. Several servers are set to use WSUS by Group Policy settings.
Currently, several servers are showing 0 needed in WSUS. However, when opening Windows Update locally, several updates are listed as ready to install. How is this possible? How do I make sure that updates are all reporting correctly in WSUS?
Another interesting thing is that Update history shows "No updates have been installed yet". This is false. Get-HotFix lists 5 updates which have been installed. The last 3 were installed from the WSUS server.

I have so far tried: stop and disable wuauserv, delete everything from the Windows\SoftwareDistribution folder, restart wuauserv, run wuauclt /detectnow /reportnow.
On the WSUS server, I have run wsusutil.exe checkhealth. The event log entry states "WSUS is working correctly".

I have also run Get-WindowsUpdateLog on one of the affected servers. The log shows this line: "ComApi Download call complete (succeeded = 1, succeeded with errors = 0, failed = 0, unaccounted = 0)". It appears that one update was downloaded. The log file references it by GUID; I know of no way to determine the KB # from this.

WSUS still shows 0 needed for this server; Windows Update on the server itself shows 3 updates waiting.


5 answers

  1. Adam J. Marshall 9,386 Reputation points MVP
    2020-12-02T19:46:19.637+00:00

    This blog article is specifically for this reason.

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/


  2. Michael McNally 1 Reputation point
    2020-12-02T22:31:07.417+00:00

    Thanks, I'll take a look and try the suggested actions.

    I do wish "Client Machines Not Reporting to WSUS Properly" was more clearly defined (as in specific symptoms). In my case, the server does show in WSUS and the Last Status Report time matches the date and time of the last entry in the WindowsUpdate.log. It's not clear to me still whether this is a problem with the WSUS server or the clients, or why it has affected all 7 of the servers that are 2016 or 2019, but none of the 2012 servers. I'll have a look at the steps in the article and report back.


  3. Rita Hu -MSFT 9,641 Reputation points
    2020-12-03T02:50:42.077+00:00

    Hi MichaelMcNally,

    Thank you for posting on this forum.

    In my opinion, we could use the Last Status Report time on the WSUS console to confirm whether the clients report correctly. Here is a related screenshot for your reference:
    44510-5.png

    As you described above, the clients can get updates from the WSUS server and the report is correct. So the connection between the clients and the WSUS server is normal. As for WSUS showing 0 needed, it is recommended to confirm the following steps:

    1. The products and classifications are ticked correctly.
    2. Synced successfully
    3. All the clients reported normally
    4. All the clients did miss some essential updates. We could also click the "check online for updates from Microsoft" option on the client to confirm whether the clients need some essential updates.

    Please help to confirm the above. If there is any feedback, please inform me.

    Regards,
    Rita


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Michael McNally 1 Reputation point
    2020-12-06T19:53:32.037+00:00

    Found my answer at https://www.bocoprimeit.com/troubleshooting-wsus-synchronization-issues/.

    In short, I needed to set "Do not allow update deferral policies to cause scan against Microsoft Update". Once that policy setting updated on each server, they reported in correctly to WSUS at the next cycle.

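A read-only client-side check for the dual-scan condition that the policy in the answer above addresses, added here as an example and not posted by any participant in the thread. It assumes the standard registry values behind the Windows Update group policies (`WUServer`, `UseWUServer`, `DeferQualityUpdates`, `DeferFeatureUpdates`, `DisableDualScan`) and assumes that deferral policies are what triggered the scan against Microsoft Update on the affected servers.

```powershell
# Added example, not from the thread. Reads policy state only; changes nothing.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$state = [ordered]@{
    WUServer            = Get-PolicyValue $wuKey 'WUServer'
    UseWUServer         = Get-PolicyValue "$wuKey\AU" 'UseWUServer'
    DeferQualityUpdates = Get-PolicyValue $wuKey 'DeferQualityUpdates'
    DeferFeatureUpdates = Get-PolicyValue $wuKey 'DeferFeatureUpdates'
    DisableDualScan     = Get-PolicyValue $wuKey 'DisableDualScan'
}

# Ask the Windows Update Agent which registered service it scans by default.
# A WSUS-managed client should show the managed service as the default.
$services = (New-Object -ComObject Microsoft.Update.ServiceManager).Services |
    Select-Object Name, ServiceID, IsManaged, IsDefaultAUService
$defaultAu = $services | Where-Object { $_.IsDefaultAUService }

$wsusConfigured  = $state.WUServer -and ($state.UseWUServer -eq 1)
$deferralSet     = ($state.DeferQualityUpdates -eq 1) -or ($state.DeferFeatureUpdates -eq 1)
$dualScanBlocked = $state.DisableDualScan -eq 1

[pscustomobject]$state | Format-List
$services | Format-Table -AutoSize

if (-not $wsusConfigured) {
    Write-Warning 'No WSUS server is configured by policy on this machine.'
}
elseif ($deferralSet -and -not $dualScanBlocked) {
    Write-Warning ('Deferral policies are set and DisableDualScan is not 1: ' +
        'the client may scan Microsoft Update in addition to WSUS.')
}
elseif ($defaultAu -and -not $defaultAu.IsManaged) {
    Write-Warning ("Default scan source is '$($defaultAu.Name)', not the managed " +
        'WSUS service, so WSUS status reports can disagree with the local view.')
}
else {
    'WSUS is the default scan source and no dual-scan trigger was found.'
}
```

Running it on one 2016/2019 server and one 2012 server before and after the policy refresh shows whether the default scan source actually changed.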

  5. Rita Hu -MSFT 9,641 Reputation points
    2020-12-07T02:21:54.007+00:00

    @Michael McNally

    That's correct. The "Do not allow update deferral policies to cause scan against Microsoft Update" policy does help to prevent the clients from dual scan. As you said above, these updates, which were not obtained from the WSUS server, are all from Windows Update. It is helpful if we apply the policy on the client.

    Thanks for sharing on this forum. It is helpful for the bros who have the same issue. If the issue has been resolved, please consider marking the answer to help the others. Of course, if there are any issues, please feel free to ask on this forum.

    Thanks for your time and I wish you a nice day.

    Regards,
    Rita


