How to resolve the issue where Windows Server 2016 fails to connect to the local WSUS server after installing the KB5070247 update via WSUS?

华彪 袁 0 Reputation points
2025-12-27T08:47:53.9266667+00:00

After installing the KB5070247 update via WSUS on Windows Server 2016, the server fails to connect to the local WSUS server. The connection worked properly before the KB5070247 installation. How should this issue be resolved? Could it be a problem with the update package? I have tested this on two servers and encountered the exact same issue.


2 answers

  1. Q&A Assist
    2025-12-27T08:48:04.6233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To resolve the issue where Windows Server 2016 fails to connect to the local WSUS server after installing the KB5070247 update, you can follow these troubleshooting steps:

    1. Verify WSUS Services: Ensure that the Update Services service and the World Wide Web Publishing Service are running on the WSUS server.
    2. Check IIS Configuration: Make sure that the Default website or WSUS Administration website is running on the WSUS server. Review the IIS logs for any errors that might indicate configuration issues.
    3. Review Error Codes: Check for specific HTTP error codes in the IIS logs. For instance, a 503 error indicates that the service is unavailable, which could be due to the WSUS application pool being stopped or memory limits being reached. If you encounter this, consider increasing the Private Memory Limit for the WSUS Application Pool to 4-8 GB.
    4. Inspect Logs for Connectivity Issues: Look at the %Program Files%\Update Services\LogFiles\SoftwareDistribution.log file for any errors related to the connection attempt. Errors indicating that the connection was forcibly closed may suggest issues with TLS settings.
    5. TLS Configuration: If the WSUS import functionality is failing, ensure that your server is configured to use TLS 1.2, as some endpoints may require this for secure connections. You may need to adjust the .NET Framework settings to enable TLS 1.2.
    6. Network Configuration: Confirm that there are no network issues preventing the server from reaching the WSUS server. Check firewall settings and ensure that the server can communicate with the correct WSUS endpoint.

    If these steps do not resolve the issue, consider rolling back the KB5070247 update if possible, or consult Microsoft support for further assistance regarding the specific update package.

    0 comments No comments
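
The server-side checks listed in the answer above, collected into one read-only PowerShell pass. This is an added example, not part of the original answer; it assumes the default WSUS application pool name `WsusPool`, the default site name `WSUS Administration` (falling back to the first IIS site), and the standard WSUS log location under `$env:ProgramFiles`.

```powershell
# Added example: read-only checks for an elevated session on the WSUS server.
# Assumed defaults: application pool 'WsusPool', site 'WSUS Administration'.
Import-Module WebAdministration

# Steps 1-2: WSUS service, IIS service, web sites and the WSUS application pool
Get-Service -Name WsusService, W3SVC | Format-Table Name, Status, StartType
Get-Website | Format-Table Name, State
$pool = 'WsusPool'
"Pool $pool state: $((Get-WebAppPoolState -Name $pool).Value)"

# Step 3: Private Memory Limit is stored in KB (0 = no limit); 4 GB = 4194304 KB
$limitKB = (Get-ItemProperty "IIS:\AppPools\$pool" -Name recycling.periodicRestart.privateMemory).Value
"Private Memory Limit: {0:N1} GB" -f ($limitKB / 1MB)

# Steps 2-3: HTTP errors (503 and others) per URL in the newest IIS log of the WSUS site
$site   = Get-Website | Sort-Object { $_.Name -ne 'WSUS Administration' } | Select-Object -First 1
$logDir = Join-Path ([Environment]::ExpandEnvironmentVariables($site.logFile.directory)) "W3SVC$($site.id)"
$latest = Get-ChildItem $logDir -Filter *.log | Sort-Object LastWriteTime | Select-Object -Last 1
$lines  = @(Get-Content $latest.FullName)
$fields = (($lines -match '^#Fields: ')[-1] -replace '^#Fields: ').Trim() -split ' '
$lines | Where-Object { $_ -notmatch '^#' } |
    ConvertFrom-Csv -Delimiter ' ' -Header $fields |
    Where-Object { [int]$_.'sc-status' -ge 400 } |
    Group-Object 'sc-status', 'cs-uri-stem' |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Step 4: connection resets recorded by WSUS itself
Select-String -Path "$env:ProgramFiles\Update Services\LogFiles\SoftwareDistribution.log" `
    -Pattern 'forcibly closed' | Select-Object -Last 5 LineNumber, Line

# Step 5: .NET Framework TLS 1.2 opt-in values (1 = enabled; blank = not set)
'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' | ForEach-Object {
    Get-ItemProperty -Path $_ | Select-Object PSPath, SchUseStrongCrypto, SystemDefaultTlsVersions
} | Format-List
```

Nothing in this block changes configuration; raising the memory limit or setting the registry values is a separate, deliberate step once the output shows which check fails.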

  2. Domic Vo 14,190 Reputation points Independent Advisor
    2025-12-27T09:27:05.53+00:00

    Hello 华彪 袁,

    The behavior you are seeing after KB5070247 is consistent with a regression introduced by that update in the Windows Update client on Server 2016. The update modifies the Windows Update Agent components, and in certain builds it breaks communication with WSUS when the server is configured to use SSL or specific proxy settings. That is why the connection worked fine before the patch and fails immediately after it is applied, and why you can reproduce it on multiple machines.

    The first step is to confirm the failure in the WindowsUpdate.log. On Server 2016, you can generate the log with Get-WindowsUpdateLog. Look for entries showing WU_E_PT_HTTP_STATUS_NOT_FOUND or WU_E_PT_SOAPCLIENT errors. If those appear only after KB5070247, the update is the cause.

    Microsoft has acknowledged similar issues in past cumulative updates where WSUS communication was broken. The recommended remediation is either to uninstall KB5070247 until a fixed build is released, or to apply the servicing stack update and cumulative update that supersede it. Check the Microsoft Update Catalog for the latest cumulative update for Server 2016 released after KB5070247. Installing the newer package usually restores WSUS connectivity because the client binaries are corrected.

    If you cannot immediately move to a newer CU, the temporary workaround is to remove KB5070247 (wusa /uninstall /kb:5070247 /quiet /norestart) and reboot. That will roll back the Windows Update Agent to the previous version, and WSUS communication should resume.

    In short, this is not a misconfiguration on your side but a problem introduced by KB5070247. Either uninstall it or replace it with the most recent cumulative update for Server 2016. Monitor the Microsoft Update Catalog and Windows release notes for confirmation of the fix in the next CU cycle.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo.

    0 comments No comments
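
The client-side confirmation described in the answer above, as an added PowerShell example that is not part of the original answer. It assumes the client is pointed at WSUS through the standard `WUServer` policy value, that decoded log lines begin with a `yyyy/MM/dd` date, and it also matches the hexadecimal forms of the named errors (0x80244019 for WU_E_PT_HTTP_STATUS_NOT_FOUND, 0x80244000 to 0x8024400C for the WU_E_PT_SOAPCLIENT family).

```powershell
# Added example: run in an elevated session on the affected Server 2016 client.
$kb     = 'KB5070247'
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
"{0} installed: {1} (InstalledOn: {2})" -f $kb, [bool]$hotfix, $hotfix.InstalledOn

# WSUS endpoint configured by policy, and a plain TCP reachability test against it
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
if (-not $policy.WUServer) { throw 'No WUServer policy value: this client is not pointed at WSUS.' }
$wsus = [uri]$policy.WUServer
"Configured WSUS server: $wsus"
Test-NetConnection -ComputerName $wsus.Host -Port $wsus.Port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Decode the ETL traces into a text log and search it for the errors named in the answer
$log = Join-Path $env:TEMP 'WindowsUpdate.log'
Get-WindowsUpdateLog -LogPath $log | Out-Null
$pattern = 'WU_E_PT_HTTP_STATUS_NOT_FOUND|WU_E_PT_SOAPCLIENT|80244019|8024400[0-9A-C]'
$hits = @(Select-String -Path $log -Pattern $pattern)
"Matching log lines: $($hits.Count)"

# Count matches per day so they can be compared with the InstalledOn date above
# (assumption: each decoded line starts with a yyyy/MM/dd date)
$hits | Group-Object { $_.Line.Substring(0, [Math]::Min(10, $_.Line.Length)) } |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count

# Most recent matches, for the ticket or a support case
$hits | Select-Object -Last 5 -ExpandProperty Line
```

On Server 2016, `Get-WindowsUpdateLog` decodes the traces using Microsoft's public symbol server, so on a host without internet access copy the `.etl` files from `C:\Windows\Logs\WindowsUpdate` to a connected machine and pass them with `-ETLPath`.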
