Windows Server Update Services, Windows Update, Automatic Updates

MSFAN 9551 1 Reputation point
2022-06-14T10:22:31.16+00:00

Hi

Domain network with WSUS, Server 2019. Worked well until April 2022. No workstation in the organization has been able to download updates from the WSUS since. Updates are currently installed by using scripts, from file share.

Workstations report to WSUS but do not download any updates. Update groups and approvals are in place. Error received on workstations: "Windows Update failed to check for updates with error 0x80072F8F" or 0x80244010 or 0x80070013, in any order by all of them, in a loop.

Built new WSUS, no success. Rolled back OS and .NET patch levels for WSUS to February 2022, no success. (Windows Update on WSUS cannot find updates on the same host)

IIS WSUS site configured as General > Queue length to 25000. CPU > Limit Interval 15, Processor Affinity Enabled - True. Process Model > Maximum Worker Processes - 0, Ping Enabled - False. Rapid-Fail Protection > "Service Unavailable" Response - TcpLevel, Failure Interval (minutes) - 30. Recycling > Private Memory Limit (KB) - 0

Windows Update Services state:
Windows Update - Autostart
BITS- Autostart
Cryptography - Autostart
TrustedInstaller - Autostart
Application Identity - Autostart
Application Info - Autostart
Delivery Optimization - Autostart
Software Protection - Autostart
Update Orchestrator - Autostart
Windows Installer - Manual

Registry Keys removed or configured:
ThresholdOptedIn, AdvertisingInfo, WindowsUpdate (Several locations), WindowsSelfHost, PendingXmlIdentifier, NextQueueEntryIndex, AdvancedInstallersNeedResolving, AUState, LastWaitTimeout, DetectionstartTime, NextDetectionTime, RebootRequired, Results, SamplingValue, ReregisterAuthorizationCab, IsConvergedUpdateStackEnabled, UxOption, CopyFileBufferedSynchronousIo, RegistrySizeLimit

Files/Folders deleted:
Temp directory in user and systemroot
pending.xml, WindowsUpdate.log, Downloader\qmgr*.dat, SoftwareDistribution, catroot2, Caches

Repaired permissions sc.exe sdset on Wuauserv and Bits.
Registered (Regsvr32) the relevant 38 Dlls
Reset Winsock and Proxy, incl DNS (We do not use any proxy)

Checked Firewall settings, Checked default update provider (States WSUS)

$(New-Object -ComObject "Microsoft.Update.ServiceManager").Services | Select-Object Name, IsDefaultAUService
Name IsDefaultAUService

Performed SFC and DISM fixes

WUAUCLT /resetauthorization /detectnow
PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

We do have Intune, Intune has no setting configured stating another update service is to be used.

WMI traffic allowed
Allow Automatic Updates immediate installation - Enabled
Turn on recommended updates via Automatic Updates - Enabled
Turn on Software Notifications - Enabled
Configure Automatic Updates - Enabled (Auto download and notify for install)
Allow signed updates from an intranet Microsoft update service location - Enabled
Automatic Updates detection frequency - Enabled (8 Hours)
Do not connect to any Windows Update Internet locations - Disabled (Should only affect compatibility with Microsoft Update and not determine update source)
Specify intranet Microsoft update service location - Enabled (http://WSUS:8530)
Set the intranet statistics server - Enabled (http://WSUS:8530)
Do not enforce TLS certificate pinning for Windows Update client for detecting updates - Enabled
Select the proxy behavior for Windows Update client for detecting updates - Allow user proxy to be used as a fallback if detection using system proxy fails
Internet Zone set to Intranet
Delivery Optimization > Download Mode - (0) HTTP only (Setting to 1 or 2 makes no difference)

Any help in getting this WSUS debacle resolved?


3 answers

  1. Rita Hu -MSFT 9,646 Reputation points
    2022-06-15T09:00:37.563+00:00

    @MSFAN 9551
    Thanks for your posting on Q&A.

    IIS WSUS site configured as General > Queue length to 25000. CPU > Limit Interval 15, Processor Affinity Enabled - True. Process Model > Maximum Worker Processes - 0, Ping Enabled - False. Rapid-Fail Protection > "Service Unavailable" Response - TcpLevel, Failure Interval (minutes) - 30. Recycling > Private Memory Limit (KB) - 0

    Please try to follow the below Official Recommended Document to configure the IIS Application Pool first and rule out the misconfiguration.
    Reference link:
    https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/windows-server-update-services-best-practices

    Please follow the link above and then run the Server Cleanup Wizard manually. Then we could check whether issue stays or not.

    In addition, we could check the connection between the affected devices with WSUS Server. Open the IE browser and print the following URL according to your environment:

    http://your WSUS:8530/selfupdate/iuident.cab  
    

    You will get an iuident.cab file if the connection is OK.

    Best regards,
    Rita
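
The connectivity check suggested in this answer can be scripted on an affected workstation. The following is an added example, not code from the thread; it assumes the client receives its WSUS settings through Group Policy under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, and the function name `Test-WsusClientPath` is hypothetical.

```powershell
# Added example (not from the thread). Test-WsusClientPath is a hypothetical helper name.
function Test-WsusClientPath {
    [CmdletBinding()]
    param(
        # Location written by the "Specify intranet Microsoft update service location" policy
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au     = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    if (-not $policy -or -not $policy.WUServer) {
        throw "No WUServer value under $PolicyKey; this client is not pointed at a WSUS server."
    }

    $uri    = [uri]($policy.WUServer.TrimEnd('/') + '/selfupdate/iuident.cab')
    $file   = Join-Path $env:TEMP 'iuident-probe.cab'
    $result = [ordered]@{
        WUServer       = $policy.WUServer
        WUStatusServer = $policy.WUStatusServer
        UseWUServer    = $au.UseWUServer     # 1 = Automatic Updates uses the WSUS server
        Scheme         = $uri.Scheme         # http means the request is not protected by TLS
        Downloaded     = $false
        IsCabinet      = $false
        Signature      = $null
        Error          = $null
    }

    try {
        Invoke-WebRequest -Uri $uri -OutFile $file -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop
        $result.Downloaded = $true
        # An error page also "downloads"; a real cabinet file starts with the bytes MSCF.
        $bytes = [System.IO.File]::ReadAllBytes($file)
        $result.IsCabinet = ($bytes.Length -ge 4) -and
            ([System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -eq 'MSCF')
        # Report the Authenticode status as-is rather than assuming what it should be.
        $result.Signature = (Get-AuthenticodeSignature -FilePath $file).Status
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        Remove-Item -Path $file -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

Test-WsusClientPath | Format-List
```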



  2. MSFAN 9551 1 Reputation point
    2022-06-20T05:43:49.02+00:00

    Hi Rita

    All of it tried and tested. None of it resolved the problem.

    0 comments No comments

  3. Rita Hu -MSFT 9,646 Reputation points
    2022-06-20T06:31:33.227+00:00

    @MSFAN 9551
    Oops. Sorry for missing the point.

    Delivery Optimization > Download Mode - (0) HTTP only (Setting to 1 or 2 makes no difference)

    In fact, the devices use the BITS service to download the updates from WSUS or MECM. It seems that Download Mode is configured incorrectly. Please change the option to 100 = Bypass Mode as in the screenshot below. And then we could check whether the issue will be resolved.
    [Screenshot: 212824-6.png]

    Best regards,
    Rita

