WSUS fails to download monthly Cumulative Update for Windows 11 Version 22H2

Topic

New Reply

Hello,

I looked here and also on the Microsoft site for a better understanding of this issue, but am not finding much relative to this issue when it involves WSUS. So I am posting this here. My apologies if I missed something in the searches I did here if this is already answered.

My current conclusion based on the history I detail below is this:

WSUS cannot download the monthly Cumulative Update for Windows 11 Version 22H2, so it never appears as an option on the Client.

I am an admin of the server with WSUS, but mainly each month I read your recommendations, and release the updates accordingly. Thank you for providing this great service!

However, I don’t know much about fixing these kinds of issues – yet. (The person who normally deals with it is away for a month or so.)

Here is some background and history in case this helps: (You can get the gist of it by just reading the bold parts if you like.)

On 12 computers all running Windows 11 Pro (the machines are various brands) the same thing happens no matter what I try.

First I make sure the third party automated maintenance program has run. Then I use the troubleshooter, and SFC and DISM commands on the clients, etc., but none of these usual update solutions helped. I tried this on at least half of the 12 machines.

I approved it in WSUS but it has been failing for 3-4 months now. I have resorted to the Catalog and the stand-alone installer works fine, but I don’t want to keep doing that given the constantly increasing number of Win11 machines replacing older Win10 ones.

I checked Products and Classifications in WSUS and those are marked correctly (as far as I can tell) for Windows 11, Security updates, etc.

Windows 10 has no issues with the monthly cumulative on about 100 computers.

Also the .NET cumulative always comes through to the Windows 11 Clients as does all the MS Office updates each month.

I have looked for the solution online, but have not found it.

I have two ISOs (version 22H2) – one for EN-US and one for EN-UK and they both fail on the Win11 machines they were successfully originally installed on.

We have a mix of versions – the Windows 11 machines all came with Pro already installed, so I leave them as is other than joining them to the domain, updating them, etc. Some are EN-US others are EN-UK, and I may use the USBs mentioned above to update them if WSUS is not responding.

However, others are sometimes installed using the W11 Pro Multi-Language version from MS VLSC.com. This mix has never made a difference with Windows 10 and WSUS. But perhaps it does with W11?

I can upgrade to a new Version from a USB iso no problem, just not from WSUS. I also can download the latest 09-2023 Cumulative Update for Windows 11 Version 22H2 online – but we have severe bandwidth limitations here, so it is not a viable option for the growing number of W11 machines.

However, I finally noticed in WSUS a small summary message for the above Cumulative saying that the WSUS download has failed due to missing files (or something like this). (The original message status got nuked once I tried restarting the download, which is still running, and will likely timeout at some point, and that original message will re-appear probably.)

I am also now downloading via WSUS being on a VPN to bypass any firewall issues, but that is taking hours. The standalone exe was only 400+ MB from the MS Catalog, and that was small enough to readily download, and install successfully on one W11 machine.

I have started to look at what I can do on the server that houses WSUS, and after some review, thought it best to write this post before going into maintenance since it is not my expertise – though I can get around on the server (albeit slowly and carefully) if I can get a good starting recommendation of what I might do to hopefully permanently fix this issue.

Thank you for any light you can shed on this – much obliged!

Best to you,

Bruce

 

Reply | Quote

Replies

What categories and products do you have selected?

Also I really recommend biting the bullet and purchasing WSUS Automated Maintenance | AJ Tek Corporation

But getting back to your situation it sounds like that the machines will update because they are getting the .net patches, but just not being offered the Windows 11 updates.

Why are you connecting via a VPN?

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Bruce23

Reply | Quote

For Windows 11 Products:

I only have “Windows 11” checked.

For Classifications:

Everything is checked except for Drivers and Feature Packs.

We do subscribe to WSUS Automated Maintenance from AJ Tek so our WSUS database is well-maintained, though I will have it run again. I did contact them with this detail first, and the support person did not think it was related to WAM, and suggested a post on the MS site.

That is when I came here to post because I had already explored the various suggested fixes on MS, but they were almost all relative to consumer issues with the updates and the usual aspects that the Troubleshooter deals with resetting, etc., and I had already exhausted that avenue.

It was only when I saw the fine print at the bottom of the WSUS screen about each KB # that I realized this 2023-09 Cumulative was not able to download to WSUS. I won’t be skipping those details again!

Interestingly, many posts were particular about the monthly Cumulative not being able to download. Of course, that is the largest one generally, and subject to more problems.

Re: VPN use, because of our very limited bandwidth given our location, we cannot have various Stores (Apple and MS) and other types of websites (especially streaming ones) open during regular hours of our service. For various tasks that are critical, we sometimes use a VPN to bypass these firewall settings.

Normally for WSUS this has not been necessary, especially since it does BITS, but adding Windows 11 to our support requirements, has resulted in this issue. Using the VPN in this situation with WSUS downloading is because I wanted to eliminate the firewall as an issue. I don’t think it helped with my current situation though.

However, W11 when checking for updates, takes a very long time, so I tried the VPN, and it is much faster in checking, and finding what is available in WSUS.

I am thinking since various MS sites (mainly the Store) are blocked during the day here, this lack of access slows down the client Update checking very significantly.

I don’t understand why the internet is even required by the client after the machine is setup to access WSUS, but when I turn on a VPN, the client is seemingly able to bypass something that is blocked and Win11 must need (or possibly eventually times out and bypasses when no VPN is used and then finally displays WSUS updates). This has never been an issue with Win10.

It is also clear from installing a W11 machine that the internet is required from the get-go – like with Macs. Windows 10 has never required the internet to start up the computer with an admin account in my experience.

Regarding the Catalog update, that also shows that the Cumulative Update is recognized by the client, and it also appears in the client’s Update History.

It does make me wonder if there is a way to insert a Catalog update that I downloaded for one machine into WSUS.

Thank you very much for your response.

Bruce

Reply | Quote

Yes there is a way to insert a catalog patch into wsus.

In the synchronization section does it show successful?

 

Troubleshoot Windows Server Update Services (WSUS) synchronization and import issues – Configuration Manager | Microsoft Learn

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Bruce23

Reply | Quote

It turns out that after 24 hours of WSUS pulling down the 2023-09 Cumulative (using the VPN approach), WSUS finally got rid of the message that said it had not downloaded yet.

After that, the first W11 client I checked now shows this Cumulative as a needed update. But upon trying to download it from WSUS, it gets stuck at 100% downloading and finally fails with an error message about it missing files, etc.

So I ran an update fixer on the Client (it does the same as Troubleshooter does), and am now seeing if it can download the cumulative cleanly. I will try a DISM restorehealth as well.

I will also look into the Catalog patch insertion into WSUS if this fails again – because I know the Catalog version was able to install on other Clients.

Today’s synchronizations say successful, and also did so after a Manual sync 3 days ago when about 1600 updates were checked and synced.

Thanks for the tips!

Bruce

Reply | Quote

Just circling back to this – it is still an issue for me with the October 2023 updates. I have a WIn 11 22H2 VM that has been up for several months now and I still cannot WSUS to serve updates to it.

As of this moment – WSUS is aware of all available updates for all my Win 10 targets – but if I go to all listed updates and examine everything for Win 11 – like KB5031358 – WSUS is reporting this is not needed for ANY targets – while WSUS also lists my Win 11 VM as being “right up to date” (big checkmark in the Installation Status column in the Computers view.

Whatever is going on here started a few months back and I am not using a Windows 2022 server that was upgraded from 2016 or 2019.

The only way I was able to update this VM last month was to “re-enable” access to Windows Update and do it the oldfashioned way – manually from the main WU.

And ideas on where to start troubleshooting?

Sonic

1 user thanked author for this post.

Bruce23

Reply | Quote

You are the same person as Bruce?

Normally WSUS just works.  Is there anything on your firewall blocking IP ranges/countries/ etc?

What are the BITS logs telling you on that WSUS server?

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Hi Susan

Different person 🙂

Odd thing is – this Win 11 VM WAS working with WSUS just fine up to maybe the July Patch Tuesday window – now nothing. August, September and now October are simply not offered at all.

Have not checked BITS logs yet – but will now. And will report back.

S

Reply | Quote

I think I’m seeing what you are seeing.   This month’s 11 security updates are called “dynamic updates” and while they are approved in the system, the 11 workstations are not indicating that they are needing these updates.

Hang loose while I ask on the patchmanagement.org list if others are seeing this as well.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Exactly.

I also just did a complete WU reset on this VM, restarted and then reimported my standard registry settings to “reintroduce” this device back to WSUS

The machine does report into WSUS normally and appears in the computer listing like all the others.

I then ensured that manual approvals were on KB 5031225 and KB 5031323 to be available to this device.

But when I go into the VM – clicking “Check for Updates” a few times in the Windows Updates settings panel – it comes back clean – saying it does not need anything.

WSUS is also saying this device does not need anything either. There is definitely something else going on here.

S

 

Reply | Quote

Well – after 24 hours now – my Win 11 22H2 VM still sees nothing and is acting as if it’s right up to date.

I also went deep into the articles circulating from MS attributing this issue to “missing” mime types (Windows 2022 servers specifically) on the IIS instance that drives WSUS.

My WSUS is running on Windows Server 2019 Core and I checked it yesterday – all the mime types that MS says are missing – are just fine on my WSUS IIS instance – so that cannot be the cause.

Looking forward to any other intel from the field because this is really strange.

Sonic

 

Reply | Quote

Enable Scan Source Policies

The second, more permanent fix is to ensure the UseUpdateClassPolicySource is being set. I have confirmed with the Windows Update team that Scan Source policies are the intended method for controlling the update source. One option for doing so is by creating a Group Policy to configure and enable the ‘Specify source service for specific classes of Windows Update’ (docs) policy and configuring each update type to point at WSUS:

Windows 11 Fails to Detect Updates After July’s Cumulative Update – Patch Tuesday Blog

Once I enabled the scan source policies in a test Windows 11 via local group policy, it found the Windows 11 updates from WSUS.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Bruce23

Reply | Quote

Susan

While this all makes sense – none of it is applicable to my scenario. WSUS in a small WORKGROUP scenario where we have never used WUfB – or ever used ConfMgr or any other tools.

After spending an extraordinary amount of non-productive time on this – I finally decided that enough was enough and finally began a planned transition to using Powershell (PSWindowsUpdate) to handle our updates for the future.

I inherited this rickety old WSUS layout some time ago and it’s clear that since MS is not exactly showing WSUS any further long term love – neither can I. Making sure our little community office is properly updated is more of a priority than troubleshooting WSUS.

For the small amount of client machines (15) in my scenario – using PSWindowsUpdate is fast, furious and completely hands off (once I got my script exactly the way I wanted it).

Thanks for the updates and continued success.

Cheers

Sonic.

 

 

Reply | Quote

If you used any of those feature deferral group policy/registry stuff that is seen as “Windows update for business”

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

P.S. I saw this in a pure WSUS setting, no config manager.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Susan

Understood – however there are clearly some things going on in the “deep” background that are making this ever so slightly more difficult every month that goes by.

If I have learned one thing while using WSUS – is that when something does go wrong – it is almost an impossible task to track it down due to the obscure nature of the components in play, the massive number of variables at play (at any given time) and an aging component stack that MS is clearly moving away from.

As your article suggested (via Bryan Dam) how would anyone know even where to start – let alone come to a conclusion that zapping July’s Cumulative Update would somehow open a door to solving this?

Now – knowing what I know AFTER reading that article – I can confirm that my two Windows 11 PCs (that would not accept any updates) DID have the old “DisableDualScan = 1” DWORD set in the registry.

That said – while this “appears” to have something to do with issue AND the end solution – this registry key has been in place on these two machines for as long as Windows 11 has been installed – which is easily over a year.

But all of a sudden – out of the blue – MS decides to change something super obscure and the results is WU failure. And of course, this sends us admin types into panic mode – trying to figure out – where – in the abyss that is WSUS – where to even start looking for clue.

This is the kind of stuff that makes me boil. No warnings, no assistance, no documentation saying “Hey – if any of your Win 11 machines are still using the following WSUS client settings – the July Update will make your life miserable in the not-too-distant future”.

For a small scenario like mine – it makes no sense to chase this stuff down when all I really want to do is get a dozen or so machines updated correctly.

Powershell does this with no components, no variables and literally a two-line script.

SOnic.

Reply | Quote

I think you misunderstood my recommendation.

All I did on this misbehaving WSUS server was to change the group policy on the Windows 11 to have that source location set to it would look to WSUS.

Once I set that one group policy, rebooted then the workstations received updates.  I didn’t uninstall anything.  I don’t disagree with your “these machines have been in place for X” but clearly our Redmond overlords made an undocumented change.

Their future is WU for business/Intune and WSUS is dead and thus no one is connecting the dots to realize when they break things.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Bruce23

Reply | Quote

Hi Susan,

Thank you for this information and link! I tried to set up a local group policy on the WSUS server as described, but our WSUS server is 2012 R2 and the local group policy does not have the “Manage updates offered from Windows Server Update Service”.

We will be updating the server very soon, but in the meantime, is there another way to configure a local group policy to get W11 clients updated by changing the server’s local group policy, i.e., its source for getting updates?

To buy some time, and given it is only 13 machines on W11 currently, I am updating them via the online MS Servers, especially the monthly Cumulatives.

Thank you!

Sincerely,

Bruce

Reply | Quote

You have to add the 11 group policy admx files up to the server that is handing out group policy — or just log on to each 11 and set that machine’s local policy using edit local group policy.

 

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Bruce23

Reply | Quote

UPDATE: I just checked WSUS and the Cumulatives for Windows 10 and 11 are appearing under the filters Unapproved and Failed/Needed. I have no idea how all these updates got Unapproved – and apparently automatically. The good news is, once I approved the September Cumulative update for the test W11 machine, it is now showing up on the Client, and Downloading is at 25%. That the Windows 10 Cumulatives are also now Unapproved, is very odd, as those have all been installed on about 85 machines. Hopefully the AJ Tek program will clean this up. These now unapproved Cumulatives date back to the 2022 but do indicate a reasonable number of machines that may need those.

Written earlier today and quite possibly obsolete given the above update:

I set up a local group policy on one Win11 client, as shown in the screenshot below. I also made sure the location of WSUS was placed twice in the first item called “Specify intranet Microsoft update service location” (after I did the screenshot though).

This same server also shows up in the Registry setting: HKLM\Software\Policies\Microsoft\WindowsUpdate

I rebooted, then ran gpupdate /force AND wuauclt /detectnow

I then ran check for updates and it still says I am uptodate. I checked the History and nothing new is there.

Thank you for your help.

Reply | Quote

I have installed this solution on 4 Win11 machines now, and they are now updating fine.Very good news given it has been several months since they were updated fully.

It does seem to help after the reboot to use the gpupdate /force and perhaps the wuauclt /detectnow commands.

I did update one machine by copying the hidden .pol file under Windows\System32\GroupPolicy\Machine to the same location on another Win11 machine and that worked fine. But until you actually go into Edit Group Policy, the GroupPolicy folder is empty. But just going in creates the subfolders necessary for User or Machine depending on which Configuration you choose.

But this was also on new machines that have no local machine group policies yet. Supposedly a copy will ask if you want to append to an already existing .pol file, but I did not try that.

Given it is only 13 machines, I will likely just go through the Edit Group Policy for each – and load in the two settings – one for the location of the WSUS server, and the other for the Scan Source Settings. This will also be the safest approach given this is new to me.

So once our network person is back on site, he will set up a global policy relative to Windows 11 machines that will make these local ones unnecessary.

I wonder if I should delete these local ones once this is working globally or are they just redundant and don’t really matter?

Also, I read that these local group policies are actually loaded into the Registry. Does my getting rid of the local ones, rid them from the Registry, and these will then be reloaded by the Global Policy once that is completed? I can also research this if needs be.

I will see if the AJ Tek program will now clear out all those old Cumulatives that somehow got unapproved. Fortunately, it was only the Cumulatives that got Unapproved – the very items that Windows 11 would not load via WSUS until your solution was implemented on these machines.

So this query is now answered as far as my original question goes. A very big thanks once again Susan! Much obliged!

Bruce

Reply | Quote