• Bruce23


    Viewing 5 replies - 1 through 5 (of 5 total)
    • I have installed this solution on 4 Win11 machines now, and they are now updating fine. Very good news given it has been several months since they were updated fully.

      It does seem to help after the reboot to use the gpupdate /force and perhaps the wuauclt /detectnow commands.

      I did update one machine by copying the hidden .pol file under Windows\System32\GroupPolicy\Machine to the same location on another Win11 machine and that worked fine. But until you actually go into Edit Group Policy, the GroupPolicy folder is empty. But just going in creates the subfolders necessary for User or Machine depending on which Configuration you choose.

      But this was also on new machines that have no local machine group policies yet. Supposedly a copy will ask if you want to append to an already existing .pol file, but I did not try that.

      Given it is only 13 machines, I will likely just go through the Edit Group Policy for each – and load in the two settings – one for the location of the WSUS server, and the other for the Scan Source Settings. This will also be the safest approach given this is new to me.

      So once our network person is back on site, he will set up a global policy relative to Windows 11 machines that will make these local ones unnecessary.

      I wonder if I should delete these local ones once this is working globally or are they just redundant and don’t really matter?

      Also, I read that these local group policies are actually loaded into the Registry. Does my getting rid of the local ones, rid them from the Registry, and these will then be reloaded by the Global Policy once that is completed? I can also research this if needs be.

      I will see if the AJ Tek program will now clear out all those old Cumulatives that somehow got unapproved. Fortunately, it was only the Cumulatives that got Unapproved – the very items that Windows 11 would not load via WSUS until your solution was implemented on these machines.

      So this query is now answered as far as my original question goes. A very big thanks once again Susan! Much obliged!

      Bruce
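A policy file copied between machines, as in the post above, can be inspected before it is applied. The following is an added example, not part of the original post: a small Python reader for the Registry.pol (PReg) format that lists the Windows Update policy values it carries. The policy key path, the value names and the server URL in the sample are assumptions and constructed data, not taken from the thread.

```python
import struct
REG_SZ, REG_DWORD = 1, 4
# Assumed key: the standard Windows Update policy location (not quoted from the post).
WSUS_KEY = r"software\policies\microsoft\windows\windowsupdate"
W = lambda s: s.encode("utf-16-le")
DW = lambda n: struct.pack("<I", n)

def read_wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end >= len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def expect(buf, pos, ch):  # verify a UTF-16LE delimiter, return the offset after it
    if buf[pos:pos + 2] != W(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):  # Registry.pol bytes -> list of (key, value, type, data)
    if buf[:8] != b"PReg" + DW(1):
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, []
    while pos < len(buf):  # each record is [key;value;type;size;data]
        key, pos = read_wstr(buf, expect(buf, pos, "["))
        value, pos = read_wstr(buf, expect(buf, pos, ";"))
        rtype, = struct.unpack_from("<I", buf, expect(buf, pos, ";"))
        size, = struct.unpack_from("<I", buf, expect(buf, pos + 6, ";"))
        start = expect(buf, pos + 12, ";")
        data = buf[start:start + size]
        pos = expect(buf, start + size, "]")  # also rejects truncated data
        out.append((key, value, rtype, data))
    return out

def wsus_settings(buf):  # decoded values stored under the Windows Update policy key
    dec = {REG_DWORD: lambda d: struct.unpack("<I", d)[0],
           REG_SZ: lambda d: d.decode("utf-16-le").rstrip("\x00")}
    return {v: dec.get(t, bytes)(d) for k, v, t, d in parse_pol(buf)
            if k.lower().startswith(WSUS_KEY)}

def entry(key, value, rtype, data):  # builds one record of the constructed sample
    return W("[" + key + "\0;" + value + "\0;") + DW(rtype) + W(";") + DW(len(data)) + W(";") + data + W("]")
K = r"Software\Policies\Microsoft\Windows\WindowsUpdate"
URL = W("http://wsus.example.internal:8530\0")  # constructed server address
SAMPLE = (b"PReg" + DW(1) + entry(K, "WUServer", REG_SZ, URL)
          + entry(K, "WUStatusServer", REG_SZ, URL)
          + entry(K + r"\AU", "UseWUServer", REG_DWORD, DW(1))
          + entry(K, "SetPolicyDrivenUpdateSourceForQualityUpdates", REG_DWORD, DW(1)))
```

To check a real file, pass the bytes of a copy of the machine's Registry.pol to `wsus_settings()` and compare the result with what the Group Policy editor shows.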

    • UPDATE: I just checked WSUS and the Cumulatives for Windows 10 and 11 are appearing under the filters Unapproved and Failed/Needed. I have no idea how all these updates got Unapproved – and apparently automatically. The good news is, once I approved the September Cumulative update for the test W11 machine, it is now showing up on the Client, and Downloading is at 25%. That the Windows 10 Cumulatives are also now Unapproved is very odd, as those have all been installed on about 85 machines. Hopefully the AJ Tek program will clean this up. These now unapproved Cumulatives date back to 2022 but do indicate a reasonable number of machines that may need those.

      Written earlier today and quite possibly obsolete given the above update:

      I set up a local group policy on one Win11 client, as shown in the screenshot below. I also made sure the location of WSUS was placed twice in the first item called “Specify intranet Microsoft update service location” (after I did the screenshot though).

      This same server also shows up in the Registry setting: HKLM\Software\Policies\Microsoft\WindowsUpdate

      I rebooted, then ran gpupdate /force AND wuauclt /detectnow

      I then ran check for updates and it still says I am up to date. I checked the History and nothing new is there.

      Thank you for your help.

      [Screenshot: W11-Local-GPO_20231020-ScanSources-WSUS]

    • Hi Susan,

      Thank you for this information and link! I tried to set up a local group policy on the WSUS server as described, but our WSUS server is 2012 R2 and the local group policy does not have the “Manage updates offered from Windows Server Update Service”.

      We will be updating the server very soon, but in the meantime, is there another way to configure a local group policy to get W11 clients updated by changing the server’s local group policy, i.e., its source for getting updates?

      To buy some time, and given it is only 13 machines on W11 currently, I am updating them via the online MS Servers, especially the monthly Cumulatives.

      Thank you!

      Sincerely,

      Bruce

    • It turns out that after 24 hours of WSUS pulling down the 2023-09 Cumulative (using the VPN approach), WSUS finally got rid of the message that said it had not downloaded yet.

      After that, the first W11 client I checked now shows this Cumulative as a needed update. But upon trying to download it from WSUS, it gets stuck at 100% downloading and finally fails with an error message about it missing files, etc.

      So I ran an update fixer on the Client (it does the same as Troubleshooter does), and am now seeing if it can download the cumulative cleanly. I will try a DISM restorehealth as well.

      I will also look into the Catalog patch insertion into WSUS if this fails again – because I know the Catalog version was able to install on other Clients.

      Today’s synchronizations say successful, and also did so after a Manual sync 3 days ago when about 1600 updates were checked and synced.

      Thanks for the tips!

      Bruce

    • For Windows 11 Products:

      I only have “Windows 11” checked.

      For Classifications:

      Everything is checked except for Drivers and Feature Packs.

      We do subscribe to WSUS Automated Maintenance from AJ Tek so our WSUS database is well-maintained, though I will have it run again. I did contact them with this detail first, and the support person did not think it was related to WAM, and suggested a post on the MS site.

      That is when I came here to post because I had already explored the various suggested fixes on MS, but they were almost all relative to consumer issues with the updates and the usual aspects that the Troubleshooter deals with resetting, etc., and I had already exhausted that avenue.

      It was only when I saw the fine print at the bottom of the WSUS screen about each KB # that I realized this 2023-09 Cumulative was not able to download to WSUS. I won’t be skipping those details again!

      Interestingly, many posts were particular about the monthly Cumulative not being able to download. Of course, that is the largest one generally, and subject to more problems.

      Re: VPN use, because of our very limited bandwidth given our location, we cannot have various Stores (Apple and MS) and other types of websites (especially streaming ones) open during regular hours of our service. For various tasks that are critical, we sometimes use a VPN to bypass these firewall settings.

      Normally for WSUS this has not been necessary, especially since it does BITS, but adding Windows 11 to our support requirements has resulted in this issue. Using the VPN in this situation with WSUS downloading is because I wanted to eliminate the firewall as an issue. I don’t think it helped with my current situation though.

      However, W11 when checking for updates, takes a very long time, so I tried the VPN, and it is much faster in checking, and finding what is available in WSUS.

      I am thinking since various MS sites (mainly the Store) are blocked during the day here, this lack of access slows down the client Update checking very significantly.

      I don’t understand why the internet is even required by the client after the machine is set up to access WSUS, but when I turn on a VPN, the client is seemingly able to bypass something that is blocked and Win11 must need (or possibly eventually times out and bypasses when no VPN is used and then finally displays WSUS updates). This has never been an issue with Win10.

      It is also clear from installing a W11 machine that the internet is required from the get-go – like with Macs. Windows 10 has never required the internet to start up the computer with an admin account in my experience.

      Regarding the Catalog update, that also shows that the Cumulative Update is recognized by the client, and it also appears in the client’s Update History.

      It does make me wonder if there is a way to insert a Catalog update that I downloaded for one machine into WSUS.

      Thank you very much for your response.

      Bruce
