Troubleshooting WSUS Synchronization Issues

Uploaded by

dvdsenthil

Troubleshooting WSUS synchronization issues

bocoprimeit.com/troubleshooting-wsus-synchronization-issues

admin August 20, 2018

The WSUS server downloads updates from Microsoft Update and distributes the updates to servers and
clients in your network. Often enough we find WSUS clients that are unable to download updates or
aren’t installing them correctly. Recently some of our servers could not get Windows
updates through WSUS. The error message that we were getting was as follows:

Windows Update We couldn’t connect to the update service. We’ll try again later, or you can check
now..

Here are some insights from our troubleshooting and the steps we took to try to solve the
issue:

I. Perform a backup for the Windows Update key:
run Registry Editor as administrator
collapse
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
right-click on WindowsUpdate → Export

II. Reset Windows Update Agent


III. Check if there are any proxy settings
https://marckean.com/2010/12/17/run-internet-explorer-as-the-local-system-account/
Do you get any results for the command?

netsh winhttp show proxy

IV. Disable Dual Scan
What is Dual Scan:
Dual Scan occurs when a computer tries to scan for updates on Microsoft Update (online)
even if it is managed by WSUS or SCCM and access to Microsoft Update is blocked by
network configuration. In this case, the computer won’t get updated or the scan for updates will take
very long.

This is caused by the following policies, even if the policies are set to 0. The policies need to be set
to “Not Configured” to avoid the Dual Scan behavior.

Select when Quality Updates are received
Select when Feature Updates are received
Do not include drivers with Windows Updates

If any of these policies are present in the registry – even if they are set to 0 – then WUfB Dual
Scan is enabled.

DeferQualityUpdates
DeferQualityUpdatesPeriodInDays
PauseQualityUpdates
DeferFeatureUpdates
DeferFeatureUpdatePeriodInDays
PauseFeatureUpdates
ExcludeWUDriversInQualityUpdate
DeferUpdatePeriod
PauseDeferrals
DeferUpgradePeriod
BranchReadinessLevel
The registry keys are found in the below locations:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update
HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings

They can also be found by using PowerShell as administrator:

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
reg query HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update
reg query HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
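
The presence check described above can be scripted instead of reading the reg query output by eye. The following is an added example, not part of the original article; the value names and key paths are the ones listed on this page, and the function name Get-DualScanTrigger is hypothetical.

```powershell
# Added example: list every Dual Scan trigger value that is present on this machine.
# Value names and key paths come from the lists on this page.
$TriggerNames = @(
    'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays', 'PauseQualityUpdates',
    'DeferFeatureUpdates', 'DeferFeatureUpdatePeriodInDays', 'PauseFeatureUpdates',
    'ExcludeWUDriversInQualityUpdate', 'DeferUpdatePeriod', 'PauseDeferrals',
    'DeferUpgradePeriod', 'BranchReadinessLevel'
)
$KeyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update',
    'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
)

# Hypothetical helper name; emits one object per trigger value found.
function Get-DualScanTrigger {
    param(
        [string[]]$Path = $KeyPaths,
        [string[]]$Name = $TriggerNames
    )
    foreach ($key in $Path) {
        # A missing key simply means no policy was ever written there.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($valueName in $item.GetValueNames()) {
            # Presence is what counts: a value set to 0 is still reported.
            if ($Name -contains $valueName) {
                [pscustomobject]@{
                    Key   = $key
                    Name  = $valueName
                    Value = $item.GetValue($valueName)
                }
            }
        }
    }
}

$found = @(Get-DualScanTrigger)
if ($found.Count -eq 0) {
    'No deferral or pause values found in the three keys.'
} else {
    $found | Format-Table -AutoSize
    "{0} value(s) present; set the matching policies to Not Configured." -f $found.Count
}
```

Run it from an elevated PowerShell session on the affected client; it only reads the registry and changes nothing.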

On Windows 10 1607 and Windows 10 1703 and Server 2016

To avoid Dual Scan we need to set a policy, namely “Do not allow update deferral policies
to cause scan against Microsoft Update”. This policy was introduced with the CU of August
2017. Enabling this policy lets updates be pushed through SCCM/WSUS while still allowing
users to scan for updates online if Microsoft Update is reachable.

The “Check online for updates from Microsoft Update” option will trigger an online scan. The
registry key stays in place and will not block that scan against Microsoft Update.

The domain GPO setting “Do not allow update deferral policies to cause scan against Microsoft
Update” can be found in the ADMX for Windows 10 1709.

https://www.microsoft.com/en-us/download/details.aspx?id=56121

After updating the WindowsUpdate.adml\admx, open Command Prompt as administrator and run: gpupdate /force
Run Group Policy Management as administrator and in the Servers node
Right-click on your WSUS-Group → Edit
Computer Configuration → Administrative Templates → Windows Components → Windows Update
Enable the policy Do not allow update deferral policies to cause scan against Microsoft Update
Open Command Prompt as administrator and run this command on all the servers: gpupdate /force

V. On the WSUS Server from an administrative command prompt run the following commands:

cd "\Program Files\Update Services\Tools"
WsusUtil.exe postinstall /servicing
WsusUtil.exe usecustomwebsite false
WsusUtil.exe usecustomwebsite true
net stop wsusservice & net start wsusservice
iisreset
WsusUtil.exe checkhealth

Check on your servers if the problem is still present. If the problem still exists, continue with the
following action.

WARNING: It is strongly advised to perform a backup of the AutoUpdate before performing the following changes!

VI. Remove the following two registry values, AcceleratedInstallRequired and IsOOBEInProgress:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
AcceleratedInstallRequired = 1
IsOOBEInProgress = 1

Restart and check on your servers if the problem is still present. If the problem still exists,
continue with the following action.

VII. Recover the WU Agent from the OOBE in progress:

a. Download Windows Update PowerShell Module (PSWindowsUpdate.zip) from Link #1 or
Link #2 to the machine having the issue.
b. Copy the whole module folder (after extracting) to
%WINDIR%\System32\WindowsPowerShell\v1.0\Modules
c. Start up PowerShell ISE as administrator from admin tools and execute the following
commands:

Set-ExecutionPolicy RemoteSigned
Import-Module PSWindowsUpdate
Get-WUInstall

i. When asked, accept all conditions.
ii. The rest should be automated with some prompts. Please let it run for some time.
iii. Once you receive the prompt, select [A] Yes to All, and all the updates will run on the
machine.

VIII. Make sure that the following settings are configured on your AD servers; if not, configure them
and restart the Windows Update service to have them in place:

a.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableDualScan"=dword:00000001
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001

b.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AllowMUUpdateService"=dword:00000000

c. From Group Policy Management in the Servers node, right-click on your WSUS-Group →
Edit and disable Configure Automatic Updates

d. Run Command Prompt as administrator and run this command:

gpupdate /force

e. Check if the settings are still in place
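
One way to do the check in step e, as an added example that is not part of the original article: compare the three values from steps a and b against what is actually in the registry after gpupdate. The function name Test-WsusClientSetting is hypothetical; the keys, value names and expected data are the ones shown above.

```powershell
# Added example: verify the step VIII registry values after "gpupdate /force".
# Keys, names and expected DWORD data are taken from steps a and b on this page.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Expected = @(
    @{ Key = $WuPolicy;      Name = 'DisableDualScan';                              Value = 1 },
    @{ Key = $WuPolicy;      Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Value = 1 },
    @{ Key = "$WuPolicy\AU"; Name = 'AllowMUUpdateService';                         Value = 0 }
)

# Hypothetical helper name; returns one row per expected setting.
function Test-WsusClientSetting {
    param([hashtable[]]$Setting = $Expected)
    foreach ($s in $Setting) {
        $actual = $null
        if (Test-Path -LiteralPath $s.Key) {
            # GetValue returns $null when the value does not exist under the key.
            $actual = (Get-Item -LiteralPath $s.Key).GetValue($s.Name, $null)
        }
        # Distinguish "never written" from "written with the wrong data".
        $state = if ($null -eq $actual) { 'Missing' }
                 elseif ($actual -eq $s.Value) { 'OK' }
                 else { 'Mismatch' }
        [pscustomobject]@{
            Key      = $s.Key
            Name     = $s.Name
            Expected = $s.Value
            Actual   = $actual
            State    = $state
        }
    }
}

$report = @(Test-WsusClientSetting)
$report | Format-Table Name, Expected, Actual, State -AutoSize

# Summarise so the result is easy to spot when run on several servers in turn.
$bad = @($report | Where-Object { $_.State -ne 'OK' })
if ($bad.Count -gt 0) {
    "{0} setting(s) not in place: {1}" -f $bad.Count, ($bad.Name -join ', ')
} else {
    'All three settings are in place.'
}
```

A value reported as Missing after gpupdate usually means the GPO is not applied to that server, while Mismatch means another policy or a manual edit is overriding it.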

Note: We need to mention that the success of the troubleshooting process depends on having a good
understanding of the problem. Therefore, thorough data gathering is in order, on both
the WSUS server and the client servers, to identify where the issue is located.
