The WSUS server downloads updates from Microsoft Update and distributes the updates to servers and clients in your network. Often enough we can find WSUS clients that are unable to download updates or aren’t installing them correctly. Recently we had some issues with our servers that can’t get Windows updates using WSUS. The error message that we were getting was as follows:

Windows Update We couldn’t connect to the update service. We’ll try again later, or you can check now..

Here are some insights of our troubleshooting and the steps we took attempting to solve the issue:

  1. Perform a backup for the Windows Update key:
    • run Registry Editor as administrator
    • collapse HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
    • right-click on WindowsUpdate → Export

  2. Reset Windows Update Agent
  3. Check if there are any proxy setting
  4. Disable Dual Scan
    What is Dual Scan:

    Dual Scan appears when the computer will try to scan for updates on Microsoft Update (online) even if it is managed by WSUS or SCCM and the access to Microsoft Updates is blocked by network configuration. In this case, the computer won’t get updated or the scan for updates will take very long.

    This is caused by the following policies, even if the policies are set to 0. The policies need to be set to “Not Configured” to avoid the Dual Scan behavior.

    • Select when Quality Updates are received
    • Select when Feature Updates are received
    • Do not include drivers with Windows Updates

    If any of these policies are present in the registry – even if they are set to 0 – then WUfB Dual Scan is enabled.

    • DeferQualityUpdates
    • DeferQualityUpdatesPeriodInDays
    • PauseQualityUpdates
    • DeferFeatureUpdates
    • DeferFeatureUpdatePeriodInDays
    • PauseFeatureUpdates
    • ExcludeWUDriversInQualityUpdate
    • DeferUpdatePeriod
    • PauseDeferrals
    • DeferUpgradePeriod
    • BranchReadinessLevel

    The registry keys are found in the below locations:

    [code language=”shell”]
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update
    HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
    [/code]

    They can be also found by using Powershell as administrator:

    [code language=”shell”]
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
    reg query HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update
    reg query HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
    [/code]

    On Windows 10 1607 and Windows 10 1703 and Server 2016

    To avoid Dual Scan we need to set a policy, more exactly “Do not allow update deferral policies to cause scan against Microsoft Update”. This policy has been introduced with the CU of August 2017. Enabling this policy will let updates get pushed through SCCM/WSUS but will allow at the same time the users to scan for update online if possible to access.

    The “Check online for updates from Microsoft Updates” will trigger an online scan. At the same time the registry key is there and will not block the scan against Microsoft Update.

    The GPO Domain “Do not allow update deferral policies to cause scan against Microsoft Update” can be found in the ADMX for Windows 10 1709.

    • https://www.microsoft.com/en-us/download/details.aspx?id=56121
    • After updating the WindowsUpdate.adml\admx, open Command Prompt as administrator and run: gpupdate /force
    • Run Group Policy Management as administrator and in the Servers node
      • Right-click on your WSUS-Group → Edit
      • Computer Configuration → Administrative Templates → Windows Componentes → Windows Update
      • Enable the policy Do not allow update deferral policies to cause scan against Microsoft Update
      • Open Command Prompt as administrator and run this command: gpupdate /force on all the AD servers
  5. On the WSUS Server from an administrative command prompt run the following commands:

    [code language=”shell”]
    cd "\Program Files\Update Services\Tools"
    WsusUtil.exe postinstall /servicing
    WsusUtil.exe usecustomwebsite false
    WsusUtil.exe usecustomwebsite true
    net stop wsusservice & net start wsusservice
    iisreset
    WsusUtil.exe checkhealth
    [/code]

    Check on your AD servers if the problem is still present. If the problem does still exist continue with the following action.

    WARNING: It is strongly advised to perform a backup of the AutoUpdate before performing the following changes!
  6. Remote the following two registry values, AcceleratedInstallRequired and IsOOBEInProgress:

    [code language=”shell”]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
    AcceleratedInstallRequired = 1
    IsOOBEInProgress = 1
    [/code]

    Restart and check on your AD servers if the problem is still present. If the problem does still exist continue with the following action.

  7. Recover the WU Agent from the OOBE in progress:
    1. Download Windows Update PowerShell Module (PSWindowsUpdate.zip) from Link #1 or Link #2 to the machine having the issue.
    2. Copy the whole module folder (after extracting) to %WINDIR%\System32\WindowsPowerShell\v1.0\Modules
    3. Start up PowerShell ISE as administrator from admin tools and execute the following commands:
      1. [code type=”shell”]
        Set-ExecutionPolicy RemoteSigned
        Import-Module PSWindowsUpdate
        Get-WUInstall
        [/code]

        When asked accept all conditions

      2. The rest should be automated with some prompts, Please let it run for some time.
      3. Once you receive the prompt Select [A] Yes to All. And all the updates will run in the machine.
  8. Make sure that the following setting are configured on your AD servers, if not, configure them restart the Windows Update service to have them in place:
    1. [code]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
      “DisableDualScan”=dword:00000001
      “DoNotConnectToWindowsUpdateInternetLocations”=dword:00000001
      [/code]

    2. [code]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
      “AllowMUUpdateService”=dword:00000000
      [/code]

    3. From Group Policy Management in the Servers node, right-click on your WSUS-Group → Edit disable Configure Automatic Updates
    4. Run Command Prompt as administrator and run this command:

      [code language=”shell”]gpupdate /force[/code]

    5. Check if the settings are still in place

Note: We need to mention that the success of the troubleshooting process depends on having a good understanding of the problem. Therefore, performing a thorough data gathering is in order, on both WSUS and client server, to identify where the issue is located.


Reference:
Improving Dual Scan on 1607 by Steve Henry
WSUS Troubleshooting Survival Guide by Yuri Diogenes