I have a Windows Server 2008 R2 WSUS server which is currently working fine with a mix of Windows Server 2008/2012 R2 client servers. All report in and download/install updates as expected.
I've recently added two Windows Server 2016 (1607) clients to the network which just didn't want to communicate consistently with the WSUS server, giving me just the two errors 80248014 & 8024500C repeatedly within the Windows Update Client event log.
I initially noticed high CPU/memory on the WSUS server following the addition of these 2016 servers and found an article that explained the reasons and provided a solution. This involved hotfix KB4039929 for WSUS 3.0 SP2 and some other suggestions to change the ASP.NET timeout & configure IIS to stop recycling the WsusPool AppPool. I also found some other suggested changes as follows:
- Queue Length: 25000 from 1000
- Limit Interval (minutes): 15 from 5
- Response: TcpLevel from HttpLevel
This did get rid of high CPU usage and error 8024401c from the event log but not 80248014 & 8024500C mentioned above.
I've updated ADMX templates in the Central Store just to ensure all settings are available and I'm not missing any obvious settings that could be affecting this.
Both of the following GPO settings have been changed to the value specified:
- "Install updates for other Microsoft products" - Enabled
- "Do not connect to any Windows Update Internet locations" - Disabled
I've tried the following suggestion, "Resetting the Windows Update Server and Components", along with running the following command: wuauclt /resetauthorization /reportnow /detectnow
None of the above has addressed the issues I'm seeing unfortunately.
I'm having some issues generating the WindowsUpdate.Log file atm with the error "No Format Information found", so am currently looking into that in order to investigate further.
One thing I've noticed, but I'm pretty sure it's just cosmetic, is that after joining the domain, the Windows Update Service changed its display name to wuauserv. This doesn't happen on any other versions of Windows; however, the service appears to start/stop fine.
Finally, I ran the free Solarwinds Diagnostic Tool for the Windows Server Update Service on these 2016 endpoints, which reported that the Windows update agent version is currently 6.2.14393.3085 and that it needs updating. After investigating how to do this, I can see that the latest Windows 2016 CU KB4507459 will contain all required updates to date, including WU Agent updates, and so has been installed. The WU agent wuaueng.dll is now reporting 10.0.14393.3085; however, the Solarwinds tool is still reporting the old out-of-date version, but I think this may simply be a red herring. I'm not seeing any way of manually updating the agent, so a CU update seems to be the only way as far as I can see.
I finally found the problem and it looks to be working now.
I managed to open the WindowsUpdate.log in the end and found the below errors occurring repeatedly.
I then found this super helpful MS article, "Issues related to firewall configuration", which indicated that disabling the Windows Firewall service is not supported and it seems to be a dependency for the Windows Update service to function correctly. As soon as I re-enabled this service and started it again, the updates began pouring down and WSUS was reporting everything working fine.
Disabling the actual Windows service was never an issue on older operating systems and was just a process we always did for new domain servers. Windows system components are obviously more integrated than before, so that's one to remember. The process here now is to simply disable the firewall profiles via GPO.
Anyway, thanks for looking if you did and hopefully this'll be helpful for any others experiencing this same issue.
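
An audit of the dependency described in the answer above, as an added example that is not part of the original post. It assumes the Windows Firewall service name is MpsSvc and that the NetSecurity module (Get-NetFirewallProfile) is present; the function name and the -Repair switch are hypothetical.

```powershell
# Added example (not from the original post): check that the Windows Firewall
# service a 2016 client's Windows Update depends on is enabled and running.
# Assumption: the firewall service name is MpsSvc. -Repair needs an elevated session.
function Test-WuFirewallDependency {
    [CmdletBinding()]
    param(
        [switch]$Repair   # hypothetical switch: re-enable and start the service
    )

    $fw = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'"
    $wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    if (-not $fw -or -not $wu) { throw "MpsSvc or wuauserv not found on this host." }

    if ($Repair -and ($fw.StartMode -eq 'Disabled' -or $fw.State -ne 'Running')) {
        Set-Service -Name MpsSvc -StartupType Automatic -ErrorAction Stop
        Start-Service -Name MpsSvc -ErrorAction Stop
        $fw = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'"
    }

    # Profile state is separate from service state: the profiles can be turned
    # off (for example by GPO) while the service itself keeps running.
    # The cmdlet fails when the service is stopped, so that case is caught.
    $profiles = try {
        Get-NetFirewallProfile -PolicyStore ActiveStore -ErrorAction Stop |
            ForEach-Object { "{0}={1}" -f $_.Name, $_.Enabled }
    } catch {
        @("unavailable: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        FirewallStartMode  = $fw.StartMode      # Auto / Manual / Disabled
        FirewallState      = $fw.State          # Running / Stopped
        WindowsUpdateState = $wu.State
        FirewallProfiles   = $profiles -join ', '
        ServiceOk          = ($fw.StartMode -ne 'Disabled' -and $fw.State -eq 'Running')
    }
}

Test-WuFirewallDependency | Format-List
```

A host where ServiceOk is False matches the condition the answer identifies as the cause of the failed update checks.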