Ran into an issue that I am drawing a blank on. Running WSUS on Server 2016 standalone domain server. Loaded from 2016 Roles/Features. Here's the kicker, on a 2008 AD.

I have the OU set up and the GPO and one test PC is under GPO control for Windows Update.

I added the OU group to WSUS but the PC is not listed (Win10 Pro, 1803). It's been the weekend and no update.

Options setting in WSUS is to use Group Policy. Am I missing a new setting or something to get the PC to show up on Server 2016 WSUS?

htm11h
  • You haven't given us nearly enough details. `Running WSUS on Server 2016 standalone domain server.` - That's a confusing statement. Is this server joined to the domain or not? `I have the OU set up and the GPO and one test PC is under GPO control for windows update.` - What settings did you specifically configure in the GPO? `I added the OU group to WSUS but the PC is not listed.` - What OU group? Did you configure the WSUS group name in the GPO? Did you create the corresponding group in WSUS? Did you configure the GPO to direct client machines to the WSUS server? – joeqwerty May 21 '18 at 20:00
  • Yes, the server is joined to the domain. The OU group in WSUS is the same one created in AD for this purpose. Policy is Computer Config\AdminTemp\WindowsComponent\WindowsUpdate\ 3 - ConfigureAutoUpdates, SpecifyIntranetMSupdateServLocation, EnableClient-sideTargeting. I'll post an update to the OP in a few with some screenshots. And yes, I believe it's configured correctly in both places unless I missed something. – htm11h May 21 '18 at 20:06
  • The target group in WSUS isn't an actual AD security group. It's simply a name so that clients know which WSUS target group to populate. You need to configure the GPO to specify the WSUS target group name and you need to create the target group in WSUS. – joeqwerty May 21 '18 at 20:14
  • Please see the images uploaded; isn't that what is displayed? – htm11h May 21 '18 at 20:16
  • We need to see the GPO settings that you configured for Windows Updates. We also need to see the WSUS computer groups in the WSUS console. – joeqwerty May 21 '18 at 20:23
  • To clarify, GPO is running on domain controller, WSUS is not. Added more images. Also WSUS server is specified with port 8530, no SSL. – htm11h May 21 '18 at 20:38
  • OK, the GPO setting "Enable client-side targeting" - What do you have that set to? The "Specify intranet Microsoft update service" setting - What do you have that set to? Can you show us those settings? – joeqwerty May 21 '18 at 20:48
  • Images uploaded. – htm11h May 21 '18 at 20:51
  • OK. So check a couple of things: 1. Does the test computer show up under Unassigned Computers in WSUS? 2. Can the test computer connect to that URL from a web browser? 3. Have you verified that the correct GPO is being applied to the client? You can run gpresult to verify it. – joeqwerty May 21 '18 at 20:58
  • No, the computer does not appear under Unassigned Computers, or anywhere else in WSUS. That is the issue of this post. The computer can connect to the URL but nothing appears at that port; the IIS page loads when using just the server name. The GPO is being applied; that is the first image stating that they are being managed by admin. – htm11h May 22 '18 at 15:32
  • The first image shows that Windows Updates are being managed but it doesn't confirm that the correct GPO is being applied and is the one managing Windows Updates. It very well could be another GPO that's being applied and enforced. Verify that your GPO is being applied and that the settings in that GPO are being applied by running gpresult. – joeqwerty May 22 '18 at 15:39
  • Only one GPO has been set up and I did review gpresult /z and gpresult /v; only the local policy was not applied. The first image was not being displayed on this test PC until after gpupdate /force was invoked. But I do not see the Windows Update policy explicitly listed in any of the results. It's not even listed in the RSoP for user. – htm11h May 22 '18 at 16:35
  • Just pulled results by computer scope, stand by for update. – htm11h May 22 '18 at 16:46
  • Following GPOs were not applied because they were filtered out: Local Group Policy, WSUS_computers Filtering: Denied (Security) – htm11h May 22 '18 at 17:01
  • Not sure I understand where the security restriction is established in this instance. – htm11h May 22 '18 at 17:02
  • OK, so we've identified the problem. The GPO is not being applied because of security filtering. What is the Security Filtering set to in the GPO? – joeqwerty May 22 '18 at 18:05
  • @htm11h - As the problem has been identified, which is the problem related to Security filtering of your WSUS based GPO, I'd suggest you check this link and verify step by step carefully: https://community.spiceworks.com/topic/741753-applying-gpo-to-a-group-containing-computer-objects. Hope it helps you, :) – Am_I_Helpful May 23 '18 at 17:18
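
The three client-side checks worked through in the comments above (which GPOs the computer scope filtered out, which Windows Update policy values actually reached the client, and whether the WSUS URL is reachable), as an added PowerShell example that is not part of the original thread. It assumes an elevated session on the test PC and English-language gpresult output.

```powershell
# Added example; run elevated on the WSUS client (computer-scope RSoP needs admin).

# 1. GPOs filtered out for the computer scope, with the reason.
#    gpresult /r prints the GPO name on one line and "Filtering: <reason>" on the
#    next, e.g. "WSUS_computers" followed by "Filtering:  Denied (Security)".
$lines = gpresult /scope computer /r | ForEach-Object { $_.Trim() }
$filtered = for ($i = 1; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^Filtering:\s*(.+)$') {
        [pscustomobject]@{ GPO = $lines[$i - 1]; Reason = $Matches[1] }
    }
}
if ($filtered) { $filtered | Format-Table -AutoSize }
else           { 'No GPOs were filtered out for the computer scope.' }

# 2. Policy values the three Windows Update settings write on the client.
#    If the GPO was filtered out, these values are simply absent.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $wuKey      -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
[pscustomobject]@{
    WUServer           = $policy.WUServer            # intranet update service URL
    WUStatusServer     = $policy.WUStatusServer      # statistics server URL
    TargetGroupEnabled = $policy.TargetGroupEnabled  # 1 = client-side targeting on
    TargetGroup        = $policy.TargetGroup         # must match a WSUS computer group
    UseWUServer        = $au.UseWUServer             # 1 = use WUServer, not Microsoft Update
} | Format-List

# 3. TCP reachability of the server and port taken from the applied policy
#    (the thread uses port 8530 without SSL).
if ($policy.WUServer) {
    $uri = [uri]$policy.WUServer
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port
    'TCP {0}:{1} reachable: {2}' -f $uri.Host, $uri.Port, $tcp.TcpTestSucceeded
} else {
    'WUServer is not set: the WSUS GPO has not been applied to this computer.'
}
```

A client that shows the GPO under step 1 with `Denied (Security)` will show empty values in step 2, which is why it never contacts WSUS and never appears in the console.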

1 Answer

Once you have all of your GPO settings in and double-checked, you'll probably need to issue "gpupdate /force" from an Administrative command prompt on your Windows machine. The machine will likely reboot, after which it should show (at least initially) in the "uncategorized" WSUS computers group.

Sometimes a computer won't show if another instance of Windows with the same name (either the same machine from a different install or a different machine altogether) had previously existed on the WSUS server. Your best bet then is to delete the old WSUS registration and re-run the GPO update. If that doesn't work, there ought to be an error message in the Event Viewer related to why.

Rob Pearson
  • So there is no OLD installation here, this is a new setup, and only one test PC ever added. I have tried to run gpupdate /force a number of times over the past few days and have rebooted both WSUS server and client, not the domain GPO server though as the GPO is being applied. – htm11h May 22 '18 at 15:35
  • In that case, do you have any messages in Event Viewer related to GPO processor or WSUS? On either client or server? – Rob Pearson May 22 '18 at 17:52