How to manually trigger scan and install for Windows Server 2016, Windows Server 2019 and Windows Server 2022 with USOClient.exe?
You may want to initiate scan and install for Windows Server 2019 and 2022. Your first reaction to achieve this may be to run USOClient.exe StartScan and StartInstall.
However, USOClient.exe StartScan and StartInstall do NOT work on Windows Server 2022. For Windows Server 2022, you need to run USOClient.exe StartInteractiveScan, which triggers scan and install for updates deployed with or without a deadline.
For Windows Server 2019, you can still use USOClient.exe StartScan to trigger a scan and StartInstall to trigger an install. Alternatively, you can simply use USOClient.exe StartInteractiveScan to trigger both.
For Windows Server 2016, just use USOClient.exe StartScan and StartInstall to trigger scan and install respectively. StartInteractiveScan does NOT work for Windows Server 2016.
KB5015684: Featured update to Windows 10, version 22H2 by using an enablement package
You can use enablement package KB5015684 to upgrade Windows 10 version 2004, 20H2, 21H1, or 21H2 to version 22H2.
You can get this package from Windows Update and Microsoft Update, or from WSUS.
How to get this update

| Release Channel | Available | Next Step |
| --- | --- | --- |
| Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update. The update is named Feature Update to Windows 10, version 22H2. |
| Microsoft Update Catalog | No | This update is only available through the other release channels. |
| Windows Server Update Services (WSUS) | Yes | This update will automatically synchronize with WSUS if you configure Products and Classifications as follows: Product: Windows 10; Classification: Upgrades |
To get it from WSUS, you need to configure Products and Classifications as follows:
Product: Windows 10, 1903 and later
Classification: Upgrades
Note that the official article says to select Windows 10 under Products, which is actually wrong. What you need is Windows 10, 1903 and later.
In Windows category, tick Microsoft Windows operating system 21H2 and Server 2022 hotpatch Category.
Click Apply and OK.
Note – Windows Server 2022 = Windows Server 21H2.
After making the changes, wait for the scheduled synchronization or manually initiate the WSUS sync. To initiate the WSUS synchronization, in the WSUS console, right click Synchronizations and select Synchronize Now.
You may have noticed that the WSUS console sometimes does not show the OS version you expect.
Why
That is because the Version column in the WSUS console shows the Windows Update Agent version, which comes from the file C:\Windows\System32\wuaueng.dll, and the Windows Update Agent file version and the client OS version do not always match.
How to get the real client OS version?
You can run this query in SUSDB.
select Name, concat(OSMajorVersion, '.', OSMinorVersion, '.',OSBuildNumber) as OSVersion from PUBLIC_VIEWS.vComputerTarget;
WSUS client reporting error 80240439 and “Request Entity Too Large”
ISSUE
WSUS client reporting error 80240439
[webserviceinfra] Unknown_cxx00 CNativeWebServiceBase::TraceProperties() - Service URL='http://contoso.lab.com:8530/ClientWebService/client.asmx'
[webserviceinfra] Unknown_cxx00 CProxyRetryContext::DetermineProxyConfiguration() - Proxy Behavior: 1, using user proxy..
[webserviceinfra] Unknown_cxx00 CProxyRetryContext::UseDefaultProxyIfAvailable() - Default proxy unavailable, using direct connection.
[webserviceinfra] Unknown_cxx00 CProxyRetryContext::DetermineProxyConfiguration() - Proxy Behavior: 1, using user proxy..
[webserviceinfra] Unknown_cxx00 CNwsHelper::PrintWsError() - Nws Failure: errorCode=0x803d0000
[webserviceinfra] Unknown_cxx00 CNwsHelper::PrintWsError() - WS error: ? 'http://contoso.lab.com:8530/ClientWebService/client.asmx' ???????????
[webserviceinfra] Unknown_cxx00 CNwsHelper::PrintWsError() - WS error: ??????????? 'Request Entity Too Large' ? HTTP ??? '413 (0x19D)'?
[webserviceinfra] Unknown_cxx00 CNwsHelper::PrintWsError() - WS error: ???? HTTP ???????
[webserviceinfra] Unknown_cxx00 CNativeWebServiceBase::MapToSusHResult() - MapToSusHResult mapped Nws error 0x803d0000 to 0x80240439
[webserviceinfra] Unknown_cxx00 CNativeWebServiceBase::OnCallFailure() - Web service call failed with hr = 80240439.
[webserviceinfra] Unknown_cxx00 CNativeWebServiceBase::OnCallFailure() - Current service auth scheme=0.
[webserviceinfra] Unknown_cxx00 CNativeWebServiceBase::OnCallFailure() - Current Proxy auth scheme=0.
[agent] Unknown_cxx00 CAgentProtocolTalker::AttemptRecovery() - PT: Attempting to recover, action=5
0x80240439 refers to
Error Code: 0x80240439 (2149844025)
Error Name: WU_E_PT_INVALID_FORMAT
Error Source: Windows Update Agent
Error Message: The data received does not meet the data contract expectations.
SOLUTION
Go to directory C:\Program Files\Update Services\WebServices\ClientWebService
Back up the Web.config file in this folder
Open Web.config file and modify the below 2 values to:
maxReceivedMessageSize="2147483647"
maxBufferSize="2147483647"
Save the file (if it does not allow you to save the modified file, just make a copy of the file elsewhere and drag it into the directory to replace it)
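The same procedure as a script, added here as an example and not taken from the original post. It assumes that every element in Web.config which already carries one of the two attributes should be raised, since the post does not name the element that holds them.

```powershell
# Added example, not from the original post. Run elevated on the WSUS server.
# Assumption: every element that already has one of the two attributes is raised.
$config = 'C:\Program Files\Update Services\WebServices\ClientWebService\Web.config'
$target = '2147483647'

# Keep a timestamped backup next to the original before touching it.
$backup = '{0}.{1}.bak' -f $config, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $config -Destination $backup -ErrorAction Stop

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true   # keep the layout so a diff shows only the values
$xml.Load($config)

# Collect one record per attribute that actually changes (idempotent on re-run).
$changes = foreach ($name in 'maxReceivedMessageSize', 'maxBufferSize') {
    foreach ($node in $xml.SelectNodes("//*[@$name]")) {
        $old = $node.GetAttribute($name)
        if ($old -ne $target) {
            $node.SetAttribute($name, $target)
            [pscustomobject]@{ Element = $node.Name; Attribute = $name; Old = $old; New = $target }
        }
    }
}

if ($changes) {
    try {
        $xml.Save($config)
    } catch {
        # The "does not allow you to save" case: write a copy to swap in by hand.
        $copy = Join-Path $env:TEMP 'Web.config'
        $xml.Save($copy)
        Write-Warning "Could not write $config ($($_.Exception.Message)). Edited copy saved to $copy."
    }
    $changes | Format-Table -AutoSize
} else {
    Write-Output 'Both attributes are already 2147483647 (or not present); nothing changed.'
}
```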
This issue happened on an offline internal WSUS server, which does not have internet access. Its data was imported from another, internet-accessible external source WSUS server. For how to export and import WSUS data, refer to "Synchronize software updates from a disconnected software update point".
BEHAVIOUR
WSUS console shows:
The files for this update have not yet been downloaded. The update can be approved but will not be available to computers until the download is complete.
SoftwareDistribution.log shows the following, and nothing else about the BITS download:
UTC Info WsusService.22 ContentSyncAgent.Download Item: ed4fe8f2-08e3-4533-baf9-824531bcae8b has been submitted to BITS for Download
SOLUTION
When I ran in an elevated command prompt this command
bitsadmin /list /allusers /verbose
to list all the jobs, I observed 10 jobs in failed state due to being unable to resolve the download address.
GUID: {B179C08E-B3A6-4E53-A67C-2216F753EE78} DISPLAY: 'ed4fe8f2-08e3-4533-baf9-824531bcae8b'
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: NT AUTHORITY\NETWORK SERVICE
PRIORITY: HIGH FILES: 0 / 1 BYTES: 0 / UNKNOWN
CREATION TIME: 25/5/2022 5:28:27 PM MODIFICATION TIME: 26/5/2022 11:02:09 AM
COMPLETION TIME: UNKNOWN ACL FLAGS:
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 86400 ERROR COUNT: 107
PROXY USAGE: NO_PROXY PROXY LIST: NULL PROXY BYPASS LIST: NULL
ERROR FILE: http://download.windowsupdate.com/c/msdownload/eula/useterms_t1c_2r_ed_client_volume_1_et-ee-0631e9b6-a6be-4014-a512-db457f7e7bfe.txt -> D:\WSUS\WsusContent\83\E1084A7E5C68A4D0774CDEF8E8D90EDEC36A2C83.txt
ERROR CODE: 0x80072ee7
ERROR CONTEXT: 0x00000005
DESCRIPTION: SUSFile
JOB FILES:
0 / UNKNOWN WORKING http://download.windowsupdate.com/c/msdownload/eula/useterms_t1c_2r_ed_client_volume_1_et-ee-0631e9b6-a6be-4014-a512-db457f7e7bfe.txt -> D:\WSUS\WsusContent\83\E1084A7E5C68A4D0774CDEF8E8D90EDEC36A2C83.txt
NOTIFICATION COMMAND LINE: none
owner MIC integrity level: SYSTEM
owner elevated ? true
This job is read-only to the current CMD window because the job's mandatory
integrity level of SYSTEM is higher than the window's level of HIGH.
Peercaching flags
Enable download from peers :false
Enable serving to peers :false
CUSTOM HEADERS: NULL
...
Listed 10 job(s).
It was apparent that some EULA license files were missing. I downloaded those 10 missing files and put them in the correct WsusContent subfolders. Again, the update downloads got stuck. Running the bitsadmin command again to list all user jobs, I found another 10 missing EULA license files. Okay. I realized what went wrong. The copied content from the source WSUS server had missing EULA license files. To fix that once and for all, I did the following:
Go to the source WSUS server
Open an elevated command prompt
Navigate into C:\Program Files\Update Services\Tools
Run: .\WsusUtil.exe RESET
Copy all the folders again to the destination WSUS server
Restart bits service (PowerShell): Restart-Service BITS
Restart Wsus Service (PowerShell): Restart-Service WsusService
NOTE
By default, WSUS allows 10 simultaneous BITS download jobs. This limit is defined in the table tbConfigurationB.
SELECT MaxSimultaneousFileDownloads FROM [SUSDB].[dbo].[tbConfigurationB]
If the first 10 jobs get stuck, all the remaining update downloads have to wait and show up in the Downloading state, giving the impression that they are stuck. This is exactly what we are discussing in this article.
If you want more simultaneous jobs, you can change the setting in the database, e.g. increase it to 20.
UPDATE [SUSDB].[dbo].[tbConfigurationB] SET MaxSimultaneousFileDownloads = 20
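The triage done above with bitsadmin, as an added PowerShell example that is not part of the original post. The function name Get-StuckBitsJob and the sample object are constructed for illustration; Get-BitsTransfer returns all BITS jobs on the machine, not only those submitted by WSUS.

```powershell
# Added example, not from the original post. Run elevated: the WSUS jobs belong to NETWORK SERVICE.
function Get-StuckBitsJob {
    param(
        # Job objects to inspect; defaults to every user's jobs on this machine.
        $Jobs = (Get-BitsTransfer -AllUsers),
        # WSUS default for MaxSimultaneousFileDownloads, as stated in the note above.
        [int]$MaxSimultaneousFileDownloads = 10
    )
    $stuck = @($Jobs | Where-Object { [string]$_.JobState -in @('Error', 'TransientError') })
    foreach ($job in $stuck) {
        foreach ($file in $job.FileList) {
            [pscustomobject]@{
                DisplayName = $job.DisplayName
                State       = [string]$job.JobState
                Error       = $job.ErrorDescription
                RemoteName  = $file.RemoteName
                LocalName   = $file.LocalName
                # False means the content file is still missing from WsusContent.
                LocalExists = Test-Path -LiteralPath $file.LocalName
            }
        }
    }
    if ($stuck.Count -ge $MaxSimultaneousFileDownloads) {
        Write-Warning ("{0} job(s) in an error state fill all {1} download slots; every other update waits in Downloading." -f $stuck.Count, $MaxSimultaneousFileDownloads)
    }
}

# Constructed sample shaped like the job in the bitsadmin output above,
# so the function can be tried without a live BITS queue.
$sampleJob = [pscustomobject]@{
    DisplayName      = 'ed4fe8f2-08e3-4533-baf9-824531bcae8b'
    JobState         = 'TransientError'
    ErrorDescription = 'constructed sample text for error 0x80072ee7'
    FileList         = @([pscustomobject]@{
        RemoteName = 'http://download.windowsupdate.com/c/msdownload/eula/useterms_t1c_2r_ed_client_volume_1_et-ee-0631e9b6-a6be-4014-a512-db457f7e7bfe.txt'
        LocalName  = 'D:\WSUS\WsusContent\83\E1084A7E5C68A4D0774CDEF8E8D90EDEC36A2C83.txt'
    })
}

# Ten copies reproduce the situation in the post: ten stuck jobs, all slots taken.
Get-StuckBitsJob -Jobs (@($sampleJob) * 10) | Format-List
```

On the WSUS server itself, call Get-StuckBitsJob with no arguments to inspect the live queue.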
WSUS console shows Language Pack KB2839636 not installed
If you are using WSUS to push Windows language packs, e.g. KB2839636, to client computers, you will find that language packs always show up as not installed, even though they have actually been installed.
English (United Kingdom) Language Pack – Windows Server 2012 R2 – (KB2839636) [en-GB_LP]
Successfully installed
WindowsUpdate.log prints information like the following.
Agent Update {2444413B-97BD-426B-8094-C0A15F185364}.200 will NOT be explicitly evaluated
Agent Update {2444413B-97BD-426B-8094-C0A15F185364}.200 will NOT be explicitly evaluated
Agent update {2444413B-97BD-426B-8094-C0A15F185364}.200 is not a match for update type criteria, failed PreEvalFilterUpdateForTopLevelMatch
Agent Update {2444413B-97BD-426B-8094-C0A15F185364}.200 will NOT be explicitly evaluated
Agent Update {2444413B-97BD-426B-8094-C0A15F185364}.200 will be explicitly evaluated
Agent Evaluating applicability for prereqs for update {2444413B-97BD-426B-8094-C0A15F185364}.200.
Agent Update {8B4E84F6-595F-41ED-854F-4CA886E317A5}.203 is Installed, prereq for update {2444413B-97BD-426B-8094-C0A15F185364}.200
Agent Update {CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83}.100 is Installed, prereq for update {2444413B-97BD-426B-8094-C0A15F185364}.200
Agent Update {04437CF2-2157-44C9-96DF-6CD88B0DC541}.203 is Installed, prereq for update {2444413B-97BD-426B-8094-C0A15F185364}.200
Agent Update {59653007-E2E9-4F71-8525-2FF588527978}.100 is Installed, prereq for update {2444413B-97BD-426B-8094-C0A15F185364}.200
Agent Evaluating applicability for Update 2444413B-97BD-426B-8094-C0A15F185364. Bundle contains 1 updates:
Agent * Update 8779063C-4360-4EDE-9990-5B77A338DD15
Agent Need to Evaluate Update 8779063C-4360-4EDE-9990-5B77A338DD15 for Bundle Package 2444413B-97BD-426B-8094-C0A15F185364
Agent Evaluating applicability for prereqs for update {8779063C-4360-4EDE-9990-5B77A338DD15}.200.
Agent Update {8B4E84F6-595F-41ED-854F-4CA886E317A5}.203 is Installed, prereq for update {8779063C-4360-4EDE-9990-5B77A338DD15}.200
Agent Evaluated Installed rule, updateId = {{8779063C-4360-4EDE-9990-5B77A338DD15}.200}, result = False
Agent Final detection state for update 116285 (updateId = {8779063C-4360-4EDE-9990-5B77A338DD15}.200) is "Installable"
Agent Evaluating applicability for Update 2444413B-97BD-426B-8094-C0A15F185364. Bundle contains 1 updates:
Agent Final detection state for bundle update 116321 (updateId = {2444413B-97BD-426B-8094-C0A15F185364}.200) is "Installable"
Agent Final detection state for update 116321 (updateId = {2444413B-97BD-426B-8094-C0A15F185364}.200) is "Installable"
Agent FilterUpdateForGenericMatch check for {2444413B-97BD-426B-8094-C0A15F185364}.200
Agent FilterUpdateForGenericMatch check for {2444413B-97BD-426B-8094-C0A15F185364}.200
Agent Excluding update {2444413B-97BD-426B-8094-C0A15F185364}.200 from search results because it is only in excluded categories.
Agent Not returning update {2444413B-97BD-426B-8094-C0A15F185364}.200 because it is in an excluded category
Report Installable updates (PDC) Id: {2444413B-97BD-426B-8094-C0A15F185364}
Report Installable updates (PDC) Id: {2444413B-97BD-426B-8094-C0A15F185364}
Report Installable updates (PDC) Id: {2444413B-97BD-426B-8094-C0A15F185364
This is working as designed. In fact, whether to install a language pack is user behaviour. In other words, it is up to users to decide whether to install a language pack or not. If you made a language pack available to devices via WSUS, users can go to Settings to get the language pack, which can be downloaded from WSUS. It is a “Pull” behaviour by users instead of a “Push” behaviour by WSUS.
There are also other discussions about this, for example –
Client computers show up in Unknown tab in Deployment status after updates deployment
One of the most common issues you ever come across is that client computers stay in Unknown tab in Deployment status in SCCM console. There are several reasons for this:
The client computer is turned off
The client computer is considered inactive by SCCM, though you can see that it is actually running
The client computer has an issue with updates scanning
The last possibility is the one seen most often. Recently I ran into such an issue caused by problematic updates scanning.
ScanAgent.log shows the following messages.
03-21-2022 16:43:40.123 ScanAgent 2928 (0xb70) ScanJob({383C1CD8-0555-44E4-A96A-551EA38718F6}): CScanJob::OnScanComplete -Scan Failed with Error=0x80240437
03-21-2022 16:43:40.139 ScanAgent 2928 (0xb70) ScanJob({383C1CD8-0555-44E4-A96A-551EA38718F6}): CScanJobManager::OnScanComplete- failed at CScanJob::OnScanComplete with error=0x80240437
0x80240437 means –
Error Code: 0x80240437 (2149844023)
Error Name: WU_E_PT_SECURITY_VERIFICATION_FAILURE
Error Source: Windows Update Agent
Error Message: There was a problem authorizing with the service.
This error code points out that the client has a communication security issue with the software update point. Looks like the client was rejected by the software update point server.
LocationServices.log reveals the WSUS server it was trying to connect to.
03-21-2022 16:43:35.295 LocationServices 2928 (0xb70) Calling back with the following WSUS locations
03-21-2022 16:43:35.295 LocationServices 2928 (0xb70) WSUS Path='https://contososup.test.lab:8531', Server='contososup.test.lab', Version='4241', LocalityEx='BOUNDARYGROUP', SUPFallbackIn='0'
As you can see, the client was connecting to contososup.test.lab at port 8531. I tested the communication between the client and the software update point with TNC contososup.test.lab -Port 8531. All was good.
Then I captured two network trace files while triggering a Software Update Scan cycle from Configuration Manager client UI. The two network traces show the following interesting behaviour.
Client –
Server –
The client and server could complete the TCP three-way handshake but failed to establish the TLS 1.2 connection. At that moment, I suspected the server might not support TLS 1.2. However, SoftwareDistribution.log from the software update point server proved me wrong. The log says TLS 1.2 is indeed enabled.
Remoting into the software update point server, I verified TLS 1.2 with IIS Crypto, a good free tool to check TLS settings.
What else to check? I launched WSUS console on the software update point server and caught sight of the following!
The WSUS server was actually using port 8530 instead of 8531. Why was the client trying to connect on 8531? I went back to the client computer and checked its WSUS settings in the registry, which had the same information found in LocationServices.log.
As you know, SCCM sets local group policy to define WSUS settings. Is there something wrong with the software update point role? With that thought, I went back to the SCCM console and examined the software update point role settings. Voila, there is the answer: the Require SSL communication to the WSUS server option is checked.
SOLUTION
Go to SCCM console
Navigate to the Software Update Point
Right click on it and then on Properties
Select General tab
Uncheck Require SSL communication to the WSUS server
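A client-side check that separates "the port answers" from "the port completes a TLS 1.2 handshake", which is the gap the TNC test left open in the investigation above. This is an added example, not part of the original post; the function name Test-WsusTls is hypothetical, and the default URL is read from the WUServer policy value under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

```powershell
# Added example, not from the original post.
function Test-WsusTls {
    param(
        # Defaults to the WSUS URL that policy wrote on this client.
        [string]$WsusUrl = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue).WUServer
    )
    if (-not $WsusUrl) { throw 'No WSUS URL given and no WUServer policy value found.' }
    $uri = [Uri]$WsusUrl
    $result = [ordered]@{
        Url = $WsusUrl; Scheme = $uri.Scheme; Port = $uri.Port
        TcpOpen = $false; TlsOk = $false; Detail = ''
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, $uri.Port)
        $result.TcpOpen = $true            # this is all that TNC -Port proves
        if ($uri.Scheme -eq 'https') {
            # Default certificate validation stays on: TlsOk means the handshake
            # completed and the server certificate validated on this client.
            $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
            $ssl.AuthenticateAsClient($uri.Host, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $result.TlsOk  = $true
            $result.Detail = "Negotiated $($ssl.SslProtocol)"
            $ssl.Dispose()
        } else {
            $result.Detail = 'Plain HTTP URL; no TLS expected.'
        }
    } catch {
        # DNS failure, refused connection, or a listener that does not complete TLS.
        $result.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$result
}

# URL taken from the LocationServices.log line above.
Test-WsusTls -WsusUrl 'https://contososup.test.lab:8531'
```

TcpOpen = True with TlsOk = False is the pattern seen in the network traces above. Where HTTPS to the software update point is required, the alternative to unchecking the option is to configure WSUS and IIS for SSL so that this probe returns TlsOk = True.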