Scenario

As I explained in earlier posts, accepting new updates for MS Windows too early can be quite dangerous these days.

Example of the moment: KB3189866 causes problems regarding the download of later updates from WSUS.

E.g. you might have started a client setup from a fresh Win10 1607 ISO, you see it downloads some updates and installs them, but at some time it keeps trying to download updates and never finishes. Get-WindowsUpdateLog does not contain any error messages.

Solution

Download KB3193494 and install it manually (WSUS would not make much sense in this case; as alternative, use a GPO script. An interesting approach is described here). Afterwards, you should see Windows 10 download updates from WSUS again.

UPDATE 2017-01-23, my recommended solution at the moment for Win10 1607 clients which do not get updates:

  1. Download KB3194798 and this registry patch, move them to a public readable network share.
  2. In your group policy management, create a WMI filter “win10 1607 without updates” and with this WMI command:

    1. (Note: We use a certain file’s last modification date from which we know it will be updated when KB3194798 is installed. So the WMI filter returns true if the file is too old on the client, i.e. no updates were installed)
  3. Create a new GPO “Win10 1607 update bugfix” and apply the WMI filter.
  4. Under Computer Configuration, create a startup script “installUpdate.bat” and activate (add) it. The content can look like:

    1.  
  5. Add the RegistryPatch.msi file to the GPO’s software installation area.
  6. Reboot your client(s).

Note that installing the 2 patches can take some time and it might not always work the first time. Basically, if you do not see “wusa.exe” in Task Manager any more, the system is ready to reboot.

 

  honeyp[email protected]