WSUS – Updates available but clients are up to date

Recently I started playing around with WSUS, and after getting everything set up I found that clients were reporting into WSUS and WSUS was showing that updates were available, but when I clicked “Check for Updates” on the Windows 10 client it would come back with “Your device is up to date!”

If you ever run into this issue, I have a solution. 2 things to know:

  1. If you are not using client-side targeting in your GPO, your computer gets automatically added into the “Unassigned Computers” computer group.
  2. WSUS works on its own magic schedule. Even though you manually pressed “Check for updates”, unless it’s time for your computer to refresh in WSUS, it won’t pick up any group changes that were made.

In my case, this was the issue. I would domain join, and the computer would get put into the “Unassigned Computers” group, which had no approved updates. I would then move the computer and press “Check for Updates”, and it would take about 30-60 minutes for the computer to actually show there are updates.

If you read your Windows Update logs you will see an entry that goes something like this: “Cookie still valid, continuing”. This essentially means that your computer is caching the settings it last used from WSUS, and is not seeing those updates. You need to force it to update by running “wuauclt /resetauthorization /detectnow”. This tells the computer to clear its cache and re-detect updates from WSUS.

As soon as I did this, my client OS was able to pick up updates without a problem.

Alternatively, if you use the client-side targeting GPO you won’t run into this problem, since your computer will be automatically added into the appropriate pool, and your initial sync will be accurate.
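
The check and the fix described above, combined into one script. This is an added example, not part of the original post. It assumes the standard Windows Update policy registry values (WUServer, TargetGroupEnabled, TargetGroup), an elevated PowerShell session on the client, and a temporary log path chosen for illustration; the function name is hypothetical.

```powershell
# Added example: report WSUS targeting policy, look for the cached-cookie
# log entry, then force the client to re-authorize against WSUS.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusTargetingState {
    # Values written by the "Specify intranet Microsoft update service location"
    # and "Enable client-side targeting" group policies.
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WsusServer       = $p.WUServer
        TargetingEnabled = ($p.TargetGroupEnabled -eq 1)
        TargetGroup      = $p.TargetGroup
    }
}

$state = Get-WsusTargetingState
$state | Format-List

if (-not $state.WsusServer) {
    Write-Warning 'No WUServer policy value found; this client is not pointed at WSUS by policy.'
}
else {
    if (-not $state.TargetingEnabled) {
        # Without client-side targeting the group is assigned on the WSUS
        # server, starting in "Unassigned Computers".
        Write-Warning 'Client-side targeting is off; group changes made in WSUS reach this client only after its cached cookie is refreshed.'
    }

    # Windows 10 keeps Windows Update logs as ETW traces; convert them to text.
    # Assumption: a temp file is an acceptable place for the merged log.
    $log = Join-Path $env:TEMP 'WindowsUpdate.log'
    Get-WindowsUpdateLog -LogPath $log | Out-Null

    # The post quotes the entry only approximately, so match loosely.
    Select-String -Path $log -Pattern 'cookie' |
        Select-Object -Last 5 |
        ForEach-Object { $_.Line }

    # Discard the cached WSUS cookie and start a new detection cycle.
    & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
}
```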