Important update for WSUS 4.0 (KB 3095113)

Most of you know that we released the Windows 10 1511 feature update, which is the first in-place upgrade for Windows 10, to WSUS in December 2015.  To fully enable this deployment scenario, we shipped a patch to WSUS for WS12 and WS12R2 (KB 3095113) in October 2015.  Following this release, we received some questions regarding the applicability of this update.  Such questions included:

  • Is this patch required to support Windows 10?
  • What happens if I don’t install it?
  • Should I wait for the DLC or other non-Hotfix release?
  • Are there any known issues with the release?


The simple translation of "Support Windows 10"

You might be asking whether WSUS can recognize, sync/import, and distribute Windows 10 updates without having to receive a patch itself to enable this functionality.  If this is your concern, then you will not need any patches to enable this behavior.  While Windows 10 is indeed a monumental release in our history, from the WSUS perspective it's just another product in the list, and there's nothing new to Windows 10 updates (including security updates) that requires WSUS to be modified in order to handle them.  Administrators of WSUS 3.0 SP2 (including SBS 2011) and unpatched WSUS 4.0 will be able to deploy Windows 10 updates, but not feature updates.


Our preferred translation of "Support Windows 10"

One feature that makes Windows 10 special is delivering Windows as a service.  For the WSUS or Configuration Manager administrator, this means enabling feature updates to a new build of Windows.  These feature updates will be processed just like the usual quality updates, except that once they are approved for installation on WSUS/ConfigMgr-managed machines, they upgrade the entire build, not just some of its binaries.  If you're a member of the Windows Insider Program, then you've already been using this technology for a while (though not via WSUS).  Wiping and loading images in order to refresh your Windows builds can be nothing but a memory, and that's what is offered here.  It's especially useful because new Windows 10 builds will be released much more frequently than on the one-to-three-year release cycle to which you might be accustomed.  In order for WSUS to support these feature updates, it needs to install a patch.  Feature updates introduce a new update content file type (and classification, called Upgrades) that will likely only be apparent to the WSUS admin: we've done our best to abstract the details from non-enterprise users.


As for the quality

Some folks are cautious about updates like KB 3095113 being released with boilerplate text that include verbiage such as “do not install unless you are experiencing this issue.”  Hotfix is our most expedient release vehicle, and we wanted to provide as much time to deploy this ahead of the Windows 10 1511 feature update release to WSUS as possible.  We have tested it the same as we would any Windows Update release, so there is no reason to wait to install the update on your WSUS 4.0 servers.  For your convenience, we’ll be releasing the update more broadly to DLC and Catalog, as well as to WSUS itself, in the first quarter of 2016.  If you prefer to wait for those releases, then please review the caution described next.


Important caution

WSUS may be able to see the Windows 10 1511 feature update even if it can’t properly download and deploy the associated packages.  The feature updates will become visible as soon as the “Upgrades” classification is checked in the WSUS options for Products and Classifications.  If you attempt to sync any Upgrades without having first installed the recent patch, then you will populate the SUSDB with unusable data that must be cleared before Upgrades can be properly distributed.  This situation is recoverable, but the process is nontrivial and can be avoided altogether if you make sure to install the update before enabling sync of Upgrades.  If you have encountered this issue, then please stay tuned for an upcoming KB article that details the recovery steps.


What this means for you

If you are content to wipe and load images for Windows 10 in order to stay on a current build, then simply do not enable sync of Upgrades in your WSUS, and do what you usually do to upgrade your Windows builds.  However, if you ever intend to deploy Windows 10 and fully enable Windows as a service for your enterprise, then you'll want to deploy the recent patch.  Furthermore, the safest route is to enable sync of Upgrades in your WSUS only after you have installed this patch on all WSUS 4.0 servers that service Windows 10 machines in your environment.


Your 1511 upgrade experience

The Windows 10 1511 feature update is available via WSUS today, and it will apply to Windows 10 RTM as well as Windows 7 and Windows 8.1 machines.  If you are upgrading from Windows 10 RTM, then the process is highly automated: it will skip the application provisioning stage and all setup steps that require user interaction, and will preserve file associations and other settings by default.  Upgrading from Windows 7 and Windows 8.1 via WSUS will require some end user interaction because the entire platform is changing, not just a build.


Feel free to post any questions below, and we'll clarify as needed.

Comments (157)
  1. Todd Meyers says:

    If WSUS is used to install updates during an MDT or ConfigMgr OSD task sequence, does the 1511 feature upgrade interfere in any way, or does it install without breaking OSD?

  2. Harry Johnston says:

    My WSUS server is running Windows 2008 R2. Where does that leave me?

  3. Sir Francis Bacon Mmm... Bacon says:

    Can you clarify the last paragraph please? Does this mean Windows 10 will be deployed to Windows 7 and Windows 8.1 (with said user interaction) via WSUS if the computers’ client target group has the update approved?

  4. Sandy Wood says:

    I build images with MDT 2013 and have been using 1511 as my base Win 10 OS to deploy. I use WSUS to patch these deployments and wonder if I’ll need to install KB3095113 to get updates to my 1511 images.

  5. Todd: The 1511 feature upgrade carries a EULA that must be approved by the WSUS administrator before it can be installed on managed clients. This won’t happen automatically. With that said, a managed client has to scan WSUS in order to determine that it
    has the 1511 upgrade available for installation. If the managed client is busy doing other setup tasks because of ConfigMgr or MDT, then it will finish those first, and then consider the 1511 feature upgrade not applicable when it does get around to scanning.

    Harry: WS08R2 SP1 can only run WSUS 3.0 SP2, so you’d be in that boat as described. We’ve got another post coming for folks in your situation that should illuminate your options and our recommendations here. Not sure what you mean by your other question.

    Sir Francis: It means the 1511 feature upgrade can target Win7 and Win8.1 systems. If the WSUS administrator approves installation to those computer groups AND those computers are not marked to defer upgrades (they must be on the "CB train" to get this), then
    yes, the behavior will be as you describe.

    Sandy: The update applicability is determined by build, and is agnostic to how the build was installed on the machine. If you’re running 1511 on your Win10 machines, then not only do you not need this upgrade via WSUS, you won’t even be able to install it because
    it will show as not applicable to those machines. However, should you want to change your deployment approach in the future, you could use WSUS instead of MDT.

  6. Todd Meyers says:

    Steve: To clarify, we are using the "Install Updates" step in MDT to install all outstanding approved Windows and Office updates during OSD. I’m just wondering if the 1511 upgrade will install like a normal update during that task sequence step, or if
    installing a new build of Windows as part of the task sequence breaks OSD. That scenario must have been tested already.

  7. Glenn says:

    We only have Enterprise. No other edition of Windows. We’re probably going with LTSB on all systems when we upgrade to Windows 10, and we’ll do it via Wipe/Reload. Do we still need this patch?

  8. PeterAUS says:

    This is great and all but we have seen Windows uninstall AV for example Trend office scan 10.0.2995 SP1 which is Windows 10 compatible, after the upgrade has taken place.
    This control needs to be given back to the IT admin.

  9. Thorsten5 says:

    Does KB3095113 depend on KB2938066?

  10. Jon says:

    RE: 2008 R2 options. I’m looking forward to that post. We have a 2008 R2 server using a remote SQL server for the database and finding clear info to migrate this scenario is tough.

  11. Will the "Upgrades" classification hold in an environment in which WSUS 4.0 is integrated with SCCM 2012 R2? Or will Configuration Manager vNext be needed?

  12. anonymouscommenter says:

    212 Microsoft Team blogs searched, 50 blogs have new articles. 175 new articles found searching from

  13. ML49448 says:

    So in order to ensure 1511 upgrade only applies to Windows 10 computers, I need to have separate WSUS groups for Windows 7/8 and Windows 10? I have about 20 groups in WSUS for different departments so now that means I need twice as many groups in WSUS.

  14. Jonathan says:

    What are the steps to cleanup the database if the "upgrades" classification was checked before the patch was applied?

  15. Brian Hoyt says:

    Ditto what Anthony said + Edu SKU.

  16. David says:

    A few of us seem to be having issues with download failures from the clients. Issue appears to be with the way the clients Windows update downloads the install.esd file (content/D3/5EDACCE1…2150D3.esd from the wsus server. I manually went to the location
    and copied it to the c:/Windows/softwaredistribution/download/72e71…84eeed folder and renamed the file to what it was expecting according to the Windows update log. Then restarted the system and told it to retry the 1511 installation and it completed as

  17. David says:

    Guess I should add that I am currently using server 2016 tp4 build 10586.29 currently as the wsus server.

  18. So if I sync it before install the hotfix, upgrade clssification is gone in Software Update, how can fix it? how to clear the SUSDB

  19. HimuraCC says:

    Same problem of David.
    All the Windows 10 Pro clients have an issue to download the update.
    WSUS on Windows 2012 Server Standard with patch KB3095113 installed before the ‘Upgrades’ category.

    Thank you.

  20. Henri says:


    You state: "Administrators of WSUS 3.0 SP2 (including SBS 2011) and unpatched WSUS 4.0 will be able to deploy Windows 10 updates, but not feature upgrades".

    Since the "WSUS patch" you refer to applies ONLY to Win2012 and not to SBS2011/WSUS 3.2, must we assume then SBS2011/WSUS3.2 will NEVER be able to support WIn20 Upgrades?


  21. CurtK-CA says:

    Me too, same problem as David and Himura, Windows 2012R2 WSUS already patched before checking the Upgrades feature in WSUS. It downloaded to the server fine. I created a Windows 10 Upgrades container and a Windows 10 workstations (for those already on
    W10). I approved the 1511 upgrade in those two containers and put some test PC’s in. I did receive the EULA on the management station and agreed. The ESD is in the D3 directory. The test PC’s all show a failed upgrade to Windows 10 1511 and the Windows 10
    PC’s also fail. It shows a failure to download with error code 80244019. This seems to be on any Windows 7, 8.1 or 10 machine. Is there something we can do to fix the server to get the right name to download?

  22. lavee45 says:

    When I go to try and download the KB3095113 file, I get the message "Sorry, the page you requested is not available". Is there another link we can use to get it? is what shows in the address after I click the download hotfix button.

  23. Todd: I’ve contacted the MDT owners to confirm the expected behavior in this scenario, which I’ll post as soon as I have it.

    Glenn: You needn’t be so quick to rule out CB/CBB in your environment. LTSB will also be eligible for a one-way upgrade to the CB/CBB servicing trains, and you may want this functionality somewhere down the road. It doesn’t hurt to patch your WSUS now, just
    so you don’t run into problems later. Also, the patch fixes an issue where Windows 10 machines display as "Windows Vista" in the WSUS console, so it’s worth getting for that reason, too.

    PeterAUS: What the upgrade does when it’s on the box is not up to WSUS, so I unfortunately can’t comment on this uninstall behavior you’re seeing. I’ve sent your note to the appropriate team, though, and will let you know when I get an answer.

    Thorsten: KB2938066 should be installed on every WSUS server in order to ensure proper functioning (and secure operation). With that said, there is no hard-coded prerequisite for this specific KB.

    Kevin: You’ll need Configuration Manager vNext to support deployment of feature upgrades, though you might see them in your SUM console today because that view is based on what WSUS can see. I recommend you do not sync Upgrades if you cannot deploy them.

    Anthony: When deployment is complete (in progress at the moment), you’ll see version 1511 upgrades for Pro, Education, and Enterprise in your WSUS.

    Michael: The 1511 upgrade only targets Windows 7, 8.1, and 10. Any groups with Windows 8 machines need not be duplicated from your existing environment. With that said (and without knowledge of your environment), you might consider creating a new group of all
    your Windows 10 machines, to be used only for the purpose of deploying an upgrade, and then continue with your current groups for update management.

  24. Jonathan/Sandy: We’ll be posting a KB article that describes how to fix your SUSDB if you happened to miss the warning in this blog post to patch first. Maybe we’ll use bigger font next time. =]

    Tim: The licensing download issue is one we haven’t seen. I’m having someone look into this, and will let you know via this blog (and possibly KB) when a workaround is available. Can you share the download error you’re seeing in windowsupdate.log when this
    occurs? Any event log entries to go with it?

    Henri: Stay tuned for a more comprehensive treatment of the WSUS 3.2 topic regarding Windows 10 servicing.

    CurtK-CA/Himura: Have you checked your windowsupdate.log to see whether the file it’s expecting matches the filename in your SUSDB? If there is a mismatch, then you might review David’s post above. I can’t comment on our official workaround until we’ve had
    a chance to take a look ourselves.

    lavee45: Can you try again? I get an "Accept Terms" page when I click the link you provided, and am able to download the hotfix afterward.

  25. Steve Henry, I didn’t miss the waring. 🙂 I setup 4 test labs, use one of them to test "sync before hotfix", just curious how to fix it, it is kind of instersting to fix things. 🙂

  26. Anonymous says:

    (This comment has been deleted per user request)

  27. Remy Monsen says:

    I can confirm Alexx80’s solution. I had just figured out the same myself, and was went here to post about it. By default, IIS throws 404 for unknown mime types, and I assume .esd is a new type not used by windows update in the past, since I haven’t seen this
    problem before.
    Anyway, thanks for sharing, If I hadn’t figured it out already, your post would have done it.

  28. Dale says:

    same here, upgrades for Windows 10 Pro version 1511 only. I did 2 sync’s in the last hour as well.

  29. lavee45 says:

    Steve…I generally use FF/Chrome and that’s why it wasn’t working…opened the link in IE and it works…lol. Also just noticed your other comment about how this hotfix fixes Win10 showing up as Vista in WSUS…wish I would have known that sooner…I
    just went and manually fixed it! :sigh: 😀

  30. Please post here if you’re still seeing ESD download failures after using Alexx80’s solution. We were about to recommend something similar via PowerShell scripts.

    Regarding the visible upgrades, we are investigating existing publishing issues (which didn’t occur when we released this internally), and hope to have Education and Enterprise published soon. This is our first time pushing upgrade content to WSUS externally,
    so it’s a bit rockier than it will be in future releases. We appreciate your patience and willingness to look for solutions to the new challenges that have arisen. We will finalize the release for the remaining editions as soon as we’ve worked out these issues.

  31. Anthony says:

    Window 10 Enterprise 1511 showed up in WSUS tonight. I approved it and it downloaded. Create a Windows 10 container and placed my test Windows 10 RTM machines in there. Ran a manually Windows Update check from one of these machines and it did not find
    the update. Check WSUS and saw the test machines come up as Approval: Install and Status Not Applicable. What did I miss?

  32. Siroj says:

    Hi everybody!
    Running SCCM v1511 with required KB installed on Server 2012 R2 fully updated.

    Downloads of the 1511 upgrade files (every lang) on our server results in:
    "Error: Failed to download content id 16777266. Error: Invalid certificate signature"
    PatchDownloader.log reads:
    "Authentication of ***.tmp failed, error 0x800b0004"
    "ERROR: DownloadContentFiles() failed with hr=0x80073633"

    Downloading of regular updates work fine.
    Any idea anyone?

  33. Siroj, I have same kind of problem:
    Cert revocation check is disabled so cert revocation list will not be checked.
    To enable cert revocation check use: UpdDwnldCfg.exe /checkrevocation
    Authentication of file C:UsersxxxxxxxAppDataLocalTempCABB805.tmp failed, error 0x800b0004
    ERROR: DownloadContentFiles() failed with hr=0x80073633

  34. jonatnav2 says:

    Am I to understand that the 1511 update for existing Windows 10 Enterprise installs will also update all of my existing Windows 7 and Windows 8.1 machines? The update came through last night and is being marked as needed by every computer that reports
    to WSUS. Will an update just for Windows 10 machines become available? Given the way we have clients assigned to groups from group policy and with the way our AD is structured, we can’t separate machines out based on OS.

  35. Siroj says:

    Just to rule out any leftovers from previous versions, on a secondary server i have installed a fresh standalone SCCM v1511 server with SQL and i am experiencing the exact same issue of not able to download the Enterprise upgrade files and same 0x800b0004
    and 0x80073633 errors as mentioned above.

  36. Siroj says:

    To clarify, the failing downloads i am mentioning in previous posts are happening on the SCCM server, not on the clients!

  37. CurtK-CA says:

    So I checking in the windowsupdate.log file to see and I did find the line where it’s failing, but not so good at interpreting these logs. It kind of appears that the download in not happening correctly, although it does say it resumes, but issues a warning:

    2015-12-11 04:33:09:759 500 1270 DnldMgr Failed job file: URL = http://stratos:8530/Content/D3/5EDACCE15EFC2DA352903D4A32EB53752F2150D3.esd, local path = C:WINDOWSSoftwareDistributionDownload72e71a052404de5be507e0b8fa84eeed10586.0.151029-1700.th2_release_CLIENTPRO_RET_x64fre_en-us.esd

    2015-12-11 04:33:09:915 500 12d0 AU # WARNING: Download failed, error = 0x80244019

    All our testing machines are failing in this way. One thing I have noticed as well is that I used to have an Upgrades section under Updates in the WSUS mgr, but that’s now gone. I did install the patch well before ever checking that box and allowing sync (was
    days in between actually). But it no longer appears in the list.

    Everything still shows failing no matter what the client.

  38. CurtK-CA says:

    Just as follow up, trying out the ESD/Mime type fix as well…now I receive WindowsUpdate_8007139F error, so different than before. Actually got a pop up box asking if I want to upgrade now or schedule for later. Then it started and failed.

  39. Anthony says:

    So a follow up for why my clients did not see the upgrade. I had previously turned on "Turn off the upgrade to the latest version of Windows through Windows Update" back in the summer. Since then I have moved on to Windows 10 admx templates. I guess Microsoft
    removed that GPO setting so I didn’t see it any more in Group Policy Manager. So what I did was grabbed a Windows 8.1 WindowsUpdate.admx file and placed it in my central store. Then set it to not configured. My clients see the upgrade now. One of them is in
    the process of upgrading now. Let’s see if I get any other errors.

  40. Joe says:

    i have sccm 2012R2 ver: 5.0.7958.1000
    I trying to figure out the upgrade process
    Do I need to install the May 2015 SP1 CU1 and then this latest 1511 or can I just jump to the 1511

    also when do I install the hotfix, before doing any upgrades or after

  41. siegeld says:

    Well, I accidentally checked the upgrade box before I installed the patch. What do I do to recover from this?

  42. Joe says:

    from further reading it appears I will need to install configmgr 2012 R2 sp1 as a first step, would that be correct

  43. fr says:

    When are the details of how to recover from enabling Upgrades without the hotfix going to be posted? Like many people I didn’t see this blog post in time.

  44. John says:

    Thank you for these details. We wish we had this information when KB3095113 was first released. We are anxiously waiting for the details behind the nontrivial process to recover from syncing any Upgrades without having first installed KB3095113. We are
    even more eager to learn about what can be done for an enterprise that is running WSUS mostly from Server 2008R2.

    Finally, does Microsoft expect an enterprise to upgrade all of its WSUS servers to Server 2012 or better and also install KB3095113 on all of its WSUS servers before enabling the ‘Upgrade’ option?

    If so, that’s going to severely impact Win10 deployment at some enterprises who may begin to look for some WSUS alternatives from other vendors.

  45. reto says:

    • WSUS on Windows Server 2012 – Windows 10 Pro Clients
    • The WSUS Hotfix Update KB3095113 is already installed and "Upgrades" section is visible.
    • The Updates "Upgrade to Windows 10 Pro, Version 1511, 10586" is ready to install.

    • All Windows 10 clients get same error: Download failed.

    • IIS: Add a MIME type on IIS for *.esd as application/octet-stream

    (Many thanks to:

    Test Result
    • Windows Update download completed successfully.
    • Installation of Windows 10 Pro 1511 finished after 25min. without errors.

    But unfortunately our Windows 7 Enterprise Clients still get Windows update error. Code 80244019.

  46. bcweis says:

    Adding the MIME type got me past the download error… but then the client goes into "Preparing to Install" and errors out at 50%. I’m not quite sure what error, as it dumps a ton in the logs. How to decipher what is relevant??

  47. Siroj says:

    New upgrade files appeared today with added "Volume" and "Retail" description, unfortunately still the same error when downloading.
    Patchdownloader.log shows the new entry refers to the same file as before.

  48. anonymouscommenter says:

    みなさま、こんにちは。WSUS サポート チームです。
    先日 Windows Server 2012 / 2012 R2 の WSUS に適用可能な更新プログラム KB 3095113 がリリースされましたが

  49. nick says:

    Yes the retail and volume editions show as applicable to the same machines.

  50. John says:

    Hi Steve, can you ask someone on the WSUS team to expire the KB3114409 update please?

  51. Andy says:

    If the Upgrades Classification was enabled and a sync has been done before applying the hotfix you say "This situation is recoverable, but the process is nontrivial and can be avoided altogether if you make sure to install the update before enabling sync
    of Upgrades."

    Is this non-trivial process documented – I feel I might be in need of it!

  52. bcweis says:

    +Andy — I too am patiently awaiting this… keeping this blog page open and refreshing it every hour!

  53. Andre Christiansen says:

    i am running mad. Yesterday we updated a customer from SCCM 2012 R2 SP2 to SCCM 1511. All fine. The new "Upgrades" synced. But download fails as described above. But this is not my problem. The Problem is my lab. I updated my lab also to 1511. I installed the
    wsus hotfix and WSUS is showing the "Upgrades". But the Upgrades category is not synced to SCCM. So i cant see the Upgrades in SCCM. I tryed reinstalling WSUS / SCUP, but it comes up with old WSUS 7 SCUP configuration. Any idea?

    Best regards, Andre

  54. anonymouscommenter says:

    Season’s Greetings from the AskPFEPlat PFEs!
    A solid Mailbag today with items from Paul Bergson

  55. johnredd says:

    This is all well and good but there is no mention of how to update Server 2008. Can anybody provide more information on that? Stop assuming that everybody is running Server 2012, please.

  56. CurtK-CA says:

    So, any word on this? It looks like my WSUS server has 4 different 1511 builds on it now, all of which fail to upgrade Win 7/8.1/10 clients. All the clients fail still…

  57. Steve says:

    Hoping for a possible answer to an upgrade question: We have a number of Enterprise 1507 installs that activate to our campus KMS — not using MAK activation — that are "standalone" systems — they do not connect to a WSUS or ConfigManager or any other
    central patch management — they just get their updates through Windows Update. My understanding is *MAK* activated systems like this — are now seeing the 1511 update. Does anybody have any idea if/when KMS-activated systems would see the 1511 update? Thanks
    a bunch!

  58. Bob Sullivan says:

    I guess I need to wait for the KB article that describes how to fix our SUSDB. I only found the hotfix after having other issues, so I don’t know how I would have know not to attempt testing the upgrade first.

  59. Timothy Reider says:

    Steve, any update you may have for those of us with the error "Failed to download content id 16851217. Error: Invalid certificate signature" . I am running a Windows Server 2012 WSUS server with KB KB 3095113 installed. in SCCM 1511 we are seeing over
    512 Windows 10 updates available and not one of them will download without the aforementioned certificate error. I had the KB installed before checking the Upgrades box.

    I understand this is a new process, but the silence coming from the teams is getting pretty frustrating when we just want to update our environment.

  60. Jason says:

    We need a way to deploy the 1511 upgrade *only* to machines that currently have Windows 10 10240 Enterprise installed. We absolutely do not want to upgrade our Windows 7 Enterprise and Windows 8.1 Enterprise users to Windows 10 using WSUS.

  61. Steve at U of M says:

    My request is the same as Jason’s: KMS-activated machines need to be able to see 1511 in Windows Update — direct from Microsoft (like MAK-activated machines do!)

  62. Joe says:

    I have sccm 2012R2 ver: 5.0.7958.1000
    I trying to figure out the SCCM upgrade process from here

    from reading it appears I will need:

    1- Install configmgr 2012 R2 sp1
    2- Install the WSUS hotfix
    3- Install the sccm 1511

    can anyone verify this for Me

  63. Jason R says:

    This 1511 upgrade needs to target Windows 10 machines only. It’s absolutely ridiculous that what appears to be a version upgrade patch for Windows 10 also happens to upgrade Win 7/8 machines. I approved this and ended up inadvertently upgrading a whole
    bunch of Windows 8 stations. Also, the reboot behavior for Windows 10 where it does not abide by specified GPO based reboot times NEEDS TO BE FIXED!!

  64. fr says:

    Agree there should be an update that only targets Windows 10 machines, and a separate clearly marked update should be offered for 7/8 upgrades. The current situation is unexpected behaviour that could trick WSUS admins into accidentally upgrading PCs that
    are not ready to be upgraded.

  65. CurtK-CA says:

    So any progress at all on this? I have the 1511 failing for every machine that tries it, Win 7/8.1/10. All fail or show needed still…would love for this to work, would make life so much easier.

  66. HeyAdmin says:

    Has this limitation been increased? We are using a third-party patching tool that publishes updates to WSUS using the API, but we’re running up against a hard limit of 100 categories.

  67. JDAnderson says:

    For those who synchronised the “Upgrades” categories before installing the KB, I just restored the WSUS database to “before” the synchronisation and it fixed the problem.
    No need to uninstall / reinstall the KB in my case.

    Unfortunately I have multiple WSUS servers where I can’t restore the DB so a fix from Microsoft would be helpfull!

    PS: Updating W7, W8 and W10 with the same package is a nonsense and you will have tons of clients running down on you in the coming month Oo

  68. John says:

    Uninstalled WSUS, removed database, reinstalled WSUS, checked that all patches were installed. Resynced to SCCM and still get the "Authentication of file C:WindowsTEMPCAB8BA3.tmp failed, error 0x800b0004" in patchdownloader.log

  69. Greg Lambert says:

    This manual DB cleanup process worked for me. I’m writing a chunk of it from memory though, so I could be missing something.

    Warning: I have no idea what long-term repercussions there could be from performing this procedure. It may or may not work for anyone else. In my case, it was against a temporary lab WSUS server that was built just to test W10 1511 upgrades. You should definitely
    test yourself, and take backups of everything first. Consider yourself warned.

    1. Record the update ID (GUID) from within the console (in my case, 5BEAEC8F-FE8F-4A81-830E-B1AAAAF6A76C for Enterprise 1511 en-US Volume)

    2. Decline update for all computer groups

    3. Stop the "WSUS Service" service in SCM

    4. Run a SQL query against the WSUS database to find the local update ID (integer value): *
    select localupdateid from tbUpdate where UpdateID = ”
    (command if using WID: SQLCMD.exe -S \.pipeMicrosoft##WIDtsqlquery -d "SUSDB" -Q "select localupdateid from tbUpdate where UpdateID = ”" )

    5. Run a SQL query against the WSUS database to delete the update from the DB:
    exec spDeleteUpdate @localUpdateId=
    (command if using WID: SQLCMD.exe -S \.pipeMicrosoft##WIDtsqlquery -d "SUSDB" -Q "exec spDeleteUpdate @localUpdateId=" )

    6. Start "WSUS Service" service

    7. Run Server Cleanup Wizard (I left all options selected)

    8. Run a synchronization (I don’t remember if I bounced the service again or not)

    9. Re-approve update

    * If you’re using WID and don’t have SSMS, you can install SQL Server Native Client and the SQL Server Command Line Utilities from – by default, SQLCMD will be in c:program filesMicrosoft SQL Server110ToolsBinn

  70. Greg Lambert says:

    Looks like these forums don’t escape gt/lt signs. Here are the queries from steps 4 and 5 again:

    4. Run a SQL query against the WSUS database to find the local update ID (integer value): *
    select localupdateid from tbUpdate where UpdateID = ‘GUID from step 1’
    (query if using WID: SQLCMD.exe -S \.pipeMicrosoft##WIDtsqlquery -d "SUSDB" -Q "select localupdateid from tbUpdate where UpdateID = ‘GUID from step 1’" )

    5. Run a SQL query against the WSUS database to delete the update from the DB:
    exec spDeleteUpdate @localUpdateId=Integer ID value from step 4
    (query if using WID: SQLCMD.exe -S \.pipeMicrosoft##WIDtsqlquery -d "SUSDB" -Q "exec spDeleteUpdate @localUpdateId=Integer ID value from step 4" )

  71. John says:

    Any news of support with WSUS on 2008 R2 Operating System ?

  72. Hi folks, and thanks again for the patience around these deployment issues. We have refreshed the Professional edition upgrades. Please sync the latest, try these downloads again, and report your results here, along with the edition that you’re attempting
    to deploy.

    The mitigation (i.e., KB article) for "I clicked Upgrades before installing the hotfix" is in the works, and should be published soon.

    Another blog post is coming regarding WSUS on 2008/R2 systems. Our focus has been on resolving the pressing issues with the 1511 release to WSUS.

    No current version of Configuration Manager is capable of downloading feature upgrades from WSUS. In order to deploy this content with Config Manager, you need to use task sequences. This gap is under investigation, and the team is working on bridging it in
    a near-future release, though exact timelines are unknown at this point.

    Finally, as you may have noticed, we expired the original 1511 release from WSUS because it did not distinguish between Retail and Volume licenses. You should now see a clear distinction between these options in the title of the upgrades available in WSUS.
    Note that the applicability is the same, only the license is different.

  73. guy says:

    I’m seeing Windows 10 extracting to the C:$WINDOWS.~BT but it doesn’t seem to run, when you run it manually it says it’s missing the boot.wim file, I cannot see either boot.wim or boot.esd (f that exists) any hints of what I’m doing wrong?

  74. CurtK-CA says:

    This still seems to fail for us, one machine is now permanently in a state of Restart for Updates. We got the Install Now or Schedule for later pop up, we chose Install Now, and it restarted, but comes right back to 8.1 with a pending restart in the windows
    update panel. Can’t see new updates, can’t upgrade, totally nerfed. We’re going to reset that PC and start all over from scratch.

    We have Revision 201 approved for the test group, Pro, Retail and all other versions not approved. Our machines are all on the Pro release, en-us, non-volume. Should be as plain as it comes…

  75. bill says:

    We have a number of systems that have been upgraded to Windows 10 from OEM versions of Windows 7. Currently none of these systems are being offered the 1511 upgrade by WSUS.

    A manual upgrade to 1511 is possible, either online or via cd/usb, after which WSUS will happily offer the rollup packages to 1511.

    Am I missing something somewhere?

  76. Michael Lin says:

    Our WSUS 4.0 server with KB 3095113 applied is missing "Upgrade to Windows 10 Enterprise version 1511, 10586 -en-us, Volume" but we do have "en-gb" version. The en-gb version does not apply to US version of Windows 10. Is there a problem with our WSUS
    4.0 server or Microsoft does not have the enterprise en-us version ready?

  77. ML49448 says:


    I just installed WSUS on Windows Server 2012 (without R2) with the Hotfix. I have set the update settings in the WSUS GPO to "Auto download and notify for install" and Windows 10 reflects this as "Notify for install".

    This actually works and I am informed in Action Center about new updates. However, there is no Option to install the updates at reboot and shutdown – Windows shows just the normal shutdown and reboot options. "Fast Shutdown" is already disabled.

    Is there a way to get this functionality working? On Windows 7 we are installing all updates during shutdown which is especially important for 3rd party updates like Java and Flash which cannot be installed during a browser is running.


  78. Quinn says:

    We’re in the process of upgrading our SCCM environment from 2007 to 2012 1511. We have not hashed out our plan on upgrading to Windows 10 and what service method we will adopt. So would it be best to just add the hotfix during the initial server updates,
    roles and features installs but leave the Upgrade classification unchecked until we have decided on the update strategy?

  79. CurtK-CA says:

    So we’re in a holding pattern right now until something changes. Newest batch of updates on WSUS for our Windows 10 server aren’t working because the 1511 update has failed. So no Windows 10 machines are getting updates now, which is bad. Is there any
    idea on how to fix this? We’re just using WSUS.

    I’ve kind of given up hope on having WSUS upgrade Windows 7/8.1 (which would’ve been fantastic) but I do need the normal already at Windows 10 machines to get their updates.

  80. Garry Trinder says:

    I’ve got Hotfix 3095113 via MS-Linkmail (Windows8-RT-KB3095113-v2-x86.msu), but installation fails with error 0x80070003. Typical solutions for this error doesn’t work. Any idea?

  81. ivan says:

    So, after waiting a month, I though "to heck with with, lets enable Upgrades" 🙂

    Fortunately I was plenty prepared by reading all the blog posts and comments, though it took a while to fully understand the Windows Servicing Models (well documented) in combination with Windows Update for Business (documentation on this really sucks, as well
    as the pre-coverage – it’s basically just a GPO us). So i prepared my ActiveDirectory OUs, created one for CurrentBranch and for CurrentBranchForBusiness, added the GPO tweaks and WSUS targeting, and here we go …
    Everything went as planned, except I’m stuck at installing the 1511 Upgrade:

    -Windows Update Error on the machine: There were problems installing some updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help:

    – Event ID 20 Error on the machine: Installation Failure: Windows failed to install the following update with error 0x8024200D: Upgrade to Windows 10 Pro, version 1511, 10586 – en-us, Retail.

    any suggestions?

  82. jonatnav2 (11 Dec)/Jason (23 Dec): The upgrade (and all future upgrades) will apply to down-level as a matter of our servicing policy. This is primarily to reduce the number of entries in your WSUS/ConfigMgr consoles, especially considering that the end
    result is the same regardless of the targeted platform. You can quickly create a new Computer Group, then sort All Computers by Operating System, and finally right-click your Win10 machines and "change membership" to the new group. This will allow you to target
    just the Win10 machines without restructuring your AD/GP hierarchy.

    Joe (12-13 Dec)/Timothy (22 Dec)/Paul (8 Jan): As Mike helpfully mentioned, there is now a hotfix available for Config Manager that allows feature upgrades to be downloaded from the SUSDB as expected. Please install to address the "invalid certificate signature" errors mentioned here.

    HeyAdmin: Although unrelated to this topic, the limitation you mention is fixed at 100 categories. Please ensure that you are not creating duplicate entries in the local publishing catalog–each pair of Vendor Name + Product Name will generate a new entry toward
    this 100-item limit.

    Bill: Have you checked the deferral settings on these machines? Clients that are configured only to pick up CBB (i.e., have the "defer upgrades" policy enabled) will consider the 1511 upgrade not applicable/needed.

    Michael (13 Jan): After you’ve downloaded the upgrades, they will install in the background and trigger an automatic restart after a fixed amount of time. By default, your machines should restart and complete the upgrade process at the next 3 AM opportunity.
    In Win10, you won’t see the "Install updates and restart" for these upgrades because a special type of restart is required, and it can’t be manually launched.

    Quinn: Definitely recommend adding the WSUS hotfix now, before you get into a situation where you might be synching Upgrades to your server. If you use Config Manager, then you’ll want to consider that hotfix, as well, but the WSUS fix is crucial–plus it fixes
    the issue where Windows 10 machines appear as "Windows Vista" in the UI.

    CurtK-CA: Thanks for confirming that you’re still having issues. Can you reach out to me directly (email blog author) so that we can properly troubleshoot your situation?

    Klaus: I’m not sure why you’re installing the x86 version of this hotfix, since WS12/R2 servers are always x64. Can you try using the x64 package instead?

    Ivan: Have you already added the MIME-type as suggested by alexx80? It looks like you haven’t downloaded the full package before launching installation.

    Please submit all new issues with 1511 deployment via WSUS to the appropriate forum:

  83. ML49448 says:

    Hi Steve,

    thanks for the info on the "install updates and shutdown" question. Actually, I was not referring to Feature Upgrades in particular but to the option in general.

    However, I now learned that the classic option to install updates during shutdown (what we know from Windows 7) seems to have already been removed from Windows 8, as this article and member of Microsoft writes:

    You bring up a good point about the frequency and long times to complete installations during shutdown. I agree this can be frustrating especially when you are in hurry. On win8, we set out to strike a balance between always allowing user to have a choice and
    securing the system in a timely manner. We have done a few things here that cumulatively will improve the experience of updating during shutdown. 1) WU will install all updates before the 3 day pending restart message is shown and hence only the system re-initialization
    and pending file renames for the updates will be left to be completed during shutdown. This will shorten the time taken to “update and shutdown” compared to Win7/Vista where WU also does the installation during shutdown. 2) Since we are consolidating the restarts
    with the security updates, you should see the “Update and Shutdown” only when there is a pending restart (day 2 and day3 after a pending restart message is shown in login screen) ie 2 days in a month. In addition, on day 1 after the restart message is shown
    in login screen, you still have a choice to do just a “shutdown”. The intent here being that you can take the proactive action to restart the machine at your convenience.


    Just for clarification in case other users are going to read my question. To repeat The option as it it was in Windows 7 is gone and updates must be either scheduled for installation or installed completely manually. The "Install and Shutdown" option in the
    start menu is only displayed in case an update has already been installed and requires a reboot.


  84. Garry Trinder says:

    Hi Steve,
    thank you. Download-Client was x86, so I had to change choice of downloadplatform.

  85. Garry Trinder says:

    Hotfix is installed; IIS .esd-entry is made; upgrade is downloaded and approved on wsus; Win10-Client has downloaded upgrade -> but Installation is failed with error 8007007E (.esd has no decrypt Information)

    Requested file 10586.0.151029-1700.th2_release_CLIENTENTERPRISE_VOL_x64fre_de-de.esd has no decrypt information
    Installer completed. Process return code = 0x8007007E, result = 0x8007007E, callback pending = False
    Exit code = 0x8007007E

  86. Ivana says:

    @Klaus: I’ve done same but also restarted IIS to make sure. Upgrades are working for Windows 10 RTM machines, but Windows 7 Pro machines show now update in GUI. The WindowsUpdate.log shows this error:

    -01-18 15:14:32:757 768 131c AU #############
    2016-01-18 15:14:32:757 768 131c AU ## START ## AU: Install updates
    2016-01-18 15:14:32:757 768 131c AU #########
    2016-01-18 15:14:32:757 768 131c AU # Initiating deadline install
    2016-01-18 15:14:32:757 768 131c AU WARNING: There are no approved updates to install
    2016-01-18 15:14:32:757 768 131c AU # Exit code = 0x8024000C
    2016-01-18 15:14:32:757 768 131c AU #########
    2016-01-18 15:14:32:757 768 131c AU ## END ## AU: Install updates
    2016-01-18 15:14:32:757 768 131c AU #############
    2016-01-18 15:14:32:757 768 131c AU WARNING: InitiateInstall failed, error = 0x8024000C
    2016-01-18 15:14:32:757 768 131c AU Successfully wrote event for AU health state:0
    2016-01-18 15:14:32:757 768 12f8 AU Getting featured update notifications. fIncludeDismissed = true
    2016-01-18 15:14:32:757 768 12f8 AU No featured updates available.
    2016-01-18 15:14:32:773 768 948 Report Uploading 4 events using cached cookie, reporting URL =
    2016-01-18 15:14:32:804 768 948 Report Reporter successfully uploaded 4 events.
    2016-01-18 15:14:32:804 768 948 Report REPORT EVENT: {31CC4CF4-1EEB-4A9F-9317-7D3DA3A200BC} 2016-01-18 15:14:32:757+0100 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates
    are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Montag, ‎18. ‎Januar ‎2016 at 15:14: – Upgrade auf Windows 10 Pro, Version 1511, 10586 – de-de, Volume
    2016-01-18 15:14:32:804 768 948 Report REPORT EVENT: {4129ADEA-1429-4083-968E-B71EADF3026E} 2016-01-18 15:14:32:757+0100 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates
    are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Montag, ‎18. ‎Januar ‎2016 at 15:24: – Upgrade auf Windows 10 Pro, Version 1511, 10586 – de-de, Volume
    2016-01-18 15:16:30:162 768 131c AU AU received policy change subscription event
    2016-01-18 15:17:46:810 768 12f8 AU Getting featured update notifications. fIncludeDismissed = true
    2016-01-18 15:17:46:810 768 12f8 AU No featured updates available.

  87. bill says:

    Thanks for your comment. I’ve disabled "Defer Upgrades" via Group Policy for WSUS, and have verified that the computers are receiving the policy. WSUS is still not detecting that the 1511 upgrade is applicable to anything. Any other ideas?

  88. rodrigo says:

    Hi, I need help. The WindowsUpdate.log shows this error:

    2016/01/18 16:52:24.8834984 1160 10828 DownloadManager Suspended update 031F8849-0770-402B-A8E1-C76DDC569252 for reason 0x40000
    2016/01/18 16:52:24.8835078 1160 10828 DownloadManager Attempted to resume update 031F8849-0770-402B-A8E1-C76DDC569252 for reason 0x40000, update is no longer suspended afterward.
    2016/01/18 16:52:24.8835230 1160 10828 DownloadManager BITS job {5E4E4037-7A9A-4858-BF0B-6EA1F25649C0} failed, updateId = 031F8849-0770-402B-A8E1-C76DDC569252.201, hr = 0x80190194. File URL = http://svlpadm04:8530/Content/68/DDA51DDFA9A529B44CEAF3728FF3F71553F26E68.esd,
    local path = C:WINDOWSSoftwareDistributionDownloadfb84e0d0d6d9a6fe9db93d89b0965fb110586.0.151029-1700.th2_release_CLIENTPRO_RET_x64fre_pt-br.esd
    2016/01/18 16:52:24.8837468 1160 10828 DownloadManager Progress failure bytes total = 2652794046, bytes transferred = 37149904
    2016/01/18 16:52:24.8845391 1160 10828 DownloadManager CUpdateDownloadJob::GetNetworkCostSwitch() Neither unrestricted or restricted network cost used, so using current cost
    2016/01/18 16:52:24.9748050 1160 10828 DownloadManager Error 0x80244019 occurred while downloading update; notifying dependent calls.
    2016/01/18 16:52:24.9772885 1160 10828 DownloadManager DownloadManager SecsInADay = 86400.
    2016/01/18 16:52:24.9802561 1160 6776 DownloadManager * END * Download Call Complete Call 39 for caller UpdateOrchestrator has completed; signaling completion.
    2016/01/18 16:52:25.0176560 1160 252 ComApi *RESUMED* Download ClientId = UpdateOrchestrator
    2016/01/18 16:52:25.0176578 1160 252 ComApi Download call complete (succeeded = 0, succeeded with errors = 0, failed = 1, unaccounted = 0)
    2016/01/18 16:52:25.0176613 1160 252 ComApi Exit code = 0x00000000; Call error code = 0x80240022

  89. Garry Trinder says:

    @ Ivana
    Restart of IIS/Server doesn’t fix the problem.
    Client seems not to be able decrypting the .esd-file.

  90. rodrigo says:

    I added the MIME-type as suggested by alexx80 and worked. Tks

  91. anonymouscommenter says:

    As indicated in a previous post , we are making changes to WSUS 4.0 and later that will provide a smoother

  92. rodrigo says:

    I tried again, and work just with Windows 10 workstations. Windows 7/8.1 not worked.

  93. Dan Wilkins says:

    Any news on the KB article for those of us who ticked Upgrades before applying the hotfix? Seeing as WSUS installs as a role under 2012 R2 (we built a new server to replace WSUS 3.0 on 2008 R2), I don’t see how we were expected to know a hotfix even existed
    before WU updated the server and gave the new features such as Upgrades. Of course some of us were going to tick the box, never before have I stopped to think "before I enable this cool new feature to push out the Windows 10 November update, I should check
    for a WSUS blog and potential hotfix". Silly me!

  94. Heiko says:

    Silly me, too.

  95. This Drove me Mad says:

    For those of you waiting for the article who ticked Upgrades before applying the patch.

    After many hours and days getting irate, this is what i have just done to solve mine:

    (Note: Deleting just the upgrade files that i had approved and tried to download didnt solve it for me as per the instructions previously provided in the comments section, i had to remove the lot of them!!

    1. Untick the Upgrades classication
    2. Decline all 32 Windows 10 Upgrade files
    3. Stop the WSUS Service
    4. Open SQL Management Studio and run the following 2 queries againt the SUSDB database

    select tbu.localupdateid, up.*
    from [PUBLIC_VIEWS].[vUpdate] up
    join tbUpdate tbu on tbu.updateid = up.UpdateId
    where up.DefaultTitle like ‘upgrade to windows 10%’

    This should pull back all 32 upgrade files with the UpdateID for each one


    exec spDeleteUpdate @localUpdateId=

    Copy the above exec sp command 32 times, put the UpdateID in for each listed from the first command and execute all 32 in one go – remove the <> obviously!

    5. Start WSUS Service
    6. Run Server Clean Up WIzard leaving all boxes ticked
    7. Restart WSUS Service
    8. Re-tick Upgrade Classification
    9. Restart WSUS Service
    10. Do a manual Sync
    11. Re-approve what upgrades are applicable to your appropriate Computer Group
    12. Wait for your Windows Update on the client PC to grab the Upgrade

    Hope this helps somebody else!!!

  96. FCW says:

    Thank you very much "This Drove me Mad", great post. This worked for me.

    If you don’t have SQL Management Studio installed you can use SQLCMD.exe in step 4.

    SQLCMD.exe -S \.pipeMicrosoft##WIDtsqlquery -d "SUSDB" -Q "select tbu.localupdateid, up.* from [PUBLIC_VIEWS].[vUpdate] up join tbUpdate tbu on tbu.updateid = up.UpdateId where up.DefaultTitle like ‘upgrade to windows 10%’" -o wsusdata.csv -W -w 1024 -s

    This will give you a CSV file with ";" as the separator, (you can’t use "," as it is used inside the fields).

    Then use:

    SQLCMD.exe -S \.pipeMicrosoft##WIDtsqlquery -d "SUSDB" -Q "exec spDeleteUpdate @localUpdateId=137014"

    Replacing 137014 with the localupdateid from the wsusdata.csv file and do this for every entry.

    Follow all the other steps in the "This Drove me Mad" post.


  97. jdk says:

    When I try to decline the upgrade I can do all but the one I approved. Both the Accept and Decline are grey out.
    Any suggestions?

  98. ALRC says:

    This script creates the output for the 2nd script that ‘This Drove me Mad’ helpfully provided.

    select ‘exec spDeleteUpdate @localUpdateId=’ + cast(up.updateid as varchar(MAX))
    from [PUBLIC_VIEWS].[vUpdate] up
    join tbUpdate tbu on tbu.updateid = up.UpdateId
    where up.DefaultTitle like ‘upgrade to windows 10%’

  99. TDmM says:

    select ‘exec spDeleteUpdate @localUpdateId="’ + cast(tbu.localupdateid as varchar(MAX)) + ‘"’
    from [PUBLIC_VIEWS].[vUpdate] up
    join tbUpdate tbu on tbu.updateid = up.UpdateId
    where up.DefaultTitle like ‘upgrade to windows 10%’

  100. Windows Internal Database Win10 Upgrade issue says:

    In regards to "This Drove me Mad", I thank you for sussing this out ^_^ pun intended
    and also FCW, would there be a similar script for the Windows Internal Database (WID) flavour?

    I knew I should have gone the MS SQL path!!!! grrrr

  101. Windows Internal Database Win10 Upgrade issue says:

    Nevermind, found some info on page 5 "Greg" – …"* If you’re using WID…"

  102. Scripted says:

    Thanks to everyone here for this help. I scripted it into a single sql procedure with some a little bit of verbose output.

    –declare variables
    declare @tmp table (localupdateid int, DefaultTitle nvarchar(max))
    declare @currentid int, @currentTitle nvarchar(max)

    –insert into tmp table
    insert into @tmp
    select tbu.localupdateid, up.DefaultTitle
    from [PUBLIC_VIEWS].[vUpdate] up
    join tbUpdate tbu on tbu.updateid = up.UpdateId
    where up.DefaultTitle like ‘upgrade to windows 10%’

    –debug output
    select * from @tmp

    –loop through records found
    while ((select count(*) from @tmp) > 0)
    –get current row data
    set @currentid = (select top 1 localupdateid from @tmp)
    set @currentTitle = (select top 1 DefaultTitle from @tmp where localupdateid = @currentid)

    –debug output
    select (‘Deleting ‘ + convert(varchar(20), @currentid) + ‘ – ‘ + @currentTitle)

    –run WSUS stored procedure to delete update
    exec spDeleteUpdate @localUpdateId= @currentid

    –delete from our temp table
    delete from @tmp where localupdateid = @currentid


  103. Hi folks, and apologies for the delay in getting this out there. We have published official guidance on how to resolve the issue where you synched Upgrades before installing the patch:

    We are not fond of directly editing the SUSDB, but we do encourage independent thought, so we’ll leave the workarounds (none of which we have confirmed or tested) in the comments section for posterity. We hope that the new post introduces you to the convenience
    that is PowerShell, if you’re not already familiar.

    Thanks to those who were willing to share their expertise to help their WSUS community. For anyone still experiencing issues with the 1511 upgrade, please email us directly (Email blog author). We’ll share the known issues and workarounds in a future post,
    ideally with better turnaround time!

  104. Jesper Johag says:

    My WSUS-server is configured to download only approved updates/upgrades.
    I did check the Upgrade classification before installing the patch, but I did not approve the upgrades before installing the patch.
    Does this mean my WSUS-system is A-OK?
    I can upgrade Enterprise Windows 10 RTM to 1511, but not Windows 7 or Windows 8.

    (Get-WsusServer).SearchUpdates(“version 1511, 10586”) | Where-Object -FilterScript {$PSItem.IsApproved -eq $true} | Select-Object ArrivalDate, UpdateClassificationTitle, Title

    ArrivalDate, UpdateClassificationTitle, Title
    2015-12-16 06:23:30, Upgrades, Uppgradera till Windows 10 Enterprise, version 1511, 10586 – sv-se, Volume
    2016-01-07 18:23:32, Upgrades, Uppgradera till Windows 10 Pro, version 1511, 10586 – sv-se, Retail
    2016-01-07 22:23:27, Upgrades, Uppgradera till Windows 10 Pro, version 1511, 10586 – sv-se, Volume

  105. bill says:

    Still not working for me, none of the updates are being marked as needed/applicable in my environment. Either for Win7/8.1 or lower iterations of Win10.

    Even ran the fix that Steve linked without changing anything.

  106. bill says:

    Finally got it figured out. The culprit turned out to be "DisableOSUpgrade" policy setting from an older version of the WSUS policy, just hanging around. Doesn’t even show up if you’re editing the current policy.

    I had to restore an older version of the wsus.admx & adml, disable that old setting, and reinstall the current wsus.admx & adml.
    Helpful article here:

  107. Rob says:

    For those of you waiting for word on WSUS 3, here it is:

    So no support I guess

  108. Joe N says:

    I am uncertain where exactly the KB3095113 needs to be applied. In our environment the Primary Site Server is still at WinSvr2008 R2 (and 2008r2 is supported for SCCM 1511). Our Primary site server does NOT have the Software Update Point Role (instead
    that is on a different server which has WinSvr2012 R2).

    My question is this… How does it work with Primary Site Server (with WSUS 3.2 console only) and Software on a different server with WinSvr2012 plus WSUS 4, and KB3095113 patch.

    Where I am mixed up is Svr2008 supported for SCCM 1511, but the Software Update Role only compatible on WinSvr2012. Can this combination work as long at the latest and greatest is on the server with the SUP role? Or is there a problem leaving the Primary Site
    Svr at 2008R2 despite it being supported.


    1. Tatsumi says:

      Joe N: Did it work for you with Primary site server on 2008R2 and SUP on a 2012R2? I’m having the same scenario.

  109. Brian says:

    Thanks Greg. That worked for me!

  110. Mike Mott says:

    So, where does this hotfix and such fit in CM 1511? What should I see or not see in the console around the SUP and products?

  111. This Drove me Mad says:

    I have the opposite issue to Bills comments at the end of Page 7.

    I dont have the DisableOSUpgrade policy installed (infact i declined both updates in WSUS (KB3065987 and KB3065988) as per this MS article

    For all my Windows 7 clients they all refuse to pick the upgrade up even though the WIndowsUpdate.log says its found the upgrade applicabel to it – it always just says No updates available.

    I manually add in the following reg key and voila the WIn 7 machines start to see the upgrade and install it.


    Then a DWORD (32bit) value of AllowOSUpgrade and set it to a value of 1

    Really Microsoft it should not be this hard and tiresome to upgrade from 7 to 10

  112. Brian says:

    Thanks "This Drove me Mad". I agree with you, it shouldn’t be this hard. I don’t know why we have to be adding registry values. How did you ever figure that out?

    Wonder if Steve Henry has any comment on this?

    It worked for me by the way!

  113. Steve G4 says:

    Thanks @ThisDroveMeMad!!!!

    I’ve been trying to solve that exact problem for the last two days & adding the reg key is what finally prompted the Win 10 upgrade to show up on my test clients…Seems like they made the same mistake here as they did with that Outlook Safe Mode update a couple
    months back.

  114. ThisDroveMeMad says:

    Well this is the KB that handles the Win10 upgrades from 7 and 8 –

    However it does not apply to enterprise editions nor any domain doined editions.

    The config for the GWX.exe shows that it has a value of "false" set again "enabledomainjoined" so it stops any domain joined machines from seeing the Upgrade icon in there system trays and manually intstalling the update themselves – which is a good thing………until
    it comes to those who want to stage the upgrades through WSUS – of which that KB has never been released to WSUS servers.

    Piss up in brewery.

    I just wonder what testing in domain lab environments MS actually did for 7/8 to 10 upgrading. Because from where i sit it doesnt appear to be an awful lot!!!

    PS – the way around it is to add the registry key in via GPO but why the hell should we!

  115. Jesper: As indicated in, the issue occurs at the metadata level, specifically with parsing the metadata. Regardless of whether you actually approve the upgrades for installation,
    you’ll need to go through the steps on that page to delete the content and resync after you’ve installed the patch.

    Joe N: This KB needs to be applied on every WSUS with which you intend to distribute upgrades. With that said, we recommend installing it on every WS12/R2 WSUS server you have, since there is no major risk to doing so.

    Mike Mott: Since Config Manager depends on WSUS for its metadata parsing, you’ll need this hotfix for any WSUS that supports CM 1511. Note that Config Manager does not support upgrade from Windows 7/8.1 to 10 via this mechanism (because that upgrade involves
    user interaction, and all CM operations are run without UI as SYSTEM): for that deployment, you’ll need to resort to your existing OS Deployment tasks, MDT, or image-based refresh.

    Brian: Yes, this key is unexpectedly interfering with the WSUS deployment scenario, but this one key isn’t the whole story. I’ve kept it under my hat for the time being because we aren’t done testing the recommended settings that you’ll need to change in order
    to unblock the Windows 7/8.1 upgrades to Windows 10. Stay tuned for another post once we’ve gotten all the known nuances worked out for this scenario.

    ThisDroveMeMad: We feel your pain! It’s equally frustrating for us to light up a new and exciting scenario for the enterprise, only to have it impeded by factors outside WSUS’s control. We’re working on clarifying this scenario for you, and will have something
    as soon as we’re confident in the solution. The way it’s going now, unfortunately it doesn’t look like there’s any way around making GPO modifications. More details next week, if not sooner.

    Oh, and Todd Meyers: We might not have conclusively answered your earlier question regarding MDT. We have tested the scenario, and we recommend keeping the two deployment technologies separate; i.e., either leverage in-place upgrades via WSUS or use your MDT
    to deploy a new OS, but not both on a given machine. The two can coexist, but not without occasionally interfering with one another, so it’s best to keep them separate.

  116. This Drove Me Mad says:

    We feel your pain! It’s equally frustrating for us to light up a new and exciting scenario for the enterprise, only to have it impeded by factors outside WSUS’s control. We’re working on clarifying this scenario for you, and will have something as soon
    as we’re confident in the solution. The way it’s going now, unfortunately it doesn’t look like there’s any way around making GPO modifications. More details next week, if not sooner.

    Did you find anything Steve? Thankyou

  117. Ugh, sorry for the delay on providing that guidance, folks: getting sick is not fun. Resuming the investigation this week…

    Stay tuned,

  118. Scott says:

    Does anyone have any information on how this relates to the free upgrade deadline? Will computers upgraded through WSUS not active after the deadline?

  119. Dan Wilkins says:

    We’ve started seeing machines today, which are domain members and managed by WSUS, prompted to install Windows 10….when I haven’t even approved it yet. What is going on?

  120. Everyone: You may have noticed that KB 3095113 is now available via WSUS and Catalog. This is the same content that was shipped in the original hotfix in October last year, so if you already have it, then there’s no need to deploy this patch. For those
    that were waiting for the direct release to WSUS, the wait is over.

    Scott: We in WSUS have no information on the free upgrade deadline at this time. That’s a high-level policy that will likely affect many aspects of our business, but for now we’re continuing to ship upgrades that apply to Windows 7/8.1 machines through WSUS.
    Bear in mind that any upgrades applying to Volume-licensed devices are not part of this free offering, so essentially the only affected edition is Professional in the WSUS scenario.

    Dan: What you’re seeing is the UI for "Get Windows 10," which is a client-side effort to migrate down-level machines to Windows 10. It has nothing to do with WSUS-approved content, and if you click through that UI, you will download the upgrade from an external
    Microsoft site, not from WSUS. If bandwidth is a concern, then I recommend deploying the upgrade only through WSUS. For more information on this, check out Keep in mind that any settings you change could affect future upgrades via WSUS, and may have to be reverted if you decide to deploy these upgrades
    at a later date.

    This Drove Me Mad: Haven’t forgotten your question or our commitment to provide guidance here.

  121. This Drove Me Mad says:

    Thankyou Steve

  122. David Weston says:

    On a Server 2012 (not R2) system that was previously patched with the hotfix, we had the March 15 KB 3095113 update through WSUS repeatedly failing. Removing the hotfix version then allowed the WSUS update to succeed. This may be a local issue or maybe
    there is something wrong with the 2012 version of the update. (Another 2012 R2 server installed the WSUS update without incident.)

  123. Ariel Abaca says:

    My Windows 8.1 box has picked up the upgrade, but it keeps restarting to Windo es 8.1 instead of restarting to the Windows 10 gorgeous setup interface. What can I be doing wrong? Thanks from an ignorant argentinian.


  124. Jesse R says:

    Steve — Your comment of…

    Scott: We in WSUS have no information on the free upgrade deadline at this time. That’s a high-level policy that will likely affect many aspects of our business, but for now we’re continuing to ship upgrades that apply to Windows 7/8.1 machines through WSUS.
    Bear in mind that any upgrades applying to Volume-licensed devices are not part of this free offering, so essentially the only affected edition is Professional in the WSUS scenario.

    I’m hoping that’s a misprint or incorrect statement. I’ve not found anything from MS that states the free upgrade doesn’t allow to Volume Licensing?! I have read that it won’t apply to Enterprise versions, but Home and Professional versions (regardless of OEM,
    retail, or volume licenses) are still eligible for the free Windows 10 upgrade I was lead to believe?

    Please clarify, thanks.

  125. FCW says:

    Thanks for fixing it.
    I assume it was a metadata problem.

    I expect you will delete this;)

  126. Licha says:

    Hi everybody. I have the following error.
    I’ve migrated de WSUS to a Windows 2012, V.6 of WSUS, and Clients (computers) can’t synchronize with WSUS UNLESS i push MANUALLY the button of "Search Upgrades". If not, wuauclt.exe /resetauthorization /detectnow or just wuauclt.exe /detecnot doesn’t work.
    It happens to me on computers with Windows 10, 8, 7, etc. Can anybody help me with this?? I’ve already done the same migration of another WSUS for SERVERS (Windows 2012, 2008, 2003) and it worked fine.

    Thank you very much.

  127. Randy Hollenbeck says:

    I have WSUS on my 2012 (not R2) server and I am trying to install KB3095113 and it keeps failing with the 0x8000FFFF error. I have tried to install it both from Automatic Updates and manually downloading the file and running it and both time it fails.

    I have tried running it as the Local admin and domain admin

    I have verified the KB3095113 update was not previously installed.

    Attempting to use the WindowsUpdateDiagnostic program results in an error as well and looks like it might be an Elevation issue which is odd given the admin is running it (both local and domain) and there is no option to run in elevated mode right clicking.

    Please advise as we would like to be able to offer the Upgrade Category in WSUS for Windows 10 and have not checked the box for it.

  128. christoph says:

    Hello Together,
    I read the comments well but could not find a solution to my Problem yet:

    We are running our WSUS on Windows Server 2012 R2.
    I have two Windows 10 Pro Clients (Build 10240) which don’t apply the 1511 Upgrade.

    The WSUS has the hotfix 3095113 installed. The Upgrades, e.g. "Upgrade to Windows 10 Pro, Version 1511, 10586 – de-de, Retail" are available and approved for a test Group in which both Clients are located.

    Now neither the Clients are finding this update nor is the WSUS showing any Computers which require the 1511 upgrade.
    On the Clients I already ran wuauclt /detectnow, /reportnow, searched for updates and rebooted several times.
    WindowsUpdateLog schows only "0 Updates found"

    Since I can’t say for sure if I installed KB3095113 after I enabled the Upgrade download, I performed the suggested steps (deactivate Upgrades, delete Upgrade files, activated Upgrades again).

    Thanks for help,

  129. SteveG says:

    Jesse R

    I’m hoping that’s a misprint or incorrect statement. I’ve not found anything from MS that states the free upgrade doesn’t allow to Volume Licensing?!…

    Everything I’ve heard from the licensing team at my VAR and VL support confirms what Steve said. There have been a lot of fights on Reddit/Spiceworks about this with people saying they’ve been told things both ways, but I can say that I’ve confirmed with four
    different people (account manager + 3 different calls to Microsoft) and they’ve all told me the process when it comes to VL free upgrades is as follows:

    1) If you purchased VL Windows and it has active SA, you’re good to go under those SA rights you can upgrade to 10.

    2) If you purchased a machine with an OEM license and left the OS alone (i/e it’s still running that OEM Windows) you can upgrade under the free offer because you have an OEM instance of Windows 7/8 which is eligible.

    3) If however you purchased a machine licensed with OEM, and then re-imaged it with your VL re-imaging rights you can NOT get the free upgrade in it’s current state. Because a VL key was used to activate the machine it’s not eligible under the upgrade offer
    which only applies to retail & OEM.
    In this situation you’re supposed to revert the machine back to it’s OEM state, perform the free upgrade which creates the digital entitlement, after which you can re-image the machine with VL 10 as long as you meet the other re-imaging requirements for Win
    10, yes that does mean three OS installs and lots of wasted time.

    I know, that last part sucks, it’s the situation I’m in too which is why I really wanted to disprove it, but I’ve yet to find a legitimate source that says otherwise. A lot of people will point you to a word doc that can be downloaded from Microsoft’s site
    & signed by a VLSC admin, but all that says is it entitles you to use VL media to complete the upgrade rather than download it from Windows Update, you still have to be starting from an OEM/Retail instance of the OS.

  130. rodrigo says:

    Hi Steve. Any news about update from Windows 7 / 8.1? Upgrade from Windows 10 is working, but Windows 7 not.
    And any news abou the post who you promissed?

  131. Thinh says:


    Do i need to install 3095113 on all servers where WSUS role is installed for only on the server with WSUS database?


    1. All WSUS servers that will process the Upgrades classification need to have KB3095113 installed, or they will not sync the content correctly.

  132. superhl says:

    What a mess. I have applied the patch to my server and 10240 will not upgrade 1511. This has been a pain!!! I thought something was wrong with my 2012r2 virtual server. I deleted the virtual machines and started over. Now I am manually re-installing window 10.

    1. Where are you seeing the failure? Is WSUS delivering the content to the clients? We’ve found a number of corner cases in the setup portion of the upgrade process (which WSUS doesn’t control), so it’s possible you’re running into one of those.

  133. Daniel Wilkins says:

    AT LAST!!! After suffering the pains of this not working for months, I built a fresh Server 2012 R2 box and installed the WSUS role, followed by the hotfix (before ticking Upgrades). Thinking this would work, I was feeling confident. But no! Ah, I hadn’t put the .esd MIME type into IIS on this new server. Silly me. But no! That still didn’t work! Arrgghh. What else could it be? Fresh clean server, hotfix, MIME type….that’s everything, surely? Then after much web-searching I found reference to an AllowOSUpgrade key (and a potential DisableOSUpgrade key, but we didn’t have that set). I set the AllowOSUpgrade key to 1, rebooted and then went into Windows Update. I didn’t even have to check Check for updates, as in the middle of the screen was the prompt to Get started on upgrading to Windows 10. FINALLY! I haven’t yet started the upgrade, as in my excitement I wanted to post on here in case anyone needs to make the same change. The registry key by the way is at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade\ and the AllowOSUpgrade key needs changing from 0 to 1. Hope this helps someone at least 🙂

  134. Squuiid says:

    Folks, if your machines are domain joined the following key MUST be present for the updates to show up. Even if you’ve never set this key before.
    Set DisableOSUpgrade to 0

  135. Rodrigo says:

    My WSUS Server downloaded new upgrades today. What is the changes?

    1. This is a media refresh of the 1511 upgrade that shipped last year. Essentially, it’s that bundle plus the latest cumulative update. If you’ve already deployed version 1511, then you need only install the cumulative update to be fully current.

  136. Rodrigo says:

    The end date from free upgrade is coming, but Wsus still not working to fully automatic upgrade from Windows 7/8 to Windows 10. Is possible run any script to upgrade automatically?

    1. You can only upgrade from Windows 7 and 8.1 to Windows 10 (not from Windows 8). Are you using Configuration Manager? If so, then you can deploy more rapidly using OS deployment tasks. If not, then we might have a different solution for you.

      1. Chris Golden says:

        Thank you for helping with this issue! We are having the same problem. I looked up the article with the powershell commands.

        Would I just run the scripts and that’s it? Or is there something I need to do before that?

        Your comment: “Again, be sure that you perform the deletion step on the WSUS server that is highest in your hierarchy first, and then work your way down; otherwise, your deletions may be replaced by the USS on the next sync attempt.”

        Does this step need to be done first before running the scripts or does the ps scripts take care of that?

        I can decline and run the cleanup before running this if that is what you mean.

        Please let me know,
        Thanks again for your efforts!

        1. There is no script, exactly, just a sequence of PowerShell commands that will delete a given update. The guidance is to use these commands on your top-level WSUS server first, before going downstream. You’re welcome to make a script out of these steps, in which case you’d want to run it at the USS first, as well. Does that help?

  137. Joerg says:

    I am trying to approve an update for ‘removal’ with Win10 Client and WSUS 3.2 on Server 2008R2. The client does not get this removal request.
    Is this feature removed in Win10 or do I need to upgrade to WSUS4?

    1. This functionality is unchanged, and should work irrespective of client platform. Are you still not able to issue a removal approval?

      Also, we’d never pass up an opportunity to encourage you to migrate to a newer WSUS version. Since Windows Server 2016 is just around the corner, you might even try out Technical Preview 5.

      1. Joerg says:

        No, it is still not possible. I just tried to unapprove KB3174060, but my Win10 Clients don’t see it. With Windows 7 and Windows 8.1 uninstall works.

        1. Joerg says:

          The Windows 7 and Windows 8.1 does the uninstall with other updates. Not with KB3174060 because it is WIn10 only.
          The problem raises while trying to uninstall custom updates, but the problem also occurs with MS Updates.

  138. Stephen Kane says:

    Upgrade to Windows 10 Home, version 1511, 10586 – Error 0x80070003

    I get this everyday. It ties up my pc and it’s driving me crazy. FIX IT!

    This came with my new Dell and this has been going on since I bought it.

    1. The Home editions are not compatible with WSUS–you need at least Professional to deploy updates via this server. Does the same error occur when you scan against Windows Update?

  139. Mothilal_V says:

    We have Upstream running with Win2012 (WSUS 4.0) and few downstream servers with Win2008 (WSUS 3.2) and few are with Win 2012(WSUS 4.0), Applying this fix KB 3095113 on Upstream servers would create any issues with the Downstream?

    1. If you plan to distribute feature updates (Upgrades) in your environment, then we strongly encourage that you migrate all servers to a version of WSUS that can handle this sort of traffic. To answer your question, if you never sync the Upgrades content to the WSUS 3.2 server, then it should be fine; however, any future attempt to do so must be expected to fail.

      Additionally, you’ll want to install KB3159706 – – and follow the steps outlined in that KB in order to fully enable your servers to sync and distribute this content.

  140. ParameshKR says:

    Hi, we are trying to deploy feature upgrade to 1703 using windows servicing in our env, But we are having issue in deploying the created service plan. We are able to create the service plan, files are getting downloaded and distributed to dp’s. Those steps are fine.
    But the created service plan is not displaying in software center in the end machines. All the end machines are windows 10 1607.
    Our sccm infra is 2012 CB 1703 and WSUS is 4.0.
    kindly help.

    1. This is a question about Configuration Manager; we recommend asking it at the Configuration Manager blog for best results.

  141. Folks,

    I’m planning to setup the SCCM CB 1702 on Windows Server 2012 R2 and installed WSUS role. But when I try to install this update , its getting “Update not applicable” error then I open the case with Microsoft so they are saying that I need to install first SCCM then install this update but not sure, how it works ?

    Can someone or Microsoft clarify this ?

Comments are closed.

Skip to main content