- Start with three high-value checks when a WSUS client is not reporting: effective WSUS policy in the registry, client-to-server reachability, and the Windows Update service state. The WSUS server never initiates contact with clients – the client initiates everything.
- By default, Automatic Updates performs scheduled detection roughly every 22 hours with a randomized offset. A new or re-pointed client may legitimately be absent for most of a working day. Use forced detection to confirm the problem before concluding something is broken.
- Work in order: registry (WUServer + WUStatusServer + UseWUServer) → GPO application → connectivity (ports 8530/8531,
/iuident.cab, ReportingWebService) → service state → logs → forced detection and report. wuauclt /detectnowis removed on modern Windows Server and should not be relied on for Windows 10/11. UseMicrosoft.Update.AutoUpdate.DetectNow()in PowerShell instead, then request report submission withwuauclt.exe /reportnow.- Only reset SusClientId when policy and connectivity are confirmed healthy AND the cloning fingerprint is present: clones appear and disappear in the console, or only one of a group is visible at a time.
This article covers clients that are missing from the WSUS console or showing a stale “Last Status Report” / “Not Yet Reported” status when the WSUS server itself is healthy and synchronizing.
Does not cover: server-side sync failures → WSUS Sync Failed; update files not downloading to clients → WSUS Not Downloading Updates; WSUS console slow or crashing → wsus-console-slow (forthcoming); initial GPO configuration and computer group design → WSUS Configuration.
When a WSUS client is not reporting to the server, the machine is either missing from the WSUS console entirely or stuck on a stale “Last Status Report” date while the server itself is healthy and syncing. This guide walks the diagnostic in the correct order – policy and registry, then GPO application, then connectivity, then services and logs, then a forced check-in – with the imaging/cloning identity branch kept where it belongs: last, and only when the evidence points there. A WSUS client not reporting is almost always a client-side or client-to-server problem once the server health is confirmed.
Assumed server state for this guide: WSUS is healthy, IIS is running, wsusutil.exe checkhealth produces no WSUS health errors in the Application log, and the server is synchronizing with its upstream. If some clients report normally and others do not, start with the affected clients and their network path, while keeping server-side capacity and policy segmentation as secondary branches. If the server is not syncing at all, start with WSUS Sync Failed instead.
Detection vs. Reporting – What the Console Actually Shows
Detection and reporting are separate operations. Identifying the failed stage first prevents unnecessary resets and shortens the diagnostic. The pattern is consistent: a WSUS client not reporting usually fails at exactly one layer, and the layers build on each other.
Detection is the client contacting the WSUS ClientWebService, synchronizing update metadata, and evaluating which approved updates apply to the machine. The client only appears in the WSUS console the first time it successfully completes this contact. The server never reaches out to the client. Per Microsoft’s Automatic Updates settings documentation, the default detection frequency is 22 hours with a randomized offset to prevent simultaneous client storms. A new or re-pointed client can legitimately be absent for most of a working day.
Reporting is a separate call to the ReportingWebService. The client detects, queues reporting events, and then flushes them to the server, which processes them into the database before they surface in the console. A client can detect and install updates correctly while failing to report status – which produces the “everything installs fine but shows Not Yet Reported / stale date” symptom.
What each pattern looks like in the console, and where to start:
| Console symptom | Start with |
|---|---|
| Client missing entirely | Policy registry (Step 1) → scan source → connectivity |
| Not Yet Reported | Reporting endpoint → logs → server load |
| Stale Last Status Report | Service state → proxy/TLS → logs |
| Clones replacing one another | SusClientId branch (Step 7 below) |
A client that is missing entirely has never completed detection. A client showing “Not Yet Reported” has detected but reporting is not landing. A stale “Last Status Report” usually means a service, connectivity, or proxy change appeared after initial registration. Machines that appear and disappear – or where only one of a cloned group is visible at a time – point to the SusClientId duplication branch in Step 7.
Step 1 – Verify WSUS Policy in Registry
The effective WSUS configuration on any client is written under two registry paths. Read both with PowerShell:
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'Three values must be present and correct.
WUServer – the WSUS server URL, including the explicit port. For a default HTTP deployment: http://wsus.contoso.local:8530. Omitting the port will not fall back to 8530.
WUStatusServer – the reporting URL. In a standard single-server WSUS deployment this should be identical to WUServer. Microsoft’s Group Policy reference for Automatic Updates states: “This policy is paired with the WUServer policy and must also be set to use automatic updates to the intranet server.” They should differ only when update and reporting services have been intentionally separated on different hosts.
UseWUServer (under the \AU subkey) – must be 1. Without UseWUServer set to 1, the WUServer value is not respected and the client goes to public Windows Update.
Configuration notes: prefer an FQDN over a short hostname for predictable DNS and TLS behavior. Avoid a trailing slash in the URL. If these values are absent or wrong, fix the GPO – not the registry directly. On a domain-joined machine, hand-editing these keys is temporary: the next gpupdate overwrites them.
Windows 10/11: verify the scan source policy
On Windows 10 version 2004 and later, and on Windows 11, also check Specify source service for specific classes of Windows Updates under:
Computer Configuration → Administrative Templates → Windows Components
→ Windows Update → Manage updates offered from Windows Server Update ServiceThis policy can route Feature, Quality, Driver, and Other Microsoft product updates independently to either WSUS or Windows Update. If it is configured, verify every update class intended for on-premises management points to WSUS. Correct WUServer, WUStatusServer, and UseWUServer values alone do not rule out a conflicting scan-source policy on these client OS versions.
If the setting is deployed through Group Policy, review its effective GPO state. If scan-source values were written directly to the registry, Microsoft also requires UseUpdateClassPolicySource – direct registry configuration is not recommended. For CSP-managed devices, configure all applicable SetPolicyDrivenUpdateSourceFor... policies instead. Do not assume identical behavior on Windows Server based on this Windows 10/11 documentation; validate the specific server version and deployment method in your environment. See Microsoft’s guidance on using Windows Update client policies and WSUS together for the current policy matrix.
Step 2 – Confirm GPO Is Applying
If the registry values are absent or stale, confirm the WSUS policy is actually reaching the client. Dump the resultant set of policy:
gpresult /r
gpresult /h "%TEMP%\gpresult.html"Under the computer-side “Applied Group Policy Objects” list, confirm the GPO carrying your WSUS settings appears. If it is not there at all, the client is not in the right OU or security group, or there is a domain-connectivity problem at policy processing time – generic GPO territory outside this article’s scope.
Force a refresh and re-read the registry from Step 1:
gpupdate /forceFor evidence that policy processing completed, open Event Viewer at Applications and Services Logs → Microsoft → Windows → GroupPolicy → Operational. Event 4016 marks the start of processing a client-side extension and lists the applicable GPOs. Event 5016 marks completion and includes elapsed time. These confirm that policy processing ran – not that WSUS-specific values were correct, but that the infrastructure delivered them.
Step 3 – Test Client Connectivity to WSUS Server
Policy is confirmed correct. Now confirm the client can reach the WSUS server. Start with a TCP port test:
Test-NetConnection -ComputerName wsus.contoso.local -Port 8530 -InformationLevel Detailed
# TLS-enabled deployment - also test 8531
Test-NetConnection -ComputerName wsus.contoso.local -Port 8531 -InformationLevel DetailedTcpTestSucceeded : True confirms the port is open end to end. For a TLS-enabled deployment, confirm both ports respond before moving to the endpoint tests. If a port test fails: check Windows Firewall on the server, a network-perimeter firewall, a host-based security agent, or VLAN segmentation. Confirm DNS resolves the WSUS hostname to the correct A record from the client before assuming a firewall block.
For the basic WSUS reachability test, Microsoft’s client-agent troubleshooting documentation uses this URL from a browser or HTTP client on the affected machine:
http://wsus.contoso.local:8530/iuident.cabBeing prompted to download the file confirms basic HTTP reachability to that WSUS resource. It does not prove that ClientWebService or ReportingWebService calls succeed. (An older self-update path in some references uses /selfupdate/wuident.cab – do not combine the two paths.)
In a TLS-enabled deployment, test the metadata web service separately:
https://wsus.contoso.local:8531/ClientWebService/client.asmxPer Microsoft’s WSUS TLS configuration guidance, TLS should be required for ClientWebService and several other metadata services, but not for SelfUpdate, Content, Inventory, or ReportingWebService.
For clients with stale status or “Not Yet Reported” – the WSUS client not reporting symptom: if detection is working but status is not landing, test the reporting endpoint derived from the effective WUStatusServer value:
$wuPolicy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$reportingBase = $wuPolicy.WUStatusServer.TrimEnd('/')
$reportingUrl = "$reportingBase/ReportingWebService/ReportingWebService.asmx"
Invoke-WebRequest -Uri $reportingUrl -UseBasicParsingA successful response confirms basic DNS, TCP, proxy, and IIS reachability to the reporting virtual directory. It does not prove that the client’s SOAP status submission succeeds. If the client still does not report, check the WSUS server IIS logs for requests from the affected client to /ReportingWebService/ReportingWebService.asmx and record the HTTP status and substatus.
Proxy check: before any reset, inspect the current WinHTTP proxy:
netsh winhttp show proxyCompare the result to the intended network path. Only if direct access is expected and an incorrect proxy is confirmed:
netsh winhttp reset proxyA blanket reset can break clients in environments where an explicit WinHTTP proxy is required.
For HTTPS (port 8531): if connectivity tests pass but WSUS-specific operations fail with TrustFailure or certificate errors in the logs, the client does not trust the complete certificate chain. The root CA must be in Trusted Root Certification Authorities and any intermediate CA in Intermediate Certification Authorities in the Local Computer stores. The hostname in the WSUS URL must also match the certificate subject or SAN.
Step 4 – Check the Windows Update Service
For a pure reporting symptom, wuauserv is the service that matters.
Get-Service wuauserv
sc.exe query wuauservIf stopped, restart it:
Restart-Service wuauservBITS (bits) is commonly stopped when idle – that is normal behavior. Treat a stopped BITS service as worth investigating only when payload download or transfer errors are also present alongside the reporting failure. For deeper service-failure patterns, Windows Server service failures covers the recovery workflow.
To inspect the BITS service configuration without changing it:
sc.exe qc bitsOnly reconfigure the BITS service account if the query returns something other than LocalSystem and there is specific evidence that an account change caused the failure.
Step 5 – Read the Windows Update Logs
This is where guessing stops. On Windows 10/11 and Windows Server 2016 and later, Windows Update uses Event Tracing for Windows rather than writing a live text log. Per Microsoft’s documentation on Windows Update log files, the ETL traces land in C:\Windows\Logs\WindowsUpdate\. Decode them into a readable file:
Get-WindowsUpdateLogThis produces WindowsUpdate.log on the desktop – a point-in-time snapshot. Re-run to refresh. On Windows 7 and Server 2008 R2/2012 R2, the log at %windir%\WindowsUpdate.log is live.
In the generated log, confirm which server the client is pointing to by searching for the WSUS hostname. Search for ERROR to find failure blocks. Component tags tell you which subsystem is speaking: PT (ProtocolTalker – client-server synchronization), REPORT (reporting events), AGENT (Windows Update agent core).
For a faster read, go directly to the event log at Applications and Services Logs → Microsoft → Windows → WindowsUpdateClient → Operational. Common events to look for (event usage can vary by Windows build – confirm message text and error code):
- Event ID 25 (Error – Check for Updates): detection failed. The error code is the lead. Routes back to connectivity or registry.
- Event ID 26 (Information – Check for Updates): scan completed successfully. Verify the endpoint in the generated log to confirm this scan used the intended WSUS server, not public Windows Update.
- Event ID 16 (Warning – Connection): the client cannot reach the automatic updates service. Routes back to Step 3.
- Event ID 31 (Error – Download): a download failure pointing to content/BITS rather than reporting. See WSUS Not Downloading Updates.
Two error codes that commonly appear in WSUS client communication problems: 0x8024401C is HTTP status 408 – the server timed out waiting for the client’s request. 0x80244010 is WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS, exceeded maximum round trips per session. Both codes justify checking network and proxy behavior and the health of the WSUS server – specifically WsusPool memory limits and SUSDB maintenance state. The codes identify a condition; they do not by themselves prove database bloat or a specific server-side cause. 0x80244010 points primarily to the scan and metadata-synchronization path rather than proving a ReportingWebService failure. For event log reading technique, Windows Server event log troubleshooting covers the workflow.
Step 6 – Force Detection and Reporting
Once policy, connectivity, services, and logs check out, skip the 22-hour wait and force the client to check in. This step is where most WSUS client not reporting investigations either confirm the problem or resolve it outright.
- The internet is full of instructions to run
wuauclt /detectnowwhen troubleshooting a WSUS client not reporting. - Microsoft documents
wuauclt.exe /detectnowas removed and unsupported on modern Windows Server. Do not rely on it on Windows 10/11 either. - It may return no useful feedback – and the absence of any error message is exactly why operators run it, see nothing happen, and conclude the whole WSUS chain is broken.
- Use
Microsoft.Update.AutoUpdate.DetectNow()instead and verify the result in the event log.
The documented replacement for /detectnow on modern Windows:
$autoUpdates = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$autoUpdates.DetectNow()Confirm the scan ran by checking WindowsUpdateClient/Operational for Event ID 25 (failure) or Event ID 26 (success). Per Microsoft’s WSUS client verification guidance, a new client normally appears in the WSUS console within about 20 minutes after a successful scan. Reporting data may take longer to process on a busy server.
After detection has completed and reporting events are queued, request their submission:
wuauclt.exe /reportnow/reportnow is a legacy trigger that Microsoft still references in WSUS troubleshooting guidance. Treat it as a request to submit queued events and verify the result through Windows Update logs, IIS requests, and the WSUS console – do not treat a silent command return as proof of successful reporting.
On legacy systems (Windows 7, Windows Server 2008 R2 and 2012 R2), wuauclt /detectnow followed by wuauclt /reportnow is still the correct sequence.
Step 7 – Client Identity Duplication: Imaging and Cloning Branch
Enter this branch only when all of the following are true: policy is confirmed applying (Step 2), the client can reach the WSUS server (Step 3), and the symptom specifically matches identity collision. Do not lead with this.
The cloning fingerprint. Out of a group of machines, only one or two appear in the WSUS console at a time, and which machine is visible changes over time. Or freshly imaged machines never appear while the source image did. This happens because WSUS uses SusClientId as the unique device identifier. When multiple machines carry the same SusClientId, the server keeps overwriting a single computer record’s hostname with whichever clone checked in most recently.
The root cause is a process gap during image preparation. The SusClientId is generated the first time a machine contacts any Windows Update service. If the golden image was allowed to reach Windows Update or WSUS before being sealed, every deployed clone inherits the same identifier. Do not assume that Sysprep will clear a SusClientId that was already created before image capture. Historical Microsoft documentation confirms that a pre-existing SusClientId can survive Sysprep. The safe image workflow is to prevent the reference image from contacting an update service before sealing, or to explicitly clear the WSUS client identity before capture.
Cloned VMs disappearing from the console after deployment. A commonly reported production pattern: a team deploys a batch of VMs from a single template. Within a day, only one or two appear in the WSUS console and the visible hostname changes with each console refresh. The template contacted Windows Update before sealing, so the SusClientId was baked into every clone. The clients are detecting and installing updates correctly – they are just overwriting each other’s single database record.
The identity reset – run only after policy and connectivity are confirmed:
Stop-Service wuauserv -Force
Remove-ItemProperty `
-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' `
-Name SusClientId `
-ErrorAction Stop
Start-Service wuauserv
wuauclt.exe /resetauthorization
$autoUpdates = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$autoUpdates.DetectNow()
wuauclt.exe /reportnowThis removes SusClientId and lets the Windows Update Agent generate a fresh unique identity on the next check-in. The identity registry keys live under ...\CurrentVersion\WindowsUpdate (the agent’s hive) – separate from the policy keys at ...\Policies\Microsoft\Windows\WindowsUpdate checked in Step 1. After all affected clones have received unique SusClientId values and checked in, remove any stale duplicate computer records from the WSUS console.
What this reset does not do: it does not repair a corrupted Windows Update datastore. If log evidence points to datastore corruption rather than identity duplication, rename the SoftwareDistribution folder as a separate evidence-driven step:
Stop-Service wuauserv, bits -Force
$backup = "SoftwareDistribution.old-$(Get-Date -Format yyyyMMdd-HHmmss)"
Rename-Item "$env:SystemRoot\SoftwareDistribution" $backup
Start-Service bits, wuauservThe permanent fix is to ensure the golden image never contacts an update service before it is sealed. Every deployed clone should carry a freshly generated SusClientId from its first boot.
Version Reference – Commands by Windows Version
Do not use one script across all OS versions. The detection trigger differs, and using the wrong one produces no error and no result.
| Task | Windows 10/11, Server 2016/2019/2022/2025 | Windows 7, Server 2008 R2 / 2012 R2 |
|---|---|---|
| Trigger detection | $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'; $au.DetectNow() |
wuauclt /detectnow |
| Request report submission | wuauclt.exe /reportnow |
wuauclt /reportnow |
| Reset group membership cookie | wuauclt.exe /resetauthorization then trigger detection |
wuauclt /resetauthorization /detectnow |
| Generate readable update log | Get-WindowsUpdateLog (decodes ETL from C:\Windows\Logs\WindowsUpdate\) |
Read %windir%\WindowsUpdate.log directly |
| Check service state | Get-Service wuauserv; sc.exe query wuauserv |
sc.exe query wuauserv |
| Check port connectivity | Test-NetConnection -ComputerName <wsus> -Port 8530 |
Server 2012 R2: Test-NetConnection; Windows 7/2008 R2: telnet <wsus> 8530 (if installed) |
| Verify WSUS policy | Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' |
same |
Windows 7, Server 2008 R2, and Server 2012 R2 are no longer under standard support. Server 2008 R2 and 2012 R2 may be covered under Extended Security Updates (ESU). Validate support status before applying procedures to these platforms in production. The legacy column is included for existing environments only.
Microsoft explicitly documents /detectnow as removed on modern Windows Server and provides Microsoft.Update.AutoUpdate.DetectNow() as the replacement. Current WSUS troubleshooting guidance still references /reportnow and /resetauthorization, but their result should be verified through Windows Update logs, IIS requests, and the WSUS console rather than assumed from a silent command return.
FAQ
Why is my WSUS client not reporting status even though updates install correctly?
When a WSUS client is not reporting status, detection and reporting must be checked separately. Installing updates confirms detection and download work. Reporting is a distinct call to the ReportingWebService and can fail independently – typically a timeout (0x8024401C), a WUStatusServer mismatch, or an IIS/server processing lag. Start by verifying that WUServer and WUStatusServer are both present and match in the client registry, then test the ReportingWebService endpoint from the client (Step 3), trigger a forced report with wuauclt.exe /reportnow after running detection, and check WindowsUpdateClient/Operational for the outcome.
How long should I wait for a new client to appear before investigating?
The default detection frequency is roughly 22 hours with a random offset, so a newly pointed client may not appear for several hours after the GPO lands. In an active troubleshooting session, do not wait – trigger detection with Microsoft.Update.AutoUpdate.DetectNow() and verify the result in the event log. After a successful scan, Microsoft states a new client normally appears in the WSUS console within about 20 minutes. The forced method gives you a definitive signal rather than waiting for the scheduled cycle.
Is wuauclt /detectnow still the right way to force a client check-in?
Only on Windows 7 and Server 2008 R2/2012 R2. Microsoft documents wuauclt.exe /detectnow as removed and unsupported on modern Windows Server. Do not rely on it on Windows 10/11 either – use Microsoft.Update.AutoUpdate.DetectNow() instead. /reportnow is a legacy trigger that Microsoft still references in WSUS troubleshooting guidance. Treat it as a request to submit queued events and verify the result in logs; do not treat a silent return as proof of successful reporting.
Should I reset SusClientId when a client is not reporting?
Only when the cloning fingerprint is present: machines appearing and disappearing in the console, or only one of a deployed group visible at a time, with policy and connectivity already confirmed healthy. Resetting SusClientId on a machine whose real problem is a blocked port or a missing WUStatusServer value fixes nothing and can leave stale computer records in the WSUS console.
WSUS was deprecated – is troubleshooting this still relevant?
Yes. Microsoft announced WSUS deprecation on September 20, 2024, meaning no new features will be added. The role still ships in Windows Server 2025 with no removal planned for in-market versions. Windows Server 2025 mainstream support runs to November 13, 2029, and extended support to November 14, 2034 (per Microsoft’s Windows Server 2025 lifecycle page). WSUS reporting visibility remains relevant for patch compliance tracking for the duration of that lifecycle.
Most WSUS client not reporting problems trace to one of a handful of layered causes – and this guide has covered each one in order. The diagnostic order in this guide exists because each layer confirmed either fixes the problem or eliminates a class of dead ends – so by the time you reach the identity reset, the evidence has earned it. Trigger detection the modern way, verify through logs rather than waiting for the console to refresh, and reserve SusClientId changes for the cases that actually match the cloning fingerprint.
WSUS on Windows Server
Installation & Configuration · Maintenance · Sync Failures · Content Download · Client Reporting · Console Recovery