I’ve been puzzling over this for a while so I thought I’d create a post at least to document the question.On a domain-joined Server 2022 21H2 virtual machine, I know there is an optional update waiting from running a PowerShell script. For example, this one-liner:
(New-Object -ComObject Microsoft.Update.Session).CreateupdateSearcher().Search("IsHidden=0 and IsInstalled=0").Updates | Select-Object Title
shows that this update is pending:
SQL Server 2019 RTM Cumulative Update (CU) 26 KB5035123
Using my PowerShell script to get the update details, I see that KB5035123 has BrowseOnly set to True, i.e. it’s an optional update.
However when I go to the Windows Update UI, I do not see the “View optional updates” hyperlink, so I can’t find and install that update.
The machine is managed by Windows Update for Business (WUFB). There is a new policy Enable optional updates. According to this article and the GPO, it requires Windows 11 22H2:
According to this article, it works for Windows 10 as well (version unspecified). The latest update to Windows Server 2022 is 21H2, so I guess it doesn’t apply.
I did try temporarily renaming the WindowsUpdate registry key, which should disable WUFB, but I still don’t see the optional update. (HKLM\Policies\Microsoft\Windows\WindowsUpdate)
I tried completely resetting the Windows Update components. That also didn’t help.
I got a excited for minute this morning when I saw a SQL security update ready to install on the server. Alas, the optional Cumulative Update is still not available:
Sure enough, the security update KB5036335 is not flagged as optional:
I used Get-WindowsUpdateLog and tried deciphering the log. I do see KB5035123 in the log, identified by its ID bb4336f5-ba8e-4a23-9f8d-040053fe425d (also from the details script). I can’t figure out why it’s not getting installed. Here’s how the log ends after installing all the pending updates—the optional update is found (see “UpdateID” between *RESUMED* and *END*), but is not presented in the UI:
2024/04/22 09:05:59.9323162 2888 6880 Agent * START * Finding updates CallerId = MoUpdateOrchestrator Id = 11 (cV = 1UIo7kH4kEyR1wG8.0.1.1.0.2)
2024/04/22 09:05:59.9323193 2888 6880 Agent Online = Yes; Interactive = Yes; AllowCachedResults = No; Ignore download priority = No
2024/04/22 09:05:59.9323214 2888 6880 Agent Criteria = IsInstalled=0 and DeploymentAction='Installation' or IsInstalled=0 and DeploymentAction='OptionalInstallation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1""
2024/04/22 09:05:59.9323244 2888 6880 Agent ServiceID = {8B24B027-1DEE-BABB-9A95-3517DFB9C552} Third party service
2024/04/22 09:05:59.9323261 2888 6880 Agent Search Scope = {Machine}
2024/04/22 09:05:59.9323292 2888 6880 Agent Caller SID for Applicability: S-1-5-21-1991108170-3617364629-736776668-1115
2024/04/22 09:05:59.9324196 2888 6880 Agent ProcessDriverDeferrals is set
2024/04/22 09:05:59.9453127 5348 1228 ComApi *RESUMED* Search ClientId = MoUpdateOrchestrator, ServiceId = 7971F918-A847-4430-9279-4A52D1EFE18D (cV = 1UIo7kH4kEyR1wG8.0.1.0.0)
2024/04/22 09:05:59.9624364 5348 1228 ComApi UpdateId=BB4336F5-BA8E-4A23-9F8D-040053FE425D.201, DeploymentID=58578551, ClientMetadata: audience=(null), admin=(null), update=(null)
2024/04/22 09:05:59.9624447 5348 1228 ComApi * END * Search ClientId = MoUpdateOrchestrator, Updates found = 1, ServiceId = 7971F918-A847-4430-9279-4A52D1EFE18D (cV = 1UIo7kH4kEyR1wG8.0.1.0.0)
2024/04/22 09:06:00.0856982 2888 6880 SLS Get response for service 8B24B027-1DEE-BABB-9A95-3517DFB9C552 - forceExpire[False] asyncRefreshOnExpiry[False]
2024/04/22 09:06:00.0857029 2888 6880 SLS path used for cache lookup: /SLS/{8B24B027-1DEE-BABB-9A95-3517DFB9C552}/x64/10.0.20348.2402/0?CH=867&L=en-US&P=&PT=0x7&WUA=10.0.20348.2400&MK=Microsoft+Corporation&MD=Virtual+Machine
2024/04/22 09:06:00.0863942 2888 6880 Misc Got 8B24B027-1DEE-BABB-9A95-3517DFB9C552 redir Client/Server URL: https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx""
2024/04/22 09:06:00.0875789 2888 6880 Misc Token Requested with 0 category IDs.
2024/04/22 09:06:00.1082022 2888 6880 Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN.
2024/04/22 09:06:00.1124443 2888 6880 Misc *FAILED* [80070057] Method failed [AuthTicketHelper::AddTickets:1236]
2024/04/22 09:06:00.1124478 2888 6880 Misc *FAILED* [80092004] Method failed to get auth token. [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1674]
2024/04/22 09:06:00.1125487 2888 6880 Misc Acquired new token from Server
2024/04/22 09:06:00.1126893 2888 6880 Misc Got service 8B24B027-1DEE-BABB-9A95-3517DFB9C552 plugin Client/Server auth token of type 0x00000001
2024/04/22 09:06:00.1143290 2888 6880 WebServices Proxy Behavior set to 2 for service url https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx
2024/04/22 09:06:00.1267047 2888 6880 SLS Get response for service 8B24B027-1DEE-BABB-9A95-3517DFB9C552 - forceExpire[False] asyncRefreshOnExpiry[False]
2024/04/22 09:06:00.1267090 2888 6880 SLS path used for cache lookup: /SLS/{8B24B027-1DEE-BABB-9A95-3517DFB9C552}/x64/10.0.20348.2402/0?CH=867&L=en-US&P=&PT=0x7&WUA=10.0.20348.2400&MK=Microsoft+Corporation&MD=Virtual+Machine
2024/04/22 09:06:00.1395184 2888 6880 SLS Get response for service 8B24B027-1DEE-BABB-9A95-3517DFB9C552 - forceExpire[False] asyncRefreshOnExpiry[False]
2024/04/22 09:06:00.1395230 2888 6880 SLS path used for cache lookup: /SLS/{8B24B027-1DEE-BABB-9A95-3517DFB9C552}/x64/10.0.20348.2402/0?CH=867&L=en-US&P=&PT=0x7&WUA=10.0.20348.2400&MK=Microsoft+Corporation&MD=Virtual+Machine
2024/04/22 09:06:00.2924666 2888 6880 Driver Skipping printer driver 3 due to incomplete info or mismatched environment - HWID[(null)] Provider[Microsoft] MfgName[Microsoft] Name[Remote Desktop Easy Print] pEnvironment[Windows x64] LocalPrintServerEnv[Windows x64]
2024/04/22 09:06:00.3073771 2888 6880 Driver Skipping printer driver 6 due to incomplete info or mismatched environment - HWID[microsoftmicrosoft_musd] Provider[Microsoft] MfgName[Microsoft] Name[Microsoft enhanced Point and Print compatibility driver] pEnvironment[Windows NT x86] LocalPrintServerEnv[Windows x64]
2024/04/22 09:06:00.9858818 2888 6880 Agent PopulateCUpdateDetectInfoAdditionalMetadata: Populated 0 driver additional metadata from map into DetectInfoList.
2024/04/22 09:06:00.9869119 2888 6880 ProtocolTalker ServiceId = {8B24B027-1DEE-BABB-9A95-3517DFB9C552}, Server URL = https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx
2024/04/22 09:06:00.9901675 2888 6880 ProtocolTalker OK to reuse existing configuration
2024/04/22 09:06:00.9901717 2888 6880 ProtocolTalker Existing cookie is valid, just use it
2024/04/22 09:06:00.9903503 2888 6880 ProtocolTalker DeviceAttributes[URI]: E:FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWindows%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_8d8d2cb282c1bda6%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0.20348.2400&ProcessorIdentifier=Intel64%20Family%206%20Model%20167%20Stepping%201&FlightIds=FX%3A124117A5%2CFX%3A12E71092&OEMModel=Virtual%20Machine&TimestampEpochString_21H1=1713742427&ProcessorManufacturer=GenuineIntel&InstallDate=1689634192&OEMModelBaseBoard=Virtual%20Machine&BranchReadinessLevel=CB&OEMSubModel=None&GStatus_21H1=2&IsCloudDomainJoined=0&Bios=2020&DeferFeatureUpdatePeriodInDays=120&FX_FlightIds=FX%3A124117A5%2CFX%3A12E71092&DL_OSVersion=10.0.20348.2402&IsDeviceRetailDemo=4294967295&FlightingBranchName=&OSUILocale=en-US&WUfBClientManaged=1&DeviceFamily=Windows.Server&ProcessorClockSpeed=2808&WuClientVer=10.0.20348.2400&IsFlightingEnabled=0&OSSkuId=7&TotalPhysicalRAM=6144&SecureBootCapable=1&ProcessorCores=1&App=WU_OS&CurrentBranch=fe_release&In
2024/04/22 09:06:00.9931736 2888 6880 ProtocolTalker ProductAttributes: PN=Microsoft.Edge.Stable.amd64&Repairable=1&V=0.0.0.0;PN=Microsoft.NETFX.amd64&V=2018.12.2.0;PN=Server.OS.amd64&Branch=fe_release_svc_prod1&PrimaryOSProduct=1&Repairable=1&V=10.0.20348.2402;PN=Windows.Appraiser.amd64&Repairable=1&V=10.0.20348.740;PN=Windows.AppraiserData.amd64&Repairable=1&V=10.0.20348.1;PN=Windows.EmergencyUpdate.amd64&Repairable=1&V=10.0.20348.2402;PN=Windows.UpdateStackPackage.amd64&Name=Update Stack Package&Repairable=1&V=10.0.20348.2402;PN=DefenderPlatform.amd64&V=4.18.24030.9;PN=DefenderSignature.amd64&V=1.409.443.0;PN=Hammer.amd64&Source=UpdateOrchestrator&V=0.0.0.0;PN=MSRT.amd64&Source=UpdateOrchestrator&V=0.0.0.0;PN=SedimentPack.amd64&Source=UpdateOrchestrator&V=0.0.0.0;PN={1e6d517d-274f-5f72-aac8-a8efd0922e55}_amd64&V=0.0.0.0&Source=SMBIOS;PN={27793478-b19b-57b6-9b0b-17fd52bb3e83}_amd64&V=0.0.0.0&Source=SMBIOS;PN={4df1fb0a-e4c2-54ef-92bd-77e33b683b49}_amd64&V=0.0.0.0&Source=SMBIOS;PN={6d4071db-0b8f-520b-806c-81e804431336}_amd64&V=0.0.0.0&S
2024/04/22 09:06:00.9931776 2888 6880 ProtocolTalker CallerAttributes: E:Interactive=1&SheddingAware=1&Id=MoUpdateOrchestrator&
2024/04/22 09:06:00.9963022 2888 6880 EEHandler EE: ProductReleaseInstalled name=Server.OS.amd64, version installed=10.0.20348.2402, metadata=10.0.20348.2402, dirty=False, currentVersionOnly=False.
2024/04/22 09:06:01.0953742 2888 6880 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 1007; does use network; is at background priority
2024/04/22 09:06:01.0954578 2888 6880 WebServices Auto proxy settings for this web service call.
2024/04/22 09:06:01.4977289 2888 6880 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 1007) stopped; does use network; is at background priority
2024/04/22 09:06:01.4990897 2888 6880 Agent *FAILED* [80070057] file = onecore\enduser\windowsupdate\client\engine\agent\protocoltalker.cpp, line = 1260
2024/04/22 09:06:01.4991044 2888 6880 Agent *FAILED* [80070057] file = onecore\enduser\windowsupdate\client\engine\agent\protocoltalker.cpp, line = 1260
2024/04/22 09:06:01.4994573 2888 6880 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 1008; does use network; is at background priority
2024/04/22 09:06:01.6711248 2888 6880 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 1008) stopped; does use network; is at background priority
2024/04/22 09:06:01.6712230 2888 6880 ProtocolTalker SyncUpdates round trips: 2
2024/04/22 09:06:01.9868157 2888 6880 Agent PrepareSearchCallbackInfo: Additional Driver Metadata size=0 present.
2024/04/22 09:06:01.9868821 2888 6880 Agent Found 0 updates and 8 categories in search; evaluated appl. rules of 74 out of 74 deployed entities
2024/04/22 09:06:01.9893440 2888 6880 Agent * END * Finding updates CallerId = MoUpdateOrchestrator, Id = 11, Exit code = 0x00000000 (cV = 1UIo7kH4kEyR1wG8.0.1.1.0.2)
2024/04/22 09:06:01.9955173 2888 6880 IdleTimer WU operation (CSearchCall::Init ID 11, operation # 997) stopped; does use network; is not at background priority
2024/04/22 09:06:02.0234443 5348 1228 ComApi *RESUMED* Search ClientId = MoUpdateOrchestrator, ServiceId = 8B24B027-1DEE-BABB-9A95-3517DFB9C552 (cV = 1UIo7kH4kEyR1wG8.0.1.1.0)
2024/04/22 09:06:02.0241735 5348 1228 ComApi * END * Search ClientId = MoUpdateOrchestrator, Updates found = 0, ServiceId = 8B24B027-1DEE-BABB-9A95-3517DFB9C552 (cV = 1UIo7kH4kEyR1wG8.0.1.1.0)
Oddly I did manage to see an optional update on a non-domain-joined Server 2022 machine. Anyone know how to get optional updates to appear on a domain-joined Server 2022?