Why Are Windows Server 2025/Windows 11 24H2 Updates Failing from WSUS? Solving This Critical Configuration Problem.
Some administrators are finding that Windows Server 2025 and Windows 11 version 24H2 are not receiving updates from Windows Server Update Services (WSUS). The issue often stems from conflicting registry settings that prevent the new operating systems from correctly communicating with the WSUS server. This problem can be resolved by modifying specific registry keys to ensure the devices look exclusively to WSUS for their updates.
Understanding the WSUS Environment
For many years, businesses have relied on Windows Server Update Services (WSUS) to manage and distribute Microsoft updates. It acts as a local update library for your company’s network. Instead of every computer reaching out to Microsoft’s servers over the internet, they connect to your internal WSUS server. This gives administrators control over which updates are approved and when they are installed. It also saves a significant amount of internet bandwidth, especially in large organizations.
Microsoft has stated that WSUS will not receive new feature developments. However, it is important to know that the service is not being discontinued. The WSUS server role is still included in Windows Server 2025 and will be supported for the life of the product. This means you can continue using your existing WSUS infrastructure to manage updates for your servers and client computers, including the latest versions. This assurance is crucial for IT departments that have built their patch management strategies around this established tool. The problem is not with WSUS itself, but with how the new operating systems are configured to find updates.
The Problem in Detail
System administrators have started reporting a specific, confusing behavior. They have a fully patched Windows Server 2022 machine running the WSUS role. When they add new Windows Server 2025 machines to their network, everything appears to work correctly at first.
- The new Windows Server 2025 computers show up correctly within the WSUS administration console. They are properly identified with the correct operating system name.
- Administrators approve the necessary updates for the new servers, which are categorized under a label like “Microsoft Server Operating System Version 24H2.”
- Despite these correct steps, the Windows Server 2025 instances never find or install the approved updates. They report that they are up to date, even though they are missing patches.
This issue is not isolated to Windows Server 2025. The same problem has been observed with Windows 11 clients running the version 24H2 feature update. Meanwhile, older operating systems on the same network, like Windows Server 2022 and Windows Server 2019, continue to pull updates from WSUS without any issues. This inconsistency makes the problem difficult to diagnose, as it suggests the WSUS server itself is working correctly.
Finding the Source of the Conflict
The key to understanding this issue lies in how a computer decides where to look for updates. Modern Windows operating systems can be configured to check multiple locations. They can look at your internal WSUS server, but they can also check the public Windows Update servers online. This capability is sometimes called “dual scan.” It is part of a larger framework that allows devices to be managed by more than one tool, such as being co-managed by an on-premises tool like Configuration Manager (SCCM) and a cloud-based tool like Microsoft Intune.
The problem arises when registry settings related to this dual-source capability are misconfigured. Windows 11 24H2 and Windows Server 2025 seem to interpret these settings differently than older versions. Even if you do not use co-management or Intune, leftover or incorrectly set policy settings can create a conflict. These settings can effectively tell the operating system to prioritize or check a source other than your WSUS server, or they can create a state of confusion where no updates are retrieved at all. Administrators investigating the issue discovered new registry entries on their Windows Server 2025 machines, such as DeferFeatureUpdate, which were set to a value of 0. This pointed to a configuration conflict happening directly on the client machine, not on the WSUS server.
How to Fix the Update Problem
The solution is to correct the registry on the affected client machines (the Windows 11 24H2 and Windows Server 2025 computers) to remove any confusion about where to get updates. By making these changes, you are giving the computer a single, clear instruction: get all your updates from the WSUS server specified in your Group Policy.
Important: Editing the registry can cause system problems if done incorrectly. It is wise to back up the registry before making any changes. You should be comfortable using the Registry Editor to proceed.
- Open the Registry Editor. On the affected computer, press the Windows key, type regedit, and press Enter. You will need administrative privileges to make changes.
- Navigate to the Windows Update Policy Key. In the Registry Editor, go to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- Check for Conflicting Policies. Look for the registry values listed below. These values might be forcing your computer to look for updates online instead of from your WSUS server. If you find any of them, the recommended action is often to delete them. Deleting them allows the settings from your Group Policy Objects (GPOs) for WSUS to take full effect without conflict.
  - TargetReleaseVersion
  - TargetReleaseVersionInfo
  - ProductVersion
  - UpdateServiceUrlAlternative
  - SetPolicyDrivenUpdateSourceForFeatureUpdates
  - SetPolicyDrivenUpdateSourceForQualityUpdates
  - SetPolicyDrivenUpdateSourceForDriverUpdates
  - SetPolicyDrivenUpdateSourceForOtherUpdates
- Verify the AU Subkey. Go to the subkey located at: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
- Confirm the WSUS Setting. Inside the AU key, look for a value named UseWUServer. This value should be set to 1. This setting explicitly tells the Automatic Updates client to use the server specified in your WSUS Group Policy. If this value is 0 or is missing, your client will not use WSUS.
- Restart the Windows Update Service. After making the registry changes, you need to restart the Windows Update service for them to take effect. You can do this by opening a Command Prompt as an administrator and running the following commands one by one:
    net stop wuauserv
    net start wuauserv
- Check for Updates Again. On the client machine, go to Settings > Windows Update and manually check for updates. The computer should now successfully contact your WSUS server and begin downloading the updates you have approved.
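The same checks as a PowerShell audit script, for running across several affected machines. This is an added example, not part of the original article: by default it only reports, and with the `-Remove` switch it backs up the policy key, deletes the listed values and restarts `wuauserv`. The parameter names and the backup path are assumptions made for this example.

```powershell
# Added example: audits the WSUS client policy values named in the steps above.
# Run elevated. -Remove and -BackupPath are parameter names chosen for this example.
param(
    [switch]$Remove,
    [string]$BackupPath = "$env:TEMP\WindowsUpdate-policy-backup.reg"
)

$wuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuKeyReg = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'  # same key, reg.exe syntax
$conflicting = @(
    'TargetReleaseVersion', 'TargetReleaseVersionInfo', 'ProductVersion',
    'UpdateServiceUrlAlternative',
    'SetPolicyDrivenUpdateSourceForFeatureUpdates',
    'SetPolicyDrivenUpdateSourceForQualityUpdates',
    'SetPolicyDrivenUpdateSourceForDriverUpdates',
    'SetPolicyDrivenUpdateSourceForOtherUpdates'
)

if (-not (Test-Path $wuKey)) {
    Write-Warning "$wuKey does not exist: no Windows Update policy is set on this machine."
    return
}

# Report which of the listed values exist under the policy key, with their data.
$key   = Get-Item -Path $wuKey
$found = @($conflicting | Where-Object { $key.Property -contains $_ } | ForEach-Object {
    [pscustomobject]@{ Name = $_; Value = $key.GetValue($_) }
})
if ($found.Count -eq 0) { Write-Output 'None of the listed values are present.' }
else                    { $found | Format-Table -AutoSize }

# UseWUServer under the AU subkey must be 1 for the client to use WSUS.
$au = Get-ItemProperty -Path (Join-Path $wuKey 'AU') -Name UseWUServer -ErrorAction SilentlyContinue
if ($null -eq $au -or $au.UseWUServer -ne 1) {
    Write-Warning "AU\UseWUServer is missing or not 1; the client will not use WSUS."
}

if ($Remove -and $found.Count -gt 0) {
    # Export the whole policy key first so the change can be reverted with 'reg import'.
    reg.exe export $wuKeyReg $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; nothing was deleted." }
    foreach ($item in $found) { Remove-ItemProperty -Path $wuKey -Name $item.Name }
    Restart-Service -Name wuauserv   # same effect as net stop / net start wuauserv
    Write-Output "Removed $($found.Count) value(s); backup saved to $BackupPath."
}
```

Values that are written by a Group Policy Object return at the next policy refresh, so if they reappear after removal, correct the GPO that sets them as well.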
By cleaning up these conflicting registry entries, you resolve the ambiguity that prevented the new operating systems from communicating correctly with WSUS. This direct approach ensures your patch management policies are enforced as intended.