Windows Server 2016 Not Getting Updates After August 2025: SSU Prereqs and WSUS Fix

BornCity’s report that some Windows Server 2016 installations have not been offered updates since August 2025 landed as a practical alarm for administrators running aging on‑premises servers: several readers and community posts describe machines that stopped seeing cumulative updates and new servicing‑stack updates (SSUs) after July/August, showing “Your device is up to date” while newer KB packages were known to exist. This article summarizes the available evidence, verifies the relevant Microsoft technical bulletins, explains the plausible root causes, and provides a prioritized, actionable remediation checklist for IT teams facing the same symptom.

Background / Overview

Windows Server 2016 remains in extended support and Microsoft continued to publish cumulative and servicing updates for the 1607 codebase through 2025. Administrators reported that some Server 2016 hosts — including Essentials SKU instances — stopped being offered updates after July/August; affected servers showed older servicing stack versions (for example KB5062799 from July 2025) and did not receive the August cumulative rollup (KB5063871) or the September SSU (KB5065687) via Windows Update or WSUS. BornCity collected multiple first‑hand reports and community threads that describe identical behavior on physically distinct and virtualized hosts.
At the same time, Microsoft’s August 2025 update wave introduced a number of delivery‑path and compatibility regressions (WSUS delivery errors, Known Issue Rollback artifacts, and MSI/UAC changes), and Microsoft reissued or published out‑of‑band packages to remediate some problems. Those events changed how enterprise update flows behaved in August and September, and they created multiple operational cookbooks for administrators who relied on on‑premises update infrastructure.

What the public record shows (verification)

  • Microsoft published a cumulative update for the Windows 10/Server 1607 family on August 12, 2025 (KB5063871); the KB documentation explicitly explains prerequisites and known issues tied to servicing‑stack prerequisites. This update exists and is listed in Microsoft’s support pages.
  • Microsoft also published a servicing‑stack update (SSU) on July 8, 2025 (KB5062799) and later shipped an updated SSU on September 9, 2025 (KB5065687). Microsoft support pages warn that until the latest SSU is installed, some cumulative updates will not be offered to the device. In short: a missing SSU can prevent the client from seeing subsequent rollups.
  • A September 9, 2025 cumulative rollup for the 1607 family (OS Build 14393.8422, KB5065427) was published and documented by Microsoft; the presence of this KB confirms that Microsoft produced updates for the 1607/Server 2016 channel in September even if some clients did not receive them automatically.
  • Microsoft publicly acknowledged a delivery problem in mid‑August where certain August rollups failed when deployed through WSUS/SCCM and provided Known Issue Rollback (KIR) artifacts and a re‑release for WSUS to fix the 0x80240069 error. That WSUS disruption impacted enterprise delivery channels and left some administrators temporarily holding off on automatic pushes.
Taken together: Microsoft produced updates for the Server 2016 (1607) branch through August and September 2025, but several documented mechanics — SSU prerequisites, WSUS metadata/delivery problems and KIRs — explain why a given Server 2016 host might report “up to date” while updates exist on the Catalog. These points are independently verifiable in Microsoft KB pages and the community reporting aggregated by BornCity.

Why servers might not be offered updates: probable causes explained

Below are the most common root causes observed in the field and referenced by Microsoft’s guidance and the community reporting. Each explains a legitimate mechanism that will make a machine not see an update even though Microsoft has published it.
  • Missing or outdated Servicing Stack Update (SSU) prerequisite. Microsoft’s KBs state explicitly that certain cumulative packages will not be offered until the latest SSU is present on the device; an out‑of‑date SSU can block future rollups from being presented. If a system is stuck on an older SSU (for example KB5062799) and the new LCU requires the September SSU (KB5065687), Windows Update may not surface the LCU. This is the single most common and easily overlooked explanation for “no updates offered.”
  • WSUS metadata/delivery re‑release or Known Issue Rollback (KIR). August 2025 delivered a high‑profile WSUS delivery regression that caused a re‑release and a KIR on some product lines; on affected WSUS chains, clients may see nothing until the upstream WSUS server is re‑synchronized, a KIR is applied, or the administrator imports the corrected package. If the WSUS server has not pulled the corrected metadata or an update is declined/superseded in WSUS, clients will not be offered the new LCU.
  • Client or server update configuration and policy (Group Policy, Windows Update for Business, or registry tweaks). Some organizations silently shift configuration (defer feature/quality updates, exclude product categories, or limit servicing channels). A misapplied policy can make a device “up to date” against its configured baseline while more recent catalog entries exist. WSUS product/classification selections and languages also matter for what the server synchronizes and offers.
  • Superseded/declined updates on WSUS or corrupted local WSUS cache. WSUS approval state matters; if an update is mistakenly Declined or the WSUS content store is missing the file, clients won’t be offered the package — even though it exists on Microsoft Update Catalog. Running WSUS server maintenance and resynchronization may be necessary.
  • Intermittent Microsoft infrastructure or transient bugs. Microsoft’s August and subsequent OOB updates included remedial packages to repair service and recovery regressions. Transient errors at Microsoft’s distribution endpoints can produce short windows where particular SKUs stop being offered updates until the backend is corrected and WSUS servers re‑sync. Community reporting indicates previous, similar incidents in 2025.
  • End‑of‑support confusion or misclassification. While Windows Server 2016 is in extended support and still receives security updates (extended end date: January 12, 2027), some administrators mistakenly treat the October 2025 Windows 10 support milestones as a signal to change update behavior for 1607‑based products; this can lead to incorrect update policies or postponed servicing. Always cross‑check the product lifecycle for Server SKUs.

Practical, prioritized remediation checklist (for admins)

This is a triaged, sequential plan to diagnose and fix a Server 2016 host that is not being offered updates.
  • Confirm the facts (do not assume an outage).
      • Check the server’s currently installed SSU: run PowerShell Get-HotFix or check the Windows Update history UI. If the last SSU equals KB5062799 (July 2025), the machine may need the newer SSU. Microsoft makes explicit that without the latest SSU some LCUs will not be offered.
  • Install the latest SSU manually and reboot.
      • Download the current SSU for your platform (Server 2016, x64) from Microsoft Update Catalog and install it manually. SSUs are non‑removable and update the servicing stack; they are commonly the gating factor for subsequent LCUs. After installing the SSU, reboot, then re‑check Windows Update. Microsoft’s KB pages for both the July and September SSUs describe this prerequisite behavior.
  • If WSUS is in use: resynchronize and check approvals.
      • On the WSUS server: manually synchronize, check that the August/September 2025 updates are present and Approved for the target computer groups. If you suspect missing content or corrupt metadata, run wsusutil reset on the WSUS server to force re‑download of files. Importing the update from the Microsoft Update Catalog into WSUS (via the WSUS console import) is a valid fallback.
  • Force a client scan and check client logs.
      • On Server 2016 clients run the Update Session Orchestrator to force detection: usoclient.exe StartScan (or use documented PowerShell COM detection lines). Collect the Windows Update diagnostic logs (the file converted by Get-WindowsUpdateLog, and C:\Windows\WindowsUpdate.log or the Event Viewer) to inspect failure codes and whether the client is contacting WSUS or Microsoft Update. Note: wuauclt is deprecated for Windows 10/Server 2016; usoclient and the PowerShell AutoUpdate COM object are the practical tools.
  • If WSUS clients still show no updates: try manual MSU install.
      • Download the relevant SSU/LCU .msu packages from the Microsoft Update Catalog and install them manually. BornCity explicitly recommends manual catalog downloads as a reliable workaround when automatic delivery fails; manual installation also proves whether the package itself is incompatible on the host.
  • Check Group Policy / Windows Update policy settings.
      • Verify that Group Policy (or MDM) is not directing clients to a deferral calendar, different branch, or a non‑synchronizing WSUS server. Check registry keys used by Windows Update if necessary. If the host is targeted by maintenance windows that block detection at the time you test, adjust accordingly.
  • Escalate: collect evidence and open a Microsoft support case.
      • If multiple machines stop seeing updates after you have validated SSU, WSUS, and manual installability, collect WindowsUpdate logs and WSUS synchronization logs and open a support case. Because these symptoms can sometimes be caused by Microsoft distribution issues, a case provides visibility into whether your subscription/region was affected by a re‑release or backend incident.

Recommended commands and quick reference snippets

  • Check installed updates (PowerShell):
      • Get-HotFix | Where-Object {$_.HotFixID -like "KB*"} (lists installed KBs).
  • Force client scan on Server 2016:
      • Start an elevated CMD and run: usoclient.exe StartScan (or use the PowerShell COM object: (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()).
  • WSUS server: resync and reset content:
      • In an elevated prompt on the WSUS server: wsusutil reset
  • Manually install updates:
      • Download the relevant SSU and LCU .msu from Microsoft Update Catalog and run them interactively or from the command line.

Note: usoclient.exe is an internal utility (undocumented for public consumption); it works in practice on Server 2016/Windows 10 families to trigger detection, download, and install actions, but behavior may vary across builds and servicing stack versions. Use these commands as diagnostic steps and prefer manual SSU installation when feasible.
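
The first diagnostic steps of the checklist (SSU present, update source and deferral policy, last successful scan) can be collected in one read-only pass. The script below is an added example, not code from BornCity or Microsoft; the function name, the 7-day staleness threshold and the choice of KB5065687 as the required SSU are assumptions to adjust to your own baseline.

```powershell
# Added example: read-only triage for a Server 2016 host that reports "up to date".
function Get-UpdateOfferTriage {
    param(
        [string]$RequiredSsu    = 'KB5065687',  # September 2025 SSU named in the article
        [int]   $MaxScanAgeDays = 7             # assumed staleness threshold
    )

    # 1. Is the gating SSU present? (returns nothing if the KB is not installed)
    $ssu = Get-HotFix -Id $RequiredSsu -ErrorAction SilentlyContinue

    # 2. Where does policy send the client, and are quality updates deferred?
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $usesWsus = ($au.UseWUServer -eq 1) -and [bool]$wu.WUServer

    # 3. Last successful detection scan, as recorded by the update agent (UTC)
    $lastScan = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastSearchSuccessDate
    $scanAge  = if ($lastScan) { ((Get-Date).ToUniversalTime() - $lastScan).TotalDays } else { [double]::MaxValue }

    # 4. Build number, to compare against the OS build listed in the KB article
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    $findings = @()
    if (-not $ssu) {
        $findings += "SSU $RequiredSsu not installed: later LCUs may not be offered"
    }
    if ($usesWsus) {
        $findings += "Scans go to WSUS ($($wu.WUServer)): check sync and approvals there"
    }
    if ($wu.DeferQualityUpdates -eq 1) {
        $findings += "Quality updates deferred $($wu.DeferQualityUpdatesPeriodInDays) days by policy"
    }
    if ($scanAge -gt $MaxScanAgeDays) {
        $findings += "No successful scan in the last $MaxScanAgeDays days"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OsBuild      = "$($cv.CurrentBuild).$($cv.UBR)"
        RequiredSsu  = $RequiredSsu
        SsuInstalled = [bool]$ssu
        UpdateSource = if ($usesWsus) { $wu.WUServer } else { 'Windows Update / Microsoft Update' }
        LastScanUtc  = $lastScan
        Findings     = $findings
    }
}

Get-UpdateOfferTriage | Format-List
```

An empty Findings list on a host that still sees no updates points away from the client and toward the WSUS side or a manual install test.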

Strengths, tradeoffs and risks

  • Strengths / positive findings
      • Microsoft continued to publish updates for the Server 2016 channel in August and September 2025; the patches exist and can be acquired via the Microsoft Update Catalog or WSUS (once synchronized). That means an organization still on Server 2016 can receive security mitigations — the infrastructure is there.
      • The diagnostic path is generally straightforward: install the SSU, resync WSUS, and the machine will normally be offered the LCU. In most community reports manual SSU installation and manual LCU installation have restored patching.
  • Risks / downsides / operational costs
      • Visibility risk: a machine reporting “up to date” may be silently out of policy and unpatched — a dangerous and stealthy failure mode for security posture and compliance reporting.
      • Operational friction: manually updating SSUs and LCUs on many servers is labor‑intensive, requires reboots and testing, and may be impossible with constrained maintenance windows.
      • WSUS complexity: enterprise WSUS hierarchies and replica chains can hide re‑release or metadata problems; a fix at Microsoft’s backend does not always immediately propagate to all WSUS parents and replicas without explicit resynchronization and content resets.
      • Compatibility caveats: some administrators delayed deploying August packages because that update wave included compatibility regressions (MSI/UAC prompts and other regressions). That caution is reasonable but increases the number of servers that remained on older servicing stacks — and therefore not offered later updates.

How to make your patching process more resilient (operational recommendations)

  • Make SSU validation part of patch‑day checkpoints. Add a quick verification that all production images have the latest SSU before expecting cumulative updates to be offered; automated inventory queries (Get-HotFix or SCCM/Intune reports) work well.
  • Treat WSUS as stateful; script sanity checks for approvals and content presence. After major Microsoft re‑releases, schedule a scripted WSUS content and approval audit (list of KBs vs approved state). If you rely on replicas, ensure upstream servers are synchronized and that approvals have propagated.
  • Automate a manual‑fallback path for critical servers. Create a tested automation to download and install SSU + LCU from the Catalog for priority hosts when automatic delivery stalls; include pre/post checks and rollback plans.
  • Improve telemetry and alerting for “no updates offered.” Don’t equate “no new updates found” with “healthy.” Adjust monitoring to alert on long periods without available security updates or when an endpoint’s servicing stack lags the fleet baseline.
  • Keep lifecycle dates and vendor guidance visible to business stakeholders. Windows Server 2016 remains entitled to security updates through January 12, 2027, but that window is finite; long‑term plans to move to a supported platform reduce risk and operational overhead.
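
The scripted WSUS audit recommended above (list of KBs vs approved state) can look like the following. This is an added example, not a Microsoft or BornCity script: it assumes it runs on the WSUS server with the UpdateServices module available, that Server 2016 packages carry "Windows Server 2016" in their title, and the function name is hypothetical.

```powershell
# Added example: read-only audit, run on the WSUS server (UpdateServices module).
function Get-WsusKbAudit {
    param(
        # KBs named in the article; replace with the KBs you expect to deploy
        [string[]]$Kb = @('KB5063871', 'KB5065427', 'KB5065687'),
        # Assumption: Server 2016 packages carry this text in their title
        [string]$TitleFilter = '*Windows Server 2016*',
        $Server = (Get-WsusServer)
    )

    foreach ($id in $Kb) {
        # SearchUpdates is a text search, so narrow the hits to the Server 2016 packages
        $updates = @($Server.SearchUpdates($id) | Where-Object { $_.Title -like $TitleFilter })

        if ($updates.Count -eq 0) {
            [pscustomobject]@{
                Kb = $id; Title = $null; State = $null
                Finding = 'Not in WSUS metadata: synchronize or import from the Catalog'
            }
            continue
        }

        foreach ($u in $updates) {
            # Order matters: a declined update is never offered, whatever else is set
            $finding = if ($u.IsDeclined) { 'Declined: clients will not be offered it' }
                elseif ($u.IsSuperseded)           { 'Superseded: confirm the replacement is approved' }
                elseif (-not $u.IsApproved)        { 'Not approved for any computer group' }
                elseif ("$($u.State)" -ne 'Ready') { 'Approved, but content is not ready on this server' }
                else                               { 'OK' }

            [pscustomobject]@{ Kb = $id; Title = $u.Title; State = $u.State; Finding = $finding }
        }
    }
}

# Show only the rows that need attention
Get-WsusKbAudit | Where-Object Finding -ne 'OK' | Format-Table -AutoSize -Wrap
```

Run it on each upstream and replica server after a re-release; a KB that is OK upstream but missing or unapproved on a replica indicates that synchronization or approval has not propagated.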

Final assessment and cautionary notes

BornCity’s community evidence and Microsoft’s KBs together paint a clear picture: updates for Windows Server 2016 were published in August and September 2025, but delivery obstacles and prerequisite servicing‑stack rules created windows where some servers would not be offered those updates automatically. The most defensible explanation for the “no updates since August” symptom is a missing SSU combined in some environments with WSUS metadata or approval problems — not an intentional Microsoft cessation of updates for Server 2016. Administrators who encountered this problem restored patch availability by installing the SSU manually, re‑synchronizing WSUS, or applying the update directly from the Microsoft Update Catalog.
Two cautionary points:
  • If you see identical symptoms across many hosts in different networks, do not assume a single local misconfiguration; collect logs, verify SSU versions, and confirm whether your WSUS upstreams have the updated metadata and approved packages.
  • Some claims in community threads describing total blockages or “Microsoft stopped sending updates to 2016” are anecdotal in scope; they describe real operational pain but are not proof of an intentional halt in support. Treat community reports as alerts that require technical verification against Microsoft’s published KBs and your inventory.

Quick checklist — immediate actions to run now

  • Verify SSU version on an affected server. If older than the latest SSU, download and install the current SSU and reboot.
  • If you use WSUS: synchronize the server, confirm approvals for the August/September KBs, and run wsusutil reset if files appear missing.
  • Force a client scan using usoclient.exe StartScan (Server 2016/Windows 10) and examine WindowsUpdate logs to capture error codes and delivery path.
  • If auto delivery still fails, download the LCU and SSU from the Microsoft Update Catalog and install manually on priority hosts.

The operational lesson is simple: when an update goes missing from Windows Update or WSUS for an actively supported product, assume a prerequisite or delivery metadata problem first — check the servicing stack, WSUS approvals, and Microsoft’s Release Health notes — and apply the safe manual fallback (SSU then LCU from the Catalog) to restore protection quickly. BornCity’s reporting flagged a real community problem; the combination of Microsoft’s KB guidance and practical WSUS/SSU mechanics explains why affected admins saw “up to date” while newer patches existed.

Source: BornCity Windows Server 2016: Doesn't get updates since August 2025 | Born's Tech and Windows World
 
