WSUS client shows 0 missing patches but WSUS console shows needed patches

Hello Everyone,

I’m currently facing an issue with WSUS in a non-domain (workgroup) setup and would appreciate your guidance.

We recently set up WSUS on Windows Server 2022. Our environment does not use Active Directory, so each client server is configured manually using registry entries for WSUS connectivity and update configuration.

We have several Windows Server 2016 and 2019 clients. These clients are appearing in the WSUS console with their last contact time updating regularly, indicating that communication is working correctly.

In WSUS, we have selected the appropriate products and classifications (Windows Server 2016 and 2019, Security Updates, Critical Updates). We have approved all relevant updates from the past 12 months.

However, an issue arises where clients report "0 updates needed"—even though we know they are missing recent cumulative or security updates. For example, one server has only the June cumulative update and the related SSU installed, but no further updates are detected.

What we've verified:

• No firewall or proxy is blocking communication.
• WSUS is reachable on port 8530.
• Registry keys on clients are correctly configured (WUServer, WUStatusServer, etc.).
• We’ve used wuauclt /reportnow and usoclient StartScan to force scans.
• Client logs (WindowsUpdate.log, CBS.log) show contact with WSUS, but updates are not being detected.
• WSUS synchronization completes successfully and metadata appears intact.

Despite all this, WSUS shows the client as "up to date", even though it clearly is not.

We've been troubleshooting this for over two weeks, including reviewing Microsoft documentation and community posts, but haven't found a resolution.

If anyone has experienced a similar issue or can offer suggestions, your input would be greatly appreciated.

Thank You