Resolving the duplicate SUSClientID issue, or “Why don’t all my clients show up in the WSUS console?”


A common issue we get calls on again and again is one where a customer has WSUS configured, but in the admin console some clients appear and others do not.  It may even seem to change at random: today some clients appear and others don’t, and tomorrow the ones that were there yesterday are gone and the ones that were missing have appeared.

So what’s going on?  99% of the time this happens because the clients in question have duplicate SUSClientID values.  This can happen for a couple of different reasons (see KB903262 for one example), but either way, duplicate SUSClientID values are likely the problem.
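To confirm the diagnosis before resetting anything, the following added example (not from the original article) reads SusClientId from a set of clients and lists any value held by more than one machine. It assumes PowerShell 3.0 or later with remoting (WinRM) enabled on the clients; the function names, computer names and GUIDs are hypothetical.

```powershell
# Added example, not part of the original article. Requires PowerShell 3.0+.
$WuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

# Read SusClientId from each client. Assumes PowerShell remoting (WinRM) is
# enabled; machines that cannot be read are returned with a $null ID.
function Get-SusClientId {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $id = $null
        try {
            $id = Invoke-Command -ComputerName $name -ErrorAction Stop `
                -ArgumentList $WuKey -ScriptBlock {
                    param($key)
                    (Get-ItemProperty -Path $key -Name SusClientId -ErrorAction Stop).SusClientId
                }
        } catch {
            Write-Warning "$name : $($_.Exception.Message)"
        }
        [pscustomobject]@{ ComputerName = $name; SusClientId = $id }
    }
}

# Group an inventory by SusClientId and return only the IDs held by more than
# one computer. Group-Object compares strings case-insensitively by default.
function Find-DuplicateSusClientId {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory |
        Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

# Constructed sample inventory (hypothetical names and GUIDs) so the grouping
# can be tried offline; PC-01 and PC-02 share an ID, PC-03 has no value.
$sample = @(
    [pscustomobject]@{ ComputerName = 'PC-01'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-02'; SusClientId = '11111111-AAAA-4BBB-8CCC-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-03'; SusClientId = $null }
    [pscustomobject]@{ ComputerName = 'PC-04'; SusClientId = '22222222-aaaa-4bbb-8ccc-000000000002' }
)
Find-DuplicateSusClientId -Inventory $sample | Format-Table -AutoSize

# Against live clients (placeholder names):
# Find-DuplicateSusClientId -Inventory (Get-SusClientId -ComputerName 'PC-01','PC-02')
```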

Fortunately the fix is pretty painless:

1. Create a batch file named ResetSUSClientID.bat using the text below:

Rem - Batch script to delete duplicate SusClientIDs
Rem - Implement this script as a "Startup" or "Logon"  script
Rem - Script creates an output file called %Systemdrive%\SUSClientID.log
Rem - If the %Systemdrive%\SUSClientID.log is already present, then the script simply exits

@Echo off
Rem - Skip the reset if the log file shows it has already run on this machine
if exist %systemdrive%\SUSClientID.log goto end
net stop wuauserv
net stop bits
Rem - Delete the cached client identity values; output is written to the log file
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f  > %systemdrive%\SUSClientID.log 2>&1
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f  >> %systemdrive%\SUSClientID.log 2>&1
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f  >> %systemdrive%\SUSClientID.log 2>&1
net start wuauserv
Rem - Reset the client authorization and run detection against the WSUS server
wuauclt.exe /resetauthorization /detectnow
:end


2. Run this script directly on the problem client, or copy the batch file to a domain share and create a Domain/OU level GPO to launch it as a Startup or Logon script on the affected clients.


That’s it. 

Note that several days after doing this, some WSUS client computers may show up in the WSUS console as not having checked in for xx amount of days.  This is because the old SUSClientIDs no longer exist and are therefore not checking in.  If you start seeing this, run the Server Cleanup Wizard to clean out the old records, but remember that it may take up to 90 days to clean all records completely.

J.C. Hornbeck | Manageability Knowledge Engineer

Special thanks to Joao Madureira and Greg Cottingham for contributing to this article.

  • Hi,

    There is a tool for solving Duplicate SID and Duplicate WSUS IDs on your network.

    It is called DSM (Duplicate SID Monitor); the good thing about it is that it will monitor your network all the time and not just the one time you ran the script to solve a problem.

    Link to the tool:

  • I know this is an old post, but could you please clear something up for me?  I noticed that you stopped the bits service, but did not restart it.  Should the bits service be restarted when the wuauserv service is started?


  • The BITS Service is normally set to manual and is started by other processes or services "on demand". So it is not necessary to restart the BITS service as the AU service will invoke it when it is needed.

  • Brilliant article, the batch file resolved this annoying issue, thank you a lot!

  • Should I delete the log file before running the bat file? I tried it on machines where the log file already exists and it does not do anything, but if I delete the log file then the batch runs okay.

  • Is this needed on Windows XP and 2000 or also on Vista/7/8?

  • Thanks, nice idea to think


  • I am a 1 man IT shop, so after realizing that I had done this, I was extremely happy to find your step-by-step instructions J.C. There are a lot of people that try to help others out here in the IT world but don't take into consideration the various levels of expertise. I truly appreciate you making my life a lot easier. Tested the script and it works great!

  • Above script will not execute properly on 64 bit machines; this script is redesigned to run in mixed 32 and 64 bit environments and it also sets the WsusIdResetOK value so it runs only once...


    rem Use the native 64-bit reg.exe when running as a 32-bit process on 64-bit Windows
    set src=%windir%\system32
    if exist %windir%\sysnative\ set src=%windir%\sysnative
    rem Exit if the marker value shows the reset has already been done
    %src%\REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v WsusIdResetOK
    if %errorlevel%==0 goto exit
    net stop wuauserv
    %src%\REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    %src%\REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    %src%\REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    net start wuauserv
    wuauclt /resetauthorization /detectnow
    rem Record that the reset ran so the script does nothing on later runs
    %src%\REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v WsusIdResetOK /t REG_SZ /d 1
    :exit


  • Nice idea! This is the answer I was looking for. Thanks.