The WSUS client agent may not report to the WSUS server for many reasons. Here I'll go through some
of the reasons and how you can troubleshoot the process. There are also some situations you may run into where some or all clients stop reporting to the server and these steps will also help for those scenarios as well.
1. Make sure that the client has the proper WSUS settings
On the client run gpresult or rsop.msc to make sure that the details of the WSUS server exist. If not then a couple possible causes include:
- The system does not have the group policy from the Domain.
- The Group Policy is not been targeted to the client system.
To address this, you need to make sure that the group policy is successfully updated on each client and that
the WSUS setting is properly configured. For more information on this see the following TechNet documentation:
Configure Automatic Updates by Using Group Policy
In case you are using a registry modification or local policy make sure that the same is applied. The registry location where the WSUS server configuration is stored is below:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"=" http://<WSUSSERVER:PORT>""
"WUStatusServer"=http://<WSUSSERVER:PORT> …etc
Further options on the WSUS Agent settings are available here:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:0000000X …etc
You can find more details on how you can use scripts to configure the WSUS settings from the following link:
http://msmvps.com/blogs/athif/archive/2005/09/14/Manually_Configure_WUA.aspx
Once you have made sure that the WSUS settings are configured correctly you can move on to next step.
2. Make sure that the agent services are up and running
You need to make sure that the WSUS agent service (Automatic Updates) and BITS (Background Intelligent Transfer Service) are running. The System\Application event viewer events can help you identify and troubleshoot this issue. If you suspect your issue may be related to issues with the Automatic Update or BITS services, here are few links that can be helpful in troubleshooting these types of issues:
KB331716 - List of known issues for Background Intelligent Transfer Service (BITS)
KB969632 - Background Intelligent Transfer Service (BITS) does not start in Windows XP, and you receive a message in the System log: "The Background Intelligent Transfer Service service terminated with service-specific error 2147500037 (0x80004005)"
KB883614 - You receive a "Windows Update has encountered an error and cannot display the requested page" error message when you try to install an update
KB959894 - Error message: “The necessary service "Automatic Updates" (WUAUSERV) is not started or Background Intelligent Transfer Service (BITS) is disabled. Error 0x8DDD0018” or Error codes 0x80244019 or 0x80070422 when attempting to install updates.
3. Make sure the WSUS server is reachable from the client
Make sure that you can access the site /iuident.cab">/iuident.cab">/iuident.cab">http://<WSUSSERVER:port>/iuident.cab and download the file without errors. If this fails then some possible reasons include:
- There is a name resolution issue on the client.
- There is network related issue (e.g. there's a proxy configuration issue, etc.).
One of the most common issues we see is the proxy issue. For that you can check the windowsupdate.log (C:\windows\) and see if there are any proxy related errors. If yes then you can run the proxycfg command to check the win http proxy settings. For more information on the proxycfg command you can check the following link:
http://msdn.microsoft.com/en-us/library/ms761351(VS.85).aspx
Most of the clients will have the proxycgf utility but if not then you can download it here:
KB830605 - The Proxycfg.exe configuration tool is available for WinHTTP 5.1
If you are finding proxy errors then what you can do is go to Internet Explorer –> Tools -> Connections –> LAN Settings and configure the correct proxy and make sure you can reach the WSUS URL specified. Once done you can copy these user proxy settings to the win http proxy settings using the proxycfg –u command.
Once the proxy settings are specified you can run wuauclt /detectnow and check the windowsupdate.log for errors.
4. Make sure the agent is healthy and working
If you still have errors you can check the windows update agent version. The details on how to do this are here:
http://technet.microsoft.com/en-us/library/bb680319.aspx
If you find that the agent is not up to date then you can update the windows update agent to the latest here:
KB949104 - How to obtain the latest version of the Windows Update Agent to help manage updates on a computer
For more information see http://technet.microsoft.com/en-us/library/bb932139.aspx
You can also use the utility provided in KB971058 that will help you to sort out most of the issues with the agent. Once you've run the fix or updated the agent you can run wuauclt /detectnow and check the windowsupdate.log to make sure there is no issues.
5. Automatic Update Agent Store is corrupted
When we have issues with the ability to download updates and we're experiencing errors relating to the software distribution store then try the following on the client:
a. Stop the Automatic Updates service
b. Rename the software distribution folder (i.e. C:\Windows\SoftwareDistribution).
c. Restart the Automatic Update service
d. Run wuauclt /resetauthorization /detectnow
e. Run wuauclt /reportnow
6. Clients with the Same SUSclient ID
This issue can happen when we image systems and the clients end up having the same SUSclientID. The result is that only one among these clients will appear in the console. You may also see that out of a group of these clients, only one appears at a time but the exact one that does appear may change over time. For those clients that are not registering due to the SUS GUID issue we can use the following:
a. Stop the automatic service
b. Delete the SUSclientID reg key
HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
c. Restart the automatic service
d. Run wuauclt /resetauthorization /detectnow
e. Run wuauclt /reportnow
Hope this helps,
Sudheesh Narayanaswamy | Support Engineer
Looks like there's been a new category addition to WSUS:
There is a new product category being added to the WSUS Products and Classifications dialog under the product family “Expression”. The new product category is for Expression Web 3.
The Expression Web 3 product category will include updates for Expression Web 3, including service packs, incremental and cumulative updates.
For additional information on the Expression product family, see http://www.microsoft.com/expression.
Microsoft will also be releasing a service pack for Expression Web 3 in the coming months.
For all the details see http://blogs.technet.com/wsus/archive/2009/11/16/new-category-for-expression-web-3.aspx
J.C. Hornbeck | Manageability Knowledge Engineer
The good folks at the Microsoft Security Response Center announced that the questions and answers from the November Security Bulletin webcast have been posted along with the video from the webcast itself.
You can get all the details at http://blogs.technet.com/msrc/archive/2009/11/13/november-2009-security-bulletin-webcast.aspx.
J.C. Hornbeck | Manageability Knowledge Engineer
Just in case you missed it, last Friday we released Security Advisory 977544 to provide information, including customer guidance, on a publicly reported Denial-of-Service (DoS) vulnerability affecting Server Messaging Block (SMB) Protocol.
You can read all the details here.
J.C. Hornbeck | Manageability Knowledge Engineer
Today, we released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word).
As we do every month, we have prepared our Risk & Impact and our Deployment Priority guidance to help customers assess risk to their environments and prioritize the deployment of this month’s updates. Risk & Impact is a snapshot of the cumulative severity and exploitability index ratings for each bulletin. This month, MS09-065 is the only bulletin with a critical severity rating and an Exploitability Index rating of 1 (“Consistent Exploit Code Likely”). This bulletin provides updates for three vulnerabilities in Windows Kernel-Mode Drivers. We recommend customers prioritize and deploy this update immediately.
For all the details see http://blogs.technet.com/msrc/archive/2009/11/10/november-2009-security-bulletin-release.aspx
J.C. Hornbeck | Manageability Knowledge Engineer
I know this isn’t WSUS specific but I thought it was something you’d appreciate hearing about nonetheless. The Solution Accelerator team is pleased to announce the immediate availability of the Microsoft Assessment and Planning Toolkit 5.0 Community Technical Preview (CTP). Designed to simplify and streamline the IT infrastructure planning process across multiple scenarios through network-wide automated discovery and assessments, this tool provides a quick and complete inventory of the current IT environment of any organization, hardware and device compatibility assessment, and actionable reporting of recommended hardware upgrades for migration.
The MAP Toolkit 5.0 CTP includes these new features:
· Heterogeneous Server Environment Inventory for Technologies including Windows Server, Linux, UNIX and VMware.
· Ability to determine usage of deployed System Center Configuration Manager, a member of the Core Client Access License Suite.
· Readiness assessment for migration or upgrade to Microsoft Office 2010.
Over 800,000 Microsoft customers and partners including Costco Wholesale Corporation, Continental Airlines, and Pella Corporation have already downloaded and used this toolkit to help plan for their server and PC deployments.
Additional MAP Toolkit Features include:
• Windows 7 Hardware and Device Compatibility Assessment.
• Windows Server 2008 R2 Hardware and Device Compatibility Assessment.
• Virtualization Candidates Assessment for Hyper-V Server Consolidation.
• Inventory of VMware Server Hosts and Guests.
• Enhanced Usability and Improved Inventory Performance.
• SQL Server Instance Discovery.
• Desktop Security Assessment for Anti-virus and Anti-malware Programs Installation.
• Forefront Client Security/NAP Readiness Assessment.
To give you a quick sample, here are a couple MAP 5.0 Inventory and Assessment Wizard screenshots:
Here’s what the System Center Configuration Manager Server Report looks like:
Next Steps
· Register for the MAP Toolkit 5.0 CTP and download. (Live ID required)
· Want to influence the future of MAP? Complete the survey and receive a free 4GB Solution Accelerator branded Memory Stick.* (Live ID required)
· Download other Windows Server 2008 R2 and Windows 7 Solution Accelerators for your IT planning, deployment, and management needs.
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
Just a heads up but the folks at the MSRC just announced their Advance Notification for the November 2009 Security Bulletin Release:
To help customers plan and prioritize for this month’s security updates, we wanted to let you know that we will be releasing 6 bulletins (three critical and three important) addressing 15 vulnerabilities, affecting Windows and Microsoft Office products. Customers should plan a restart for the Windows bulletins. The Office bulletins may not require a restart if the components being updated are not in use. More information about the upcoming security updates can be found on the TechNet Web site.
To read all the details see http://blogs.technet.com/msrc/archive/2009/11/05/november-2009-bulletin-release-advance-notification.aspx
J.C. Hornbeck | Manageability Knowledge Engineer
I asked the FixIt team for this a while back and they have delivered. Now if you ever run into the symptoms below the chances are good we can automatically fix it with just a few clicks of the mouse:
The Symptoms: When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:
HTTP 401.1 – Unauthorized: Logon Failed
Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.
Additionally, an event message that resembles the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number
The Cause: This issue occurs when the web site uses Integrated Authentication and has a name that is mapped to the local loopback address.
The Fix: If you happen to come across any symptoms like this then take a look at the following Knowledge Base article:
896861 - You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
The cool part is that this KB article contains a link to a Wizard that will fix this issue for you automatically. All you have to do is download and run it. This Loopback issue impacts almost any product that uses IIS, including your very own favorite, WSUS.
Jarrett Renshaw | Content Quality Program Manager
From the MSRC blog:
Today we released an update 976749 that addresses two issues with MS09-054 that a limited number customers reported to us through our Customer Service and Support (CSS) group. These two issues can affect the proper display of web pages.
For all the details see http://blogs.technet.com/msrc/archive/2009/11/02/update-released-for-ms09-054.aspx
J.C. Hornbeck | Manageability Knowledge Engineer
I get this question every once in a while so I thought I’d share what I learned here. We have two options to upgrade WSUS SP1 to SP2:
1. As an offer from Microsoft Update
KB972455 is the WSUS SP2 update. If you want to see SP2 in the list of updates make sure you have selected Service Packs in the Classification list. Custom view has been added for Service Packs in the below screenshot.
For WSUS SP2 to be offered on the server running WSUS SP1, the following conditions should not be true:
1. SQL is running remote
2. Server is running MOM version of SCE
We are checking for the following registry keys to know if above conditions are met. If SP2 is not offered on the server running SP1 we may need to install SP2 manually in these scenarios.
“HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Microsoft Operations Manager\3.0\Setup" Value="ServerVersion" Comparison="EqualTo" Data="6.0.1251.0"
"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Microsoft Operations Manager\3.0\Setup" Value="ServerVersion" Comparison="EqualTo" Data="6.0.5000.0"
"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Update Services\Server\Setup" Value="SqlInstanceIsRemote" Comparison="EqualTo" Data="1"
"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\System Center Essentials\2.0\Setup\Components" Value="SERVER-VERSION" Type="REG_SZ"
If the above conditions are not true, SP2 will be offered to any server running SP1 if the following conditions are true:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup”
Value="Version" Comparison="EqualTo" Data="3"
Value="ServicePackLevel" Comparison="EqualTo" Data="1"
Value="VersionString" Comparison="EqualTo" Data="3.1.6001.65"
If SP2 is offered for the server running SP1 then we can approve the update for the installation. This update is not for the WSUS Clients. Following are some of the screenshots showing the SP2 installation through WSUS.
Note: SP2 upgrade is not a silent process, Admin intervention is required.
If WSUS SP2 is offered through WSUS, the installation process will first backup the SUSDB and we will see the following line in the WSUSSetup.log.
2009-09-06 02:40:39 Success MWUSSetup Creating database backup...
2. Manual Upgrade
As mentioned earlier, if SQL is on a remote machine we have to download the SP2 setup from the below link and run the upgrade manually on the server. Before running the setup you need to backup the SUSDB manually from the remote SQL box as the upgrade process will not take any backup of the database.
http://www.microsoft.com/downloads/details.aspx?FamilyId=a206ae20-2695-436c-9578-3403a7d46e40&displaylang=en
Once the setup is finished, the regular configuration wizard will start which can be ignored by clicking cancel.
How to check if Upgrade was Successful?
The installation of SP2 can be verified from Add/Remove Programs:
or from the Console:
or via the Registry:
Note: Administrative Tools will not show any Service Pack version at this time.
Hope this helps,
Mohammed Tajammul Hussain | Technical Support Lead
In case you missed the announcement on Friday, there will be a new product category added to the WSUS server Products and Classifications dialog under the existing System Center Virtual Machine Manager family called Microsoft System Center Virtual Machine Manager 2008 R2. This new category will allow all classifications of updates to be offered to the Microsoft System Center Virtual Machine Manager 2008 R2 product.
For more information see http://blogs.technet.com/wsus/archive/2009/10/23/new-product-category-for-microsoft-system-center-virtual-machine-manager-2008-r2.aspx
J.C. Hornbeck | Manageability Knowledge Engineer
I was working with the Windows Server Update Services (WSUS) support team a few months back looking for a way that we could help reduce the amount of time it takes to resolve a case as well as reduce the number of incidents we get, and one of the things that was suggested at the time was a site explaining some of the initial troubleshooting and data gathering steps we traditionally do for the majority of our cases. That way you can get a head start on any issue you’re calling about, plus we might end up resolving some issues before the call is even made.
It took a lot of time and a lot of effort by quite a few people but the site was eventually born:
http://blogs.technet.com/wsuscallback/
Since implementing the site back in March we’ve received a lot of great feedback so I thought it was about time that we broadcast this information here on the blog. If you’re looking for help troubleshooting an issue this is a great resource to bookmark. The site includes resources such as:
- Information on the WSUS logs and how to use them for troubleshooting
- An automatic fix for most client issues
- Prerequisites for each WSUS version
- Upgrade requirements and recommendations
- Known issues
- Information on Windows 7 and Windows Server 2008 R2 support
- How to troubleshoot common issues
- How-To articles
- Much much more
As always, this isn’t a site for requesting technical assistance but if you ever find yourself working on an issue with WSUS then this is a great place to start.
J.C. Hornbeck | Manageability Knowledge Engineer
The folks at the MSRC have posted the questions and answers from the security bulletin webcast we conducted on October 14 at this link. It was clear from all of the questions concerning MS09-062 (the GDI+ update) that there is some confusion on how to apply the update when you have a combination of SQL Server and Windows 2000 clients.
For all the details and to watch the video see http://blogs.technet.com/msrc/archive/2009/10/20/october-2009-security-bulletin-webcast-questions-and-answers.aspx
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
You’ve heard about it and read about and now you’ll soon have the chance to try it out yourself. The System Center Online Desktop Manager beta is coming soon:
The System Center Online team has been working hard in preparation for its next beta release of System Center Online Desktop Manager, expected in the fall of this year. This exclusive beta will only be available to a select number of customers. Our last beta was only offered to a small audience and resulted in a lot of great feedback from the customers who participated. This time we are widening the scope to include a few hundred customers.
Here's what will be included in the upcoming release:
- Updates Management Workload: Manage the Microsoft updates from a web-based console. Review available updates, choose updates and deploy to selected computers or groups of computers. Imagine WSUS from the cloud.
- Policy Workload: Provides the ability to configure operational settings of the Windows Update and Anti-Malware agents installed on the client computers.
- Anti-malware Workload: Review anti-malware, anti-virus status and remedial actions from the SCODM console. Ensure managed computers have up-to-date signatures.
- Assets Workload: Collect detailed hardware and software inventory on managed computers. View this information in reports. Use the License reconciliation feature to load your Microsoft volume license agreement information and compare installed application quantities with licensed quantities.
- Alerts Workload: Helps you quickly and easily find problems (or potential) on your computers. You can also get help on how to solve the problem or how to start troubleshooting.
We are looking for customers who are interested in participating in the fall beta! If you are an IT Pro who manages an IT environment and are interested in participation, we'd like to hear from you.
For all the details see http://blogs.technet.com/systemcenteronline/archive/2009/09/23/system-center-online-desktop-manager-beta-is-coming-soon.aspx
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
Below is the summary of Microsoft’s Security Bulletin Release for October 2009:
This month, we released 13 new bulletins which address 33 vulnerabilities in Windows, Internet Explorer and Microsoft Office. Since we published this information in our advance notification (ANS) last Thursday, we have been asked “is this the most bulletins Microsoft has ever released”? The short answer to that question is yes. However, we have, on several occasions, released between 10 and 12 bulletins so this is business as usual. All of our updates go through extensive quality testing and when they reach the bar for broad distribution, we schedule them for release.
To continue reading see http://blogs.technet.com/msrc/archive/2009/10/13/october-2009-security-bulletin-release.aspx
J.C. Hornbeck | Manageability Knowledge Engineer
