The WSUS Support Team Blog

Tips for troubleshooting WSUS Agents that are not reporting to the WSUS server

jchornbe — Tue, 17 Nov 2009 17:00:50 GMT

The WSUS client agent may not report to the WSUS server for many reasons. Here I'll go through some
of the reasons and how you can troubleshoot the process. There are also some situations you may run into where some or all clients stop reporting to the server and these steps will also help for those scenarios as well.

1. Make sure that the client has the proper WSUS settings

On the client run gpresult or rsop.msc to make sure that the details of the WSUS server exist. If not then a couple possible causes include:

The system does not have the group policy from the Domain.

The Group Policy is not been targeted to the client system.

To address this, you need to make sure that the group policy is successfully updated on each client and that
the WSUS setting is properly configured. For more information on this see the following TechNet documentation:

Configure Automatic Updates by Using Group Policy

In case you are using a registry modification or local policy make sure that the same is applied. The registry location where the WSUS server configuration is stored is below:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"=" http://<WSUSSERVER:PORT>""
"WUStatusServer"=http://<WSUSSERVER:PORT> …etc

Further options on the WSUS Agent settings are available here:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:0000000X …etc

You can find more details on how you can use scripts to configure the WSUS settings from the following link:

http://msmvps.com/blogs/athif/archive/2005/09/14/Manually_Configure_WUA.aspx

Once you have made sure that the WSUS settings are configured correctly you can move on to next step.

2. Make sure that the agent services are up and running

You need to make sure that the WSUS agent service (Automatic Updates) and BITS (Background Intelligent Transfer Service) are running. The System\Application event viewer events can help you identify and troubleshoot this issue. If you suspect your issue may be related to issues with the Automatic Update or BITS services, here are few links that can be helpful in troubleshooting these types of issues:

KB331716 - List of known issues for Background Intelligent Transfer Service (BITS)

KB969632 - Background Intelligent Transfer Service (BITS) does not start in Windows XP, and you receive a message in the System log: "The Background Intelligent Transfer Service service terminated with service-specific error 2147500037 (0x80004005)"

KB883614 - You receive a "Windows Update has encountered an error and cannot display the requested page" error message when you try to install an update

KB959894 - Error message: “The necessary service "Automatic Updates" (WUAUSERV) is not started or Background Intelligent Transfer Service (BITS) is disabled. Error 0x8DDD0018” or Error codes 0x80244019 or 0x80070422 when attempting to install updates.

3. Make sure the WSUS server is reachable from the client

Make sure that you can access the site /iuident.cab">/iuident.cab">/iuident.cab">http://<WSUSSERVER:port>/iuident.cab and download the file without errors. If this fails then some possible reasons include:

There is a name resolution issue on the client.
There is network related issue (e.g. there's a proxy configuration issue, etc.).

One of the most common issues we see is the proxy issue. For that you can check the windowsupdate.log (C:\windows\) and see if there are any proxy related errors. If yes then you can run the proxycfg command to check the win http proxy settings. For more information on the proxycfg command you can check the following link:

http://msdn.microsoft.com/en-us/library/ms761351(VS.85).aspx

Most of the clients will have the proxycgf utility but if not then you can download it here:

KB830605 - The Proxycfg.exe configuration tool is available for WinHTTP 5.1

If you are finding proxy errors then what you can do is go to Internet Explorer –> Tools -> Connections –> LAN Settings and configure the correct proxy and make sure you can reach the WSUS URL specified. Once done you can copy these user proxy settings to the win http proxy settings using the proxycfg –u command.

Once the proxy settings are specified you can run wuauclt /detectnow and check the windowsupdate.log for errors.

4. Make sure the agent is healthy and working

If you still have errors you can check the windows update agent version. The details on how to do this are here:

http://technet.microsoft.com/en-us/library/bb680319.aspx

If you find that the agent is not up to date then you can update the windows update agent to the latest here:

KB949104 - How to obtain the latest version of the Windows Update Agent to help manage updates on a computer

For more information see http://technet.microsoft.com/en-us/library/bb932139.aspx

You can also use the utility provided in KB971058 that will help you to sort out most of the issues with the agent. Once you've run the fix or updated the agent you can run wuauclt /detectnow and check the windowsupdate.log to make sure there is no issues.

5. Automatic Update Agent Store is corrupted

When we have issues with the ability to download updates and we're experiencing errors relating to the software distribution store then try the following on the client:

a. Stop the Automatic Updates service
b. Rename the software distribution folder (i.e. C:\Windows\SoftwareDistribution).
c. Restart the Automatic Update service
d. Run wuauclt /resetauthorization /detectnow
e. Run wuauclt /reportnow

6. Clients with the Same SUSclient ID

This issue can happen when we image systems and the clients end up having the same SUSclientID. The result is that only one among these clients will appear in the console. You may also see that out of a group of these clients, only one appears at a time but the exact one that does appear may change over time. For those clients that are not registering due to the SUS GUID issue we can use the following:

a. Stop the automatic service
b. Delete the SUSclientID reg key

HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

c. Restart the automatic service
d. Run wuauclt /resetauthorization /detectnow
e. Run wuauclt /reportnow

Hope this helps,

Sudheesh Narayanaswamy | Support Engineer

New WSUS Category for Expression Web 3

jchornbe — Tue, 17 Nov 2009 14:06:00 GMT

Looks like there's been a new category addition to WSUS:

There is a new product category being added to the WSUS Products and Classifications dialog under the product family “Expression”. The new product category is for Expression Web 3.

The Expression Web 3 product category will include updates for Expression Web 3, including service packs, incremental and cumulative updates.
For additional information on the Expression product family, see http://www.microsoft.com/expression.
Microsoft will also be releasing a service pack for Expression Web 3 in the coming months.

For all the details see http://blogs.technet.com/wsus/archive/2009/11/16/new-category-for-expression-web-3.aspx

J.C. Hornbeck | Manageability Knowledge Engineer

Questions and Answers from the November 2009 Security Bulletin Webcast

jchornbe — Mon, 16 Nov 2009 15:36:16 GMT

The good folks at the Microsoft Security Response Center announced that the questions and answers from the November Security Bulletin webcast have been posted along with the video from the webcast itself.

You can get all the details at http://blogs.technet.com/msrc/archive/2009/11/13/november-2009-security-bulletin-webcast.aspx.

J.C. Hornbeck | Manageability Knowledge Engineer

Microsoft Security Advisory 977544 Released

jchornbe — Mon, 16 Nov 2009 15:24:42 GMT

Just in case you missed it, last Friday we released Security Advisory 977544 to provide information, including customer guidance, on a publicly reported Denial-of-Service (DoS) vulnerability affecting Server Messaging Block (SMB) Protocol.

You can read all the details here.

J.C. Hornbeck | Manageability Knowledge Engineer

Summary of Microsoft’s Security Bulletin Release for November 2009

jchornbe — Wed, 11 Nov 2009 15:41:41 GMT

Today, we released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word).

As we do every month, we have prepared our Risk & Impact and our Deployment Priority guidance to help customers assess risk to their environments and prioritize the deployment of this month’s updates. Risk & Impact is a snapshot of the cumulative severity and exploitability index ratings for each bulletin. This month, MS09-065 is the only bulletin with a critical severity rating and an Exploitability Index rating of 1 (“Consistent Exploit Code Likely”). This bulletin provides updates for three vulnerabilities in Windows Kernel-Mode Drivers. We recommend customers prioritize and deploy this update immediately.

For all the details see http://blogs.technet.com/msrc/archive/2009/11/10/november-2009-security-bulletin-release.aspx

J.C. Hornbeck | Manageability Knowledge Engineer

Microsoft Assessment and Planning Toolkit 5.0 Community Technical Preview (CTP) Now Available!

jchornbe — Tue, 10 Nov 2009 16:10:47 GMT

I know this isn’t WSUS specific but I thought it was something you’d appreciate hearing about nonetheless. The Solution Accelerator team is pleased to announce the immediate availability of the Microsoft Assessment and Planning Toolkit 5.0 Community Technical Preview (CTP). Designed to simplify and streamline the IT infrastructure planning process across multiple scenarios through network-wide automated discovery and assessments, this tool provides a quick and complete inventory of the current IT environment of any organization, hardware and device compatibility assessment, and actionable reporting of recommended hardware upgrades for migration.

The MAP Toolkit 5.0 CTP includes these new features:

· Heterogeneous Server Environment Inventory for Technologies including Windows Server, Linux, UNIX and VMware.

· Ability to determine usage of deployed System Center Configuration Manager, a member of the Core Client Access License Suite.

· Readiness assessment for migration or upgrade to Microsoft Office 2010.

Over 800,000 Microsoft customers and partners including Costco Wholesale Corporation, Continental Airlines, and Pella Corporation have already downloaded and used this toolkit to help plan for their server and PC deployments.

Additional MAP Toolkit Features include:

• Windows 7 Hardware and Device Compatibility Assessment.
• Windows Server 2008 R2 Hardware and Device Compatibility Assessment.
• Virtualization Candidates Assessment for Hyper-V Server Consolidation.
• Inventory of VMware Server Hosts and Guests.
• Enhanced Usability and Improved Inventory Performance.
• SQL Server Instance Discovery.
• Desktop Security Assessment for Anti-virus and Anti-malware Programs Installation.
• Forefront Client Security/NAP Readiness Assessment.

To give you a quick sample, here are a couple MAP 5.0 Inventory and Assessment Wizard screenshots:

Here’s what the System Center Configuration Manager Server Report looks like:

Next Steps

· Register for the MAP Toolkit 5.0 CTP and download. (Live ID required)

· Want to influence the future of MAP? Complete the survey and receive a free 4GB Solution Accelerator branded Memory Stick.* (Live ID required)

· Download other Windows Server 2008 R2 and Windows 7 Solution Accelerators for your IT planning, deployment, and management needs.

Enjoy!

J.C. Hornbeck | Manageability Knowledge Engineer

Advance Notification for the November 2009 Security Bulletin Release

jchornbe — Thu, 05 Nov 2009 22:57:38 GMT

Just a heads up but the folks at the MSRC just announced their Advance Notification for the November 2009 Security Bulletin Release:

To help customers plan and prioritize for this month’s security updates, we wanted to let you know that we will be releasing 6 bulletins (three critical and three important) addressing 15 vulnerabilities, affecting Windows and Microsoft Office products. Customers should plan a restart for the Windows bulletins. The Office bulletins may not require a restart if the components being updated are not in use. More information about the upcoming security updates can be found on the TechNet Web site.

To read all the details see http://blogs.technet.com/msrc/archive/2009/11/05/november-2009-bulletin-release-advance-notification.aspx

J.C. Hornbeck | Manageability Knowledge Engineer

Automatic FixIt: You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version

jchornbe — Thu, 05 Nov 2009 21:29:45 GMT

I asked the FixIt team for this a while back and they have delivered. Now if you ever run into the symptoms below the chances are good we can automatically fix it with just a few clicks of the mouse:

The Symptoms: When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:

HTTP 401.1 – Unauthorized: Logon Failed

Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.

Additionally, an event message that resembles the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number

The Cause: This issue occurs when the web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

The Fix: If you happen to come across any symptoms like this then take a look at the following Knowledge Base article:

896861 - You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version

The cool part is that this KB article contains a link to a Wizard that will fix this issue for you automatically. All you have to do is download and run it. This Loopback issue impacts almost any product that uses IIS, including your very own favorite, WSUS.

Jarrett Renshaw | Content Quality Program Manager

Update released for MS09-054

jchornbe — Tue, 03 Nov 2009 13:29:32 GMT

From the MSRC blog:

Today we released an update 976749 that addresses two issues with MS09-054 that a limited number customers reported to us through our Customer Service and Support (CSS) group. These two issues can affect the proper display of web pages.

For all the details see http://blogs.technet.com/msrc/archive/2009/11/02/update-released-for-ms09-054.aspx

J.C. Hornbeck | Manageability Knowledge Engineer

Upgrading WSUS Service Pack 1 to Service Pack 2

jchornbe — Mon, 02 Nov 2009 22:53:03 GMT

I get this question every once in a while so I thought I’d share what I learned here. We have two options to upgrade WSUS SP1 to SP2:

1. As an offer from Microsoft Update

KB972455 is the WSUS SP2 update. If you want to see SP2 in the list of updates make sure you have selected Service Packs in the Classification list. Custom view has been added for Service Packs in the below screenshot.

For WSUS SP2 to be offered on the server running WSUS SP1, the following conditions should not be true:

1. SQL is running remote

2. Server is running MOM version of SCE

We are checking for the following registry keys to know if above conditions are met. If SP2 is not offered on the server running SP1 we may need to install SP2 manually in these scenarios.

“HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Microsoft Operations Manager\3.0\Setup" Value="ServerVersion" Comparison="EqualTo" Data="6.0.1251.0"

"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Microsoft Operations Manager\3.0\Setup" Value="ServerVersion" Comparison="EqualTo" Data="6.0.5000.0"

"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Update Services\Server\Setup" Value="SqlInstanceIsRemote" Comparison="EqualTo" Data="1"

"HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\System Center Essentials\2.0\Setup\Components" Value="SERVER-VERSION" Type="REG_SZ"

If the above conditions are not true, SP2 will be offered to any server running SP1 if the following conditions are true:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup”

Value="Version" Comparison="EqualTo" Data="3"

Value="ServicePackLevel" Comparison="EqualTo" Data="1"

Value="VersionString" Comparison="EqualTo" Data="3.1.6001.65"

If SP2 is offered for the server running SP1 then we can approve the update for the installation. This update is not for the WSUS Clients. Following are some of the screenshots showing the SP2 installation through WSUS.

Note: SP2 upgrade is not a silent process, Admin intervention is required.

If WSUS SP2 is offered through WSUS, the installation process will first backup the SUSDB and we will see the following line in the WSUSSetup.log.

2009-09-06 02:40:39 Success MWUSSetup Creating database backup...

2. Manual Upgrade

As mentioned earlier, if SQL is on a remote machine we have to download the SP2 setup from the below link and run the upgrade manually on the server. Before running the setup you need to backup the SUSDB manually from the remote SQL box as the upgrade process will not take any backup of the database.

http://www.microsoft.com/downloads/details.aspx?FamilyId=a206ae20-2695-436c-9578-3403a7d46e40&displaylang=en

Once the setup is finished, the regular configuration wizard will start which can be ignored by clicking cancel.

How to check if Upgrade was Successful?

The installation of SP2 can be verified from Add/Remove Programs:

or from the Console:

or via the Registry:

Note: Administrative Tools will not show any Service Pack version at this time.

Hope this helps,

Mohammed Tajammul Hussain | Technical Support Lead

New WSUS Product Category for Microsoft System Center Virtual Machine Manager 2008 R2

jchornbe — Mon, 26 Oct 2009 14:03:16 GMT

In case you missed the announcement on Friday, there will be a new product category added to the WSUS server Products and Classifications dialog under the existing System Center Virtual Machine Manager family called Microsoft System Center Virtual Machine...(read more)

Troubleshooting and data gathering for WSUS

jchornbe — Wed, 21 Oct 2009 19:08:28 GMT

I was working with the Windows Server Update Services (WSUS) support team a few months back looking for a way that we could help reduce the amount of time it takes to resolve a case as well as reduce the number of incidents we get, and one of the things...(read more)

Questions and answers from the October security bulletin webcast

jchornbe — Wed, 21 Oct 2009 14:16:31 GMT

The folks at the MSRC have posted the questions and answers from the security bulletin webcast we conducted on October 14 at this link . It was clear from all of the questions concerning MS09-062 (the GDI+ update) that there is some confusion on how to...(read more)

The System Center Online Desktop Manager beta is coming soon

jchornbe — Wed, 14 Oct 2009 13:40:17 GMT

You’ve heard about it and read about and now you’ll soon have the chance to try it out yourself. The System Center Online Desktop Manager beta is coming soon: The System Center Online team has been working hard in preparation for its next beta release...(read more)

October 2009 Security Bulletin Release

jchornbe — Wed, 14 Oct 2009 13:26:48 GMT

Below is the summary of Microsoft’s Security Bulletin Release for October 2009: This month, we released 13 new bulletins which address 33 vulnerabilities in Windows, Internet Explorer and Microsoft Office. Since we published this information in our advance...(read more)