Home > Production Story, Tips > The tail of WSUS Client who refused to sync

The tail of WSUS Client who refused to sync

I run Windows Server Update Services since the early days of this product. I find it a powerful time-saving tool and usually adopt new versions right after Microsoft release them.

All those years I hardly ever had a problem with clients not being updated. I use a Group Policy to configure the updates to different groups on my network (mainly separating PCs from Servers because of the reboot option) and it is working like a charm.

Recently I added a new Windows Storage Server 2003 R2 to my network. As I added it to the network I was surprised to see that instead of getting updates from WSUS it prompts to download the updates from Microsoft’s servers. Since I was busy with other more urgent problems I ignored it for a while and updated manually but this morning I found the time and digged into this issue.

When troubleshooting WSUS client there are two places you should start with:
WindowsUpdate.log and ClientDiag.exe

WindowsUpdate.log is a well documented report of any windows update related action taken on the computer. It does not require WSUS to be present or applied to the local computer and will show you everything.
To open the file type windowsupdate.log in the Start->Run command box.

ClientDiag.exe is (surprise, surprise) a diagnostic tool for WSUS client. This tool is only useful when WSUS is applied, it does not show as many parameters but it is focused at the point and I find it a better starting point for troubleshooting WSUS clients.

Another important tool when troubleshooting Group Policy related issues is RSOP, Result of Policy which shows the currently applied policies and their parameters. In this case, running rsop.msc proved that the policy is applied with the correct parameters.

This is my clientdiag.exe output:

C:\ClientDiag.exe

WSUS Client Diagnostics Tool

Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is running. . . PASS
Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
This version is WSUS 2.0

Checking AU Settings
AU Option is 2 : Notify Prior to Download . . . . . . . PASS
Option is from Control Panel

Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . .  NONE
Winhttp local machine ProxyBypass. . . . . . .  NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy
192.168.200.11:8080
User IE ProxyByPass
User IE AutoConfig URL Proxy . . . . . . . . .  NONE
User IE AutoDetect
AutoDetect not in use

Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL

Obviously the next move was checking on UseWuServer is disabled, what does it stand for and why is it disabled?

I found out that the trigger for this FAIL message is a missing registry key.
WSUS client should have few keys under

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

and my server had nothing at this path. Not only it did not have the records, it did not exist. I found out that the best work around would be a registry import.
This is the registry import file for Windows Server 2003 (XP uses exactly the same file):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
“ElevateNonAdmins”=dword:00000001
“TargetGroupEnabled”=dword:00000001
“TargetGroup”=”SERVERS”
“WUServer”=”http://192.168.200.18&#8243;
“WUStatusServer”=”http://192.168.200.18&#8243;

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
“DetectionFrequencyEnabled”=dword:00000001
“DetectionFrequency”=dword:0000000c
“NoAutoUpdate”=dword:00000000
“AUOptions”=dword:00000003
“ScheduledInstallDay”=dword:00000000
“ScheduledInstallTime”=dword:00000003
“NoAutoRebootWithLoggedOnUsers”=dword:00000001
“UseWUServer”=dword:00000001
“NoAUShutdownOption”=dword:00000001

Running ClientDiag.exe after the keys import to registry showed a clean successful result:

C:\ClientDiag.exe

WSUS Client Diagnostics Tool

Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is running. . . PASS
Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
This version is WSUS 2.0

Checking AU Settings
AU Option is 3 : Notify Prior to Install. . . . . . . . PASS
Option is from Policy settings

Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . .  NONE
Winhttp local machine ProxyBypass. . . . . . .  NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy
192.168.200.11:8080
User IE ProxyByPass
User IE AutoConfig URL Proxy . . . . . . . . .  NONE
User IE AutoDetect
AutoDetect not in use

Checking Connection to WSUS/SUS Server
WUServer = http://192.168.200.18
WUStatusServer = http://192.168.200.18
UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
Connection to server. . . . . . . . . . . . . . . . . . PASS
SelfUpdate folder is present. . . . . . . . . . . . . . PASS

Checking the list of computers under WSUS showed that the problem did not resolve and my server doesn’t connect to WSUS. It was time to check WindowsUpdate.log:

1794    AU    Triggering AU detection through DetectNow API
1794    AU    Triggering Online detection (non-interactive)
a78    AU    #############
a78    AU    ## START ##  AU: Search for updates
a78    AU    #########
a78    AU    <<## SUBMITTED ## AU: Search for updates [CallId = {F57B090B-2BEC-4C18-A89B-515F5A3EC48F}]

130c    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
130c    PT      + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://www.update.microsoft.com/v6/ClientWebService/client.asmx
130c    PT    WARNING: PTWarn: Anonymous plug-in skipped for WU

130c    PT    +++++++++++  PT: Synchronizing extended update info  +++++++++++
130c    PT      + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://www.update.microsoft.com/v6/ClientWebService/client.asmx

130c    Agent      * Found 4 updates and 13 categories in search; evaluated appl. rules of 632 out of 1175 deployed entities
130c    Agent    *********
130c    Agent    **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
630    AU    #############
630    AU    Featured notifications is disabled.

You can see that the update is still running via Microsoft’s server, not through my local server. The meaning of this is that the registry keys did not take effect (yet). Since it is a mission critical server I cannot restart it but there is another way to refresh the registry settings. When you change service related registry parameters, restarting the service – in this case the Automatic Updates service, will refresh the registry. So I’ve restarted the service and this is the updated log output:

194c    Agent      * WU client version 7.4.7600.226
194c    Agent      * Base directory: C:\WINDOWS\SoftwareDistribution
194c    Agent      * Access type: No proxy
194c    Agent      * Network state: Connected
100c    Agent    ***********  Agent: Initializing Windows Update Agent  ***********
100c    Agent    ***********  Agent: Initializing global settings cache  ***********
100c    Agent      * WSUS server: http://192.168.200.18
100c    Agent      * WSUS status server: http://192.168.200.18
100c    Agent      * Target group: SERVERS
100c    Agent      * Windows Update access disabled: No

100c    AU      # WSUS server: http://192.168.200.18
100c    AU      # Detection frequency: 12
100c    AU      # Target group: SERVERS
100c    AU      # Approval type: Pre-install notify (Policy)
100c    AU      # Auto-install minor updates: No (User preference)
100c    AU      # Will interact with non-admins (Non-admins are elevated (Policy))

1e40    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
1e40    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://192.168.200.18/ClientWebService/client.asmx
1e40    PT    WARNING: Cached cookie has expired or new PID is available
1e40    PT    Initializing simple targeting cookie, clientId = 5126d0cf-4515-43e4-b4f5-0abf02d8954b, target group = SERVERS, DNS name = ogstorage.ogsny.oscargruss.com
1e40    PT      Server URL = http://192.168.200.18/SimpleAuthWebService/SimpleAuth.asmx

You can see that the server is looking at the local WSUS and not at the microsoft.com address. Checking the console computer list show the server and confirm the solution.

Overall this is a simple troubleshooting process. WSUS offer great tools and it should not take too long to figure out the problem. My console is happy now, having a new guy around and I’m happy as I got one annoying task off my list.

About these ads
  1. Noah
    September 10, 2010 at 12:39 pm | #1

    This article was very very helpful. I did some extreme troubleshooting and it turned out to be that I simply needed to bounce the Automatic Updates service.

    Tip for others – I also was not able to use the WSUServer by hostname. Only by IP address! So this means you either must use the IP address or add an entry to your hosts file in c:\windows\system32\drivers\etc.

  2. ThatITChick
    April 10, 2010 at 3:13 pm | #3

    Nice, clear write up!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 44 other followers

%d bloggers like this: