  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 642

Automating client update installations with WSUS 3.0, I'm confused!


Please excuse my ignorance on this but I am still new to WSUS server and am trying to find my feet!

I have WSUS 3.0 installed on an SBS 2003 server, clients are connecting in and displaying status. This is all great except they don't appear to actually be installing any updates. The WSUS console shows the computers require updates and under the 'installed/not applicable' status indicator shows 99%.

Group policy settings are as follows;

Policy: Configure Automatic Updates
Setting: Enabled
    Configure automatic updating: 4 - Auto download and schedule the install
    The following settings are only required and applicable if 4 is selected.
    Scheduled install day: 0 - Every day
    Scheduled install time: 10:00

Policy: Specify intranet Microsoft update service location
Setting: Enabled
    Set the intranet update service for detecting updates: http://server1:8530
    Set the intranet statistics server: http://server1:8530
    (example: http://IntranetUpd01)

I have checked the log files at c:\windows\windowsupdate.log and can find no errors, the wau contacts the server and the server reports no updates required as below;

'* Found 0 updates and 32 categories in search; evaluated appl. rules of 461 out of 677 deployed entities'

Yet the console shows many updates are required!

This is starting to drive me nuts, if anyone can help me it would be greatly appreciated!
Adam Graham
1 Solution
Apologies if this is stating the obvious, but have you approved the updates for installation in WSUS?

You have to go into the updates section and approve the updates manually for installation, or set the relevant automatic approval options.
Adam Graham, Enterprise Architect (Author) commented:
Yeah, I have all updates approved. I wish it was that simple :(
Are you using client-side targeting? If not, then ensure that your approval & installation options are set to the same for the groups you have set up in WSUS.

Also - another obvious one, have you waited for the correct time for installation? i.e. 10am?

If you manually go to a specific machine and change the state of an update to Install, does it work?


Adam Graham, Enterprise Architect (Author) commented:
Ok, when running the client side diag tool from Microsoft it gives the following error;

WSUS Client Diagnostics Tool

Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS
        Wuaueng.dll version 7.0.6000.374. . . . . . . . . . . . PASS
                This version is WSUS 2.0

Checking AU Settings
        AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                Option is from Policy settings

Checking Proxy Configuration
        Checking for winhttp local machine Proxy settings . . . PASS
                Winhttp local machine access type
                        <Direct Connection>
                Winhttp local machine Proxy. . . . . . . . . .  NONE
                Winhttp local machine ProxyBypass. . . . . . .  NONE
        Checking User IE Proxy settings . . . . . . . . . . . . PASS
                User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                User IE AutoDetect
                AutoDetect not in use

Checking Connection to WSUS/SUS Server
                WUServer = http://server1:8530
                WUStatusServer = http://server1:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
        Connection to server. . . . . . . . . . . . . . . . . . PASS

WinHttpDownloadFileToMemory(szURLDest, NULL, 0, NULL, NULL, NULL, &downloadBuffe
r) failed with hr=0x80072f8f

A security error occurred

I have googled this but can't find any good info?
Did you try the steps on:
Adam Graham, Enterprise Architect (Author) commented:
Thanks for the assistance but I think I've actually got it solved.

I didn't realise but one of the virtual directories in IIS had SSL required when it shouldn't. As soon as I had this corrected the client diag tool completed successfully!

I am going to leave the question open in the meantime to see how things go tomorrow when the clients connect to the WSUS server for sync.

Ahh.. yes I thought you were actually intending to use SSL... that time-based sync error seems to only affect SSL connections... let me know how it goes tomorrow...
Adam Graham, Enterprise Architect (Author) commented:
I would actually like to use SSL as although the clients are within the perimeter network someone suggested a possibility of a hacker changing DNS records to point to a spoof WSUS server in order to download malicious code.

But, our SBS server uses a purchased SSL cert which has our external facing DNS name on it. I 'think', due to this, when I set the required virtual directories to use the cert but tell the GPO object for the clients to point to the internal server name, i.e. https://servername:8531, the cert and the server name aren't a match and therefore it fails.

Once I am happy that it is working fine without using SSL I will concentrate on getting it working with it!
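
The name check described in the post above (policy pointing at https://servername:8531 while the certificate carries the external DNS name), as an added example that is not part of the original thread. It applies RFC 6125-style matching to a constructed certificate record; `remote.example.com` and the function names are placeholders, and WinHTTP's own matching may differ in detail.

```python
from urllib.parse import urlsplit

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output, for a
# purchased certificate issued to an external name (placeholder values).
SAMPLE_CERT = {
    "subject": ((("commonName", "remote.example.com"),),),
    "subjectAltName": (("DNS", "remote.example.com"),),
}


def cert_dns_names(cert):
    """Return the names a client may match: SAN dNSName entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:  # RFC 6125: when dNSName SANs exist, the CN is not consulted
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def check_wsus_url(url, cert):
    """Check a WUServer-style URL against a certificate; returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not an https URL, so no certificate is checked"
    host = parts.hostname or ""
    names = cert_dns_names(cert)
    if any(name_matches(n, host) for n in names):
        return True, f"{host} is covered by the certificate"
    return False, f"{host} is not among {names}"


if __name__ == "__main__":
    for url in ("https://servername:8531",
                "https://remote.example.com:8531",
                "http://server1:8530"):
        print(url, "->", check_wsus_url(url, SAMPLE_CERT))
```

A name match is necessary but not sufficient: the client also has to trust the issuing chain and see the certificate as within its validity dates, and it has to be able to resolve and reach the name it is given.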
Adam Graham, Enterprise Architect (Author) commented:
Oh, and I did try using the external DNS name on the GPO object, but that didn't work either!
Hmm.. I tend not to use SSL for WSUS, so I'm afraid I don't have a lot of first-hand experience with the above issues.

I know that use of SSL is a good idea but I tend to find that encrypting local traffic is more overhead than I really want, plus I do secure all networks with excellent perimeter defences as well. I'm aware that that doesn't necessarily help solve your problem, but first let's see if the updates work out OK tomorrow...

Do you encrypt all your LAN traffic as well?
Adam Graham, Enterprise Architect (Author) commented:
The SSL cert was purchased really just to stop the certificate mismatch error when connecting to RWW and OWA etc. That said though, it was also required for our Windows Mobile 5 devices as they needed a trusted cert. Tried many ways of importing the server generated cert but could never get it to work, besides with SSL certs for that kind of thing being available for $19.99 why bother with the hassle!

So in answer, no we don't encrypt our LAN traffic. I would however be keen to use the encryption for WSUS, I know there is an overhead with the traffic but our server is under used at the minute anyhow so I can't see it causing a problem.
Yup, the bit about SSL certs for WM5, OWA, RWW etc certainly makes sense and that's what I normally do as well.

Any luck with the client updates?
Adam Graham, Enterprise Architect (Author) commented:
Yeah, looks like the clients are pulling down the updates nicely! Only one doesn't seem to be working, there's always one!

Have to start working on the SSL side of things once the clients are fully updated.

No objection, I think 18526 answered his question himself ...despite my best efforts :-)
Closed, 500 points refunded.
Community Support Moderator
