Solved

WSUS Updates Not Distributing - Computers are reporting back at 99%

Posted on 2009-02-15
Last Modified: 2012-05-06
I have recently set up a WSUS to distribute Microsoft updates to my network. I have gotten the GPO set up correctly and I see the computers reporting their status back. Problem is doing all this seems to have affected nothing. For example:

I was individually updating each computer with a string of updates found via automatic updates, then decided to set up the WSUS server. I have approved all of the updates necessary but for some reason they do not seem to distribute to the computers. I know this because I log on to the local machines as Admin and run Windows Updates and it is still detecting all the same updates I needed for the computers BEFORE I set up WSUS. So I'm not sure what WSUS is distributing but it seems to have affected nothing.

Any ideas of where to look and what could not be configured correctly?
Question by:danielevans83
30 Comments
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23646428
There are GPOs to set up the clients to point to the server for WSUS. These sound good, otherwise the clients wouldn't report in.

Then, there are GPOs that tell the clients what to do with the updates when they are approved and ready for download. Sounds like these GPOs are not configured for your LAN.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23817960.html
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23646635
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 1000 total points
ID: 23646897
0

 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23646963
Here's a step by step guide for configuring the group policy portion of wsus.
0
 

Author Comment

by:danielevans83
ID: 23652007

Do the computers have to be rebooted or something for the updates to take effect? I have attached a screenshot of the GPO settings. I just now enabled the bottom two and am testing for results. Let me know if there's something else I need to do as well.
 

GPOScreen.doc
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23652071
No, you could wait for the GPO to refresh itself on your computer or reboot and the settings take effect immediately.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23652079
You should only need to run gpupdate /force on the client computers
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23652088
After gpupdate run wuauclt /detectnow
0
 

Author Comment

by:danielevans83
ID: 23652113
Ok I did the gpupdate /force and the other command. What's the second command do? "wuauclt /detectnow" ?
I haven't seen any change since I ran both, should I expect the yellow shield in the corner or for my automated install time of 3AM to now be in effect?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23652126
What is your detection frequency? I see you have that enabled.
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 1000 total points
ID: 23652186
"wuauclt /detectnow" tells the computer to query wsus for needed updates.
 
Did you run the clientdiag tool to ensure that all your settings are correct?
0
 

Author Comment

by:danielevans83
ID: 23652218
The results of that tool show this:
 

WSUS Client Diagnostics Tool
Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS
        Wuaueng.dll version 7.2.6001.788. . . . . . . . . . . . PASS
                This version is WSUS 2.0
Checking AU Settings
        AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                Option is from Control Panel
Checking Proxy Configuration
        Checking for winhttp local machine Proxy settings . . . PASS
                Winhttp local machine access type
                        <Direct Connection>
                Winhttp local machine Proxy. . . . . . . . . .  NONE
                Winhttp local machine ProxyBypass. . . . . . .  NONE
        Checking User IE Proxy settings . . . . . . . . . . . . PASS
                User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                User IE AutoDetect
                AutoDetect not in use
Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
        UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL
0
 

Author Comment

by:danielevans83
ID: 23652228
Frequency of detection is set at 22 hours
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23652232
For the GPOs you have, you will not see the yellow shield in the system tray. You told it to go to the WSUS server at 3AM and download, then install the updates. The problem is, if the system is OFF during the 3AM scheduled install, it will wait until a 3AM window when it is turned on.

One other thing I would like to add: some antivirus applications can mess with installs of certain updates. Some AV programs prevent editing the registry, or block operating system intrusive files (like .msi or .exe) from running from a remote location. So, it is best to try these updates on one machine. Then, sometimes it is best to download the files and not force install. Then, school your users when they see the yellow shield in the systray to select "install updates and shutdown computer" when shutting down. Downloading the updates happens when the update is available. So, you will see more updates installed this way than with a forced install of the updates.


0
 

Author Comment

by:danielevans83
ID: 23652245
So as opposed to setting the automatic install I should just leave it at the setting to allow non-administrative users to install the updates as well?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23652345
"wuauclt /detectnow" will do the detection right away (yellow shield)
 
AU does not have Policy Set
AU does not have Policy Set
       UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL
 
Your computers may not be under the GPO you have set.
 
You should also enable client side targeting, unless you want to configure this in the wsus console.
 
 
0
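The policy check behind the "UseWuServer is disabled" result above, as an added PowerShell example that is not part of the thread. The function names and the sample server URL are assumptions made for illustration; the registry key and value names are the standard Windows Update Group Policy locations.

```powershell
# Added example, not from the thread. Key and value names are the standard
# Windows Update Group Policy registry locations.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Modes = @{ 2 = 'notify before download'; 3 = 'download, notify to install'
            4 = 'download, scheduled install'; 5 = 'local admin chooses' }
function Get-PolicyValues([string]$Path) {
    # Return the key's values as a hashtable; empty when the key is absent.
    $h = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $h[$_.Name] = $_.Value }
    }
    return $h
}
function Test-WsusClientPolicy([hashtable]$WU, [hashtable]$AU) {
    $out = @()
    if (-not $WU.WUServer) {
        $out += 'FAIL WUServer not set: the WSUS GPO is not applied here'
    } elseif ($WU.WUServer -notmatch '^https://') {
        $out += "WARN WUServer $($WU.WUServer) is plain HTTP, not HTTPS"
    }
    if ($WU.WUServer -and -not $WU.WUStatusServer) {
        $out += 'FAIL WUStatusServer not set: client cannot report status'
    }
    if ($AU.UseWUServer -ne 1) {
        $out += 'FAIL UseWUServer is disabled: scans bypass WSUS'
    }
    if ($AU.AUOptions -and $Modes.ContainsKey([int]$AU.AUOptions)) {
        $out += "INFO AUOptions=$($AU.AUOptions): $($Modes[[int]$AU.AUOptions])"
    } else {
        $out += 'INFO AUOptions not set by policy; local setting applies'
    }
    if ($AU.AUOptions -eq 4) { $out += "INFO scheduled install hour: $($AU.ScheduledInstallTime)" }
    if ($AU.DetectionFrequencyEnabled -eq 1) {
        $out += "INFO detection every $($AU.DetectionFrequency) hours"
    }
    return $out
}
# Constructed input: no policy at all, then the poster's settings with a made-up URL.
Test-WsusClientPolicy @{} @{}
$url = 'http://wsus01.example.local:8530'
Test-WsusClientPolicy @{ WUServer = $url; WUStatusServer = $url } @{
    UseWUServer = 1; AUOptions = 4; ScheduledInstallTime = 3
    DetectionFrequencyEnabled = 1; DetectionFrequency = 22 }
# Live check on the local machine:
Test-WsusClientPolicy (Get-PolicyValues $WuKey) (Get-PolicyValues "$WuKey\AU")
```

A machine outside the GPO's scope produces the FAIL lines of the first call, which is what running the diagnostic on a computer that does not receive the WSUS policy looks like.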
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23652355
If they are in correct GPO, reboot (clients) and check settings again
0
 

Author Comment

by:danielevans83
ID: 23652361
I only have one GPO for WSUS and all the computers are reporting back so I don't see how they're not also part of the same group for distribution.
I ran that client tool on the server, was I supposed to run it on the client? :)
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23652385
on client
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23652396
same with "wuauclt /detectnow" on clients
0
 

Author Comment

by:danielevans83
ID: 23652402
Running the client tool on the actual client (duh) showed all passes with some saying none, no failures.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23652445
Then it's probably a matter of your approval and classifications setting in the wsus console
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 1000 total points
ID: 23652472
Run the below command on a client
 
save as fixwsus.cmd

rem Stop BITS and the Automatic Updates service before touching their state.
%Windir%\system32\net.exe stop bits
%Windir%\system32\net.exe stop wuauserv

rem Delete this client's cached WSUS identity values; the client creates new ones.
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f

rem Re-register the Windows Update, BITS and MSXML components that are present.
if exist %Windir%\system32\atl.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\atl.dll
if exist %Windir%\system32\jscript.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\jscript.dll
if exist %Windir%\system32\softpub.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\softpub.dll
if exist %Windir%\system32\wuapi.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuapi.dll
if exist %Windir%\system32\wuaueng.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuaueng.dll
if exist %Windir%\system32\wuaueng1.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuaueng1.dll
if exist %Windir%\system32\wucltui.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wucltui.dll
if exist %Windir%\system32\wups.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wups.dll
if exist %Windir%\system32\wups2.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wups2.dll
if exist %Windir%\system32\wuweb.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuweb.dll
if exist %windir%\system32\iuengine.dll %windir%\system32\regsvr32.exe /s iuengine.dll
if exist %windir%\system32\wuauserv.dll %windir%\system32\regsvr32.exe /s wuauserv.dll
if exist %windir%\system32\cdm.dll %windir%\system32\regsvr32.exe /s cdm.dll
if exist %windir%\system32\msxml2r.dll %windir%\system32\regsvr32.exe /s msxml2r.dll
if exist %windir%\system32\msxml3r.dll %windir%\system32\regsvr32.exe /s msxml3r.dll
if exist %windir%\system32\msxml.dll %windir%\system32\regsvr32.exe /s msxml.dll
if exist %windir%\system32\msxml3.dll %windir%\system32\regsvr32.exe /s msxml3.dll
if exist %windir%\system32\msxmlr.dll %windir%\system32\regsvr32.exe /s msxmlr.dll
if exist %windir%\system32\msxml2.dll %windir%\system32\regsvr32.exe /s msxml2.dll
if exist %windir%\system32\qmgr.dll %windir%\system32\regsvr32.exe /s qmgr.dll
if exist %windir%\system32\qmgrprxy.dll %windir%\system32\regsvr32.exe /s qmgrprxy.dll
if exist %windir%\system32\iuctl.dll %windir%\system32\regsvr32.exe /s iuctl.dll

rem Remove the update download cache and datastore; the service recreates the folder.
rd /s /q %windir%\softwareDistribution
rem Wait about 5 seconds (sleep.exe is a Resource Kit tool and may not be installed).
ping -n 6 127.0.0.1 >nul
%Windir%\system32\net.exe start bits
%Windir%\system32\net.exe start wuauserv

rem Reset the service security descriptors of wuauserv and bits.
sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

exit /B 0


0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23665741
How's it going boss? I was thinking with a 22 hour detection frequency, you may not have waited enough time for them to all pop up and get updates. I know we are really close.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23665984
"wuauclt /detectnow" WILL skip the 22 hour detection and do it now

psexec \\*   -s wuauclt /detectnow
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23665999
The fixwsus.cmd will also start an instant detection
0
 

Author Comment

by:danielevans83
ID: 23666383
It's interesting, some computers I see the yellow shield on now (when users are logged in), some show the green shield saying a recent update has been installed that required an update, and others show nothing and still show many updates when running MS Updates manually. I'm going around to each station and using these commands as I see it. This is nuts! Haha...  Definitely seems to be pushing me in the right direction. :)
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23666389
That is what you want to see!!
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 1000 total points
ID: 23667178
Not all updates from the MS site are downloaded to the WSUS server for distribution. You actually have to go into WSUS console and design a plan to download the correct updates for OS's and various windows.

Usually I get all critical updates (done by default)

Then, I go in and get all OS updates.

I choose the third party drivers for Dell and others. So, I don't get the drivers.

Then, when you click an update in WSUS you can tell your computer to AUTO Approve these products. Auto approval prevents you from having to go in and approve all updates. I usually like to do this with critical updates only, because I test other updates prior to passing them down to my clients. I simply have way too many clients to get a bad update on and don't want to ruin the integrity of the network.
0
 

Expert Comment

by:betotucho
ID: 36545900
I have WSUS set to approve any updates but service packs, to download and install at 3 am on Wednesdays.
Some computers show 99%, some others 100%. So if I have 100% on at least one computer within the client, then I know the GPO is fine.
What else is preventing the 100%?
They all have the same antivirus.
0
