WSUS Updates Not Distributing - Computers are reporting back at 99%

Last Modified: 2012-05-06
I have recently set up a WSUS to distribute Microsoft updates to my network. I have gotten the GPO set up correctly and I see the computers reporting their status back. Problem is doing all this seems to have affected nothing. For example:

I was individually updating each computer with a string of updates found via automatic updates, then decided to set up the WSUS server. I have approved all of the updates necessary but for some reason they do not seem to distribute to the computers. I know this because I logon to the local machines as Admin and run Windows Updates and it is still detecting all the same updates I needed for the computers BEFORE I set up WSUS. So I'm not sure what WSUS is distributing but it seems to have affected nothing.

Any ideas of where to look and what could not be configured correctly?

Commented:
There are GPOs to set up the clients to point to the server for WSUS. These sound good, otherwise the clients wouldn't report in.

Then, there are GPOs that tell the clients what to do with the updates when they are approved and ready for download. Sounds like these GPOs are not configured for your LAN.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23817960.html
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
Here's a step by step guide for configuring the group policy portion of wsus.

Author

Commented:

Do the computers have to be rebooted or something for the updates to take effect? I have attached a screenshot of the GPO settings. I just now enabled the bottom two and am testing for results. Let me know if there's something else I need to do as well.
 

GPOScreen.doc
Irwin W.There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
No, you could wait for the GPO to refresh itself on your computer or reboot and the settings take effect immediately.
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
You should only need to run gpupdate /force on the client computers
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
After gpupdate run wuauclt /detectnow

Author

Commented:
Ok I did the gpupdate /force and the other command. What's the second command do? "wuauclt /detectnow" ?
I haven't seen any change since I ran both, should I expect the yellow shield in the corner or for my automated install time of 3AM to now be in effect?

Commented:
what is your detection frequency? I see you have that enabled.
DonNetwork Administrator
CERTIFIED EXPERT
Commented:
"wuauclt /detectnow" tells the computer to query wsus for needed updates.

Did you run the clientdiag tool to ensure that all your settings are correct?

Author

Commented:
The results of that tool show this:
 

WSUS Client Diagnostics Tool
Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS
        Wuaueng.dll version 7.2.6001.788. . . . . . . . . . . . PASS
                This version is WSUS 2.0
Checking AU Settings
        AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                Option is from Control Panel
Checking Proxy Configuration
        Checking for winhttp local machine Proxy settings . . . PASS
                Winhttp local machine access type
                        <Direct Connection>
                Winhttp local machine Proxy. . . . . . . . . .  NONE
                Winhttp local machine ProxyBypass. . . . . . .  NONE
        Checking User IE Proxy settings . . . . . . . . . . . . PASS
                User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                User IE AutoDetect
                AutoDetect not in use
Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
        UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL

Author

Commented:
Frequency of detection is set at 22 hours

Commented:
For the GPOs you have, you will not see the yellow shield in the system tray. You told it to go to the WSUS server at 3AM and download, then install the updates. The problem is, if the system is OFF during the 3AM scheduled install, it will wait until a 3am window it is turned on.

One other thing I would like to add, Some antivirus applications can mess with installs of certain updates. Some AV programs prevent editing the registry, or block operating system intrusive files (like .msi, or .exe) from running from a remote location. So, it is best to try these updates on one machine. Then, sometimes it is best to download the files and not force install. Then, school your users when they see the yellow shield in systray to select "install updates and shutdown computer" when shutting down. Downloading the updates happens when the update is available. So, you will see more updates installed this way, than a force install of the updates.


Author

Commented:
So as opposed to setting the automatic install I should just leave it at the setting to allow non-administrative users to install the updates as well?
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
"wuauclt /detectnow" will do the detection right away(yellow shield)
 
AU does not have Policy Set
AU does not have Policy Set
       UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL
 
 your computers may not be under the gpo you have set.
 
You should also enable client side targeting, unless you want to configure this in the wsus console.
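
The check behind the "UseWuServer is disabled" result above, as an added example that is not part of the original thread: a read-only PowerShell script that reads the values the WSUS Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate on a client. The helper name Get-PolicyValue and the finding messages are illustrative assumptions.

```powershell
# Added example: inspect the WSUS client policy written by Group Policy.
# Read-only; run it on a client computer, not on the WSUS server.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

$wuServer    = Get-PolicyValue $wuKey 'WUServer'
$targetOn    = Get-PolicyValue $wuKey 'TargetGroupEnabled'
$targetGroup = Get-PolicyValue $wuKey 'TargetGroup'
$useWuServer = Get-PolicyValue $auKey 'UseWUServer'
$auOptions   = Get-PolicyValue $auKey 'AUOptions'
$day         = Get-PolicyValue $auKey 'ScheduledInstallDay'
$hour        = Get-PolicyValue $auKey 'ScheduledInstallTime'
$freqOn      = Get-PolicyValue $auKey 'DetectionFrequencyEnabled'
$freqHours   = Get-PolicyValue $auKey 'DetectionFrequency'

# Meaning of the AUOptions policy values.
$auText = @{ 2 = 'notify before download'; 3 = 'download, notify before install'
             4 = 'download and install on schedule'; 5 = 'local admin chooses' }

$findings = @()
if ($useWuServer -ne 1) {
    $findings += 'UseWUServer is not 1: the client is not using WSUS; check that the GPO applies to this computer.'
}
if (-not $wuServer) {
    $findings += 'WUServer is not set: no intranet update server is configured.'
}
if ($null -eq $auOptions) {
    $findings += 'AUOptions is not set by policy: install behaviour comes from local settings.'
}
if ($targetOn -eq 1 -and -not $targetGroup) {
    $findings += 'Client-side targeting is enabled but TargetGroup is empty.'
}

"WUServer            : $wuServer"
"UseWUServer         : $useWuServer"
if ($null -ne $auOptions) { "AUOptions           : $auOptions ($($auText[[int]$auOptions]))" }
if ($auOptions -eq 4) { "Scheduled install   : day $day (0 = every day, 1-7 = Sun-Sat), hour $hour" }
if ($freqOn -eq 1) { "Detection frequency : every $freqHours hours" }
"Client-side target  : enabled=$targetOn group=$targetGroup"
if ($findings.Count -eq 0) { 'No policy problems found on this client.' } else { $findings }
```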
 
 
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
If they are in correct GPO, reboot(clients) and check settings again

Author

Commented:
I only have one GPO for WSUS and all the computers are reporting back so I don't see how they're not also part of the same group for distribution.
I ran that client tool on the server, was I supposed to run it on the client? :)
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
on client
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
same with "wuauclt /detectnow" on clients

Author

Commented:
Running the client tool on the actual client (duh) showed all passes with some saying none, no failures.
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
Then it's probably a matter of your approval and classifications setting in the wsus console
DonNetwork Administrator
CERTIFIED EXPERT
Commented:
Run the below command on a client
 
save as fixwsus.cmd

REM Stop BITS and the Automatic Updates service before changing their state.
%Windir%\system32\net.exe stop bits
%Windir%\system32\net.exe stop wuauserv

REM Delete the WSUS client identity values; the client generates a new SusClientId on its next detection.
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f

REM Re-register the Windows Update, BITS and MSXML DLLs that exist on this system.
if exist %Windir%\system32\atl.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\atl.dll
if exist %Windir%\system32\jscript.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\jscript.dll
if exist %Windir%\system32\softpub.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\softpub.dll
if exist %Windir%\system32\wuapi.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuapi.dll
if exist %Windir%\system32\wuaueng.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuaueng.dll
if exist %Windir%\system32\wuaueng1.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuaueng1.dll
if exist %Windir%\system32\wucltui.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wucltui.dll
if exist %Windir%\system32\wups.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wups.dll
if exist %Windir%\system32\wups2.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wups2.dll
if exist %Windir%\system32\wuweb.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuweb.dll
if exist %windir%\system32\iuengine.dll %windir%\system32\regsvr32.exe /s iuengine.dll
if exist %windir%\system32\wuauserv.dll %windir%\system32\regsvr32.exe /s wuauserv.dll
if exist %windir%\system32\cdm.dll %windir%\system32\regsvr32.exe /s cdm.dll
if exist %windir%\system32\msxml2r.dll %windir%\system32\regsvr32.exe /s msxml2r.dll
if exist %windir%\system32\msxml3r.dll %windir%\system32\regsvr32.exe /s msxml3r.dll
if exist %windir%\system32\msxml.dll  %windir%\system32\regsvr32.exe /s msxml.dll
if exist %windir%\system32\msxml3.dll %windir%\system32\regsvr32.exe /s msxml3.dll
if exist %windir%\system32\msxmlr.dll %windir%\system32\regsvr32.exe /s msxmlr.dll
if exist %windir%\system32\msxml2.dll %windir%\system32\regsvr32.exe /s msxml2.dll
if exist %windir%\system32\qmgr.dll %windir%\system32\regsvr32.exe /s qmgr.dll
if exist %windir%\system32\qmgrprxy.dll %windir%\system32\regsvr32.exe /s qmgrprxy.dll
if exist %windir%\system32\iuctl.dll %windir%\system32\regsvr32.exe /s iuctl.dll

REM Remove the local update store (download cache and history); it is rebuilt when the service starts.
rd /s /q %windir%\softwareDistribution
REM Wait about 5 seconds; ping is used because sleep.exe is not part of a default Windows install.
ping -n 6 127.0.0.1 >nul
%Windir%\system32\net.exe start bits
%Windir%\system32\net.exe start wuauserv

REM Set the security descriptor of both services to the SDDL below; this overwrites any existing service ACL.
sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

sc sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

exit /B 0


Commented:
How's it going boss? I was thinking with a 22 hour detection frequency, you may not have waited enough time for them to all pop up and get updates. I know we are really close.
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
"wuauclt /detectnow" WILL skip the 22 hour detection and do it now

psexec \\*   -s wuauclt /detectnow
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
The fixwsus.cmd will also start an instant detection

Author

Commented:
It's interesting, some computers I see the yellow shield on now (when users are logged in), some show the green shield saying a recent update has been installed that required an update, and others show nothing and still show many updates when running MS Updates manually. I'm going around to each station and using these commands as I see it. This is nuts! Haha...  Definitely seems to be pushing me in the right direction. :)
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
That is what you want to see!!
Commented:
Not all updates from the MS site are downloaded to the WSUS server for distribution. You actually have to go into WSUS console and design a plan to download the correct updates for OS's and various windows.

Usually I get all critical updates (done by default)

Then, I go in and get all OS updates.

I choose the third party drivers for dell and others. So, I don't get the drivers.

Then, when you click an update in WSUS you can tell your computer to AUTO Approve these products. Auto approval prevents you from having to go in and approve all updates. I usually like to do this with critical updates only, because I test other updates prior to passing them down to my clients. I simply have way too many clients to get a bad update on and don't want to ruin the integrity of the network.
I have WSUS set to approve any updates but service packs, to download and install at 3 am on Wednesdays.
Some computers show 99% some others 100%. So if I have 100% on at least one computer within the  client, then I know the GPO is fine.
What else is preventing the 100%?
They all have the same antivirus.