Windows can not check for updates Code 800710DD

I have one workstation that is getting this message.  Windows can not check for updates Code 800710DD.  I couldn't find the solution.
J.R. SitmanIT DirectorAsked:
Who is Participating?
 
DonConnect With a Mentor Network AdministratorCommented:
this sounds like dns issues then
0
 
FayazCommented:

Run Following command to set security descriptor.(PLS run commandProperly).
 
sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
 
IF Grroup policy is present follow this below path (Or ask Client to give access).
 
Start->Administrative Tools->Active Directory Users and Computers->Right Click on domain -> Select Properties-> Select Group Policy
 
In Group Policy Snap-in open folowing
Computer Configuration -> Windows Settings -> Security Settings -> System Services
 
Select Service named Authomatic Updates and click properties.
 
Click Edit Security and Just add Authenticated Users with read permissions to Group or user names.
 
Don't forget run gpupdate on your target computer
0
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

 
J.R. SitmanIT DirectorAuthor Commented:
I'm logged on as the user who is a local Admin and the AD Users and Computers is not in the Admin Tools.
0
 
DonNetwork AdministratorCommented:
follow this blog to repair permission errors on .NET


http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx
0
 
J.R. SitmanIT DirectorAuthor Commented:
attached is the update log
WindowsUpdate.log
0
 
DonNetwork AdministratorCommented:
see ID:26159090 in case you missed it(above)
0
 
DonNetwork AdministratorCommented:
Another thing that works very well is use the Microsoft Fix it for me here


http://support.microsoft.com/kb/971058
0
 
J.R. SitmanIT DirectorAuthor Commented:
Did you see anything in my log
0
 
DonNetwork AdministratorCommented:
yes, did you try the microsoft fix it?
0
 
J.R. SitmanIT DirectorAuthor Commented:
Also I just tried to access the microsoft.net folder permissions on a computer that is not having the update problem and the permissions are exactly the same.  Administrator (none) users Read & execute, list and read.  So I think I was on the wrong track.  I don't think security is the issue.
0
 
J.R. SitmanIT DirectorAuthor Commented:
I'll try the fix now and post results
0
 
J.R. SitmanIT DirectorAuthor Commented:
Fix didn't solve it.  Any other help would be GREATLY appreciated
0
 
DonNetwork AdministratorCommented:
did you reboot and check the latest entries in the log?
0
 
J.R. SitmanIT DirectorAuthor Commented:
Yes did a reboot.  Attached is the latest log.

WindowsUpdate.log
0
 
DonNetwork AdministratorCommented:
did you run the aggressive mode of the fix?


0
 
DonNetwork AdministratorCommented:
Your log is is now also reporting that 56 updates are found
0
 
J.R. SitmanIT DirectorAuthor Commented:
Ran the default fix.  Updates it needs or updates it did?
0
 
DonNetwork AdministratorCommented:
updates needed, run the aggressive mode
0
 
J.R. SitmanIT DirectorAuthor Commented:
ok.  I'll get back to you as soon as it completes and I reboot
0
 
DonNetwork AdministratorCommented:
If that dont work, update/reinstall the latest windows update agent

http://support.microsoft.com/kb/949104


Install from the command line

WindowsUpdateAgent30-<platform>.exe /quiet /norestart /wuforce
0
 
J.R. SitmanIT DirectorAuthor Commented:
Didn't work.  I'll try the agent
0
 
J.R. SitmanIT DirectorAuthor Commented:
what goes in the command line <platform>
0
 
J.R. SitmanIT DirectorAuthor Commented:
ignore question about platform
0
 
J.R. SitmanIT DirectorAuthor Commented:
I ran the command line and it flashed quickly, no message.  I tried the Windows update, still not working.  I'll reboot just in case
0
 
J.R. SitmanIT DirectorAuthor Commented:
FYI there is one other Vista computer on our network with the exact same problem.  I've been doing your fixes on it also with the same negative results
0
 
J.R. SitmanIT DirectorAuthor Commented:
Reboot didn't help.  It shows the last update was 9/2009.  What about a system restore back that far?
0
 
J.R. SitmanIT DirectorAuthor Commented:
I just checked and you can't do a restore that far back.
0
 
DonNetwork AdministratorCommented:
are you using wsus?
0
 
J.R. SitmanIT DirectorAuthor Commented:
yes
0
 
DonNetwork AdministratorCommented:
post your clientdiag results


http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE


and the result of (command line)

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s
0
 
DonNetwork AdministratorCommented:
Also remove the ":80" from your WSUS GPO, it is not required if on port 80
0
 
J.R. SitmanIT DirectorAuthor Commented:
Run the clientdiag on the workstation or server
0
 
DonNetwork AdministratorCommented:
workstation, hence the name clientdiag ;^)
0
 
J.R. SitmanIT DirectorAuthor Commented:
attached screen shot of diag
clientdiag.png
0
 
DonNetwork AdministratorCommented:
ok now we narrowed it to the wsus server

first remove the ":80" from the GPO and gpupdate /force(on client) and check again
0
 
J.R. SitmanIT DirectorAuthor Commented:
Screen shot of cmd line

regkey.png
0
 
DonNetwork AdministratorCommented:
You should verify your permissions/settings on your WSUS server

http://technet.microsoft.com/en-us/library/cc708545%28WS.10%29.aspx

also verify the existence of the selfupdate virtual folder on port 80
0
 
J.R. SitmanIT DirectorAuthor Commented:
I can't remember where the GPO is located?  Admin Templates or ?
0
 
DonNetwork AdministratorCommented:
Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update
0
 
J.R. SitmanIT DirectorAuthor Commented:
found it
0
 
J.R. SitmanIT DirectorAuthor Commented:
I had to add Network Services to the security.  Also see attached. I'm not sure if I'm doing this correctly, but I was trying to check the permissions for the regkey as per the artiicle.  Is the highlighted portion correct?
reg2.png
0
 
DonNetwork AdministratorCommented:
That looks the same as mine
0
 
J.R. SitmanIT DirectorAuthor Commented:
I appreciate you not giving up.  What now?  it's still not working?
0
 
DonNetwork AdministratorCommented:
Ok, you verified all your WSUS settings?

You changed the GPO ?

Did a gpupdate on client machine and checked clientdiag again?
0
 
DonNetwork AdministratorCommented:
Is your  " IUSR_ComputerName" still part of your users group?


http://support.microsoft.com/kb/920659
0
 
DonNetwork AdministratorCommented:
Also found this comment:



The 0x800710dd error, when occuring on all desktops, can be caused if the NT
AUTHORITY\Network Service account is not a member of the Users local group on
the WSUS server.

It can also occur if the /clientwebservice virtual directory does not have
anonymous access permissions enabled.
0
 
J.R. SitmanIT DirectorAuthor Commented:
I verified the permissions, but I didn't verify every registry setting listed in the article.
Yes changed the GPO
Yes did gpudate
clientdiag give same error
0
 
J.R. SitmanIT DirectorAuthor Commented:
sorry, just saw your last two posts.  I thought you were gone.  I'll check into these
0
 
DonNetwork AdministratorCommented:
nope, still here

hopefully we'll get it for ya
0
 
J.R. SitmanIT DirectorAuthor Commented:
Thanks for hanging in there.  I couldn't figure out how to verify or add the NT Authority/Network Service to Domain Users Account.  Can you give details.
Also I checked WSUS and every computer in our network stopped reporting in in Sept.  Maybe this will help you identify the problem.
0
 
DonNetwork AdministratorCommented:


Click Start, click Programs, click Administrative Tools, and then click Computer Management to open the Computer Management console.  
In the left pane, expand Local Users and Groups, and then click the Groups folder.  
In the right pane, right-click the Users group, and then click Properties.  
Click Add.  
In the Select Users or Groups dialog box, locate the Look in drop-down box, and then select the local computer.  
Select Authenticated Users, and then click Add.  
Select INTERACTIVE, and then click Add.  
Click OK, click Apply, and then click Close to close the properties for the Users group.  
In the left pane, expand Services and Applications, and then click Services.  
In the right pane, right-click IIS Admin Service, and then click Restart.  
In the Restart Other Services confirmation dialog box, click Yes.

0
 
DonNetwork AdministratorCommented:
Do you have your wsus gpo applied to "authenticated users" ?
0
 
J.R. SitmanIT DirectorAuthor Commented:
don't see local users.  see attachmenrt
local.png
0
 
DonNetwork AdministratorCommented:
sorry, you should go into dsa.msc (copy pasted the steps above)
0
 
J.R. SitmanIT DirectorAuthor Commented:
yes Authenticated users is in the filters
0
 
DonNetwork AdministratorCommented:
0
 
J.R. SitmanIT DirectorAuthor Commented:
Auth users and interactive were already there.  How much longer you going to be working?  Are you working tomorrow.  I'm getting Frustrated and need a break
0
 
J.R. SitmanIT DirectorAuthor Commented:
I was wondering if I remove the WSUS GPO do you think I can update the workstation then?
0
 
DonNetwork AdministratorCommented:
I'm at home and will stick with you till we get it.

What version wsus are you running? open console click help and then about
0
 
J.R. SitmanIT DirectorAuthor Commented:
3.2.7600
0
 
DonNetwork AdministratorCommented:
I highly suggest resolving your wsus issue, I've helped many get thru this. The error you were getting is one of the less common ones. If it were me I would uninstall IIS and ASP.NET uninstall WSUS and reinstall all.
0
 
J.R. SitmanIT DirectorAuthor Commented:
OK.  I'll uninstall all, reinstall and get back to you tomorrow.  Again, thanks for hanging with me.

Night.
0
 
DonNetwork AdministratorCommented:
good luck
0
 
DonNetwork AdministratorCommented:
Here are 2 links that should be very useful

How to manually remove all of WSUS

Then also( this step was missing from above link)
Go to command prompt and type in:
msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe

Install WSUS 3.0 - Step-By-Step
0
 
J.R. SitmanIT DirectorAuthor Commented:
the new install and syncronization just completed.  How long before it stats adding computers?
0
 
DonNetwork AdministratorCommented:
Run wuauclt /resetauthorization /detectnow on them
0
 
J.R. SitmanIT DirectorAuthor Commented:
I did it on one.  Hasn't show up yet.  Shouldn't it detect them itself?
0
 
DonNetwork AdministratorCommented:
Its based on your detection cycle determined in group policy. How do your clientdiags look?
0
 
J.R. SitmanIT DirectorAuthor Commented:
Unbelievable the diags are exactly the same
0
 
J.R. SitmanIT DirectorAuthor Commented:
Onr thing that I didn't mention is after I followed the removal instructions and then tried to reinstall WSUS SP1 it said I had a newer version already installed.  So I installed SP2.  So I guess the intructions left something behind.

What's puzzling it that WSUS has worked for 2 years with out a problem.  I think the upgrade to SP2 might have caused the current issues.
0
 
DonNetwork AdministratorCommented:
Most likely, since you say machines hadn't reported since sept. Which I believe is when sp2 was released.
0
 
J.R. SitmanIT DirectorAuthor Commented:
Can u help with a Complete uninstall
0
 
J.R. SitmanIT DirectorAuthor Commented:
Should I post anothe rquestion of how to completely uninstall WSUS SP2 or do you want to continue with this one.
0
 
DonNetwork AdministratorCommented:
Let's continue, will be home shortly. Did you follow the link I provided early on completely removing?
0
 
J.R. SitmanIT DirectorAuthor Commented:
ok.  Yes I did and I'm doing it again.  However, this time I uninstalled SP2 from add/remove.
0
 
J.R. SitmanIT DirectorAuthor Commented:
Good news, it's letting me install SP1 this time.  I'll keep you posted.
0
 
J.R. SitmanIT DirectorAuthor Commented:
I spoke too soon.  
See attachment
sp1.png
0
 
J.R. SitmanIT DirectorAuthor Commented:
I tried to install WSUS no SP and get this attachment.
sp1a.png
0
 
DonNetwork AdministratorCommented:
Its not necessary to install earlier versions. Use sp2
0
 
J.R. SitmanIT DirectorAuthor Commented:
I did that this morning and it got the same clientdiag error, remember?
0
 
J.R. SitmanIT DirectorAuthor Commented:
waiting for your reply if I should try SP2 again
0
 
DonNetwork AdministratorCommented:
Try deleting

HKLM\Software\Microsoft\Update Services\Server\Setup key and try again so we can make sure all remnants of wsus are removed

0
 
DonNetwork AdministratorCommented:
Did you run the command....


msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe

0
 
J.R. SitmanIT DirectorAuthor Commented:
just to confirm see attachment.  this is all that remains.  let me know to continue
server.png
0
 
J.R. SitmanIT DirectorAuthor Commented:
Just ran it and it say the action is only valid for products installed
0
 
DonNetwork AdministratorCommented:
that's correct
0
 
DonNetwork AdministratorCommented:
try setup again and post wsussetup.log if it fails
0
 
J.R. SitmanIT DirectorAuthor Commented:
SP2 or SP1
0
 
DonNetwork AdministratorCommented:
should have asked earlier is the server 64 bit?

if so the correct command was...

msiexec /x {BDD79957-5801-4A2D-B09E-852E7FA64D01} callerid=ocsetup.exe
0
 
DonNetwork AdministratorCommented:
sp2, and do you have Microsoft Report Viewer Redistributable 2008 installed?
0
 
J.R. SitmanIT DirectorAuthor Commented:
OK.  Yes it's installed
0
 
J.R. SitmanIT DirectorAuthor Commented:
synchronizing.  it took several hours the first time.  I'll keep you posted
0
 
DonNetwork AdministratorCommented:
you should be able to do a clientdiag, but lets change your wsus gpo to use the server IP Address(rule out dns problem)
0
 
J.R. SitmanIT DirectorAuthor Commented:
so instead of http://servername, put 172.16.1.6 (server ip) in the intranet locations in the GPO
0
 
DonNetwork AdministratorCommented:
yes, also go over this paying special attention to IUSR and IWAM


http://support.microsoft.com/?id=271071
0
 
J.R. SitmanIT DirectorAuthor Commented:
ok
0
 
DonNetwork AdministratorCommented:
Do you see the IUSR and IWAM accounts in the builtin\users group ?


Has the IP of the server recently changed?

Has the servername recently changed ?
0
 
J.R. SitmanIT DirectorAuthor Commented:
no and no
0
 
DonNetwork AdministratorCommented:
no IUSER or IWAM in users group?
0
 
J.R. SitmanIT DirectorAuthor Commented:
Sorry answered the wrong part of your question.  See attached
iusr.png
0
 
DonNetwork AdministratorCommented:
thats ok, what type of errors are in the eventvwr?
0
 
J.R. SitmanIT DirectorAuthor Commented:
still synchronizing
0
 
DonNetwork AdministratorCommented:
lets do this

1. Check the membership of the guests group. Remove the IUSR account from the members if it shows up under the guests group.  
2. Reset the IUSR account password:  
a. Open the AD Users and Computers console and select the container that holds the IUSR_<Server_Name>. This account is located under the Users container by default.  
b. Right click the IUSR account, select the option to change the password, and provide a new password for the account.  
c. Open a command prompt window run and change directories so that the prompt is on C:\inetpub\adminscripts.  
d. Then run:  
cscript adsutil.vbs set w3svc/anonymoususerpass <new password>  
Note: <new password> is the password provided in step 2b.  
e. Open the IIS management console and go into the properties for the website you are working with. Choose the directory security tab, click edit for Authentication and
Access Control. Make sure enable anonymous access is checked. If it is, the IUSR account will be selected. Reselect this account and specify the new password when setting the account. Specifically do this on the Default Website and the WSUS website .  
NOTE: If you have upgraded from WSS 2.0 to WSS 3.0 you should have a website named Sharepoint-80 in the IIS console. Please follow step 5 for the Sharepoint-80 website, because the WSUS selfupdate directory is hosted under the website listening on port 80.  
f. Try restarting the update service or run wsusutil checkhealth.  
g. Under the default website, the SELFUPDATE and CONTENT virtual directories should be configured to use Integrated Windows Authentication. Make sure that they dont have anonymous access enabled.  
h. Make sure SSL is not enabled on the SELFUPDATE virtual directory.  
i. Restart IIS.
0
 
J.R. SitmanIT DirectorAuthor Commented:
ok.  Will later.  Family just arrived.  Going to dinner.  Sorry.  Don't bail on me.  I appreciate the help
0
 
DonNetwork AdministratorCommented:
Okie Dokie
0
 
J.R. SitmanIT DirectorAuthor Commented:
The article 271071 specifically warns to do use it unless you are doing it on a Web Server.
0
 
J.R. SitmanIT DirectorAuthor Commented:
When  I check "Guest" proerties it doesn't list IUSR as a member, but IUSR does list Guest as a member.  Should I remove Guest from the IUSR properties?
0
 
J.R. SitmanIT DirectorAuthor Commented:
I did everything in the steps you sent.  I didn't complete the steps in 271071 until I get confirmation it is necessary.  I don't like changing all the permissions on my DC.  FYI clientdiag is still showing the error.
I hope you're checking mail today.  Love to get this solved before they return to work on Monday.
0
 
DonNetwork AdministratorCommented:
on the server run from cmd

wsusutil /checkhealth


then post any errors/warnings from the eventvwr under application(only wsus specific)
0
 
J.R. SitmanIT DirectorAuthor Commented:
Error.  Windows cannot find "wsusutil
0
 
DonNetwork AdministratorCommented:
sorry about that, should have told you  WSUSutil.exe is located in the %drive%\Program Files\Update Services\Tools folder

0
 
J.R. SitmanIT DirectorAuthor Commented:
self update is not working
no client computers have contacted the server
the reporting web service is not working
the client web service is not working
the simpleauth web service is not working
0
 
DonNetwork AdministratorCommented:
I need the event ids, these sound like in the range of 13042 and so on
0
 
J.R. SitmanIT DirectorAuthor Commented:
in the same order
13042
13051
12002
12022
12042

0
 
J.R. SitmanIT DirectorAuthor Commented:
I'm begging to think this is a life long project.  You're very nice for sticking with it.  I guess that's why you're a Guru
0
 
DonNetwork AdministratorCommented:
i enjoy it and am very confident we can resolve this
0
 
J.R. SitmanIT DirectorAuthor Commented:
FYI I just installed WSUS SP1 on our DC at another location and it's already discovering computers.  Don't know if this helps.
0
 
DonNetwork AdministratorCommented:
i would then scrap this and have your gpo point to that server
0
 
J.R. SitmanIT DirectorAuthor Commented:
Sorry. they are not connected.  One in Long Beach (problem) one in Los Angeles (working)

where is the WSUSinstalldir
0
 
DonNetwork AdministratorCommented:
C:\Program Files\Update Services\setup\installselfupdateonport80.vbs
0
 
J.R. SitmanIT DirectorAuthor Commented:
I figured it out, but when I run the command I get "there is no file extension in "C"\program"  I tried twice
0
 
J.R. SitmanIT DirectorAuthor Commented:
meant C:\program
0
 
DonNetwork AdministratorCommented:
use quotes because of the space between update and services


"C:\Program Files\Update Services\setup\installselfupdateonport80.vbs"
0
 
J.R. SitmanIT DirectorAuthor Commented:
that worked moving to next step
0
 
J.R. SitmanIT DirectorAuthor Commented:
on the next step I typed cacls but it didn't work.  see attachment
cacls.png
0
 
DonNetwork AdministratorCommented:
Try

cacls "C:\Program Files\Update Services\selfupdate"

0
 
J.R. SitmanIT DirectorAuthor Commented:
worked.  so far everything is correct.  See attachment.  where is this?

iis.png
0
 
DonNetwork AdministratorCommented:
did cacls display everything as it should:

BUILTIN\Users:(OI)(CI)R
 
BUILTIN\Administrators:(OI)(CI)F
 
NT AUTHORITY\SYSTEM:(OI)(CI)F



adsutil.vbs
http://technet.microsoft.com/en-us/library/cc720489%28WS.10%29.aspx
0
 
J.R. SitmanIT DirectorAuthor Commented:
Yes it did
0
 
J.R. SitmanIT DirectorAuthor Commented:
when I run it I get This script does not work with Wscript.  I'm about ot give up.  What do you think about me instlling WSUS SP1 on a different server?
0
 
J.R. SitmanIT DirectorAuthor Commented:
I got a message if I wanted to register csript.  I did and then it worked.  attached are results
script.png
0
 
J.R. SitmanIT DirectorAuthor Commented:
sorry. here are the correct results
0
 
J.R. SitmanIT DirectorAuthor Commented:
forgot to attach
script2.png
0
 
DonNetwork AdministratorCommented:
goto the section

HTTP 401.1: DENIED BY INVALID USER CREDENTIALS:

http://blogs.technet.com/sus/archive/2009/02/19/troubleshooting-guide-for-issues-where-wsus-clients-are-not-reporting-in.aspx

also how does wsusutil /checkhealth look now?
0
 
J.R. SitmanIT DirectorAuthor Commented:
This may be helpful.  When I logged on to another server and tried to browse the network, the DC spcala08 does not show up
0
 
J.R. SitmanIT DirectorAuthor Commented:
checkhealth is the same
0
 
J.R. SitmanIT DirectorAuthor Commented:
I'm trying another server.  I'll get back to you tomorrow.  Thanks for sticking with it.

Nite
0
 
DonNetwork AdministratorCommented:
alright, last hurrah  

lets uninstall/reinstall everything again except this time .NET as well<<<removal tool here


0
 
J.R. SitmanIT DirectorAuthor Commented:
The new server installational is working and the clientdiag is perfect.  So you are correct it was a DSN problem.  How do you suggest I award points?
0
 
DonNetwork AdministratorCommented:
Glad to see we figured it out, did you also resolve your dns issue?

ID:26168386 would be the answer then
0
 
J.R. SitmanIT DirectorAuthor Commented:
Need your help on what I should accept to close this
0
 
DonNetwork AdministratorCommented:
not sure what you are missing
ID:26168386

was the comment mentioning DNS
0
 
J.R. SitmanIT DirectorAuthor Commented:
The DNS issue was causing the problems.  I need to resolve that.
0
 
DonNetwork AdministratorCommented:
I like to use this tool to diagnose problems

pbbergs.com/windows/downloads/ad_diag.hta

make sure you have dcdiag and netdiag installed
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.