Client computers not updating using WSUS

bryanchandler
bryanchandler used Ask the Experts™
on
I setup WSUS for the first time on a Windows SBS 2003 r2 server & was able get all of my client PCs listed, but for some reason after I approve updates for them they aren't updating in a timely fashion.  I had set a separate linked GPO (enforced) for them to run Windows Update every night at 3am & install the updates, but it looks like it's not propagating.  I gave it weeks to & ran gpupdate /force on one of the client systems but it still hasn't come through.
I'm a WSUS & GPO n00b so please forgive any ignorance I might show.
Please let me know any information that I need to provide.
Thanks for the help.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
Try this on a single client machine, see if you notice any changes
net stop wuauserv
Del c:\windows\windowsupdate.logs (XP Client)
net start wuauserv
wuauclt.exe /resetauthorization /detectnow

Also can you check the event logs on a client and WSUS server, as see if you get any errors?

Check out this article; it goes over some known issues
http://www.wsuswiki.com/ClientFAQ 
DonNetwork Administrator

Commented:
Go thru this step by step guide to see if you missed anything


http://blogs.microsoft.co.il/blogs/yanivf/archive/2007/09/23/install-wsus-3-0-step-by-step.aspx

 check your client settings with clientdiag

Author

Commented:
naykam,
I did as you suggested.
Here's a client log from a system I just reinstalled XP Pro on 2 weeks ago with 45 post SP3 updates:

2010-01-28      11:53:39:342      1028      edc      Misc      ===========  Logging initialized (build: 7.4.7600.226, tz: -0600)  ===========
2010-01-28      11:53:39:342      1028      edc      Misc        = Process: C:\WINDOWS\System32\svchost.exe
2010-01-28      11:53:39:342      1028      edc      Misc        = Module: C:\WINDOWS\system32\wuaueng.dll
2010-01-28      11:53:39:342      1028      edc      Service      *************
2010-01-28      11:53:39:342      1028      edc      Service      ** START **  Service: Service startup
2010-01-28      11:53:39:342      1028      edc      Service      *********
2010-01-28      11:53:39:389      1028      edc      Agent        * WU client version 7.4.7600.226
2010-01-28      11:53:39:389      1028      edc      Agent        * Base directory: C:\WINDOWS\SoftwareDistribution
2010-01-28      11:53:39:420      1028      edc      Agent        * Access type: No proxy
2010-01-28      11:53:39:420      1028      edc      Agent        * Network state: Connected
2010-01-28      11:53:57:983      1028      920      Agent      ***********  Agent: Initializing Windows Update Agent  ***********
2010-01-28      11:53:57:983      1028      920      Agent      ***********  Agent: Initializing global settings cache  ***********
2010-01-28      11:53:57:983      1028      920      Agent        * WSUS server: http://oakserver1:8530
2010-01-28      11:53:57:983      1028      920      Agent        * WSUS status server: http://oakserver1:8530
2010-01-28      11:53:57:983      1028      920      Agent        * Target group: oakhill
2010-01-28      11:53:57:983      1028      920      Agent        * Windows Update access disabled: No
2010-01-28      11:53:57:999      1028      920      DnldMgr      Download manager restoring 0 downloads
2010-01-28      11:53:58:015      1028      920      DnldMgr      Retrieved 1 persisted download jobs
2010-01-28      11:53:58:015      1028      920      DnldMgr      ***********  DnldMgr: Restoring download [no. 0]  ***********
2010-01-28      11:53:58:015      1028      920      DnldMgr        * BITS JobId = {0A4B0C06-EE07-4E14-B29C-9AEE96139913}
2010-01-28      11:53:58:015      1028      920      DnldMgr        * ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}
2010-01-28      11:53:58:311      1028      920      DnldMgr        * UpdateId = {A18CC936-DA41-421F-9AD9-303D806EC128}.113
2010-01-28      11:53:59:749      1028      920      DnldMgr        * Restored download job.
2010-01-28      11:53:59:765      1028      920      AU      ###########  AU: Initializing Automatic Updates  ###########
2010-01-28      11:53:59:765      1028      920      AU      AU setting next sqm report timeout to 2010-01-28 17:53:59
2010-01-28      11:53:59:765      1028      920      AU        # WSUS server: http://oakserver1:8530
2010-01-28      11:53:59:765      1028      920      AU        # Detection frequency: 22
2010-01-28      11:53:59:765      1028      920      AU        # Target group: oakhill
2010-01-28      11:53:59:765      1028      920      AU        # Approval type: Scheduled (Policy)
2010-01-28      11:53:59:780      1028      920      AU        # Scheduled install day/time: Every day at 17:00
2010-01-28      11:53:59:780      1028      920      AU        # Auto-install minor updates: Yes (Policy)
2010-01-28      11:53:59:796      1028      920      AU      Setting AU scheduled install time to 2010-01-28 23:00:00
2010-01-28      11:53:59:843      1028      920      AU      Initializing featured updates
2010-01-28      11:53:59:843      1028      920      AU      Found 0 cached featured updates
2010-01-28      11:54:00:046      1028      920      Report      ***********  Report: Initializing static reporting data  ***********
2010-01-28      11:54:00:046      1028      920      Report        * OS Version = 5.1.2600.3.0.65792
2010-01-28      11:54:00:155      1028      920      Report        * Computer Brand = Dell Computer Corporation
2010-01-28      11:54:00:155      1028      920      Report        * Computer Model = Dimension 2350
2010-01-28      11:54:00:171      1028      920      Report        * Bios Revision = A01
2010-01-28      11:54:00:171      1028      920      Report        * Bios Name = Phoenix - AwardBIOS v6.00PG
2010-01-28      11:54:00:171      1028      920      Report        * Bios Release Date = 2002-12-17T00:00:00
2010-01-28      11:54:00:171      1028      920      Report        * Locale ID = 1033
2010-01-28      11:54:00:358      1028      920      AU      AU finished delayed initialization
2010-01-28      11:54:00:358      1028      edc      AU      #############
2010-01-28      11:54:00:358      1028      edc      AU      ## START ##  AU: Search for updates
2010-01-28      11:54:00:358      1028      edc      AU      #########
2010-01-28      11:54:00:468      1028      edc      AU      <<## SUBMITTED ## AU: Search for updates [CallId = {A4896EE0-CDF2-46EB-8DCB-32AC71F09151}]
2010-01-28      11:54:00:483      1028      920      AU      Triggering AU detection through DetectNow API
2010-01-28      11:54:00:483      1028      920      AU      Will do the detection after current detection completes
2010-01-28      11:54:02:187      1028      138      Agent      *************
2010-01-28      11:54:02:187      1028      138      Agent      ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
2010-01-28      11:54:02:202      1028      138      Agent      *********
2010-01-28      11:54:02:202      1028      138      Agent        * Online = No; Ignore download priority = No
2010-01-28      11:54:02:202      1028      138      Agent        * Criteria = "IsHidden=0 and IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and IsAssigned=1 or IsHidden=0 and IsInstalled=1 and DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and IsAssigned=1 and RebootRequired=1"
2010-01-28      11:54:02:218      1028      138      Agent        * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2010-01-28      11:54:02:218      1028      138      Agent        * Search Scope = {Machine}

WSUS reports that there's 45 updates.  It's been 2 weeks, and nothing has installed.
I ran the WSUS client diag tool.  It reported no failures.
Bootstrap 4: Exploring New Features

Learn how to use and navigate the new features included in Bootstrap 4, the most popular HTML, CSS, and JavaScript framework for developing responsive, mobile-first websites.

Commented:
Odd...this reports that the computer wants to install the updates automatically at 5pm (17:00).

Just to get more information the computers are showing up in the WSUS console?

What is your GPO set to do?

Where is the GPO being applied?


I can assist more with that information.
DonNetwork Administrator

Commented:

Author

Commented:
This file is report of the GPO I created for WSUS.
I also installed the latest windows installer
I did set the update to occur at 5pm, not 3am as I stated before.  I was trying to avid the machine being turned off somehow by someone overnight.
Small-Business-Server-WSUS-Polic.htm

Author

Commented:
FYI:
I've checked this clients AU setting from Control Panel & it shows the same settings that I assigned in this GPO, but when I run gpedit on the client system, the GP item is blank.
DonNetwork Administrator

Commented:
Did you reboot?

Commented:
Running gpedit will not show your group policy settings. Gpedit.msc will show you your local policy settings only.
To see if the policy is applying to clients (which I suspect it is) you run a gpresult and that will tell you if your policy is being applied or not.
Couple more questions.....
 Why are you using client-side targeting in the GPO? Unless you have a specific need for this I would turn this setting off.
I think I may know what the problem is but it requires a tool called bitsadmin
Download and read about it here:
http://msdn.microsoft.com/en-us/library/aa362813(VS.85).aspx
Once you have the tool run a bitsadmin /list /allusers from any machine not receiving updates.
Let me know if your queue of 10 jobs is filled with transient errors.
 
VERY IMPORTANT!
 
If you approved any updates while the database was syncing with Microsoft you essentially approved an incomplete download so it will not apply and it will corrupt your Windows Internal Database....so to speak.
If you do remember doing this I would suggest starting over from scratch and not approving any updates until your database is completely up to date with the most current updates.
DonNetwork Administrator

Commented:
"If you approved any updates while the database was syncing with Microsoft you essentially approved an incomplete download so it will not apply and it will corrupt your Windows Internal Database....so to speak."

WHAT????  Where's this documentation ?

The updates just wont be available until the download is finished, they will be reported as "Updates needing files"

Also there would be absolutely no reason here to start over from scratch. If updates did happen to get corrupt you can run "Wsusutil reset" which Checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again.

There's very good reasons to use client side targeting!! You usually dont want your servers updated the same way as your workstations. You sometimes want also have a test group as well.


DonNetwork Administrator

Commented:
bryanchandler,


Take a look here, there are similarities to your issue

http://social.technet.microsoft.com/Forums/en/winserverwsus/thread/bfdf88db-8e3e-4cb4-8247-81ccce9c0383

Commented:
It seems I did not put as much thought into this before posting previously.
I can see why you would want to use client side targeting if your updates are allowing non-administrators to install and are scheduled to auto-install.
I did in fact jump the gun in the response of WID becoming corrupted. I recently went through a disconnected WSUS setup in which the wsusutil /reset only made the problem worse.
 
If you are connected to the internet then dstewartjr is right in that a wsusutil /reset should be all you would need to do in the event you did approve updates while it was syncing.
 
Still at this point restarting and following Microsoft's instructions will still more then likely take less time then continuing to troubleshoot if the above proposed solutions do not work.
DonNetwork Administrator

Commented:
"...in the event you did approve updates while it was syncing."


This does not cause corruption.

Commented:
If done on an offline setup from which I was speaking about it does.

However if your WSUS is connected to the internet then you will be fine.

I know this from personal experience and not Microsoft guides

Author

Commented:
Thanks for the responses guys.
Just to let you know, I took over 5 server/networks from my former lead tech/boss who was as verbose as a corpse.  It's been 2 years & I'm still learning & trying to get full control of them.

 "Why are you using client-side targeting in the GPO?"
I don't have any concept of what that means, but if you say that it doesn't matter, it's fine.  

As I remember I let the sync complete before I started approving updates anyway.

drock1: I did reboot after installing the Windows installer on that PC.

I installed Windows XP SP2 support tools & ran "bitsadmin /list /allusers" & the result was "listed 0 jobs"

Here's the result of gpresults from a client PC that has 2 updates that aren't installing.

RSOP results for OAKHILL\bchandler on PAYROLL02 : Logging Mode
---------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 OAKHILL
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\bchandler
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=PAYROLL02,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=OakHill,DC=local
    Last time Group Policy was applied: 1/29/2010 at 10:31:27 AM
    Group Policy was applied from:      oakserver1.OakHill.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Small Business Server WSUS Policy
        GFI Monitoring Policy
        Small Business Server Domain Password Policy
        Small Business Server Windows Firewall
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        PAYROLL02$
        Domain Computers
        SupervisorHOSTSBypas


USER SETTINGS
--------------
    CN=Bryan Chandler,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=OakHill,DC=local
    Last time Group Policy was applied: 1/29/2010 at 10:33:25 AM
    Group Policy was applied from:      oakserver1.OakHill.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Folder Redirection
        Small Business Server Client Computer
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Nurses1LockDownPolicy
            Filtering:  Denied (Security)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Selective Disable Shutdown Policy
            Filtering:  Denied (Security)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Nurses2LockdownPolicy
            Filtering:  Denied (Security)

        Small Business Server WSUS Policy
            Filtering:  Denied (Security)

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        GFI Monitoring Policy
            Filtering:  Denied (Security)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Admins
        SBS Mobile Users
        SBS Report Users
        Web Workplace Users
        Offer Remote Assistance Helpers




Author

Commented:
Bumped up the points to 200
DonNetwork Administrator

Commented:
Lets install/reinstall the latest windows update agent
x86-based versions of Windows: Download WindowsUpdateAgent30-x86.exe (http://go.microsoft.com/fwlink/?LinkID=100334).


x64-based versions of Windows: Download WindowsUpdateAgent30-x64.exe (http://go.microsoft.com/fwlink/?LinkID=100335).


be sure to install using the command line as below:
 
 WindowsUpdateAgent30-<platform>.exe /quiet /norestart /wuforce

Author

Commented:
I ran the isntaller using the switches you specified.
I attatched the WindowsUpdate.log file from the PC w/ 45 updates pending, but only from the last scheduled update/ install last night at 17:00
Does it look normal?
WindowsUpdate.log

Author

Commented:
Obviously what WSUS is reporting & what the client PC thinks it needs aren't the same.  WSUS still says the above system needs 45 updates, but the log shows it only found 1 update for IE8 compatibility list.
Another machine I'm testing out shows a Windows defender update needing to be installed in WSUS, but locally it doesn't show that update needing to be installed.
I'm really starting to think that the clients aren't reporting, or WSUS isn't receiving their reports correctly.
DonNetwork Administrator

Commented:
Double check that these updates are indeed approved for this target group

Author

Commented:
I looked at the report for this machine generated by WSUS.  I see that the 45 updates are not approved in the report, but under Update Services/Oakserver1/Updates/All updates, using the Unapproved/Failed or needed view it shows 0 updates.
I have refreshed the view to make sure.  Why would these updates show as being unapproved in the report, but not show up in the mentioned view?  Am I missing something here?
Network Administrator
Commented:
Try approving the 45 updates and see if it clears up, they could be already installed.

Author

Commented:
The computer in question was NOT joined to the group I had approved the update for.  When I initially approved the few hundered updates I only approved them for the group, not All Computers.  I'm assuming this will get these updates installed now.
However, this doesn't answer why the other machine I'm testing showing that it only needs 1 update, while WSUS shows that it needs 2, mainly a Windows Defender update.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial