  • Status: Solved
  • Priority: Medium
  • Security: Public

WSUS 3.0 Update issues

I have a WSUS 3.0 server that has several groups of clients where I have approved several updates.  All clients have reported status back to the wsus server today.

For some reason, when I run a "wuauclt /detectnow" the client reports that there are 0 updates needed even when the WSUS server shows several approved updates that are ready to install.

I have verified there are no firewalls running
I can telnet from the client to the wsus server on port 8530
rsop.msc reports no errors applying my wsus gpo
the registry key at HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate has keys pointing to my wsus server

Below are the results from running the MS WSUS clientdiag tool on the client as well as the contents of the windows update log after running a
wuauclt /resetauthorization /detectnow

WSUS Client Diagnostics Tool

Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS
        Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
                This version is WSUS 2.0

Checking AU Settings
        AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                Option is from Policy settings

Checking Proxy Configuration
        Checking for winhttp local machine Proxy settings . . . PASS
                Winhttp local machine access type
                        <Direct Connection>
                Winhttp local machine Proxy. . . . . . . . . .  NONE
                Winhttp local machine ProxyBypass. . . . . . .  NONE
        Checking User IE Proxy settings . . . . . . . . . . . . PASS
                User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                User IE AutoDetect
                AutoDetect not in use

Checking Connection to WSUS/SUS Server
                WUServer = http://manage2.xxx.com:8530
                WUStatusServer = http://manage2.xxx.com:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
        Connection to server. . . . . . . . . . . . . . . . . . PASS
        SelfUpdate folder is present. . . . . . . . . . . . . . PASS

ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://manage2.xxx.com:8530/ClientWebService/client.asmx
Initializing simple targeting cookie, clientId = 3e4327c6-03c1-4f8a-a3ba-398d342e5bca, target group = , DNS name = xxxx.xxxx.xxxx.com
Server URL = http://xxx.xxx.com:8530/SimpleAuthWebService/SimpleAuth.asmx
WARNING: Failed to evaluate Installed rule, updateId = {6DE1BCC5-79E0-43F7-9146-BA4D3BA5D790}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {9B765177-CAD2-4901-8BEA-AD58ED8CF289}.51, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {2ADE0371-D580-4B7A-8740-E3B48292A4A6}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {B97F3C64-3B2B-4DB9-927C-6CD68EDB98C1}.51, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {7C1C2C32-30E5-44CD-8A74-ECCB75C77BA0}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {962A4718-740F-45BB-85AE-187E0008B823}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {65DA1810-3EA2-4AFE-B394-DFD66B588B73}.51, hr = 80041017
* Found 0 updates and 53 categories in search; evaluated appl. rules of 522 out of 1261 deployed entities
**  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
>>##  RESUMED  ## AU: Search for updates [CallId = {1C8D0B28-1087-4EC5-A2B0-B7826F4F2C22}]
 # 0 updates detected
##  END  ##  AU: Search for updates [CallId = {1C8D0B28-1087-4EC5-A2B0-B7826F4F2C22}]
Featured notifications is disabled.
Setting AU scheduled install time to 2011-03-03 06:00:00
REPORT EVENT: {94CFFDE6-7683-4EA3-8696-169DC5362CBB}      2011-03-02 23:13:09:541-0000      1      147      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Software Synchronization      Windows Update Client successfully detected 0 updates.
      REPORT EVENT: {E0B75A3D-2C2A-4510-A99E-ABEF0AA3ECB2}      2011-03-02 23:13:09:541-0000      1      156      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Pre-Deployment Check      Reporting client status.
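
An added example, not part of the original thread or of any Microsoft tool: a small Python summarizer for WindowsUpdate.log excerpts like the one above, pulling out the targeting cookie's group, the failed rule evaluations and the search result. The sample lines are constructed in the shape of the excerpt, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the shape of the excerpt above, host names masked.
SAMPLE_LOG = """\
Initializing simple targeting cookie, clientId = 3e4327c6-03c1-4f8a-a3ba-398d342e5bca, target group = , DNS name = xxxx.xxxx.xxxx.com
WARNING: Failed to evaluate Installed rule, updateId = {6DE1BCC5-79E0-43F7-9146-BA4D3BA5D790}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {9B765177-CAD2-4901-8BEA-AD58ED8CF289}.51, hr = 80041017
* Found 0 updates and 53 categories in search; evaluated appl. rules of 522 out of 1261 deployed entities
 # 0 updates detected
"""

TARGET_RE = re.compile(r"target group = (.*?), DNS name = (\S+)")
RULE_RE = re.compile(r"Failed to evaluate (\w+) rule, updateId = (\{[0-9A-Fa-f-]+\})\.(\d+), hr = ([0-9A-Fa-f]{8})")
FOUND_RE = re.compile(r"Found (\d+) updates and (\d+) categories in search; "
                      r"evaluated appl\. rules of (\d+) out of (\d+) deployed entities")


def summarize(log_text):
    """Collect targeting, rule-evaluation failures and the search result from a log excerpt."""
    s = {"target_group": None, "dns_name": None, "found": None,
         "evaluated": None, "deployed": None, "failures_by_hr": Counter(), "failed_ids": []}
    for line in log_text.splitlines():
        if m := TARGET_RE.search(line):
            s["target_group"], s["dns_name"] = m.group(1).strip(), m.group(2)
        elif m := RULE_RE.search(line):
            s["failures_by_hr"][m.group(4).lower()] += 1
            s["failed_ids"].append(f"{m.group(2)}.{m.group(3)}")
        elif m := FOUND_RE.search(line):
            s["found"], s["evaluated"], s["deployed"] = int(m.group(1)), int(m.group(3)), int(m.group(4))
    return s


def findings(s):
    """Turn the summary into the questions the thread asks of this log."""
    notes = []
    if s["target_group"] == "":
        notes.append("empty target group: check whether grouping is done in the console or by policy")
    for hr, count in sorted(s["failures_by_hr"].items()):
        notes.append(f"{count} rule evaluation failure(s) with hr = {hr}")
    if s["found"] == 0:
        notes.append(f"0 updates found; {s['evaluated']} of {s['deployed']} deployed entities evaluated: "
                     "confirm approved updates finished downloading on the server")
    return notes


if __name__ == "__main__":
    for note in findings(summarize(SAMPLE_LOG)):
        print(note)
```

The same patterns match the timestamped, tab-separated form of the log, since each regex searches within the line rather than anchoring at its start.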
1 Solution
Donald Stewart (Network Administrator) Commented:
You say that " I have a WSUS 3.0 server that has several groups of clients "

and in your log your target group is missing

target group = , DNS name

Target groups need to match in both group policy and in the WSUS console.

During setup, did you select "use group policy or registry settings"?

tferro999 (Author) Commented:
Under options I currently have it set to use the update services console.  The clients are present in their respective groups.

What would cause the target group to be missing?  If I remove them from the group and re-add will it help?

I forgot to mention that this WSUS server had been working perfectly for months.  Recently the machine was in a weird state and had to be bounced; afterwards the updating issues started.

tferro999 (Author) Commented:
I must not have copied enough of the log, I do see the target group

2011-03-03      03:01:08:680      2024      e48      PT      WARNING: Cached cookie has expired or new PID is available
2011-03-03      03:01:08:680      2024      e48      PT      Initializing simple targeting cookie, clientId = 3e4327c6-03c1-4f8a-a3ba-398d342e5bca, target group = , DNS name = site01.staging.xxx.com
2011-03-03      03:01:08:680      2024      e48      PT        Server URL = http://manage2.xxx.com:8530/SimpleAuthWebService/SimpleAuth.asmx
2011-03-03      03:01:08:727      2024      e48      Report      Uploading 2 events using cached cookie, reporting URL = http://manage2.xxx.com:8530/ReportingWebService/ReportingWebService.asmx
2011-03-03      03:01:08:727      2024      e48      Report      Reporter successfully uploaded 2 events.

Donald Stewart (Network Administrator) Commented:
No, you confirmed for me "Under options I currently have it set to use the update services console."

so you won't see the target group in your logs.

I wanted to first make sure that target groups wasn't the issue.

Have the approved updates finished downloading to the WSUS server?

Have you tried running wsusutil reset ?

Donald Stewart (Network Administrator) Commented:
Do you have client side targeting enabled in group policy? <<< you shouldn't since you are using the console for grouping.

Donald Stewart (Network Administrator) Commented:
Are there any WSUS related errors in the eventvwr application log?

tferro999 (Author) Commented:
I have confirmed that client side targeting is not enabled in my WSUS GPO, just the standard update location and time/frequency settings under.

computer config >> policies >> windows settings >> admin templates >> windows components >> windows updates

nothing wsus related in the logs of the client or server

I have not run wsusutil reset.  I read that it can cause other problems.  One suggestion was to try

Donald Stewart (Network Administrator) Commented:
"I have not run wsusutil reset.  I read that it can cause other problems."

I have never seen or heard of that command causing any issues.

wsusutil reset checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again.

Clearing out the BITS cache can't hurt.

tferro999 (Author) Commented:
I think I have identified the issue.  Although the updates had been approved, they had never finished downloading.

After looking at some other forums, it appears that the "network service" account did not have full access permissions to my local wsuscontent folder.  I'm applying these permissions now and will let you know if downloads resume after a reboot.

Donald Stewart (Network Administrator) Commented:
Did you miss?


"Have the approved updates finished downloading to the WSUS server?"

tferro999 (Author) Commented:
It's taking forever to apply the file permissions but I'll give it a chance to finish.

Donald Stewart (Network Administrator) Commented:
Here's an article to compare your settings with

tferro999 (Author) Commented:
I've looked at the registry and IIS permissions and it looks correct.

I added network service to the wsuscontent root folder.

Still no joy downloading updates.  The machine does have external access.

If I do a manual synchronization it should start the download process right?

tferro999 (Author) Commented:
Read some info here, can't see any errors in my event viewer or the softwaredistribution.log

Donald Stewart (Network Administrator) Commented:
wsusutil reset

tferro999 (Author) Commented:
WSUS admin console is having intermittent issues loading and I'm seeing some disk I/O errors in event viewer.

The drive with the wsus content is on our SAN and it looks like this may be due to some issues with the HBA or switch.

Donald Stewart (Network Administrator) Commented:
Is this drive local to your WSUS server?

Donald Stewart (Network Administrator) Commented:
It is not a supported configuration.

The reason is that all file content is downloaded/written to the filesystem
via the BITS service, which is properly configured to run in the Local
System context.

The "Local System" account will not have write permissions to NAS, in most


Any comment concerning WSUS made by Lawrence Garvin should be taken to heart

tferro999 (Author) Commented:
The SAN presents the LUN to the server as if it was a local resource.  I read a few posts about people trying to store the wsus content on a NAS file share.

This was working for months prior to this.  The only recent change was moving to a new fiber switch.  I'll let you know what I find.

Donald Stewart (Network Administrator) Commented:
You would be better off adding drive space to existing WSUS server (if space is needed) and moving the content there.

Donald Stewart (Network Administrator) Commented:
Yeah, I see that it's doable...but have you read the warning?

By storing content on a network attached drive, network traffic will be doubled (since the data must be transferred from the iSCSI target host to the WSUS host, before being distributed to the client). This may degrade network performance, so consider your situation. Additional resource demands on the fileserver must also be considered, as the iSCSI commands must be interpreted at both ends, in addition to the data transfer.

This is a completely unsupported configuration, and you will probably not receive any assistance from Microsoft if you configure your server in this manner.

tferro999 (Author) Commented:
I think we are good, this is on a Fiber based SAN, not iSCSI.
