WSUS (Win 7 x64) Code 8024401F

(I apologize if this is the wrong zone.  I can't seem to find the WSUS zone.)
OK here's a new problem that I discovered recently.  I am getting the above error in Start\Control Panel\Windows Update - clicked on Install updates -
Now, from the same error screen, if I click on the Check online for updates from Windows Update I am able to download and install the update.  So, this is telling me there is some sort of communication error between my Win 7 client and my Wsus server.  I am currently running Wsus 3.0 SP2 on a Windows Server 2003 Std R2 x64 with SP1.  I have attached the error print screens and a copy of the Windowsupdate.log file from the Win 7 client for your examination.  Only Windows 7 x64 clients connected to the domain and is attempting to get updates on the Wsus server is getting this error.  Any help on this is greatly appreciated.   WindowsUpdate.log
WinUpdate-Error.doc
Report.wer.txt
WilmetteAsked:
Who is Participating?
 
ded9Connect With a Mentor Commented:

The main problem is, that WSUS creates folder with correct permissions, but has no tool to repair permissions, if something goes wrong.
In addition, WSUS has tool to check its functionality:

wsusutil checkhealth

This tool can only report wrong permissions, but not which permissions are missing. Also, there is no /PleaseRepairPermissions switch, which is a bit un-professional from MS.

So, what you need to do is:

FIRST, check if all permissions are set correctly, following the guides here:
http://technet2.microsoft.com/windowsserver/en/library/94d1385f-4872-4c29-8822-3a4ec5e45ae41033.mspx?mfr=true

SECOND, if your \WSUS folder is NOT on your Windows SYSTEM drive, you need to add READ permissions for NETWORK SERVICE to the whole drive, where \WSUS folder resides.
This is a bug from .NET FrameWork, which does not update permissions on non-system drives.

THIRD, if you still get ERROR The permissions on directory \WSUS\WsusContent are incorrect, try this workaround, which I invented by myself:


    * go to folder \WSUS\WsusContent and create a blank file, named ContentFolderAclsCheck.txt
    * assign Read/Write/Modify permissions to this file for NETWORK SERVICE account
    * then restart Update Services service
    * run wsusutil checkhealth from command-line and then check Application event log; there should be no WSUS-related errors anymore
    * also, ContentFolderAclsCheck.txt file should vanish from \WSUS\WsusContent folder


Ref
http://forum.hostmachine.net/viewtopic.php?t=142&sid=772fc9ceaa2358fbf6817e2fe76c1e1f



These servers also suddenly began to fail its synchronization from the upstream server. Strangely, they all had been working fine for a few weeks after the upgrade. The solution is to modify the directory permissions as follows:

    * The root folder of the local content directory must have at least Read permissions for the Users security group and the NT Authority\Network Service account. In other words, if the WSUS content directory is D:\WSUS\WSUSContent, the D:\WSUS directory must have the correct permissions. The BITS service will fail if these permissions are not set.
    * The content directory itself (in the above example, the WSUSContent directory) must have Full Control permissions for the NT Authority\Network Service account.
    * The temporary ASP.NET directory (%windir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files) must have Full Control permissions for the NT Authority\Network Service account.
    * The system %TEMP% directory (usually %windir%\TEMP) must have Full Control permissions for the NT Authority\Network Service account.

After the permissions have been set correctly restart the Update Services service and check the Application event log for errors. You should be able to perform a synchronization successfully now


Ref
http://www.expta.com/2008/01/fixing-incorrect-directory-permissions.html



Ded9
0
 
ded9Commented:
Is there some kind of proxy server. Check your proxy server setting.


Ded9
0
 
WilmetteAuthor Commented:
Nope, no proxy at all.  Now, there is a GPO that specifies Local Intranet zones, but no proxy.

NoProxy.doc
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
ded9Commented:
Based on the windows update log just want to confirm  bits is started and automatic.



Ded9
0
 
ded9Commented:
First run system readiness tool and then restart the computer and check

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=914fbc5b-1fba-4bae-a7c3-d2c47c6fcffc


By that time i will check the windows update log files.


Ded9
0
 
ded9Commented:
Do you have any antivirus software installed in your computer.


Ded9
0
 
WilmetteAuthor Commented:
Initially, I did have SEP 11.6 installed, but after searching I was told to temporarily disabled or remove firewall and anti-virus.  So currently, I do not have any anti-virus software installed, and firewall is disabled as part of our domain's GPO.  

From your other post, what do you mean by bits?  

I am running the readiness tool now and will post the results.
0
 
ded9Commented:
Launch services.msc and check for background intelligent services. Check whether its started or stopped.

You cannot disable firewall because it run in the kernel mode.

Can try clean boot but still you cannot disable firewall.


Clean Boot Process
Click Start-msconfig-click on services tab -put a check on hide all microsoft services and then click disable all. Click on startup tab and disable all.

Restart the computer. Enable two service and startup at a time. Restart the computer during this process to find out which software is creating this problem.



Ded9
0
 
ded9Commented:
Its not firewall .... its the Antivirus ...you cannot disable it.

Ded9
0
 
ded9Commented:
Restart the computer after running combofix ...if possible post the checksur.log. Check for any errors.


Ded9
0
 
ded9Commented:
Opps sorry .. sorry


Restart the computer after running system readiness ...if possible post the checksur.log. Check for any errors.
0
 
WilmetteAuthor Commented:
OK, I ran the readiness tool and it installed the hotfix for kb947821 - was there anything else related to this readiness tool that I need to obtain?

What is combofix?  Are you talking about the combination of readiness tool and msconfig?  I am getting ready to run the msconfig ..

to be continued...
0
 
ded9Commented:
Restart the computer after running system readiness ...if possible post the checksur.log. Check for any errors.

combofix was mistyped ...i am sorry....i meant system readiness tool.


Ded9
0
 
WilmetteAuthor Commented:
OK, readiness installed, and msconfig was set.  The only service that was supposed to run was TightVNC, but I have disabled that per your instructions.  And below is what I got from the checksur.log

=================================
Checking System Update Readiness.
Binary Version 6.1.7601.21645
Package Version 11.0
2011-03-29 10:16

Checking Windows Servicing Packages

Checking Package Manifests and Catalogs

Checking Package Watchlist

Checking Component Watchlist

Checking Packages

Checking Component Store

Summary:
Seconds executed: 405
 No errors detected
Customer Experience report successfully uploaded.  Thank you for participating.  For more information, see the Microsoft Customer Experience Improvement Program on the Microsoft web site.

Error is still there.  I really think there is a communcation problem between my Windows 7 x64 client and my WSUS server via port 8530.  The client can connect online (Microsoft's update site), download and install updates.  It's just the connection to the server is the problem.  I have also tested my Windows XP x86 clients, and all updates, whether via online or WSUS, are OK.
0
 
ded9Commented:
Check your security software setting for port 8530 . I think the problem lies with your security software. You can enable all services since the problem is not resolved.

Check your security software.


Ded9
0
 
WilmetteAuthor Commented:
I am not really sure what security software you are talking about.  However, I think the problem has something to do with rights to the WsusContent folder.  A couple of days ago, I moved the Wsus update files its local drive to a network location (basically to another server using UNC path).  I believe the security settings at this new location is incorrect.  Also, I am getting this event on my WSUS server:

The permissions on directory \\servername\apps\WSUSUpdateFiles\WsusContent are incorrect.

Can you let me know what permissions are needed for this to work correctly.  This folder, currently, has Domain Users with modify rights and Administrators (of that server, which includes Domain Admins) with full control.  

Thanks,
0
 
ded9Commented:
Any luck ?????


Ded9
0
 
DonNetwork AdministratorCommented:
0
 
WilmetteAuthor Commented:
I tried all of the references from ded9 above with no luck.  I am not sure if WSUS allows update files to be stored on a network location - different member server within the same domain.  Due to lack of time and other pressing tasks, I decided to move the content folders back, using the wsusutil movecontent command with the skipcopy switch, to the local hard disk.  After the move and synchronization of update files, I tested my Win7 client and it was able to find, download and install all required updates.  When time permits, I will try to recreate this case and go over the steps above a bit more thorough to see if I missed anything.  I would think storing update files on a network location wouldn't be a problem
Thank you for all of your help...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.