Solved

SCCM 2012 / WSUS Software Updates not installing

Posted on 2014-04-06
67
13,522 Views
2 Endorsements
Last Modified: 2014-04-28
We have a WSUS server in our environment that works through Microsoft System Center 2012. I have a large amount of updates that I am attempting to send to a collection of PCs, but they do not seem to be deploying. I even set up the automatic deployment rule to allow it to operate outside of maintenance mode -- even though I don't have any maintenance  modes set for this collection.

They are not installing. Here are the logs from updatesdeployment.log. Please advise.

<![LOG[Assignment {5c1c90c9-e4ea-4cc9-bd3d-9949705b4977} has total CI = 145]LOG]!><time="18:52:06.805+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="2440" file="updatesassignment.cpp:161">
<![LOG[Deadline received for assignment ({5c1c90c9-e4ea-4cc9-bd3d-9949705b4977})]LOG]!><time="18:52:06.805+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="2440" file="updatesassignment.cpp:923">
<![LOG[Detection job ({5E8BA624-B208-4B4C-A4B5-99A28E773B10}) started for assignment ({5c1c90c9-e4ea-4cc9-bd3d-9949705b4977})]LOG]!><time="18:52:06.836+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="2440" file="updatesassignment.cpp:1196">
<![LOG[Message received: '<?xml version='1.0' ?>
      <CIAssignmentMessage MessageType='EnforcementDeadline'>
          <AssignmentID>{9DDD6DCC-28DF-43DA-8678-F27B4453FD81}</AssignmentID>
      </CIAssignmentMessage>']LOG]!><time="19:00:00.065+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3156" file="cdeploymentagent.cpp:189">
<![LOG[Deadline received for assignment ({9DDD6DCC-28DF-43DA-8678-F27B4453FD81})]LOG]!><time="19:00:00.080+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3156" file="updatesassignment.cpp:923">
<![LOG[Enforcement trigger will be effective when the current action completes]LOG]!><time="19:00:00.096+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3156" file="updatesassignment.cpp:969">
<![LOG[Message received: '<?xml version='1.0' ?>
      <CIAssignmentMessage MessageType='Activation'>
          <AssignmentID>{5c1c90c9-e4ea-4cc9-bd3d-9949705b4977}</AssignmentID>
      </CIAssignmentMessage>']LOG]!><time="19:02:00.064+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3372" file="cdeploymentagent.cpp:189">
<![LOG[Assignment ({5c1c90c9-e4ea-4cc9-bd3d-9949705b4977}) received activation trigger]LOG]!><time="19:02:00.126+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3372" file="updatesassignment.cpp:729">
<![LOG[Operation (TriggerEnforce) already in progress. No need to activate.]LOG]!><time="19:02:00.126+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="2" thread="3372" file="updatesassignment.cpp:735">
<![LOG[CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event]LOG]!><time="22:00:00.051+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3348" file="assignmentsmanager.cpp:277">
<![LOG[Suspend activity in presentation mode is selected]LOG]!><time="22:00:00.082+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3348" file="cliuisettings.h:163">
<![LOG[At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.]LOG]!><time="22:00:00.082+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3348" file="deploymentutils.cpp:711">
<![LOG[Proceeding to non-business hours activites as presentation mode is off.]LOG]!><time="22:00:00.082+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3348" file="deploymentutils.cpp:722">
<![LOG[Auto install during non-business hours is disabled or never set, selecting only scheduled updates.]LOG]!><time="22:00:00.097+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3348" file="assignmentsmanager.cpp:500">
<![LOG[A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.]LOG]!><time="22:00:00.097+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3348" file="updatesmanager.cpp:1558">
<![LOG[Attempting to install 0 updates]LOG]!><time="22:00:00.097+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3348" file="updatesmanager.cpp:1581">
<![LOG[No actionable updates for install task. No attempt required.]LOG]!><time="22:00:00.097+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3348" file="updatesmanager.cpp:2914">
<![LOG[Updates could not be installed at this time. Waiting for the next maintenance window.]LOG]!><time="22:00:00.097+300" date="04-04-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3348" file="updatesmanager.cpp:1600">
<![LOG[CUpdateAssignmentsManager received a SERVICEWINDOWEVENT END Event]LOG]!><time="00:00:00.115+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="assignmentsmanager.cpp:277">
<![LOG[CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event]LOG]!><time="00:00:00.115+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="assignmentsmanager.cpp:277">
<![LOG[Suspend activity in presentation mode is selected]LOG]!><time="00:00:00.146+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="cliuisettings.h:163">
<![LOG[At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.]LOG]!><time="00:00:00.146+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="deploymentutils.cpp:711">
<![LOG[Proceeding to non-business hours activites as presentation mode is off.]LOG]!><time="00:00:00.146+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="deploymentutils.cpp:722">
<![LOG[Auto install during non-business hours is disabled or never set, selecting only scheduled updates.]LOG]!><time="00:00:00.178+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="assignmentsmanager.cpp:500">
<![LOG[A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.]LOG]!><time="00:00:00.178+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="updatesmanager.cpp:1558">
<![LOG[Attempting to install 0 updates]LOG]!><time="00:00:00.178+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="updatesmanager.cpp:1581">
<![LOG[No actionable updates for install task. No attempt required.]LOG]!><time="00:00:00.178+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="updatesmanager.cpp:2914">
<![LOG[Updates could not be installed at this time. Waiting for the next maintenance window.]LOG]!><time="00:00:00.178+300" date="04-05-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="864" file="updatesmanager.cpp:1600">
<![LOG[CUpdateAssignmentsManager received a SERVICEWINDOWEVENT END Event]LOG]!><time="00:00:00.223+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="1256" file="assignmentsmanager.cpp:277">
<![LOG[CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event]LOG]!><time="00:00:00.224+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3416" file="assignmentsmanager.cpp:277">
<![LOG[Suspend activity in presentation mode is selected]LOG]!><time="00:00:00.244+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3416" file="cliuisettings.h:163">
<![LOG[At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.]LOG]!><time="00:00:00.244+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3416" file="deploymentutils.cpp:711">
<![LOG[Proceeding to non-business hours activites as presentation mode is off.]LOG]!><time="00:00:00.244+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3416" file="deploymentutils.cpp:722">
<![LOG[Auto install during non-business hours is disabled or never set, selecting only scheduled updates.]LOG]!><time="00:00:00.250+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3416" file="assignmentsmanager.cpp:500">
<![LOG[A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.]LOG]!><time="00:00:00.250+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3416" file="updatesmanager.cpp:1558">
<![LOG[Attempting to install 0 updates]LOG]!><time="00:00:00.250+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3416" file="updatesmanager.cpp:1581">
<![LOG[No actionable updates for install task. No attempt required.]LOG]!><time="00:00:00.250+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3416" file="updatesmanager.cpp:2914">
<![LOG[Updates could not be installed at this time. Waiting for the next maintenance window.]LOG]!><time="00:00:00.250+300" date="04-06-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3416" file="updatesmanager.cpp:1600">
2
Comment
Question by:Firstcom
  • 40
  • 13
  • 13
67 Comments
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

You need to look at your selection rules and the patches themselves. The log is saying:
Attempting to install 0 updates
No actionable updates for install task

Effectively "nothing to see hear move along".

I generally start with one patch to one machine that is teachable and nearby (a VM even) to make sure everything is working as you expect, then add more patches.

Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Mike, I've double checked everything. The device in question is in the targeted Collection. It's deployed.

At the beginning of the log, it states: <![LOG[Assignment {5c1c90c9-e4ea-4cc9-bd3d-9949705b4977} has total CI = 145]LOG]!>

145 is the number of updates with this particular assignment.

I'll try it on a different PC, but everything looks right with the set up as far as the basic deployment is concerned.
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

Yes, please try just a single machine. If it doesn't work, try just one patch.
Things to check/consider:

If you have SCCM SP1 to fix this error go to the settings page in the Administration client in computer, computer agent "Additional software manages the deployment of applications and software updates" change to "NO"

If not, check these:

Is the GPO set to point WSUS to your SUP?
Is the format correct - http://your-sccm-box's-FQDN:8530
Is it being trumped by any other?
Are the patches even downloading to %windir%\ccm\cache?
Have you checked the local machine logs UpdatesDeployment.log and WindowsUpdate.log ? (the second one is the key as it shows what the agent does, although in this case 0 patches are selected)
Finally, can you deploy any other software to the same collection?
Are all roles in monitoring healthy, especially the MP?

If the answer to the last is no, you have much bigger problems.
When testing I also set the patch to required (meaning mandatory) and set the time to "as soon as possible" as a deadline. Office hours are default 9-5pm and I see the patches deploy after 5 or 10 mins tops.

Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Update: I've just now deployed this to another test PC that hasn't been touched yet. Checking shortly after the deployment, UpdatesDeployment.log shows this so far:

<![LOG[Assignment {bb255a00-e0ac-4913-8102-3b5bb036a033} has total CI = 145]LOG]!><time="07:56:46.432+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4212" file="updatesassignment.cpp:161">
<![LOG[Deadline received for assignment ({bb255a00-e0ac-4913-8102-3b5bb036a033})]LOG]!><time="07:56:46.432+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4212" file="updatesassignment.cpp:923">
<![LOG[Detection job ({AA999F6D-DBF1-4CFF-AF37-35B906D57613}) started for assignment ({bb255a00-e0ac-4913-8102-3b5bb036a033})]LOG]!><time="07:56:46.448+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4212" file="updatesassignment.cpp:1196">
<![LOG[User logoff system task]LOG]!><time="08:00:45.492+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="5988" file="systemtasks.cpp:142">
<![LOG[User logon system task]LOG]!><time="08:09:42.866+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="280" file="systemtasks.cpp:90">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="08:10:04.390+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4608" file="updatesmanager.cpp:945">

CAS.log does show activity as well:

<![LOG[Saved Content ID Mapping Content_2f000c6e-509c-4db8-88a1-ddbc43057ed3.1, C:\WINDOWS\ccmcache\g]LOG]!><time="07:56:20.504+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_4911b995-81f1-414c-b61e-bb5656f22b96.1, C:\WINDOWS\ccmcache\7]LOG]!><time="07:56:20.562+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_301618a5-3f93-464f-804f-e7a780da20f4.1, C:\WINDOWS\ccmcache\4]LOG]!><time="07:56:20.570+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_51d0dc14-e402-4777-aaaf-615f9cbb54b9.1, C:\WINDOWS\ccmcache\5]LOG]!><time="07:56:20.576+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_4fb022f3-5d78-4fca-a695-10bb19c9525c.1, C:\WINDOWS\ccmcache\9]LOG]!><time="07:56:20.581+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_ad631e8b-db38-4e41-8c6b-11233b4075ea.1, C:\WINDOWS\ccmcache\c]LOG]!><time="07:56:20.592+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_e028e4a9-868c-4d28-b33d-df807a348024.1, C:\WINDOWS\ccmcache\a]LOG]!><time="07:56:20.596+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_612eb068-8692-4c64-b0df-9629d3551aa7.1, C:\WINDOWS\ccmcache\e]LOG]!><time="07:56:20.600+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_3e7cac16-fff8-492d-8702-82e5c2d3051d.1, C:\WINDOWS\ccmcache\2]LOG]!><time="07:56:20.605+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_9fce9061-9f76-460c-a0ec-268e3d909ee2.1, C:\WINDOWS\ccmcache\b]LOG]!><time="07:56:20.611+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_2a0cca71-af37-48a1-8b91-71f726890ec3.1, C:\WINDOWS\ccmcache\1]LOG]!><time="07:56:20.616+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_57fed5b9-455b-44c0-b4d7-062754fb6f6b.1, C:\WINDOWS\ccmcache\f]LOG]!><time="07:56:20.621+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_9f2c14d9-27dc-4d50-88c4-52b3835d594a.1, C:\WINDOWS\ccmcache\6]LOG]!><time="07:56:20.628+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_facce459-d5e6-4a40-8f49-0382b00c8b50.1, C:\WINDOWS\ccmcache\d]LOG]!><time="07:56:20.633+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_d79417ea-60b7-46ce-94b2-85eb1fcc18e3.1, C:\WINDOWS\ccmcache\8]LOG]!><time="07:56:20.638+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">
<![LOG[Saved Content ID Mapping Content_a3685f24-8b3a-495f-a98c-289f9afa336c.1, C:\WINDOWS\ccmcache\3]LOG]!><time="07:56:20.643+300" date="04-07-2014" component="ContentAccess" context="" type="1" thread="2180" file="cachedcontentinfo.cpp:188">


Does this mean that the updates are downloading, and that I need to simply wait and they'll be installed at that time, or?
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

I can't tell. Those cache folders could be just existing deployments. I am guessing not.
If you open the client on the machine and on the actions tab click
"Software Updates Deployment Evaluation Cycle" and "Software Updates Scan Cycle" then watch the cache folder directly. It is a good idea to have CMtrace open and have ccmexec.log loaded so you can watch it live. I rarely bother with CAS.Log.

Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Upon looking at the files in the ccmcache directory, it looks like they are applications and not updates.

I ran the two actions and the ccmcache directory is not populating any further. If the updates download into the ccmcache directory, they do not appear to be downloading.

Here are the contents of UpdatesDeployment.log after running those two actions:

<![LOG[Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssignments'><UseCachedResults>False</UseCachedResults></SoftwareUpdatesMessage>']LOG]!><time="08:55:40.617+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4712" file="cdeploymentagent.cpp:189">
<![LOG[Removing scan history to force non cached results]LOG]!><time="08:55:40.617+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4712" file="assignmentsmanager.cpp:1214">
<![LOG[Assignment({bb255a00-e0ac-4913-8102-3b5bb036a033}) already in progress state (AssignmentStateDetecting). No need to evaluate]LOG]!><time="08:55:40.683+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4712" file="updatesassignment.cpp:839">
<![LOG[Assignment({9DDD6DCC-28DF-43DA-8678-F27B4453FD81}) already in progress state (AssignmentStateDetecting). No need to evaluate]LOG]!><time="08:55:40.693+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4712" file="updatesassignment.cpp:839">
<![LOG[Evaluation initiated for (0) assignments.]LOG]!><time="08:55:40.693+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4712" file="assignmentsmanager.cpp:1105">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="08:55:45.492+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4376" file="updatesmanager.cpp:945">
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Some of the pertinent options for the ADR that I have set include:

* Enable deployment after run.
* Automatically deploy and accept licenses
* Install "as soon as possible" under software available and installation deadline
* Allow software installation outside of maintenance window

We also do not have any maintenance window configured for this collection.
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

The rules look fine as those are the settings I use. The last line of the last log is:
 - Total actionable updates = 0

Which is as if the machine has scanned itself and compared the list of updates and decided that none of them are applicable.
Have you verified that any (or all) these patches install if you run them manually?
Also have you deployed the patches to your DP?

Check this walkthrough
http://blogs.technet.com/b/elie/archive/2012/05/26/system-center-2012-configuration-manager-part7-software-updates-deploy.aspx

Finally there are two more very useful logs:
UpdatesHandler.log - which will tell you about software update compliance scanning and about the download and installation of software updates on the client.

The other is UpdatesStore.log that shows compliance status for the software updates that were assessed during the compliance scan cycle.

Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Mike,

I know of at least one update in that package of updates that should be applying. There is a particular patch that I'm looking to deploy. If I install it individually, it works. But even when I attempt to deploy that update by itself via the updates manager, it doesn't seem to be applying. Nothing does. I'm baffled. And they are on the DP.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Mike,

I looked at the walkthrough and everything seems to be correct.

I did note that UpdatesStore.log has no new entries since I installed this box.

The only entries in UpdatesHandler.log are:

<![LOG[Initiating updates scan for checking applicability.]LOG]!><time="07:56:46.916+300" date="04-07-2014" component="UpdatesHandler" context="" type="1" thread="4620" file="capplicabilityhandler.cpp:459">
<![LOG[Successfully initiated scan.]LOG]!><time="07:56:47.181+300" date="04-07-2014" component="UpdatesHandler" context="" type="1" thread="4620" file="capplicabilityhandler.cpp:515">
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time="09:39:00.265+300" date="04-07-2014" component="UpdatesHandler" context="" type="1" thread="160" file="capplicabilityhandler.cpp:459">
<![LOG[Successfully initiated scan.]LOG]!><time="09:39:00.531+300" date="04-07-2014" component="UpdatesHandler" context="" type="1" thread="160" file="capplicabilityhandler.cpp:515">
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time="09:39:00.889+300" date="04-07-2014" component="UpdatesHandler" context="" type="1" thread="5528" file="capplicabilityhandler.cpp:459">
<![LOG[Successfully initiated scan.]LOG]!><time="09:39:01.123+300" date="04-07-2014" component="UpdatesHandler" context="" type="1" thread="5528" file="capplicabilityhandler.cpp:515">
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time="10:08:59.469+300" date="04-07-2014" component="UpdatesHandler" context="" type="1" thread="4232" file="capplicabilityhandler.cpp:459">
<![LOG[Successfully initiated scan.]LOG]!><time="10:08:59.657+300" date="04-07-2014" component="UpdatesHandler" context="" type="1" thread="4232" file="capplicabilityhandler.cpp:515">
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

Have you checked your GPO? If you run GPresult does the proper SUP address get applied?
I had to correct a GPO at work because they had another domain level GPO pointing at windowsupdate instead.

Also, on your test machine, does other software deploy OK? Everything should appear in Software Center.

A mini recap:
Your patches are imported in SUP?
They show as downloaded in SUP?
They are on the DP and the content source is GREEN?
You have ADR to make them available ASAP
You have no maintenance windows on the client
The latest windows update agent is installed on the client (needs to be 7.6.7600)?

Just in case:
http://support.microsoft.com/kb/949104

It seems to me that the client "pull" is not working so replying that everything is fine.

Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Everything on your recap is correct.

gpresult /R doesn't show anything about a SUP. Is it supposed to?

I did look at WindowsUpdate.log just now as well. Are updates through System Center supposed to feed to that log as well? I *do* see regular updates of Endpoint Protection, but nothing about the other updates I'm trying to push.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
When I send down the one update it does the same thing. CI = 1 but it doesn't install.

It's obviously seeing the updates - the logs suggest it. When I sent down the mass updates it shows a correct CI of 145 as well, which is how many updates I sent down.

A) I know the update hasn't ever been applied, and it doesn't show up in update history.
B) I know the PC is eligible to receive the update.
C) Even when I send numerous updates, it never seems to apply any.

Any other ideas?

<![LOG[Assignment {1385BDDE-E4BA-4407-BE43-7058D321E199} has total CI = 1]LOG]!><time="12:05:14.654+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4764" file="updatesassignment.cpp:161">
<![LOG[Assignment ({1385BDDE-E4BA-4407-BE43-7058D321E199}) received activation trigger]LOG]!><time="12:05:14.654+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4764" file="updatesassignment.cpp:729">
<![LOG[Detection job ({E81DA6A4-3166-4266-9D0F-8AEC5B595578}) started for assignment ({1385BDDE-E4BA-4407-BE43-7058D321E199})]LOG]!><time="12:05:14.654+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4764" file="updatesassignment.cpp:1196">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:05:56.540+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4792" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:05:56.712+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4792" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:22.240+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="1324" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:22.404+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="1324" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:49.694+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4028" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:49.882+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4028" file="updatesmanager.cpp:945">
<![LOG[User logoff system task]LOG]!><time="12:08:52.187+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="3320" file="systemtasks.cpp:142">
<![LOG[User logon system task]LOG]!><time="12:13:15.547+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="2200" file="systemtasks.cpp:90">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:13:28.732+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="2056" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:13:28.894+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="2056" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:13:36.002+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="2056" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:21:23.362+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4412" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:21:23.549+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4412" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:34:25.005+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="5112" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:34:25.192+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="5112" file="updatesmanager.cpp:945">
<![LOG[User logoff system task]LOG]!><time="12:35:16.243+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="5580" file="systemtasks.cpp:142">
<![LOG[User logon system task]LOG]!><time="12:36:12.887+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="4552" file="systemtasks.cpp:90">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:36:33.597+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="5412" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:38:31.324+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="5412" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:38:31.514+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="5412" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:41:00.074+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="5168" file="updatesmanager.cpp:945">
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:41:00.289+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="5168" file="updatesmanager.cpp:945">
<![LOG[User logoff system task]LOG]!><time="12:41:54.706+300" date="04-07-2014" component="UpdatesDeploymentAgent" context="" type="1" thread="2472" file="systemtasks.cpp:142">
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

SUP is just the management front-end. At the backend it uses WSUS on the server and the Windows Update Agent on the client. You kick the whole thing off by synchronising the SUP database with WSUS. WSUS downloads patches and SUP presents them. When you right-click download it makes a copy in the content library I think.

On the client, the actions poll on a schedule. It asks the MP - any jobs? If there are it gets a list and then pulls the patches into the cache. They are now "available" and the WUA starts installing them in a chain, the same way it does if just connected to windows update.Com. So, yes the  WindowsUpdate.Log is vital, but if nothing is arriving in the cache, then it will be empty.
It's  case of nothing ever being dispatched. The question is is the client giving bad info back to the MP, OR is there something stopping the patch being made available.

The CI total you keep seeing is just a headcount of "configuration items". So the client is being told there are 145 things to do, but none are *actionable*.

With regards GPresult there *must* be a policy set to point the clients at. Normally when you install the client, it sets this for you automatically, so it just works. Given that nothing is working it's prudent to check!

There is a nice article here although for 2007: http://myitforum.com/cs2/blogs/rdixon/archive/2008/06/09/details-for-obtaining-100-configmgr-client-installation-amp-reach.aspx

WSUS
One thing to check is the WSUS health: WSUSCtrl.log

These (server logs in <ConfigMgrInstallationPath>\Logs) are handy too

Log File Name       Description
ciamgr.log        about the addition, deletion, and modification of software update configuration items.

distmgr.log       Provides  about the replication of software update deployment packages.

objreplmgr.log         about the replication of software updates notification files from a parent to child sites.

PatchDownloader.log         about the process for downloading software updates from the update source specified in the software updates metadata to the download destination on the site server.

Finally you need to look at the eventlogs too. Look for all WSUS events. Also never, ever configure WSUS if you are running SCCM with a SUP. SUP provides the means to download, filter, approve, deny but NOT delete patches. Configuring WSUS can break things.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
We've not touched WSUS beyond setting it up.  I'll look at the GPO but I'm fairly confident it's accurate. None of this has been an issue before and we haven't changed GPO.

One other unusual thing I just noticed -- Software Center on these devices show the default "IT Organization" title rather then what was set. It may be unrelated or might be related?
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
OK. Even setting WSUS up is frowned upon. The best way is just enable the role and reboot. Don't even launch the console :).

If you've never used WSUS then there won't be  GPO for it. If there was a conflict you would get explicit error code. The odd thing is you are not getting any error codes at all.

As for the IT org - that will not affect anything as it is purely cosmetic but maybe check the "client settings" in the update section.

If you set the name as shown here:
http://www.rickygao.com/how-to-change-organization-name-in-software-center-in-sccm-2012/

It ought to work.

Info on GPOs etc. http://myitforum.com/cs2/blogs/jsandys/archive/2010/05/09/software-update-management-and-group-policy-for-configmgr-what-else.aspx

Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Any other ideas, Mike? Logs we can reference, etc?
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
There may be a bigger issue going on. I'm trying to re-deploy the Config Manager client to one of the impacted PCs and it doesn't seem to be getting it, either.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
I also checked GPO and we do not have any policies specified for "intranet Microsoft update service location"
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
FYI, I am convinced that the one client that is having ConfigManager Client trouble is a separate issue.

Any other ideas?
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

I've been out all day. Forgetting the client for a moment, are other machines able/are still getting software deployments of any kind? It's a good test, if patching is not happening, push something else that you know, without doubt worked before and still ought to.

I don't have any other ideas, no. Have you checked the eventlogs? WSUS health etc.

With the GPO I think I didn't explain one bit: there has to be a local policy (not domain) on each machine which is set when the agent is installed. As I said, if you did have a conflicting GPO you would see an error code. So we can rule that out. There still has to be a policy set somewhere though.

As for the machine with the broken client that's not good news. Try a clean install. Deploying the client itself is a good test of the infrastructure. If you can't even do that then patches won't either. It may be isolated, but once you get the client to reply then you know SCCM is pushing OK, so it's a good target to test patching.

Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Hi Mike..

I did just notice something under Software Update Point Sync Status under Monitoring.

Our wsus server, wsus.domain.local, is showing a successful sync. It's operating fine.

Our ConfigManagerCentral link and our ConfigManager link are showing a blue exclamation with no syncs at all. The unusual part is that ConfigManagerCentral is pointed to Microsoft Updates, while the primary site, ConfigManager, is pointed to wsus.firstcom.local. Neither have synced.

Upon re-installing the SUP role to ConfigManagerCentral, I don't see an option to direct it to our wsus.domain.local server, which I imagine is where it needs to be pointed to.

Can you advise?
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
I came to the realization that ConfigManagerCentral should not need to be marked as a SUP because the external WSUS server is on the same site code.

Iwcm.log seems to indicate that it cannot connect to the server. It's pointing to itself, which I believe it's supposed to do? My wsus server is external and on a Server 2012 box, so it uses port 8350, but the primary site that I'm having trouble with is Server 2008 with only the WSUS Admin Console, so I believe it's port 80. Which port do I need to configure my primary site for?  The port for the main wsus server that's running server 2012 (8350) or the port for the local WSUS admin console, which would be 80?
 
If it's 80 I'm getting a 404 error in wcm.log. If it's 8350, it's denying the connection.
 
So a) which port do I use, and B) if it's 80, why would I get a 404 error, and if it's 8350 then why would I be getting a closed connection? IIS is installed on all boxes.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
By the way, I'm willing to do a conference call about this and provide a LinkedIn recommendation to anyone who can help get me through this issue.
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

Sorry I didn't see you previous reply. You have a CAS  installed? That changes things a bit, but as you have found you need to get the SUP to sync with WSUS.

Here's some tips from a very good guy:

The combination of ConfigMgr and Software Updates is not always a simple one. This because when it's not working, it's not always easy to find the solution. Here are some best practices for installing and configuring:

      • When installing WSUS, choose always for a custom website, with ports 8530 and 8531. This way the ConfigMgr Management Point and Software Updates are not both configured on port 80 and 443 (best practice).
      
      • check permissions on the WSUS and WSUSContent folder : the Network Service account must have the right permissions. On the WSUS folder set Read permissions ; WSUSContent folder set Full Control permissions
      
      • For WSUS on a custom website check security in IIS. This must be set to Anonymous authentication, with a "IUSR_<ConfigMgr Server>" account. This must be a Domain User account, with Local Admin rights on the ConfigMgr server.
      
      • With MP Troubleshooter (ConfigMgr 2007 Toolkit) you can check if the IIS account has enough permissions for accessing both websites. It's always necessary for having enough (local) rights on the ConfigMgr server.
      
      • Sometimes a Proxy server must be used for synchronizing updates. Try both configurations (on and off) with or without an User account. Sometimes there must also made a bypass on the Proxy server for getting it to work.
      
      • At last, do a "Run Synchronization" on the Update Repository and follow the Software Updates in the wsyncmgr.log (easy to see with SMS Trace - ConfigMgr 2007 Toolkit). When synchronization is done, do it again till no updates are available anymore. Then create Search Folders.
      
      • Use Search folders. Then it's easy to see which updates are available for the last month (example) for a specific product. These updates can be drag-and-dropped on the Update Lists for creating overviews.
      
      http://henkhoogendoorn.blogspot.nl/2011/03/more-handy-tips-and-tricks-for.html


So, the answer to the ports is: you need to point the SUP to port 8350, not 80. 80 is only for the console connection. As for the denying, you need to check whether you have SSL enabled on the MP (I think - I don't have sccm access to see). If you do have it set then the port is 8351 instead.


Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Yes, we have a CAS. Here's the structure:

We have a central server -- site code FCC, server name ConfigManagerCentral, running Windows Server 2008. It has the WSUS admin console running.

We have an external WSUS server that is part of the central server, FCC site code, listed as wsus.domain.local. It runs Server 2012 and has the full WSUS console installed.

We have a primary site, ConfigManager, that has site code HQ1, running Windows Server 2008. It has the WSUS admin console running.

We also have two other primary sites that we use from time to time for special projects. I'm not really worried about these, so disregard them.

I don't use SSL anywhere in my configuration.

It was my understanding that port 80 is supposedly used for certain versions of WSUS (3.0 SP2 on Server 2008), and 8350 is used for WSUS on Server 2012.

When I set up my primary site as a SUP, it's trying to connect to itself per the log files posted above. Is that what it's supposed to be doing? If yes, I would have thought I'd have to set the port to 80 because the primary site is running WSUS 3.0 SP2 on Server 2008.

If it goes to port 80, I get a 404 error. If it goes to port 8350, I'm getting connection refused. IIS is running on all servers.
0
 
LVL 16

Assisted Solution

by:Mike T
Mike T earned 250 total points
Comment Utility
Hi,

I just posted an addendum and lost it all...

First, you made a typo and then I copied it! It's port 8530 and 8531 for SSL, not 8350.
As for the WSUS port - yes you're right. On 2008 it's hard-coded to use port 80 and 443.
On 2008R2 and later you can choose.

Ideally, for SCCM you choose custom for the WSUS install. It does not have to be 8530, just make it the same!

As for the CAS install, I can't remember the wizard option but this is a good walkthrough although they install WSUS on the same box.

http://windowsmasher.wordpress.com/2013/03/04/sccm-2012-installing-the-sup-role/.
And
http://blogs.technet.com/b/elie/archive/2012/05/24/system-center-2012-configuration-manager-part6-software-updates-sup.aspx


It should not matter where WSUS is as long as SCCM can talk to it.

So, forget the 2008 boxes. You have WSUS 3 Full install on a 2012 box. Change the port there AND in SCCM to 8530. Also forget about using the WSUS console anywhere. You do everything through SCCM now.
If you are getting connection refused for 8530 make sure it IS 8530 and that is allowed through any firewalls. I can't think of anything else.
Also, any approvals etc on the 2012 box will be void. The patches only appear in SUP. The approval is implicit by creating rules.

Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Sorry, the port was correct at 8530. 8530 is also the default for WSUS on Server 2012, so it's already been set that way. When I update the role for the primary site in SCCM to reflect 8530, it says the connection is refused.

A reminder:

Site code:      Server:                             Purpose                                    SUP installed
FCC                 WSUS                              External WSUS server                      Y (working)
FCC                 ConfigManagerCentral     Central Site                                      N
HQ1               ConfigManager                 Primary                                            Y


This is wcm.log:
 
Changes in active SUP list detected. New active SUP List is:~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.388+300><thread=3772 (0xEBC)>
    SUP0: configmanager.domain.local, group = , nlb = ~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.405+300><thread=3772 (0xEBC)>
Updating active SUP groups...~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.421+300><thread=3772 (0xEBC)>
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.440+300><thread=3772 (0xEBC)>
Checking runtime v2.0.50727...~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.459+300><thread=3772 (0xEBC)>
Found supported assembly Microsoft.UpdateServices.Administration version 3.1.6001.1, file version 3.1.7600.256~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.479+300><thread=3772 (0xEBC)>
Found supported assembly Microsoft.UpdateServices.BaseApi version 3.1.6001.1, file version 3.1.7600.256~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.500+300><thread=3772 (0xEBC)>
Supported WSUS version found~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.517+300><thread=3772 (0xEBC)>
Using firstcom\administrator credentials for network connections~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.544+300><thread=3772 (0xEBC)>
Attempting connection to WSUS server: configmanager.domain.local, port: 8530, useSSL: False  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:51.561+300><thread=3772 (0xEBC)>
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 172.31.36.61:8530~~   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)~~   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)~~   --- End of inner exception stack trace ---~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:53.619+300><thread=3772 (0xEBC)>
Done using firstcom\administrator credentials~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:53.661+300><thread=3772 (0xEBC)>
Remote configuration failed on WSUS Server.~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:53.699+300><thread=3772 (0xEBC)>
STATMSG: ID=6600 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATION_MANAGER" SYS=configmanager.domain.local SITE=HQ1 PID=2224 TID=3772 GMTDATE=Sun Apr 13 00:49:53.730 2014 ISTR0="configmanager.domain.local" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:53.730+300><thread=3772 (0xEBC)>
Setting new configuration state to 3 (WSUS_CONFIG_FAILED)~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:53.784+300><thread=3772 (0xEBC)>
Waiting for changes for 7 minutes  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:49:53.813+300><thread=3772 (0xEBC)>
Wait timed out after 7 minutes while waiting for at least one trigger event.  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:09.852+300><thread=3772 (0xEBC)>
Timed Out...~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:19.889+300><thread=3772 (0xEBC)>
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:19.923+300><thread=3772 (0xEBC)>
Checking runtime v2.0.50727...~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:19.952+300><thread=3772 (0xEBC)>
Found supported assembly Microsoft.UpdateServices.Administration version 3.1.6001.1, file version 3.1.7600.256~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:19.985+300><thread=3772 (0xEBC)>
Found supported assembly Microsoft.UpdateServices.BaseApi version 3.1.6001.1, file version 3.1.7600.256~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:20.018+300><thread=3772 (0xEBC)>
Supported WSUS version found~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:20.046+300><thread=3772 (0xEBC)>
Using firstcom\administrator credentials for network connections~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:20.179+300><thread=3772 (0xEBC)>
Attempting connection to WSUS server: configmanager.domain.local, port: 8530, useSSL: False  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:20.212+300><thread=3772 (0xEBC)>
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 172.31.36.61:8530~~   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)~~   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)~~   --- End of inner exception stack trace ---~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:22.246+300><thread=3772 (0xEBC)>
Done using firstcom\administrator credentials~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:22.264+300><thread=3772 (0xEBC)>
Remote configuration failed on WSUS Server.~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:22.279+300><thread=3772 (0xEBC)>
STATMSG: ID=6600 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATION_MANAGER" SYS=configmanager.domain.local SITE=HQ1 PID=2224 TID=3772 GMTDATE=Sun Apr 13 00:57:22.306 2014 ISTR0="configmanager.domain.local" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:22.306+300><thread=3772 (0xEBC)>
Waiting for changes for 60 minutes  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-12-2014 19:57:22.339+300><thread=3772 (0xEBC)>
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
One thing that confuses me is that the primary site has been trying to connect to itself, unless it's connecting to itself and then to the wsus server via the WSUS admin console. Our WSUS server is actually wsus.domain.local. But this server is automatically defined when I install the SUP role on it.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
The SUPs were also configured according to the walkthroughs you gave me.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
I think I may have made *some* progress.

I had to remove the SUPs and use wsusutil to enable usecustomwebsite.

I'm now getting different errors and looking into them.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Okay, so it's still actively refusing the connection. The log file I presented above is still the same case.
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
Can you reach the WSUS Server on the WSUS Ports you've installed it?

Telnet <Your WSUS Server> 8530

Firewall is off?
Also check out this article regarding the Port Config
http://social.technet.microsoft.com/Forums/en-US/bfb26aec-04a8-4edf-83ea-fe2e0ca3824e/wsus-configuration-manager-failed-to-configure-upstream-server-settings-on-a-wsus-server?forum=configmgrsum
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Yes, I get a good connection from the primary server to the wsus server.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Is the SUP list correct? Is the primary site supposed to only see itself, or should it also see wsus? If it's supposed to see wsus.domain.local, why isn't it?
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
I just read that you've just installed the WSUS Admin Console on Primary Site Server HQ1.
Is this correct? You can also install the full WSUS Installation there.
The log posted above....is this from the Central or the Primary Site Server?

Which list do you mean? Screenshot...The Primary Site Server does not know anything about the structure above him.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
The log above is from the Primary Site Server.

I only installed the Admin Console on HQ1 because that should be all that's required.

The list of SUPs I was referring to is the log that I pasted above.
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
Ok i think you need the following

- Seperate WSUS Server for Central Site (Full WSUS Installation & SUP)
- Central Site Server (at least WSUS Admin Console)
- Primary Site Server (Full WSUS Installation & SUP)
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
I don't believe we've ever had to install the full WSUS on the primary server before. Are you sure that's accurate?
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
If each site is reporting to their own WSUS servers, they won't be synced. I'd like to stick with one WSUS server.
0
 
LVL 31

Accepted Solution

by:
merowinger earned 250 total points
Comment Utility
Primary Site needs a Software Update Point
http://technet.microsoft.com/en-us/library/gg712696.aspx
"The central administration site and all child primary sites must have a software update point where you will deploy software updates"
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Yes, I've enabled it as a SUP but I'd like to have one consistent WSUS server.
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
The SUP on the Primary Site syncs with Microsoft Update and replicates down the Updates down the hierachry. If this role is installed on the Central Site Server itself or on a seperate Server does not matter. The WSUS Admin Console is just required on the Site Server when you push the SUP Installation on the WSUS Server.
In order to deploy updates in the child primary site you need a SUP there also. And SUP always means a Full WSUS Installation. The Central SUP then syncs with the Primary child site SUP.

Also check out this:
http://blogs.msdn.com/b/scstr/archive/2012/05/31/configuring_2d00_software_2d00_updates_2d00_in_2d00_configuration_2d00_manager_2d00_2012.aspx
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Okay, I apologize. It does look like the primary site has a WSUS server. I mistook it for the admin console. However, it's running on Server 2008 R2 while the primary site runs on Server 2012. So the wsus site would use port 8530 and the primary site would use port 80. I verified the bindings on the IIS configuration on the primary site.

However, if I point the SUP for the primary site to port 80, I get a 404 error.
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
The WSUS Ports does not matter that much as long as you use the same ports when installing the SUP on it.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
IIS on the primary site is configured to use port 80, and I've just now set up the SUP on the primary site to use port 80. I get a 404 error.
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
The WSUS IIS page is configured for port 80? Page is running?
What says WSUSCtrl.log and WCM.log?
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Yes, and when I load the page it shows the IIS screen.

wcm.log:

Changes in active SUP list detected. New active SUP List is:~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:37.847+300><thread=5704 (0x1648)>
    SUP0: configmanager.domain.local, group = , nlb = ~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:37.862+300><thread=5704 (0x1648)>
Updating active SUP groups...~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:37.878+300><thread=5704 (0x1648)>
Updating Group Info for WSUS.~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:37.878+300><thread=5704 (0x1648)>
Set UseParentWSUS property in SCF to 1 on this site for configmanager.domain.local.~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:38.081+300><thread=5704 (0x1648)>
user(NT AUTHORITY\SYSTEM) runing application(SMS_WSUS_CONFIGURATION_MANAGER) from machine (configmanager.domain.local) is submitting SDK changes from site(HQ1)  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:38.128+300><thread=5704 (0x1648)>
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:38.783+300><thread=5704 (0x1648)>
Checking runtime v2.0.50727...~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:38.799+300><thread=5704 (0x1648)>
Found supported assembly Microsoft.UpdateServices.Administration version 3.1.6001.1, file version 3.1.7600.262~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:38.799+300><thread=5704 (0x1648)>
Found supported assembly Microsoft.UpdateServices.BaseApi version 3.1.6001.1, file version 3.1.7600.262~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:38.814+300><thread=5704 (0x1648)>
Supported WSUS version found~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:38.814+300><thread=5704 (0x1648)>
Using firstcom\administrator credentials for network connections~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:44.571+300><thread=5704 (0x1648)>
Attempting connection to WSUS server: configmanager.domain.local, port: 80, useSSL: False  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:44.618+300><thread=5704 (0x1648)>
System.Net.WebException: The request failed with HTTP status 404: Not Found.~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:44.977+300><thread=5704 (0x1648)>
Done using firstcom\administrator credentials~  $$<SMS_WSUS_CONFIGURATION_MANAGER><04-14-2014 08:04:44.977+300><thread=5704 (0x1648)>

wsusctrl:

Attempting connection to local WSUS server  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:17:03.153+300><thread=4348 (0x10FC)>
Microsoft.UpdateServices.Administration.WsusInvalidServerException: Exception of type 'Microsoft.UpdateServices.Administration.WsusInvalidServerException' was thrown.~~   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:17:03.168+300><thread=4348 (0x10FC)>
Failures reported during periodic health check by the WSUS Server configmanager.firstcom.local. Will retry check in 1 minutes~  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:17:03.184+300><thread=4348 (0x10FC)>
~Waiting for changes for 1 minutes  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:17:03.200+300><thread=4348 (0x10FC)>
Timed Out...~  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.241+300><thread=4348 (0x10FC)>
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.257+300><thread=4348 (0x10FC)>
Checking runtime v2.0.50727...~  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.288+300><thread=4348 (0x10FC)>
Found supported assembly Microsoft.UpdateServices.Administration version 3.1.6001.1, file version 3.1.7600.262~  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.319+300><thread=4348 (0x10FC)>
Found supported assembly Microsoft.UpdateServices.BaseApi version 3.1.6001.1, file version 3.1.7600.262~  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.335+300><thread=4348 (0x10FC)>
Supported WSUS version found~  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.366+300><thread=4348 (0x10FC)>
Attempting connection to local WSUS server  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.397+300><thread=4348 (0x10FC)>
Microsoft.UpdateServices.Administration.WsusInvalidServerException: Exception of type 'Microsoft.UpdateServices.Administration.WsusInvalidServerException' was thrown.~~   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.429+300><thread=4348 (0x10FC)>
Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes~  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.444+300><thread=4348 (0x10FC)>
Attempting connection to local WSUS server  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.475+300><thread=4348 (0x10FC)>
Microsoft.UpdateServices.Administration.WsusInvalidServerException: Exception of type 'Microsoft.UpdateServices.Administration.WsusInvalidServerException' was thrown.~~   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.522+300><thread=4348 (0x10FC)>
Failures reported during periodic health check by the WSUS Server configmanager.firstcom.local. Will retry check in 1 minutes~  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.553+300><thread=4348 (0x10FC)>
~Waiting for changes for 1 minutes  $$<SMS_WSUS_CONTROL_MANAGER><04-14-2014 08:18:03.585+300><thread=4348 (0x10FC)>
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
WSUS was installed first.

I've seen both of those pages already and unfortunately they didn't provide much assistance.
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
Ok, can you please post screenshots of your SUP Config on the Primary Site Server?
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
See attached.
Untitled.png
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
seems correct.
I would try the following:

- Remove SUP Role (Wait until uninstallation succeeded in SUPSetup.log)
- Uninstall WSUS
- Reboot (maybe reboot twice if required)
- Install WSUS, ignore the configuration wizard
- Reboot
- Install SUP Role (check out SUPSetup.log)
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
I reinstalled WSUS and it seems to be working now. I went ahead and updated it to use port 8530 too. I'll keep you posted.
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
great News
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
I am waiting for items to sync and then I will try to deploy a batch of updates. I will keep you posted.
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

Yes great news. It sounds like you're nearly there. Thanks merowinger too.

I'm curious after sleeping on it - why have you got a CAS? Have you got More than one primary or 100,000 clients?

If not it just over-complicates things and you could maybe put the server to better use.
Also why is the external full WSUS where it is? It does make things easier to install on the primary as you have now.

Mike
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
Mike,

We have two other primary servers that we use for special projects (i.e. offsite deployments). We install a local server to make things more efficient during the process.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
It's my understanding that after I set up an ADP and the package is deployed, I can check UpdatesDeployment.log in c:\windows\ccm\logs on the client pc, correct?

The issue I had before all of this was that updates didn't seem to download and apply on the clients. It would say total actionable updates = 0.

Both the central/wsus and primary servers are still syncing, but I went ahead and created a deployment package. It's doing the same thing.
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
It takes some time until the processes are going on.
Please recheck a few things.

Is the ADR working (RulesEngine.log)
Is there any update in Software Update Group?
Is there any Update in the Package
Is the Package updated on DP? (Content Status)
Is the deployment linked to your Client? Rightclick Client -> Deployment (Are there Updates listed?)
Are updates listed as required?
- On Client run a Software Update Scan Cycle
- On the Server run a Software Update Summarization
- Are now updates listed as required?
On the Client run a Software Update Deployment Cycle

All These processes need some time to run and to get processed, so please be patient
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
All of these should be accurate, yes...
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Hi,

I know you want to get this going but one thing SCCM teaches you is patience. It won't deploy anything until the sync is utterly complete. Watch the wsyncmgr.log if you want to see progress. It will take 2 or 3 hours maybe more if you have lots of products/languages/slow internet pipe.

In the olden days SMS was known as "slow moving software" for a reason.

Once the sync is complete there is also the wait for rules to trigger and then updates to distribute out to the DPs.

Slowly, slowly catches monkey :).

Mike
PS: fair enough with the CAS. There might be better ways using Branchcache now but I've never played with that and it's a whole new can of worms.
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
I can see that the items are deployed under the client. I am not sure how to check if they're required, but the client isn't getting a software center prompt nor do I see that anything is downloading.  When I run a software update deployment cycle, updatedeployment.log just shows initiating 0 assignments.

I will wait until the sync is complete. It's taking a long time. :)

And yeah, I've read about BranchCache but I am pretty new to SCCM and there is so much to learn that it's hard to touch on everything very quickly.
0
 
LVL 31

Expert Comment

by:merowinger
Comment Utility
Further things you can check.
Is anything in C:\windows\ccmcache?
Are you deployments visible for the users?
Are your deployments optional or required.
All those things will change the look and feel when deploying.

Also make sure you do not have any Group Policies in place which configure the WSUS Server on the Clients. This will not work, as SCCM configures a local WSUS Server by itself.
0
 
LVL 16

Expert Comment

by:Mike T
Comment Utility
Yes Branchcache is new to most people I think. That's one for another day, but it would be good to go your boss and say we can use that CAS beast for something else now and some money, if possible.


Sit tight. I think the sync log actually says "Done synchronising" as per http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-85-01-metablogapi/3250.16.1_5F00_6682D2A9.jpg
0
 
LVL 1

Author Comment

by:Firstcom
Comment Utility
modus, that's a good idea. Please do.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
OfficeMate Freezes on login or does not load after login credentials are input.
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now