Firstcom
asked on
SCCM 2012 / WSUS Software Updates not installing
We have a WSUS server in our environment that works through Microsoft System Center 2012. I have a large amount of updates that I am attempting to send to a collection of PCs, but they do not seem to be deploying. I even set up the automatic deployment rule to allow it to operate outside of maintenance mode -- even though I don't have any maintenance modes set for this collection.
They are not installing. Here are the logs from updatesdeployment.log. Please advise.
<![LOG[Assignment {5c1c90c9-e4ea-4cc9-bd3d-9
<![LOG[Deadline received for assignment ({5c1c90c9-e4ea-4cc9-bd3d-
<![LOG[Detection job ({5E8BA624-B208-4B4C-A4B5-
<![LOG[Message received: '<?xml version='1.0' ?>
<CIAssignmentMessage MessageType='EnforcementDe
<AssignmentID>{9DDD6DCC-28
</CIAssignmentMessage>']LO
<![LOG[Deadline received for assignment ({9DDD6DCC-28DF-43DA-8678-
<![LOG[Enforcement trigger will be effective when the current action completes]LOG]!><time="19:
<![LOG[Message received: '<?xml version='1.0' ?>
<CIAssignmentMessage MessageType='Activation'>
<AssignmentID>{5c1c90c9-e4
</CIAssignmentMessage>']LO
<![LOG[Assignment ({5c1c90c9-e4ea-4cc9-bd3d-
<![LOG[Operation (TriggerEnforce) already in progress. No need to activate.]LOG]!><time="19:
<![LOG[CUpdateAssignmentsM
<![LOG[Suspend activity in presentation mode is selected]LOG]!><time="22:0
<![LOG[At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.]LOG]!><time="22:00:0
<![LOG[Proceeding to non-business hours activites as presentation mode is off.]LOG]!><time="22:00:00
<![LOG[Auto install during non-business hours is disabled or never set, selecting only scheduled updates.]LOG]!><time="22:0
<![LOG[A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.]LOG]!><time="22:0
<![LOG[Attempting to install 0 updates]LOG]!><time="22:00
<![LOG[No actionable updates for install task. No attempt required.]LOG]!><time="22:
<![LOG[Updates could not be installed at this time. Waiting for the next maintenance window.]LOG]!><time="22:00
<![LOG[CUpdateAssignmentsM
<![LOG[CUpdateAssignmentsM
<![LOG[Suspend activity in presentation mode is selected]LOG]!><time="00:0
<![LOG[At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.]LOG]!><time="00:00:0
<![LOG[Proceeding to non-business hours activites as presentation mode is off.]LOG]!><time="00:00:00
<![LOG[Auto install during non-business hours is disabled or never set, selecting only scheduled updates.]LOG]!><time="00:0
<![LOG[A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.]LOG]!><time="00:0
<![LOG[Attempting to install 0 updates]LOG]!><time="00:00
<![LOG[No actionable updates for install task. No attempt required.]LOG]!><time="00:
<![LOG[Updates could not be installed at this time. Waiting for the next maintenance window.]LOG]!><time="00:00
<![LOG[CUpdateAssignmentsM
<![LOG[CUpdateAssignmentsM
<![LOG[Suspend activity in presentation mode is selected]LOG]!><time="00:0
<![LOG[At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.]LOG]!><time="00:00:0
<![LOG[Proceeding to non-business hours activites as presentation mode is off.]LOG]!><time="00:00:00
<![LOG[Auto install during non-business hours is disabled or never set, selecting only scheduled updates.]LOG]!><time="00:0
<![LOG[A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.]LOG]!><time="00:0
<![LOG[Attempting to install 0 updates]LOG]!><time="00:00
<![LOG[No actionable updates for install task. No attempt required.]LOG]!><time="00:
<![LOG[Updates could not be installed at this time. Waiting for the next maintenance window.]LOG]!><time="00:00
They are not installing. Here are the logs from updatesdeployment.log. Please advise.
<![LOG[Assignment {5c1c90c9-e4ea-4cc9-bd3d-9
<![LOG[Deadline received for assignment ({5c1c90c9-e4ea-4cc9-bd3d-
<![LOG[Detection job ({5E8BA624-B208-4B4C-A4B5-
<![LOG[Message received: '<?xml version='1.0' ?>
<CIAssignmentMessage MessageType='EnforcementDe
<AssignmentID>{9DDD6DCC-28
</CIAssignmentMessage>']LO
<![LOG[Deadline received for assignment ({9DDD6DCC-28DF-43DA-8678-
<![LOG[Enforcement trigger will be effective when the current action completes]LOG]!><time="19:
<![LOG[Message received: '<?xml version='1.0' ?>
<CIAssignmentMessage MessageType='Activation'>
<AssignmentID>{5c1c90c9-e4
</CIAssignmentMessage>']LO
<![LOG[Assignment ({5c1c90c9-e4ea-4cc9-bd3d-
<![LOG[Operation (TriggerEnforce) already in progress. No need to activate.]LOG]!><time="19:
<![LOG[CUpdateAssignmentsM
<![LOG[Suspend activity in presentation mode is selected]LOG]!><time="22:0
<![LOG[At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.]LOG]!><time="22:00:0
<![LOG[Proceeding to non-business hours activites as presentation mode is off.]LOG]!><time="22:00:00
<![LOG[Auto install during non-business hours is disabled or never set, selecting only scheduled updates.]LOG]!><time="22:0
<![LOG[A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.]LOG]!><time="22:0
<![LOG[Attempting to install 0 updates]LOG]!><time="22:00
<![LOG[No actionable updates for install task. No attempt required.]LOG]!><time="22:
<![LOG[Updates could not be installed at this time. Waiting for the next maintenance window.]LOG]!><time="22:00
<![LOG[CUpdateAssignmentsM
<![LOG[CUpdateAssignmentsM
<![LOG[Suspend activity in presentation mode is selected]LOG]!><time="00:0
<![LOG[At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.]LOG]!><time="00:00:0
<![LOG[Proceeding to non-business hours activites as presentation mode is off.]LOG]!><time="00:00:00
<![LOG[Auto install during non-business hours is disabled or never set, selecting only scheduled updates.]LOG]!><time="00:0
<![LOG[A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.]LOG]!><time="00:0
<![LOG[Attempting to install 0 updates]LOG]!><time="00:00
<![LOG[No actionable updates for install task. No attempt required.]LOG]!><time="00:
<![LOG[Updates could not be installed at this time. Waiting for the next maintenance window.]LOG]!><time="00:00
<![LOG[CUpdateAssignmentsM
<![LOG[CUpdateAssignmentsM
<![LOG[Suspend activity in presentation mode is selected]LOG]!><time="00:0
<![LOG[At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode.]LOG]!><time="00:00:0
<![LOG[Proceeding to non-business hours activites as presentation mode is off.]LOG]!><time="00:00:00
<![LOG[Auto install during non-business hours is disabled or never set, selecting only scheduled updates.]LOG]!><time="00:0
<![LOG[A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates.]LOG]!><time="00:0
<![LOG[Attempting to install 0 updates]LOG]!><time="00:00
<![LOG[No actionable updates for install task. No attempt required.]LOG]!><time="00:
<![LOG[Updates could not be installed at this time. Waiting for the next maintenance window.]LOG]!><time="00:00
ASKER
Mike, I've double checked everything. The device in question is in the targeted Collection. It's deployed.
At the beginning of the log, it states: <
Hi,
Yes, please try just a single machine. If it doesn't work, try just one patch.
Things to check/consider:
If you have SCCM SP1 to fix this error go to the settings page in the Administration client in computer, computer agent "Additional software manages the deployment of applications and software updates" change to "NO"
If not, check these:
Is the GPO set to point WSUS to your SUP?
Is the format correct - http://your-sccm-box's-FQDN:8530
Is it being trumped by any other?
Are the patches even downloading to %windir%\ccm\cache?
Have you checked the local machine logs UpdatesDeployment.log and WindowsUpdate.log ? (the second one is the key as it shows what the agent does, although in this case 0 patches are selected)
Finally, can you deploy any other software to the same collection?
Are all roles in monitoring healthy, especially the MP?
If the answer to the last is no, you have much bigger problems.
When testing I also set the patch to required (meaning mandatory) and set the time to "as soon as possible" as a deadline. Office hours are default 9-5pm and I see the patches deploy after 5 or 10 mins tops.
Mike
Yes, please try just a single machine. If it doesn't work, try just one patch.
Things to check/consider:
If you have SCCM SP1 to fix this error go to the settings page in the Administration client in computer, computer agent "Additional software manages the deployment of applications and software updates" change to "NO"
If not, check these:
Is the GPO set to point WSUS to your SUP?
Is the format correct - http://your-sccm-box's-FQDN:8530
Is it being trumped by any other?
Are the patches even downloading to %windir%\ccm\cache?
Have you checked the local machine logs UpdatesDeployment.log and WindowsUpdate.log ? (the second one is the key as it shows what the agent does, although in this case 0 patches are selected)
Finally, can you deploy any other software to the same collection?
Are all roles in monitoring healthy, especially the MP?
If the answer to the last is no, you have much bigger problems.
When testing I also set the patch to required (meaning mandatory) and set the time to "as soon as possible" as a deadline. Office hours are default 9-5pm and I see the patches deploy after 5 or 10 mins tops.
Mike
ASKER
Update: I've just now deployed this to another test PC that hasn't been touched yet. Checking shortly after the deployment, UpdatesDeployment.log shows this so far:
<![LOG[Assignment {bb255a00-e0ac-4913-8102-3
<![LOG[Deadline received for assignment ({bb255a00-e0ac-4913-8102-
<![LOG[Detection job ({AA999F6D-DBF1-4CFF-AF37-
<![LOG[User logoff system task]LOG]!><time="08:00:45
<![LOG[User logon system task]LOG]!><time="08:09:42
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="08:10:04.39
CAS.log does show activity as well:
<![LOG[Saved Content ID Mapping Content_2f000c6e-509c-4db8
<![LOG[Saved Content ID Mapping Content_4911b995-81f1-414c
<![LOG[Saved Content ID Mapping Content_301618a5-3f93-464f
<![LOG[Saved Content ID Mapping Content_51d0dc14-e402-4777
<![LOG[Saved Content ID Mapping Content_4fb022f3-5d78-4fca
<![LOG[Saved Content ID Mapping Content_ad631e8b-db38-4e41
<![LOG[Saved Content ID Mapping Content_e028e4a9-868c-4d28
<![LOG[Saved Content ID Mapping Content_612eb068-8692-4c64
<![LOG[Saved Content ID Mapping Content_3e7cac16-fff8-492d
<![LOG[Saved Content ID Mapping Content_9fce9061-9f76-460c
<![LOG[Saved Content ID Mapping Content_2a0cca71-af37-48a1
<![LOG[Saved Content ID Mapping Content_57fed5b9-455b-44c0
<![LOG[Saved Content ID Mapping Content_9f2c14d9-27dc-4d50
<![LOG[Saved Content ID Mapping Content_facce459-d5e6-4a40
<![LOG[Saved Content ID Mapping Content_d79417ea-60b7-46ce
<![LOG[Saved Content ID Mapping Content_a3685f24-8b3a-495f
Does this mean that the updates are downloading, and that I need to simply wait and they'll be installed at that time, or?
<![LOG[Assignment {bb255a00-e0ac-4913-8102-3
<![LOG[Deadline received for assignment ({bb255a00-e0ac-4913-8102-
<![LOG[Detection job ({AA999F6D-DBF1-4CFF-AF37-
<![LOG[User logoff system task]LOG]!><time="08:00:45
<![LOG[User logon system task]LOG]!><time="08:09:42
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="08:10:04.39
CAS.log does show activity as well:
<![LOG[Saved Content ID Mapping Content_2f000c6e-509c-4db8
<![LOG[Saved Content ID Mapping Content_4911b995-81f1-414c
<![LOG[Saved Content ID Mapping Content_301618a5-3f93-464f
<![LOG[Saved Content ID Mapping Content_51d0dc14-e402-4777
<![LOG[Saved Content ID Mapping Content_4fb022f3-5d78-4fca
<![LOG[Saved Content ID Mapping Content_ad631e8b-db38-4e41
<![LOG[Saved Content ID Mapping Content_e028e4a9-868c-4d28
<![LOG[Saved Content ID Mapping Content_612eb068-8692-4c64
<![LOG[Saved Content ID Mapping Content_3e7cac16-fff8-492d
<![LOG[Saved Content ID Mapping Content_9fce9061-9f76-460c
<![LOG[Saved Content ID Mapping Content_2a0cca71-af37-48a1
<![LOG[Saved Content ID Mapping Content_57fed5b9-455b-44c0
<![LOG[Saved Content ID Mapping Content_9f2c14d9-27dc-4d50
<![LOG[Saved Content ID Mapping Content_facce459-d5e6-4a40
<![LOG[Saved Content ID Mapping Content_d79417ea-60b7-46ce
<![LOG[Saved Content ID Mapping Content_a3685f24-8b3a-495f
Does this mean that the updates are downloading, and that I need to simply wait and they'll be installed at that time, or?
Hi,
I can't tell. Those cache folders could be just existing deployments. I am guessing not.
If you open the client on the machine and on the actions tab click
"Software Updates Deployment Evaluation Cycle" and "Software Updates Scan Cycle" then watch the cache folder directly. It is a good idea to have CMtrace open and have ccmexec.log loaded so you can watch it live. I rarely bother with CAS.Log.
Mike
I can't tell. Those cache folders could be just existing deployments. I am guessing not.
If you open the client on the machine and on the actions tab click
"Software Updates Deployment Evaluation Cycle" and "Software Updates Scan Cycle" then watch the cache folder directly. It is a good idea to have CMtrace open and have ccmexec.log loaded so you can watch it live. I rarely bother with CAS.Log.
Mike
ASKER
Upon looking at the files in the ccmcache directory, it looks like they are applications and not updates.
I ran the two actions and the ccmcache directory is not populating any further. If the updates download into the ccmcache directory, they do not appear to be downloading.
Here are the contents of UpdatesDeployment.log after running those two actions:
<![LOG[Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssig
<![LOG[Removing scan history to force non cached results]LOG]!><time="08:55
<![LOG[Assignment({bb255a0
<![LOG[Assignment({9DDD6DC
<![LOG[Evaluation initiated for (0) assignments.]LOG]!><time="
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="08:55:45.49
I ran the two actions and the ccmcache directory is not populating any further. If the updates download into the ccmcache directory, they do not appear to be downloading.
Here are the contents of UpdatesDeployment.log after running those two actions:
<![LOG[Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssig
<![LOG[Removing scan history to force non cached results]LOG]!><time="08:55
<![LOG[Assignment({bb255a0
<![LOG[Assignment({9DDD6DC
<![LOG[Evaluation initiated for (0) assignments.]LOG]!><time="
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="08:55:45.49
ASKER
Some of the pertinent options for the ADR that I have set include:
* Enable deployment after run.
* Automatically deploy and accept licenses
* Install "as soon as possible" under software available and installation deadline
* Allow software installation outside of maintenance window
We also do not have any maintenance window configured for this collection.
* Enable deployment after run.
* Automatically deploy and accept licenses
* Install "as soon as possible" under software available and installation deadline
* Allow software installation outside of maintenance window
We also do not have any maintenance window configured for this collection.
Hi,
The rules look fine as those are the settings I use. The last line of the last log is:
- Total actionable updates = 0
Which is as if the machine has scanned itself and compared the list of updates and decided that none of them are applicable.
Have you verified that any (or all) these patches install if you run them manually?
Also have you deployed the patches to your DP?
Check this walkthrough
http://blogs.technet.com/b/elie/archive/2012/05/26/system-center-2012-configuration-manager-part7-software-updates-deploy.aspx
Finally there are two more very useful logs:
UpdatesHandler.log - which will tell you about software update compliance scanning and about the download and installation of software updates on the client.
The other is UpdatesStore.log that shows compliance status for the software updates that were assessed during the compliance scan cycle.
Mike
The rules look fine as those are the settings I use. The last line of the last log is:
- Total actionable updates = 0
Which is as if the machine has scanned itself and compared the list of updates and decided that none of them are applicable.
Have you verified that any (or all) these patches install if you run them manually?
Also have you deployed the patches to your DP?
Check this walkthrough
http://blogs.technet.com/b/elie/archive/2012/05/26/system-center-2012-configuration-manager-part7-software-updates-deploy.aspx
Finally there are two more very useful logs:
UpdatesHandler.log - which will tell you about software update compliance scanning and about the download and installation of software updates on the client.
The other is UpdatesStore.log that shows compliance status for the software updates that were assessed during the compliance scan cycle.
Mike
ASKER
Mike,
I know of at least one update in that package of updates that should be applying. There is a particular patch that I'm looking to deploy. If I install it individually, it works. But even when I attempt to deploy that update by itself via the updates manager, it doesn't seem to be applying. Nothing does. I'm baffled. And they are on the DP.
I know of at least one update in that package of updates that should be applying. There is a particular patch that I'm looking to deploy. If I install it individually, it works. But even when I attempt to deploy that update by itself via the updates manager, it doesn't seem to be applying. Nothing does. I'm baffled. And they are on the DP.
ASKER
Mike,
I looked at the walkthrough and everything seems to be correct.
I did note that UpdatesStore.log has no new entries since I installed this box.
The only entries in UpdatesHandler.log are:
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time
<![LOG[Successfully initiated scan.]LOG]!><time="07:56:4
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time
<![LOG[Successfully initiated scan.]LOG]!><time="09:39:0
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time
<![LOG[Successfully initiated scan.]LOG]!><time="09:39:0
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time
<![LOG[Successfully initiated scan.]LOG]!><time="10:08:5
I looked at the walkthrough and everything seems to be correct.
I did note that UpdatesStore.log has no new entries since I installed this box.
The only entries in UpdatesHandler.log are:
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time
<![LOG[Successfully initiated scan.]LOG]!><time="07:56:4
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time
<![LOG[Successfully initiated scan.]LOG]!><time="09:39:0
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time
<![LOG[Successfully initiated scan.]LOG]!><time="09:39:0
<![LOG[Initiating updates scan for checking applicability.]LOG]!><time
<![LOG[Successfully initiated scan.]LOG]!><time="10:08:5
Hi,
Have you checked your GPO? If you run GPresult does the proper SUP address get applied?
I had to correct a GPO at work because they had another domain level GPO pointing at windowsupdate instead.
Also, on your test machine, does other software deploy OK? Everything should appear in Software Center.
A mini recap:
Your patches are imported in SUP?
They show as downloaded in SUP?
They are on the DP and the content source is GREEN?
You have ADR to make them available ASAP
You have no maintenance windows on the client
The latest windows update agent is installed on the client (needs to be 7.6.7600)?
Just in case:
http://support.microsoft.com/kb/949104
It seems to me that the client "pull" is not working so replying that everything is fine.
Mike
Have you checked your GPO? If you run GPresult does the proper SUP address get applied?
I had to correct a GPO at work because they had another domain level GPO pointing at windowsupdate instead.
Also, on your test machine, does other software deploy OK? Everything should appear in Software Center.
A mini recap:
Your patches are imported in SUP?
They show as downloaded in SUP?
They are on the DP and the content source is GREEN?
You have ADR to make them available ASAP
You have no maintenance windows on the client
The latest windows update agent is installed on the client (needs to be 7.6.7600)?
Just in case:
http://support.microsoft.com/kb/949104
It seems to me that the client "pull" is not working so replying that everything is fine.
Mike
ASKER
Everything on your recap is correct.
gpresult /R doesn't show anything about a SUP. Is it supposed to?
I did look at WindowsUpdate.log just now as well. Are updates through System Center supposed to feed to that log as well? I *do* see regular updates of Endpoint Protection, but nothing about the other updates I'm trying to push.
gpresult /R doesn't show anything about a SUP. Is it supposed to?
I did look at WindowsUpdate.log just now as well. Are updates through System Center supposed to feed to that log as well? I *do* see regular updates of Endpoint Protection, but nothing about the other updates I'm trying to push.
ASKER
When I send down the one update it does the same thing. CI = 1 but it doesn't install.
It's obviously seeing the updates - the logs suggest it. When I sent down the mass updates it shows a correct CI of 145 as well, which is how many updates I sent down.
A) I know the update hasn't ever been applied, and it doesn't show up in update history.
B) I know the PC is eligible to receive the update.
C) Even when I send numerous updates, it never seems to apply any.
Any other ideas?
<![LOG[Assignment {1385BDDE-E4BA-4407-BE43-7
<![LOG[Assignment ({1385BDDE-E4BA-4407-BE43-
<![LOG[Detection job ({E81DA6A4-3166-4266-9D0F-
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:05:56.54
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:05:56.71
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:22.24
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:22.40
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:49.69
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:49.88
<![LOG[User logoff system task]LOG]!><time="12:08:52
<![LOG[User logon system task]LOG]!><time="12:13:15
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:13:28.73
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:13:28.89
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:13:36.00
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:21:23.36
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:21:23.54
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:34:25.00
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:34:25.19
<![LOG[User logoff system task]LOG]!><time="12:35:16
<![LOG[User logon system task]LOG]!><time="12:36:12
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:36:33.59
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:38:31.32
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:38:31.51
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:41:00.07
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:41:00.28
<![LOG[User logoff system task]LOG]!><time="12:41:54
It's obviously seeing the updates - the logs suggest it. When I sent down the mass updates it shows a correct CI of 145 as well, which is how many updates I sent down.
A) I know the update hasn't ever been applied, and it doesn't show up in update history.
B) I know the PC is eligible to receive the update.
C) Even when I send numerous updates, it never seems to apply any.
Any other ideas?
<![LOG[Assignment {1385BDDE-E4BA-4407-BE43-7
<![LOG[Assignment ({1385BDDE-E4BA-4407-BE43-
<![LOG[Detection job ({E81DA6A4-3166-4266-9D0F-
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:05:56.54
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:05:56.71
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:22.24
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:22.40
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:49.69
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:07:49.88
<![LOG[User logoff system task]LOG]!><time="12:08:52
<![LOG[User logon system task]LOG]!><time="12:13:15
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:13:28.73
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:13:28.89
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:13:36.00
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:21:23.36
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:21:23.54
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:34:25.00
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:34:25.19
<![LOG[User logoff system task]LOG]!><time="12:35:16
<![LOG[User logon system task]LOG]!><time="12:36:12
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:36:33.59
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:38:31.32
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:38:31.51
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:41:00.07
<![LOG[EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0]LOG]!><time="12:41:00.28
<![LOG[User logoff system task]LOG]!><time="12:41:54
Hi,
SUP is just the management front-end. At the backend it uses WSUS on the server and the Windows Update Agent on the client. You kick the whole thing off by synchronising the SUP database with WSUS. WSUS downloads patches and SUP presents them. When you right-click download it makes a copy in the content library I think.
On the client, the actions poll on a schedule. It asks the MP - any jobs? If there are it gets a list and then pulls the patches into the cache. They are now "available" and the WUA starts installing them in a chain, the same way it does if just connected to windows update.Com. So, yes the WindowsUpdate.Log is vital, but if nothing is arriving in the cache, then it will be empty.
It's case of nothing ever being dispatched. The question is is the client giving bad info back to the MP, OR is there something stopping the patch being made available.
The CI total you keep seeing is just a headcount of "configuration items". So the client is being told there are 145 things to do, but none are *actionable*.
With regards GPresult there *must* be a policy set to point the clients at. Normally when you install the client, it sets this for you automatically, so it just works. Given that nothing is working it's prudent to check!
There is a nice article here although for 2007: http://myitforum.com/cs2/blogs/rdixon/archive/2008/06/09/details-for-obtaining-100-configmgr-client-installation-amp-reach.aspx
WSUS
One thing to check is the WSUS health: WSUSCtrl.log
These (server logs in <ConfigMgrInstallationPath
Log File Name Description
ciamgr.log about the addition, deletion, and modification of software update configuration items.
distmgr.log Provides about the replication of software update deployment packages.
objreplmgr.log about the replication of software updates notification files from a parent to child sites.
PatchDownloader.log about the process for downloading software updates from the update source specified in the software updates metadata to the download destination on the site server.
Finally you need to look at the eventlogs too. Look for all WSUS events. Also never, ever configure WSUS if you are running SCCM with a SUP. SUP provides the means to download, filter, approve, deny but NOT delete patches. Configuring WSUS can break things.
SUP is just the management front-end. At the backend it uses WSUS on the server and the Windows Update Agent on the client. You kick the whole thing off by synchronising the SUP database with WSUS. WSUS downloads patches and SUP presents them. When you right-click download it makes a copy in the content library I think.
On the client, the actions poll on a schedule. It asks the MP - any jobs? If there are it gets a list and then pulls the patches into the cache. They are now "available" and the WUA starts installing them in a chain, the same way it does if just connected to windows update.Com. So, yes the WindowsUpdate.Log is vital, but if nothing is arriving in the cache, then it will be empty.
It's case of nothing ever being dispatched. The question is is the client giving bad info back to the MP, OR is there something stopping the patch being made available.
The CI total you keep seeing is just a headcount of "configuration items". So the client is being told there are 145 things to do, but none are *actionable*.
With regards GPresult there *must* be a policy set to point the clients at. Normally when you install the client, it sets this for you automatically, so it just works. Given that nothing is working it's prudent to check!
There is a nice article here although for 2007: http://myitforum.com/cs2/blogs/rdixon/archive/2008/06/09/details-for-obtaining-100-configmgr-client-installation-amp-reach.aspx
WSUS
One thing to check is the WSUS health: WSUSCtrl.log
These (server logs in <ConfigMgrInstallationPath
Log File Name Description
ciamgr.log about the addition, deletion, and modification of software update configuration items.
distmgr.log Provides about the replication of software update deployment packages.
objreplmgr.log about the replication of software updates notification files from a parent to child sites.
PatchDownloader.log about the process for downloading software updates from the update source specified in the software updates metadata to the download destination on the site server.
Finally you need to look at the eventlogs too. Look for all WSUS events. Also never, ever configure WSUS if you are running SCCM with a SUP. SUP provides the means to download, filter, approve, deny but NOT delete patches. Configuring WSUS can break things.
ASKER
We've not touched WSUS beyond setting it up. I'll look at the GPO but I'm fairly confident it's accurate. None of this has been an issue before and we haven't changed GPO.
One other unusual thing I just noticed -- Software Center on these devices show the default "IT Organization" title rather then what was set. It may be unrelated or might be related?
One other unusual thing I just noticed -- Software Center on these devices show the default "IT Organization" title rather then what was set. It may be unrelated or might be related?
OK. Even setting WSUS up is frowned upon. The best way is just enable the role and reboot. Don't even launch the console :).
If you've never used WSUS then there won't be GPO for it. If there was a conflict you would get explicit error code. The odd thing is you are not getting any error codes at all.
As for the IT org - that will not affect anything as it is purely cosmetic but maybe check the "client settings" in the update section.
If you set the name as shown here:
http://www.rickygao.com/how-to-change-organization-name-in-software-center-in-sccm-2012/
It ought to work.
Info on GPOs etc. http://myitforum.com/cs2/blogs/jsandys/archive/2010/05/09/software-update-management-and-group-policy-for-configmgr-what-else.aspx
Mike
If you've never used WSUS then there won't be GPO for it. If there was a conflict you would get explicit error code. The odd thing is you are not getting any error codes at all.
As for the IT org - that will not affect anything as it is purely cosmetic but maybe check the "client settings" in the update section.
If you set the name as shown here:
http://www.rickygao.com/how-to-change-organization-name-in-software-center-in-sccm-2012/
It ought to work.
Info on GPOs etc. http://myitforum.com/cs2/blogs/jsandys/archive/2010/05/09/software-update-management-and-group-policy-for-configmgr-what-else.aspx
Mike
ASKER
Any other ideas, Mike? Logs we can reference, etc?
ASKER
There may be a bigger issue going on. I'm trying to re-deploy the Config Manager client to one of the impacted PCs and it doesn't seem to be getting it, either.
ASKER
I also checked GPO and we do not have any policies specified for "intranet Microsoft update service location"
ASKER
FYI, I am convinced that the one client that is having ConfigManager Client trouble is a separate issue.
Any other ideas?
Any other ideas?
Hi,
I've been out all day. Forgetting the client for a moment, are other machines able/are still getting software deployments of any kind? It's a good test, if patching is not happening, push something else that you know, without doubt worked before and still ought to.
I don't have any other ideas, no. Have you checked the eventlogs? WSUS health etc.
With the GPO I think I didn't explain one bit: there has to be a local policy (not domain) on each machine which is set when the agent is installed. As I said, if you did have a conflicting GPO you would see an error code. So we can rule that out. There still has to be a policy set somewhere though.
As for the machine with the broken client that's not good news. Try a clean install. Deploying the client itself is a good test of the infrastructure. If you can't even do that then patches won't either. It may be isolated, but once you get the client to reply then you know SCCM is pushing OK, so it's a good target to test patching.
Mike
I've been out all day. Forgetting the client for a moment, are other machines able/are still getting software deployments of any kind? It's a good test, if patching is not happening, push something else that you know, without doubt worked before and still ought to.
I don't have any other ideas, no. Have you checked the eventlogs? WSUS health etc.
With the GPO I think I didn't explain one bit: there has to be a local policy (not domain) on each machine which is set when the agent is installed. As I said, if you did have a conflicting GPO you would see an error code. So we can rule that out. There still has to be a policy set somewhere though.
As for the machine with the broken client that's not good news. Try a clean install. Deploying the client itself is a good test of the infrastructure. If you can't even do that then patches won't either. It may be isolated, but once you get the client to reply then you know SCCM is pushing OK, so it's a good target to test patching.
Mike
ASKER
Hi Mike..
I did just notice something under Software Update Point Sync Status under Monitoring.
Our wsus server, wsus.domain.local, is showing a successful sync. It's operating fine.
Our ConfigManagerCentral link and our ConfigManager link are showing a blue exclamation with no syncs at all. The unusual part is that ConfigManagerCentral is pointed to Microsoft Updates, while the primary site, ConfigManager, is pointed to wsus.firstcom.local. Neither have synced.
Upon re-installing the SUP role to ConfigManagerCentral, I don't see an option to direct it to our wsus.domain.local server, which I imagine is where it needs to be pointed to.
Can you advise?
I did just notice something under Software Update Point Sync Status under Monitoring.
Our wsus server, wsus.domain.local, is showing a successful sync. It's operating fine.
Our ConfigManagerCentral link and our ConfigManager link are showing a blue exclamation with no syncs at all. The unusual part is that ConfigManagerCentral is pointed to Microsoft Updates, while the primary site, ConfigManager, is pointed to wsus.firstcom.local. Neither have synced.
Upon re-installing the SUP role to ConfigManagerCentral, I don't see an option to direct it to our wsus.domain.local server, which I imagine is where it needs to be pointed to.
Can you advise?
ASKER
I came to the realization that ConfigManagerCentral should not need to be marked as a SUP because the external WSUS server is on the same site code.
Iwcm.log seems to indicate that it cannot connect to the server. It's pointing to itself, which I believe it's supposed to do? My wsus server is external and on a Server 2012 box, so it uses port 8350, but the primary site that I'm having trouble with is Server 2008 with only the WSUS Admin Console, so I believe it's port 80. Which port do I need to configure my primary site for? The port for the main wsus server that's running server 2012 (8350) or the port for the local WSUS admin console, which would be 80?
If it's 80 I'm getting a 404 error in wcm.log. If it's 8350, it's denying the connection.
So a) which port do I use, and B) if it's 80, why would I get a 404 error, and if it's 8350 then why would I be getting a closed connection? IIS is installed on all boxes.
Iwcm.log seems to indicate that it cannot connect to the server. It's pointing to itself, which I believe it's supposed to do? My wsus server is external and on a Server 2012 box, so it uses port 8350, but the primary site that I'm having trouble with is Server 2008 with only the WSUS Admin Console, so I believe it's port 80. Which port do I need to configure my primary site for? The port for the main wsus server that's running server 2012 (8350) or the port for the local WSUS admin console, which would be 80?
If it's 80 I'm getting a 404 error in wcm.log. If it's 8350, it's denying the connection.
So a) which port do I use, and B) if it's 80, why would I get a 404 error, and if it's 8350 then why would I be getting a closed connection? IIS is installed on all boxes.
ASKER
By the way, I'm willing to do a conference call about this and provide a LinkedIn recommendation to anyone who can help get me through this issue.
Hi,
Sorry I didn't see you previous reply. You have a CAS installed? That changes things a bit, but as you have found you need to get the SUP to sync with WSUS.
Here's some tips from a very good guy:
The combination of ConfigMgr and Software Updates is not always a simple one. This because when it's not working, it's not always easy to find the solution. Here are some best practices for installing and configuring:
• When installing WSUS, choose always for a custom website, with ports 8530 and 8531. This way the ConfigMgr Management Point and Software Updates are not both configured on port 80 and 443 (best practice).
• check permissions on the WSUS and WSUSContent folder : the Network Service account must have the right permissions. On the WSUS folder set Read permissions ; WSUSContent folder set Full Control permissions
• For WSUS on a custom website check security in IIS. This must be set to Anonymous authentication, with a "IUSR_<ConfigMgr Server>" account. This must be a Domain User account, with Local Admin rights on the ConfigMgr server.
• With MP Troubleshooter (ConfigMgr 2007 Toolkit) you can check if the IIS account has enough permissions for accessing both websites. It's always necessary for having enough (local) rights on the ConfigMgr server.
• Sometimes a Proxy server must be used for synchronizing updates. Try both configurations (on and off) with or without an User account. Sometimes there must also made a bypass on the Proxy server for getting it to work.
• At last, do a "Run Synchronization" on the Update Repository and follow the Software Updates in the wsyncmgr.log (easy to see with SMS Trace - ConfigMgr 2007 Toolkit). When synchronization is done, do it again till no updates are available anymore. Then create Search Folders.
• Use Search folders. Then it's easy to see which updates are available for the last month (example) for a specific product. These updates can be drag-and-dropped on the Update Lists for creating overviews.
http://henkhoogendoorn.blogspot.nl/2011/03/more-handy-tips-and-tricks-for.html
So, the answer to the ports is: you need to point the SUP to port 8350, not 80. 80 is only for the console connection. As for the denying, you need to check whether you have SSL enabled on the MP (I think - I don't have sccm access to see). If you do have it set then the port is 8351 instead.
Mike
Sorry I didn't see you previous reply. You have a CAS installed? That changes things a bit, but as you have found you need to get the SUP to sync with WSUS.
Here's some tips from a very good guy:
The combination of ConfigMgr and Software Updates is not always a simple one. This because when it's not working, it's not always easy to find the solution. Here are some best practices for installing and configuring:
• When installing WSUS, choose always for a custom website, with ports 8530 and 8531. This way the ConfigMgr Management Point and Software Updates are not both configured on port 80 and 443 (best practice).
• check permissions on the WSUS and WSUSContent folder : the Network Service account must have the right permissions. On the WSUS folder set Read permissions ; WSUSContent folder set Full Control permissions
• For WSUS on a custom website check security in IIS. This must be set to Anonymous authentication, with a "IUSR_<ConfigMgr Server>" account. This must be a Domain User account, with Local Admin rights on the ConfigMgr server.
• With MP Troubleshooter (ConfigMgr 2007 Toolkit) you can check if the IIS account has enough permissions for accessing both websites. It's always necessary for having enough (local) rights on the ConfigMgr server.
• Sometimes a Proxy server must be used for synchronizing updates. Try both configurations (on and off) with or without an User account. Sometimes there must also made a bypass on the Proxy server for getting it to work.
• At last, do a "Run Synchronization" on the Update Repository and follow the Software Updates in the wsyncmgr.log (easy to see with SMS Trace - ConfigMgr 2007 Toolkit). When synchronization is done, do it again till no updates are available anymore. Then create Search Folders.
• Use Search folders. Then it's easy to see which updates are available for the last month (example) for a specific product. These updates can be drag-and-dropped on the Update Lists for creating overviews.
http://henkhoogendoorn.blogspot.nl/2011/03/more-handy-tips-and-tricks-for.html
So, the answer to the ports is: you need to point the SUP to port 8350, not 80. 80 is only for the console connection. As for the denying, you need to check whether you have SSL enabled on the MP (I think - I don't have sccm access to see). If you do have it set then the port is 8351 instead.
Mike
ASKER
Yes, we have a CAS. Here's the structure:
We have a central server -- site code FCC, server name ConfigManagerCentral, running Windows Server 2008. It has the WSUS admin console running.
We have an external WSUS server that is part of the central server, FCC site code, listed as wsus.domain.local. It runs Server 2012 and has the full WSUS console installed.
We have a primary site, ConfigManager, that has site code HQ1, running Windows Server 2008. It has the WSUS admin console running.
We also have two other primary sites that we use from time to time for special projects. I'm not really worried about these, so disregard them.
I don't use SSL anywhere in my configuration.
It was my understanding that port 80 is supposedly used for certain versions of WSUS (3.0 SP2 on Server 2008), and 8350 is used for WSUS on Server 2012.
When I set up my primary site as a SUP, it's trying to connect to itself per the log files posted above. Is that what it's supposed to be doing? If yes, I would have thought I'd have to set the port to 80 because the primary site is running WSUS 3.0 SP2 on Server 2008.
If it goes to port 80, I get a 404 error. If it goes to port 8350, I'm getting connection refused. IIS is running on all servers.
We have a central server -- site code FCC, server name ConfigManagerCentral, running Windows Server 2008. It has the WSUS admin console running.
We have an external WSUS server that is part of the central server, FCC site code, listed as wsus.domain.local. It runs Server 2012 and has the full WSUS console installed.
We have a primary site, ConfigManager, that has site code HQ1, running Windows Server 2008. It has the WSUS admin console running.
We also have two other primary sites that we use from time to time for special projects. I'm not really worried about these, so disregard them.
I don't use SSL anywhere in my configuration.
It was my understanding that port 80 is supposedly used for certain versions of WSUS (3.0 SP2 on Server 2008), and 8350 is used for WSUS on Server 2012.
When I set up my primary site as a SUP, it's trying to connect to itself per the log files posted above. Is that what it's supposed to be doing? If yes, I would have thought I'd have to set the port to 80 because the primary site is running WSUS 3.0 SP2 on Server 2008.
If it goes to port 80, I get a 404 error. If it goes to port 8350, I'm getting connection refused. IIS is running on all servers.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sorry, the port was correct at 8530. 8530 is also the default for WSUS on Server 2012, so it's already been set that way. When I update the role for the primary site in SCCM to reflect 8530, it says the connection is refused.
A reminder:
Site code: Server: Purpose SUP installed
FCC WSUS External WSUS server Y (working)
FCC ConfigManagerCentral Central Site N
HQ1 ConfigManager Primary Y
This is wcm.log:
Changes in active SUP list detected. New active SUP List is:~ $$<SMS_WSUS_CONFIGURATION_
SUP0: configmanager.domain.local
Updating active SUP groups...~ $$<SMS_WSUS_CONFIGURATION_
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~ $$<SMS_WSUS_CONFIGURATION_
Checking runtime v2.0.50727...~ $$<SMS_WSUS_CONFIGURATION_
Found supported assembly Microsoft.UpdateServices.A
Found supported assembly Microsoft.UpdateServices.B
Supported WSUS version found~ $$<SMS_WSUS_CONFIGURATION_
Using firstcom\administrator credentials for network connections~ $$<SMS_WSUS_CONFIGURATION_
Attempting connection to WSUS server: configmanager.domain.local
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketE
Done using firstcom\administrator credentials~ $$<SMS_WSUS_CONFIGURATION_
Remote configuration failed on WSUS Server.~ $$<SMS_WSUS_CONFIGURATION_
STATMSG: ID=6600 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATI
Setting new configuration state to 3 (WSUS_CONFIG_FAILED)~ $$<SMS_WSUS_CONFIGURATION_
Waiting for changes for 7 minutes $$<SMS_WSUS_CONFIGURATION_
Wait timed out after 7 minutes while waiting for at least one trigger event. $$<SMS_WSUS_CONFIGURATION_
Timed Out...~ $$<SMS_WSUS_CONFIGURATION_
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~ $$<SMS_WSUS_CONFIGURATION_
Checking runtime v2.0.50727...~ $$<SMS_WSUS_CONFIGURATION_
Found supported assembly Microsoft.UpdateServices.A
Found supported assembly Microsoft.UpdateServices.B
Supported WSUS version found~ $$<SMS_WSUS_CONFIGURATION_
Using firstcom\administrator credentials for network connections~ $$<SMS_WSUS_CONFIGURATION_
Attempting connection to WSUS server: configmanager.domain.local
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketE
Done using firstcom\administrator credentials~ $$<SMS_WSUS_CONFIGURATION_
Remote configuration failed on WSUS Server.~ $$<SMS_WSUS_CONFIGURATION_
STATMSG: ID=6600 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATI
Waiting for changes for 60 minutes $$<SMS_WSUS_CONFIGURATION_
A reminder:
Site code: Server: Purpose SUP installed
FCC WSUS External WSUS server Y (working)
FCC ConfigManagerCentral Central Site N
HQ1 ConfigManager Primary Y
This is wcm.log:
Changes in active SUP list detected. New active SUP List is:~ $$<SMS_WSUS_CONFIGURATION_
SUP0: configmanager.domain.local
Updating active SUP groups...~ $$<SMS_WSUS_CONFIGURATION_
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~ $$<SMS_WSUS_CONFIGURATION_
Checking runtime v2.0.50727...~ $$<SMS_WSUS_CONFIGURATION_
Found supported assembly Microsoft.UpdateServices.A
Found supported assembly Microsoft.UpdateServices.B
Supported WSUS version found~ $$<SMS_WSUS_CONFIGURATION_
Using firstcom\administrator credentials for network connections~ $$<SMS_WSUS_CONFIGURATION_
Attempting connection to WSUS server: configmanager.domain.local
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketE
Done using firstcom\administrator credentials~ $$<SMS_WSUS_CONFIGURATION_
Remote configuration failed on WSUS Server.~ $$<SMS_WSUS_CONFIGURATION_
STATMSG: ID=6600 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATI
Setting new configuration state to 3 (WSUS_CONFIG_FAILED)~ $$<SMS_WSUS_CONFIGURATION_
Waiting for changes for 7 minutes $$<SMS_WSUS_CONFIGURATION_
Wait timed out after 7 minutes while waiting for at least one trigger event. $$<SMS_WSUS_CONFIGURATION_
Timed Out...~ $$<SMS_WSUS_CONFIGURATION_
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~ $$<SMS_WSUS_CONFIGURATION_
Checking runtime v2.0.50727...~ $$<SMS_WSUS_CONFIGURATION_
Found supported assembly Microsoft.UpdateServices.A
Found supported assembly Microsoft.UpdateServices.B
Supported WSUS version found~ $$<SMS_WSUS_CONFIGURATION_
Using firstcom\administrator credentials for network connections~ $$<SMS_WSUS_CONFIGURATION_
Attempting connection to WSUS server: configmanager.domain.local
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketE
Done using firstcom\administrator credentials~ $$<SMS_WSUS_CONFIGURATION_
Remote configuration failed on WSUS Server.~ $$<SMS_WSUS_CONFIGURATION_
STATMSG: ID=6600 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATI
Waiting for changes for 60 minutes $$<SMS_WSUS_CONFIGURATION_
ASKER
One thing that confuses me is that the primary site has been trying to connect to itself, unless it's connecting to itself and then to the wsus server via the WSUS admin console. Our WSUS server is actually wsus.domain.local. But this server is automatically defined when I install the SUP role on it.
ASKER
The SUPs were also configured according to the walkthroughs you gave me.
ASKER
I think I may have made *some* progress.
I had to remove the SUPs and use wsusutil to enable usecustomwebsite.
I'm now getting different errors and looking into them.
I had to remove the SUPs and use wsusutil to enable usecustomwebsite.
I'm now getting different errors and looking into them.
ASKER
Okay, so it's still actively refusing the connection. The log file I presented above is still the same case.
Can you reach the WSUS Server on the WSUS Ports you've installed it?
Telnet <Your WSUS Server> 8530
Firewall is off?
Also check out this article regarding the Port Config
http://social.technet.microsoft.com/Forums/en-US/bfb26aec-04a8-4edf-83ea-fe2e0ca3824e/wsus-configuration-manager-failed-to-configure-upstream-server-settings-on-a-wsus-server?forum=configmgrsum
Telnet <Your WSUS Server> 8530
Firewall is off?
Also check out this article regarding the Port Config
http://social.technet.microsoft.com/Forums/en-US/bfb26aec-04a8-4edf-83ea-fe2e0ca3824e/wsus-configuration-manager-failed-to-configure-upstream-server-settings-on-a-wsus-server?forum=configmgrsum
ASKER
Yes, I get a good connection from the primary server to the wsus server.
ASKER
Is the SUP list correct? Is the primary site supposed to only see itself, or should it also see wsus? If it's supposed to see wsus.domain.local, why isn't it?
I just read that you've just installed the WSUS Admin Console on Primary Site Server HQ1.
Is this correct? You can also install the full WSUS Installation there.
The log posted above....is this from the Central or the Primary Site Server?
Which list do you mean? Screenshot...The Primary Site Server does not know anything about the structure above him.
Is this correct? You can also install the full WSUS Installation there.
The log posted above....is this from the Central or the Primary Site Server?
Which list do you mean? Screenshot...The Primary Site Server does not know anything about the structure above him.
ASKER
The log above is from the Primary Site Server.
I only installed the Admin Console on HQ1 because that should be all that's required.
The list of SUPs I was referring to is the log that I pasted above.
I only installed the Admin Console on HQ1 because that should be all that's required.
The list of SUPs I was referring to is the log that I pasted above.
Ok i think you need the following
- Seperate WSUS Server for Central Site (Full WSUS Installation & SUP)
- Central Site Server (at least WSUS Admin Console)
- Primary Site Server (Full WSUS Installation & SUP)
- Seperate WSUS Server for Central Site (Full WSUS Installation & SUP)
- Central Site Server (at least WSUS Admin Console)
- Primary Site Server (Full WSUS Installation & SUP)
ASKER
I don't believe we've ever had to install the full WSUS on the primary server before. Are you sure that's accurate?
ASKER
If each site is reporting to their own WSUS servers, they won't be synced. I'd like to stick with one WSUS server.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yes, I've enabled it as a SUP but I'd like to have one consistent WSUS server.
The SUP on the Primary Site syncs with Microsoft Update and replicates down the Updates down the hierachry. If this role is installed on the Central Site Server itself or on a seperate Server does not matter. The WSUS Admin Console is just required on the Site Server when you push the SUP Installation on the WSUS Server.
In order to deploy updates in the child primary site you need a SUP there also. And SUP always means a Full WSUS Installation. The Central SUP then syncs with the Primary child site SUP.
Also check out this:
http://blogs.msdn.com/b/scstr/archive/2012/05/31/configuring_2d00_software_2d00_updates_2d00_in_2d00_configuration_2d00_manager_2d00_2012.aspx
In order to deploy updates in the child primary site you need a SUP there also. And SUP always means a Full WSUS Installation. The Central SUP then syncs with the Primary child site SUP.
Also check out this:
http://blogs.msdn.com/b/scstr/archive/2012/05/31/configuring_2d00_software_2d00_updates_2d00_in_2d00_configuration_2d00_manager_2d00_2012.aspx
ASKER
Okay, I apologize. It does look like the primary site has a WSUS server. I mistook it for the admin console. However, it's running on Server 2008 R2 while the primary site runs on Server 2012. So the wsus site would use port 8530 and the primary site would use port 80. I verified the bindings on the IIS configuration on the primary site.
However, if I point the SUP for the primary site to port 80, I get a 404 error.
However, if I point the SUP for the primary site to port 80, I get a 404 error.
The WSUS Ports does not matter that much as long as you use the same ports when installing the SUP on it.
ASKER
IIS on the primary site is configured to use port 80, and I've just now set up the SUP on the primary site to use port 80. I get a 404 error.
The WSUS IIS page is configured for port 80? Page is running?
What says WSUSCtrl.log and WCM.log?
What says WSUSCtrl.log and WCM.log?
ASKER
Yes, and when I load the page it shows the IIS screen.
wcm.log:
Changes in active SUP list detected. New active SUP List is:~ $$<SMS_WSUS_CONFIGURATION_
SUP0: configmanager.domain.local
Updating active SUP groups...~ $$<SMS_WSUS_CONFIGURATION_
Updating Group Info for WSUS.~ $$<SMS_WSUS_CONFIGURATION_
Set UseParentWSUS property in SCF to 1 on this site for configmanager.domain.local
user(NT AUTHORITY\SYSTEM) runing application(SMS_WSUS_CONFI
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~ $$<SMS_WSUS_CONFIGURATION_
Checking runtime v2.0.50727...~ $$<SMS_WSUS_CONFIGURATION_
Found supported assembly Microsoft.UpdateServices.A
Found supported assembly Microsoft.UpdateServices.B
Supported WSUS version found~ $$<SMS_WSUS_CONFIGURATION_
Using firstcom\administrator credentials for network connections~ $$<SMS_WSUS_CONFIGURATION_
Attempting connection to WSUS server: configmanager.domain.local
System.Net.WebException: The request failed with HTTP status 404: Not Found.~~ at Microsoft.UpdateServices.A
Done using firstcom\administrator credentials~ $$<SMS_WSUS_CONFIGURATION_
wsusctrl:
Attempting connection to local WSUS server $$<SMS_WSUS_CONTROL_MANAGE
Microsoft.UpdateServices.A
Failures reported during periodic health check by the WSUS Server configmanager.firstcom.loc
~Waiting for changes for 1 minutes $$<SMS_WSUS_CONTROL_MANAGE
Timed Out...~ $$<SMS_WSUS_CONTROL_MANAGE
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~ $$<SMS_WSUS_CONTROL_MANAGE
Checking runtime v2.0.50727...~ $$<SMS_WSUS_CONTROL_MANAGE
Found supported assembly Microsoft.UpdateServices.A
Found supported assembly Microsoft.UpdateServices.B
Supported WSUS version found~ $$<SMS_WSUS_CONTROL_MANAGE
Attempting connection to local WSUS server $$<SMS_WSUS_CONTROL_MANAGE
Microsoft.UpdateServices.A
Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes~ $$<SMS_WSUS_CONTROL_MANAGE
Attempting connection to local WSUS server $$<SMS_WSUS_CONTROL_MANAGE
Microsoft.UpdateServices.A
Failures reported during periodic health check by the WSUS Server configmanager.firstcom.loc
~Waiting for changes for 1 minutes $$<SMS_WSUS_CONTROL_MANAGE
wcm.log:
Changes in active SUP list detected. New active SUP List is:~ $$<SMS_WSUS_CONFIGURATION_
SUP0: configmanager.domain.local
Updating active SUP groups...~ $$<SMS_WSUS_CONFIGURATION_
Updating Group Info for WSUS.~ $$<SMS_WSUS_CONFIGURATION_
Set UseParentWSUS property in SCF to 1 on this site for configmanager.domain.local
user(NT AUTHORITY\SYSTEM) runing application(SMS_WSUS_CONFI
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~ $$<SMS_WSUS_CONFIGURATION_
Checking runtime v2.0.50727...~ $$<SMS_WSUS_CONFIGURATION_
Found supported assembly Microsoft.UpdateServices.A
Found supported assembly Microsoft.UpdateServices.B
Supported WSUS version found~ $$<SMS_WSUS_CONFIGURATION_
Using firstcom\administrator credentials for network connections~ $$<SMS_WSUS_CONFIGURATION_
Attempting connection to WSUS server: configmanager.domain.local
System.Net.WebException: The request failed with HTTP status 404: Not Found.~~ at Microsoft.UpdateServices.A
Done using firstcom\administrator credentials~ $$<SMS_WSUS_CONFIGURATION_
wsusctrl:
Attempting connection to local WSUS server $$<SMS_WSUS_CONTROL_MANAGE
Microsoft.UpdateServices.A
Failures reported during periodic health check by the WSUS Server configmanager.firstcom.loc
~Waiting for changes for 1 minutes $$<SMS_WSUS_CONTROL_MANAGE
Timed Out...~ $$<SMS_WSUS_CONTROL_MANAGE
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)~ $$<SMS_WSUS_CONTROL_MANAGE
Checking runtime v2.0.50727...~ $$<SMS_WSUS_CONTROL_MANAGE
Found supported assembly Microsoft.UpdateServices.A
Found supported assembly Microsoft.UpdateServices.B
Supported WSUS version found~ $$<SMS_WSUS_CONTROL_MANAGE
Attempting connection to local WSUS server $$<SMS_WSUS_CONTROL_MANAGE
Microsoft.UpdateServices.A
Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes~ $$<SMS_WSUS_CONTROL_MANAGE
Attempting connection to local WSUS server $$<SMS_WSUS_CONTROL_MANAGE
Microsoft.UpdateServices.A
Failures reported during periodic health check by the WSUS Server configmanager.firstcom.loc
~Waiting for changes for 1 minutes $$<SMS_WSUS_CONTROL_MANAGE
You first install WSUS then SUP, right?
Could you please check out the hints on this threads.
http://social.technet.microsoft.com/Forums/systemcenter/en-US/45392874-6833-48ed-a8ee-7e9462781eba/smswsuscontrolmanager-errors?forum=configmgrgeneral
http://www.windows-noob.com/forums/index.php?/topic/7047-sync-problem-with-sup-and-wsus-using-the-guides/
Could you please check out the hints on this threads.
http://social.technet.microsoft.com/Forums/systemcenter/en-US/45392874-6833-48ed-a8ee-7e9462781eba/smswsuscontrolmanager-errors?forum=configmgrgeneral
http://www.windows-noob.com/forums/index.php?/topic/7047-sync-problem-with-sup-and-wsus-using-the-guides/
ASKER
WSUS was installed first.
I've seen both of those pages already and unfortunately they didn't provide much assistance.
I've seen both of those pages already and unfortunately they didn't provide much assistance.
Ok, can you please post screenshots of your SUP Config on the Primary Site Server?
ASKER
See attached.
Untitled.png
Untitled.png
seems correct.
I would try the following:
- Remove SUP Role (Wait until uninstallation succeeded in SUPSetup.log)
- Uninstall WSUS
- Reboot (maybe reboot twice if required)
- Install WSUS, ignore the configuration wizard
- Reboot
- Install SUP Role (check out SUPSetup.log)
I would try the following:
- Remove SUP Role (Wait until uninstallation succeeded in SUPSetup.log)
- Uninstall WSUS
- Reboot (maybe reboot twice if required)
- Install WSUS, ignore the configuration wizard
- Reboot
- Install SUP Role (check out SUPSetup.log)
ASKER
I reinstalled WSUS and it seems to be working now. I went ahead and updated it to use port 8530 too. I'll keep you posted.
great News
ASKER
I am waiting for items to sync and then I will try to deploy a batch of updates. I will keep you posted.
Hi,
Yes great news. It sounds like you're nearly there. Thanks merowinger too.
I'm curious after sleeping on it - why have you got a CAS? Have you got More than one primary or 100,000 clients?
If not it just over-complicates things and you could maybe put the server to better use.
Also why is the external full WSUS where it is? It does make things easier to install on the primary as you have now.
Mike
Yes great news. It sounds like you're nearly there. Thanks merowinger too.
I'm curious after sleeping on it - why have you got a CAS? Have you got More than one primary or 100,000 clients?
If not it just over-complicates things and you could maybe put the server to better use.
Also why is the external full WSUS where it is? It does make things easier to install on the primary as you have now.
Mike
ASKER
Mike,
We have two other primary servers that we use for special projects (i.e. offsite deployments). We install a local server to make things more efficient during the process.
We have two other primary servers that we use for special projects (i.e. offsite deployments). We install a local server to make things more efficient during the process.
ASKER
It's my understanding that after I set up an ADP and the package is deployed, I can check UpdatesDeployment.log in c:\windows\ccm\logs on the client pc, correct?
The issue I had before all of this was that updates didn't seem to download and apply on the clients. It would say total actionable updates = 0.
Both the central/wsus and primary servers are still syncing, but I went ahead and created a deployment package. It's doing the same thing.
The issue I had before all of this was that updates didn't seem to download and apply on the clients. It would say total actionable updates = 0.
Both the central/wsus and primary servers are still syncing, but I went ahead and created a deployment package. It's doing the same thing.
It takes some time until the processes are going on.
Please recheck a few things.
Is the ADR working (RulesEngine.log)
Is there any update in Software Update Group?
Is there any Update in the Package
Is the Package updated on DP? (Content Status)
Is the deployment linked to your Client? Rightclick Client -> Deployment (Are there Updates listed?)
Are updates listed as required?
- On Client run a Software Update Scan Cycle
- On the Server run a Software Update Summarization
- Are now updates listed as required?
On the Client run a Software Update Deployment Cycle
All These processes need some time to run and to get processed, so please be patient
Please recheck a few things.
Is the ADR working (RulesEngine.log)
Is there any update in Software Update Group?
Is there any Update in the Package
Is the Package updated on DP? (Content Status)
Is the deployment linked to your Client? Rightclick Client -> Deployment (Are there Updates listed?)
Are updates listed as required?
- On Client run a Software Update Scan Cycle
- On the Server run a Software Update Summarization
- Are now updates listed as required?
On the Client run a Software Update Deployment Cycle
All These processes need some time to run and to get processed, so please be patient
ASKER
All of these should be accurate, yes...
Hi,
I know you want to get this going but one thing SCCM teaches you is patience. It won't deploy anything until the sync is utterly complete. Watch the wsyncmgr.log if you want to see progress. It will take 2 or 3 hours maybe more if you have lots of products/languages/slow internet pipe.
In the olden days SMS was known as "slow moving software" for a reason.
Once the sync is complete there is also the wait for rules to trigger and then updates to distribute out to the DPs.
Slowly, slowly catches monkey :).
Mike
PS: fair enough with the CAS. There might be better ways using Branchcache now but I've never played with that and it's a whole new can of worms.
I know you want to get this going but one thing SCCM teaches you is patience. It won't deploy anything until the sync is utterly complete. Watch the wsyncmgr.log if you want to see progress. It will take 2 or 3 hours maybe more if you have lots of products/languages/slow internet pipe.
In the olden days SMS was known as "slow moving software" for a reason.
Once the sync is complete there is also the wait for rules to trigger and then updates to distribute out to the DPs.
Slowly, slowly catches monkey :).
Mike
PS: fair enough with the CAS. There might be better ways using Branchcache now but I've never played with that and it's a whole new can of worms.
ASKER
I can see that the items are deployed under the client. I am not sure how to check if they're required, but the client isn't getting a software center prompt nor do I see that anything is downloading. When I run a software update deployment cycle, updatedeployment.log just shows initiating 0 assignments.
I will wait until the sync is complete. It's taking a long time. :)
And yeah, I've read about BranchCache but I am pretty new to SCCM and there is so much to learn that it's hard to touch on everything very quickly.
I will wait until the sync is complete. It's taking a long time. :)
And yeah, I've read about BranchCache but I am pretty new to SCCM and there is so much to learn that it's hard to touch on everything very quickly.
Further things you can check.
Is anything in C:\windows\ccmcache?
Are you deployments visible for the users?
Are your deployments optional or required.
All those things will change the look and feel when deploying.
Also make sure you do not have any Group Policies in place which configure the WSUS Server on the Clients. This will not work, as SCCM configures a local WSUS Server by itself.
Is anything in C:\windows\ccmcache?
Are you deployments visible for the users?
Are your deployments optional or required.
All those things will change the look and feel when deploying.
Also make sure you do not have any Group Policies in place which configure the WSUS Server on the Clients. This will not work, as SCCM configures a local WSUS Server by itself.
Yes Branchcache is new to most people I think. That's one for another day, but it would be good to go your boss and say we can use that CAS beast for something else now and some money, if possible.
Sit tight. I think the sync log actually says "Done synchronising" as per http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-85-01-metablogapi/3250.16.1_5F00_6682D2A9.jpg
Sit tight. I think the sync log actually says "Done synchronising" as per http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-85-01-metablogapi/3250.16.1_5F00_6682D2A9.jpg
ASKER
modus, that's a good idea. Please do.
You need to look at your selection rules and the patches themselves. The log is saying:
Attempting to install 0 updates
No actionable updates for install task
Effectively "nothing to see hear move along".
I generally start with one patch to one machine that is teachable and nearby (a VM even) to make sure everything is working as you expect, then add more patches.
Mike