WSUS Client Issues

Check Your Windows 10 machine to see that the registry key is present at HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate and its sub key AU

The whole key was missing for me on some machines and caused them to not report. You may need to recreate it.

Muhammad

Yes I checked that on the three computers I sent the logs with

All have the AU sub key with values

Hi, Thomas

You need to install a special update for WSUS to allow recognize Windows 10 Clients.

https://support.microsoft.com/en-us/kb/3095113

Hector

1. KB3095133 is already installed

2. Disagree with using WID that causes many problems with WSUS and in all the Docs I read and videos I watch I did not see or hear anyone say use WID is best practice.
I have WSUS 3.0 using a SQL database for years no major issues When I first started using WSUS I used the WID and had so many problems I switched to SQL That is going backwards not forward
I think it is another issue but can not figure out what

I hope you guys can help me figure this out

Thanks

Guys

I was trying things

in IE I go http://wsus.mydom.com:8530  I get blank page

I have a WSUS 3.0 server running
when I do the same  http://wsus2.mydom.com  I get IIS 7 display

WSUS 3.0 use port 80

WSUS 4.0 using port 8530

Is that a problem?

Am I getting somewhere?

I was able to move wsus to port 80

used wsusutil usecustomwebsite false
Using port 80 now

I can now goto http://wsus.mydom.com  it now shows iis site

I update my GPO to change the uri and removed the port 8530

I did a gpupdate /force on several machines
ran
wuauclt /resetauthorization /detectnow
wuauclt /reportnow

I will see what happens


Update

Still not Yet reporting

What can we do here?

I found this tool from solarwinds Diagnostic Tool for the Windows Server Update Service

Install it on the client and then run it gives you a health report of you WSUS Agent.

On the Computers that connected but are not report yet I get this three error conditions

See attached text

On my windows 10 computer which is not connected I get additional errors

One being the client is out of date which is probably why it does not connect

see attached
WSUS-Client.txt
wsus-client.txt

Update the solorwinds tool does not work well with Windows 10
I ran a powershell command
(Get-ChildItem 'c:\windows\System32\wuauclt.exe').versioninfo.productversionI
my version is 10.0.10586.17   I think that is current

My windows 10 windowsupdatelog shows this

Agent           Unable to query IsInventoryRequired service property hr=8024043d
  Misc            Got WSUS Client/Server URL:http: // wsus.mydom.com:8530 /clientWebService/client.asmx
 ProtocolTalker  ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
 http: // wsus.mydom.com:8530 /clientWebService/client.asmx
 ProtocolTalker  PT: Calling GetConfig on server
 WebServices     Auto proxy settings for this web service call.
 WebServices     WS error: There was an error communicating with the endpoint at
 http: // wsus.mydom.com:8530 /clientWebService/client.asmx

WebServices     WS error: The server returned HTTP status code '500 (0x1F4)' with text 'Internal Server Error'.
 WebServices     WS error: The server was unable to process the request.
 WebServices     Web service call failed with hr = 8024401f.
 WebServices     Current service auth scheme=0.
 WebServices     Current Proxy auth scheme=0.
 ProtocolTalker  PTError: 0x8024401f
 ProtocolTalker  GetConfig_WithRecovery failed 0x8024401f
 ProtocolTalker  RefreshConfig failed 0x8024401f
 ProtocolTalker  RefreshPTState failed 0x8024401f
 ProtocolTalker  SyncUpdates round trips: 0
 ProtocolTalker  Sync of Updates 0x8024401f
 ProtocolTalker  SyncServerUpdatesInternal failed 0x8024401f
 Agent           Failed to synchronize, error = 0x8024401F
 Agent           Exit code = 0x8024401F


Please help going on week 2 without this working

Check the MIME types on the IIS.
Maybe you have some of those MIME Types repeatedly declared.
Go to IIS Manager, Click WSUS Website features view, Select MIME Types, and delete the wrong MIME Type from there.
Restart the website and check if you can Download updates now.

Hector

I looked at the mine types they all look ok to me

What am I looking for exactly?

From the WSUS-Client.txt log

WSUS Server Connectivity -- Unable to connect to the remote server
  clientwebservice/client.asmx:Error:Client found response content type of 'text/html; charset=utf-8', but expected 'text/xml'.

Hector

So many entries in the Mime types

I found these

.htm         text/html
.html        text/html
.hxt           text/html


Is that what you mean?

What do I do ?>

Check if there are some double defined.
Check if .asmx is defined, it should not.

Read this article on Microsoft site: https://social.technet.microsoft.com/Forums/en-US/40db1b27-6215-4bba-8a9b-fb55203d84f8/clients-no-longer-downloading-updates-error-8024401f?forum=winserverwsus

Maybe is a permissions issue.

Hector

No duplicates that I can find.
.asmx  is NOT defined.

In the article I see the guy added everyone read permissions on the WSUS folder
I added that

Went to one machine and entered wauaclt /resetauthorization /detectnow  waiting to see

tried wuauclt /detectnow and wuauclt /reportnow  also I will give it about 15 minutes to see

Hector

after about 30 min still not reporting

windowsupdatelog

WebServices     WS error: There was an error communicating with the endpoint at
 http: // wsus.mydom.com:8530 /clientWebService/client.asmx

WebServices     WS error: The server returned HTTP status code '500 (0x1F4)' with text 'Internal Server Error'.
 WebServices     WS error: The server was unable to process the request.
 WebServices     Web service call failed with hr = 8024401f.



Also when I run wsusutil checkhealth

I get event id 12022 the client web service is not working

Sorry Thomas, I ran out of bullets.
And I have to leave now, tomorrow if this isnt solved I will try again.

Hello Thomas,
I was thinking, what if you try to do a fresh install of WSUS?
You can follow this excelent EE article steps: https://www.experts-exchange.com/articles/18543/Installing-Configuring-and-Managing-WSUS.html

Hector

I have done that already many times

This is not a solution

The errors should be helpful but they are not

Could you explain in detail your instalation procedure step by step.
I think you are making the same mistake over and over.
Please, talk to us about that.

Hector

To uninstall I went to Tools ADD/Remove Roles Features

Removed IIS , WSUS

After removal restarted server.

After server started went into SQL and deleted the WSUS database.
Went to my E Drive and deleted the WSUS folder and all sub folders content etc.

Restart the server once more

Added WSUS role which installs IIS
after the install completes I run the postinstall process
Then the postinall process turns into the deployment process
This takes a long time
Then I start up the WSUS console and configure the options
I do not pick all the products for the init sync so it runs faster.

Then the clients
wuauclt /resetauthorization /detectnow

This is how I have done many wsus installs

This is my first 6.3 version of WSUS

I have all the patches already installed
One question would be should I remove them and reinstall them in some sort of order?

Thanks

Update

I will follow Seths article tonight and see if it makes any difference
I do see he created a certificate and I never did that

Will post with results

I think that the use of SSL and certificate is an optional step. Not esential.

good luck.

Hector,

no where in Seths article does it talk about the fixs need to be put on WSUS 6.3

Also does not talk about HTTP Activation Setting for Net Frame work 3.5 and 4.0

Thoughts

Hector

The Server Certificate does not exist on my server as shown in that article

Update

After following the instruction that seths except for SSL I get the same results

Downloading WSUS Client Diag Tool

On My Windows 10  and all others get same results


WSUS Client Diagnostics Tool

Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS

GetFileVersion(szEngineDir,&susVersion) failed with hr=0x80070002

The system cannot find the file specified.


Press Enter to Complete


Also same results all computers except for my Windows 10 connect but do not report

This error still happens in windowsupdatelog on all computers

WebServices     WS error: The server returned HTTP status code '500 (0x1F4)' with text 'Internal Server Error'.
  WebServices     WS error: The server was unable to process the request.
  WebServices     Web service call failed with hr = 8024401f.

Hector

I have it now using SSL https://wsus.mydom.com:8531

That means I followed all the instructions except for the options settings did not do them yet

Still no change computers not reporting still
Windows 10 not even communicating to the wsus 6.3 server

Puzzeled

Guys

If we can figure out what this error is it will resolve this issue for my computers not yet reporting

WebServices     WS error: The server returned HTTP status code '500 (0x1F4)' with text 'Internal Server Error'.
   WebServices     WS error: The server was unable to process the request.
   WebServices     Web service call failed with hr = 8024401f.


My windows 10 computer is another story

ok.

I have seen this error before:

GetFileVersion(szEngineDir,&susVersion) failed with hr=0x80070002

This is the error that shows up when running Microsoft WSUS Diag tool in an x64-based computer. Use the Solarwind WSUS diag tool instead. On my article Understanding Windows Update Agent you can find the URL.

WebServices     WS error: The server returned HTTP status code '500 (0x1F4)' with text 'Internal Server Error'.
   WebServices     WS error: The server was unable to process the request.
   WebServices     Web service call failed with hr = 8024401f.

This error is on the WindowsUpdate.log file of all clients?

I think that the problem may be on the IIS, but cant see a way to solve it. The reinstallation should do the magic.

Hector

Yes same error on all clients

The reinstall did not fix it

I am getting these error now also

Event 13042  Self-Update in not working

Event 12002 The Reporting Web Service is not working

Event 12012 The API Remoting Web Service is not working

Event 12032 The Server Synchronization Web Service is not working

Event 12022 The Client Web Service in not working

Event 12042 The SimpleAuth Web Service is not working

Event 12052 The DSS Authentication Web Service is not working

Event 12072 The WSUS content directory is not accessible

Wow, many events. I have search the web for each one, read and try this steps: (hope the solution is in some of them)

Event 13042  Self-Update in not working

    Event Type: Error
    Event Source: Windows Server Update Services
    Event Category: Clients
    Event ID: 13042
    User: N/A
    Computer: WSUS01
    Description: Self-update is not working.

To fix the issue, follow these steps:

   

• Open IIS Manager and ensure there is a Selfupdate virtual directory in the Default Web Site. If not, create it with the Local Path pointing to C:\Program Files\Update Services\Selfupdate.

 

• Click the Directory Security tab and ensure that Anonymous Access is allowed.

 

• Restart IIS.

Verify that the problem is fixed by running the following command at the command prompt:
C:\Program Files\Update Services\Tools\wsusutil.exe checkhealth

Then examine the Application event log for the following event:

    Event Type: Error
    Event Source: Windows Server Update Services
    Event Category: Clients
    Event ID: 10000
    User: N/A
    Computer: WSUS01
    Description: WSUS is working correctly.


As background, WSUS clients must connect to the SelfUpdate virtual directory to check for a new version of the WSUS client before checking for new updates. This always happens anonymously over port 80, even if WSUS is configured to use a custom port, such as port 8530.

Event 12002 The Reporting Web Service is not working

I would start by verifying that the /ReportingWebService resource is properly configured in IIS.

Correct configurations can be found in the WSUS Technical Reference Guide: IIS Settings for WSUS 3.0 SP2 Web Services. (Valid also for WSUS higher versions).

Event 12012 The API Remoting Web Service is not working
Event 12032 The Server Synchronization Web Service is not working
Event 12042 The SimpleAuth Web Service is not working

Try this: http://jackstromberg.com/2013/10/windows-update-services-multiple-errors-in-event-viewer-event-id-1205212042-12022-12032-12012-1200213042/

Event 12022 The Client Web Service in not working

As microsoft expert said here:

When you enabled anonymous access on the site and virtual directories (which is, generally, the correct configuration), you may have overdone it and also enabled anonymous access on the APIRemoting30 virtual directory -- which should not have anonymous access.

Disable anonymous access on the APIRemoting30 virtual directory and set it to require Integrated Windows Authentication and Digest Authentication, and that should restore connectivity to your console.

Event 12052 The DSS Authentication Web Service is not working

Go into IIS/Web Services Extensions. In the right pane you will see all the Web Service Extensions, if you have done any updates to .NET so make sure that the status of all ASP.NET versions is "ALLOWED".

Also, take a look at these links :

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=.NET+Framework&ProdVer=2.0.50727&EvtID=12052&EvtSrc=Windows+Server+Update+Services&LCID=1033

http://www.eventid.net/display.asp?eventid=13042&eventno=8857&source=Windows%20Server%20Update%20Services&phase=1

Event 12072 The WSUS content directory is not accessible

Did somebody recently try to relocate the WSUSContent folder? or change the ACLs?

Here are the relevant questions:

   

• What is the actual physical pathname of the WSUSContent folder?

 

• What is the pathname configured in IIS for the /Content v-dir?

   

• What is the pathname configured in the registry value "ContentDir" in HKLM\Software\Microsoft\Update Services\Server\Setup?

Hector

After checking all the above I ran this
 wsusutil.exe usecustomwebsite true
form your posting
Try this: http://jackstromberg.com/2013/10/windows-update-services-multiple-errors-in-event-viewer-event-id-1205212042-12022-12032-12012-1200213042/

What that did was turn off the SSL and now I only get this one
Event 12022 The Client Web Service in not working

this I checked from above

Event 12022 The Client Web Service in not working
As microsoft expert said here:

 When you enabled anonymous access on the site and virtual directories (which is, generally, the correct configuration), you may have overdone it and also enabled anonymous access on the APIRemoting30 virtual directory -- which should not have anonymous access.

 Disable anonymous access on the APIRemoting30 virtual directory and set it to require Integrated Windows Authentication and Digest Authentication, and that should restore connectivity to your console.

the  APIRemoting30 virtual directory  has anonymous disabled
Windows Authentication is Enabled
Digest Authentication does not exist in my IIS


We are not back to a week ago when I only had the 12022 error all the time

What is wrong with this IIS installation?

Could this have any thing to do with the IUSR account on this server?  I don't seem to have one
I thought IIS created this account when it was installed?

The is a Domain Joined server

Thoughts

On Windows 2012R2 there is no IUSR account.

Hint: Have you ever try WSUSOffline? Maybe if you run it on the WSUS server it will install any missing update. You can also use it to update clients.

Going back to the IIS issue. Have you verified the physical path to the WSUS folders and its configuration on IIS?

Hector

I thought that IUSR was not part of Windows 2012 just was not sure

WSUS  Offline NO and not really interested in another product at this time
WSUS 6.3 should be working and I SHOULD NOT BE HAVING THIS ISSUE

I have checked all the virtual directories and yes they are all defined

As far as the IIS configuration goes well WSUS when you install the Role installs IIS for you.
I have not seen any documentation on how to setup IIS for WSUS  All I find is how to install and setup WSUS which is not hard to do.

The Event 12022 The Client Web Service in not working   Is the issue here I know if we figure out this one and we get WSUS Is Working message instead of EVENT 12022 when you run wsusutil checkhealth then the clients will report I am sure that is the only stumbling block here

I hope you/someone can figure this out I am at wits end trying

Thoughts

Hector

What are the proper NTFS permissions for the Update Services folder which contains Webservices folder which contains all the virtual directories

I tried to add Network Service Account to the permissions but it will not let me greyed out.

I made this NTFS Permission report for you.

r = read
w = write
x = execute

And this is a photo of the advanced settings on the IIS for the ClientWebService virtual directory:

TreeSize-Professional-Details-for-U.xlsx

Hector

The image you placed overlayed your txt info


Please repost

It is not a text, is a XLSX file attached.

Hector

I see I will compare and report back

Hector

I think I have that same program on my system somewhere

What command line parameters did you run ?

Not a command, just use the GUI for the Update Services folder. Then Export if you like.

Ok great

Hector

you have treesize PRo?  my version of treesize does not show owner and permissions

Yes, Pro. But to solve this problem you don't need TreesizePro, just verify your folder's permissions on the Security tab manually one by one.

Hector I noticed on the web services folder for example it has server/users server/administrators

That looks like it is using local accounts shouldn't it be the domain users and domain administrators on all the virtual directories?

Since this is in a domain

Domain administrators are members of local Administrators security group.
That is the default setting for any domain joined member server.
Is any difference in your server?

I will check that account

Ok the domain users is in the local group users and domain administrators is in the local administrators group

Now I need to check all the settings on the folder

Hector

Checked all the folder permissions

Found all look fine.

Some had more accounts listed
Logfiles Administrators is Full yours was +r+w_x  SYSTEM same
UpdateServicePackages Same as above
WSUSContent Same as above

So it looks like the permissions on the folder update services is ok

Need this error solved which I believe is causing the clients not to connect.

Thoughts

This is resolved

Built a new Windows 2012 R2 VM using SQL 2012 Enterprise.

Looks like WSUS 6.3 does not support/Work with SQL 2014

Thanks Hector for all your time and effort