troubleshooting Question

Client PC's denied access to Windows Updates using WSUS on Windows Server 2012 R2.

Avatar of evollic
evollic asked on
Windows Server 2012WSUS
6 Comments1 Solution1823 ViewsLast Modified:
TL,DR: Migrating to new WSUS server, Old WSUS works fine, just decommissioning. Client PC's can talk to WSUS to see what updates they need. When they go to download them they get an error and can't download. The WSUS server logs show denied access even though they have access.

Long Version:
Migrating to new WSUS server. Old server is Server 2003 running WSUS 3.2.7600.274 and WID. New WSUS server is a fresh Windows Server 2012 R2 Std. build. Installed DHCP, DNS, File and Storage Services, IIS, and WSUS roles (and all other features needed to run the roles). New server has all Windows Updates installed. Only other software installed is McAfee EndPoint Security (no firewall activated or turned on, only threat protection). WSUS ver. 6.3.9600.18324 Port 8530.

Ran WSUS wizard on new server. Pointed WSUS content store locally, to D:\WSUS. Using WID. Configured new server as a downstream server to grab all approved/disapproved updates and computer group from old server. (This helps to not have to transfer all the update files and database, 120+GB worth...)

Once Synced to old server, I changed options to sync to Microsoft. Went through other settings to copy the Products and Classifications, Update Files and Languages, Computer Assignments, and Email notifications. Basically mirrored all the old server settings.

Followed the MS guide for WSUS install/permissions.
Gave permission on D:\WSUS: Network Service - Full control
Domain Users - Read, List, Execute, Special Permissions Create files/write data Create folders/append data
Domain Admins - Full Control
WSUS Administrators - Full Control
Had to add permissions for those accounts to the root of D: as well.

IIS setup on the new server:
I checked the WSUS Administration content folder and can open it from the IIS console and see the proper listing of folder/files. New server is on port 8530, old site is port 80. Permissions mirrors the content folder.

Made a test GPO to point computers to new server and computer group. Test computer (Windows 7 Pro, all computers in network will be the same build of OS) gets the correct server and group settings so it does call the new server (registry key shows this). Computer sees an update it needs (I went ahead and approved only one new update on the new server to prove that it needs an update). When you click install it fails with error code 80244017 on the computer, details of the two errors:

Source: Windows Error Reporting
EvenID: 1001
Level: Information

Fault bucket 2406445264, type 29
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_05b42282

Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64


Fault bucket , type 0
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_cab_00501e8c

Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64


Looking on the new WSUS server you see this error:

Log Name: Application
Source: Windows Server Update Services
Event ID: 12072
Task Category: 9
Level: Error
Keywords: Classic

The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)

Now to troubleshoot this. From the user computer I can manually browse to \\NEWSERVER\WSUSContent. I can see all the folders and open/execute them from Explorer so user permissions seem to be set properly.

Ran Procmon on New Server and found these errors:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:29:34.7771538 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:34.7849925 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6010850 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6084621 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:43.5853384 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6074142 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6216802 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0428396 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0812699 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0941561 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:49.3002955 PM","w3wp.exe","15128","CreateFile","C:\Windows\System32\config\systemprofile\AppData\Roaming","ACCESS DENIED","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"3:29:50.1045416 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\anonymousCheckFile.txt","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4605213 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4638890 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4832755 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"


From what I can see I have the proper permissions in place but obviously I don't somewhere. Any ideas where else to look?
ASKER CERTIFIED SOLUTION
Peter Hutchison
Senior Network Systems Specialist

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 6 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 6 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros