WSUS - Workstations not updating

Hello.

I have a few devices on WSUS (WS2008 R2) in following state (see attachment). Some of them are turned off so I understand why they haven't installed updates yet or why I see an older date in Last Status Report column. But some of them are connected and available over a network. Nothing has changed since I used commands wuauclt /detectnow, /reportnow  or /resetauthorization (repeatedly).

I connected to these devices remotely and perform these commands but nothing happened.

I also made a batch file and run it on all domain devices:
net stop wuauserv
net start wuauserv
wuauclt /resetauthorization /detectnow
wuauclt /reportnow

Didn't work either.

Also I've waited a couple of days for any change. Nothing happened.

I appreciate any help.
wsus.PNG
LVL 13
Hello ThereSystem AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bbaoIT ConsultantCommented:
do you see any other similar system (having the same OS version and build number or the same hardware configuration) NOT having the same problem.

if the similar systems do exist and they have the same issue, you may work out a pattern to determine the symptom then hopefully determine the reason.
0
Hello ThereSystem AdministratorAuthor Commented:
Sorry. I don't see any pattern.
0
Seth SimmonsSr. Systems AdministratorCommented:
how is the gpo configured?  it is supposed to install on a certain day and time?
0
OWASP: Forgery and Phishing

Learn the techniques to avoid forgery and phishing attacks and the types of attacks an application or network may face.

Hello ThereSystem AdministratorAuthor Commented:
It's set up to check for updates every 22 hours (default I guess) and updates are supposed to be installed daily at 9 am.

I don't see where you point to. GPO settings are fine. They are working on hundreds of computers.
0
Hello ThereSystem AdministratorAuthor Commented:
Anybody?
0
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerCommented:
I've been going through this myself.   Script I have been using is:

net stop wuauserv
net stop bits
REG DELETE “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate” /v AccountDomainSid /f
REG DELETE “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate” /v PingID /f
REG DELETE “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate” /v SusClientId /f
RD /s /q %windir%\SoftwareDistribution
net start wuauserv
net start bits
wuauclt /resetauthorization /detectnow

Open in new window


and so far, it's worked on all but one client that I've tried it on.  

 The reasons for a client not reporting appear to be many, and this script attacks a number of those in that:

1. It deletes the registry keys so they get re-created.
2. It flushes the software distribution folder, which gets rid of any corrupt files.
3. It forces a re-authorization.

 Run the script, then give the station 30 minutes or so to see if it appears in WSUS.

Jim.
0
Hello ThereSystem AdministratorAuthor Commented:
Thank you. I will come back with a feedback.
0
Hello ThereSystem AdministratorAuthor Commented:
I ran this script three times and nothing changed.
0
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerCommented:
Sorry for the delay in getting back....I wanted to check on a few other things I had done.

As I mentioned, there seems to be a lot of different reasons why this can fail.   While the script I posted seems to hit most, it most certainly does not cover all.   That's why when you search the internet, you find a lot of different things with some saying "that did it for me" and others "did not work here".

In any case, here are the other things I did besides using the script I posted:

1. I started running the Adamj Clean-WSUS script.

   I used to do this manually, but started using this script and it works well.  Basically it gets rid of all the junk in WSUS.    It's important to do this because if things like drivers are included, then the number of updates processed can cause a client to exceed defaults in IIS for the app pool that WSUS uses, and the operation will time out (I did increase the setting before I did the script and you still might want to do that as well, but the script should be enough).

  That script can be found here:

   https://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus


2. I setup a GPO to populate two update settings for the clients:

Set the intranet statistics server:
Set the alternate download server:

I set these the same as the WSUS server

http://wsusServerName:portnumber 

  For me, the port number was 8530.  To check the servers a client is pointed to, do this at a CMD prompt on the client:

  reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

 and it will list the servers.

3. Made sure I could contact the WSUS server from the client.   From a browser:

 http://wsusServerName:portNumber

  Port is usually 8530.   You should get a "403 - Forbidden: Access is denied."

Then try:

http://wsusServerName:portnumber/selfupdate/wuident.cab

  You should get a prompt for a file download.  

4. On a couple stations, I had to manually kick-off an update telling it to check on-line for updates rather than using the WSUS server.   After getting caught up on updates, the station would start to report.

 I had over a dozen stations on one network not reporting and these steps took care of all.

 But if none of that helps, then I would check the windowsupdate.log file for clues as to what might be happening.

Jim.
1
Hello ThereSystem AdministratorAuthor Commented:
I will be back with a feedback after Christmas.
0
Hello ThereSystem AdministratorAuthor Commented:
Thanks to all! Finally I resolved my issue.
I had to delete all superseded updates. After that and running my custom script (described above) I resolved my issue.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerCommented:
Interesting.

Since we talked here, I've now got two stations that are stuck and non-reporting.   I've tracked it down to the client web services reporting an error of   Text/HTML being returned rather than Text/XML with an error code of 0x80240439.   I can't tell though if that is just because the WSUS is returning an HTML error for some reason or what.  Interestingly enough, I can manually browse the WSUS site from the client, and don't get any errors.    Client will also work fine going to Microsoft for updates, but not the internal site, so it appears that something is wrong with the internal site.

Not sure what it's trying to do and I'm trying to track that down now (haven't looked at the IIS logs as yet).

I've also got a side issue though with one of the stations with an un-related piece of software which is now returning the same error when trying to perform an update, so it may still be something with these stations.  I'll report back here if I find the cause.

Bottom line: there are many, many things that can cause a workstation to not update.

Glad to hear you found a solution though!

Jim.
0
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
I've heard recently that the amount of updates to check can cause clients hanging and/or not reporting, because some pool memory is getting exhausted, so reducing the amount of updates presented to the client is something you should try. Declining old superseded updates is one way to do that (but you shouldn't do that for recent updates, unless they are not required for installation anymore).
0
Hello ThereSystem AdministratorAuthor Commented:
...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.