RhoSysAdmin asked:

WSUS clients do NOT see approved updates from WSUS server

This is a follow-up question to one I posted just last week where none of our WSUS clients had reported a status in the past 30 days. After getting past the failed .NET patch on our (W2K19) WSUS server, every client is now reporting a status. The WSUS console does show that clients are in need of patches that are approved for install.


But the Win 10 clients I've checked show NO update history, and no patches needed despite the fact that the WSUS console says otherwise.  I should note that the Win 10 clients I've checked have recently had O365 installed - with updates configured to be downloaded directly from Microsoft.  


The couple of test servers I've checked DO show update histories, but they also fail to see the approved updates waiting for them on the WSUS server.


I've tried resetting a test WSUS client, but it does not resolve the issue. I wanted to post this now while I'm still poring through event logs to see if anyone has seen this before.


I'll provide more details should I find any additional clues.  



Seth Simmons:

But the Win 10 clients I've checked show NO update history, and no patches needed despite the fact that the WSUS console says otherwise.

if you run a report for one of those systems, does the status show updates as 'approved' and 'not installed'?

RhoSysAdmin (ASKER):

The report shows "Install" for approval and "Not installed" for status.

have you tried to stop the windows update service, deleting all of the files in \windows\softwaredistribution, starting the windows update service and doing another check?
I tried it on a Windows 10 client and it detected zero updates.

I would blame it on the Office 365 updates, but it's happening to every client, O365 or not, Win 10 or Win Server *.

KH
wsus doesn't have any updates needing files does it?
The WSUS server hasn't found anything that it thinks it needs to install when running the update check against its own downloads.  I allowed it to check online with Microsoft and it found some we have not approved yet. So I'm allowing these to install now - which will take some time.

I'm also seeing the following error in the app event log :

Log Name:      Application
Source:        Windows Server Update Services
Date:          12/15/2021 9:06:38 PM
Event ID:      10032
Task Category: 7
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      <mywsusserver>.com
Description:
The server is failing to download some updates.
Event Xml:

ASKER CERTIFIED SOLUTION
Seth Simmons

This solution is only available to members.

Post reboot of the WSUS server (after installing all available updates), the 12002 error (The Reporting Web Service is not working) and 1309 ASP.NET warning events my previous question asked for help with have re-appeared and clients are no longer reporting their status at all.

So we're back where we started....

Previous discussion: ALL of our WSUS clients have failed to report their status in more than 30 days

Previous (and now current) error events :

Log Name:      Application
Source:        Windows Server Update Services
Date:          12/16/2021 1:32:18 PM
Event ID:      12002
Task Category: 9
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      WSUS.xxxxxx.com
Description:
The Reporting Web Service is not working.
Event Xml:


Log Name:      Application
Source:        ASP.NET 4.0.30319.0
Date:          12/16/2021 1:03:17 AM
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      WSUS.xxxxxx.com
Description:
Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 12/16/2021 1:03:17 AM 
Event time (UTC): 12/16/2021 6:03:17 AM 
Event ID: 78fa1e0f13fe43bbb67cd150e1d57136 
Event sequence: 26886 
Event occurrence: 32 
Event detail code: 0 
 
Application information: 
    Application domain: /LM/W3SVC/1558258880/ROOT-16-132839353019997346 
    Trust level: Full 
    Application Virtual Path: / 
    Application Path: C:\Program Files\Update Services\WebServices\Root\ 
    Machine name: WSUS 
 
Process information: 
    Process ID: 3872 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 
 
Exception information: 
    Exception type: HttpException 
    Exception message: A potentially dangerous Request.Path value was detected from the client (<).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

 
 
Request information: 
    Request URL: http://wsus.xxxxxx.com:8530/cgi-bin/search=<script>alert('XSS')</script> 
    Request path: /cgi-bin/search=<script>alert('XSS')</script> 
    User host address: 10.2.36.72 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
 
Thread information: 
    Thread ID: 58 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)


After reviewing SoftwareDistribution.log, I hope to be going in the right direction now.  There are a bunch of errors. But it's hard to tell which error is key. To start with, we have 100+ of the following:

Source File: /c/msdownload/update/software/crup/2021/11/aspnetcore-runtime-5.0.12-win-x64_4922f60dcb21f8c227e2ba022138eefc7ac70d9f.exe 
Destination File: E:\WsusContent\9F\4922F60DCB21F8C227E2BA022138EEFC7AC70D9F.exe
2021-12-17 18:32:11.151 UTC    Info    WsusService.16    EventLogEventReporter.ReportEvent    EventId=364,Type=Error,Category=Synchronization,Message=Content file download failed.
Reason: There are no more endpoints available from the endpoint mapper.


We also have 300+ of this error mixed in with the above

2021-12-17 19:21:33.945 UTC    Error    WsusService.11    HmtWebServices.CheckReportingWebService    Reporting WebService SoapException:System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.Internal.Reporting.WebService' threw an exception. ---> System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. Reason: Server is in script upgrade mode. Only administrator can connect at this time.


I've tried "C:\Program Files\Update Services\Tools>WsusUtil.exe postinstall" from an administrative prompt, but it didn't change anything.

I've confirmed the permissions for "NETWORK SERVICE" to the root of the WSUSContent drive and made sure it has full permissions to "WsusContent".  

This server worked until the 2021-09 CU for W2K19 failed to install on 11/8/2021. It has since been replaced by the 2021-10 CU and the 2021-11 CU.

Hoping someone has been down this road.





Server is in script upgrade mode.

that is a problem
what database is being used?
seems to indicate SQL is being patched or upgraded causing WSUS issues
if someone was doing something with the database, try restarting the WSUS service; could have been a transient error
We're using the built in database. The server has been rebooted multiple times.  This has been an issue for a month.

Can we move the DB from the built-in to a SQL server?  Or do we need to start over and build a new server that uses a separate SQL server for its database?  Or remove WSUS, the DB, the content, and start over completely, setting up WSUS to use an external SQL server (assuming that's an option)?

At this point, I just need something that works.

Can we move the DB from the built-in to a SQL server?

sure

Migrating the WSUS Database from WID to SQL

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/manage/wid-to-sql-migration
Given the mountain of errors in our SoftwareDistribution.log, should I uninstall everything on the existing server and redo from the ground up, this time pointing to an external SQL server? I can't tell from the error whether I have a content problem or a database problem.

Is there any benefit to deleting the contents of our WsusContent directory and running a "wsusutil.exe reset"?  We "kind of" did this once already, although I think we failed to run the "wsusutil.exe reset" immediately after deleting the contents of WsusContent.  So it's possible we made things worse.
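
Added example, not part of the original thread: one way to sort the SoftwareDistribution.log errors quoted above into database versus content-download groups and count them by stated reason. The category labels, function names and sample entries are this example's own, constructed from the excerpts in the thread.

```python
import re
from collections import Counter

# Constructed sample modeled on the thread's excerpts (third entry is invented filler).
SAMPLE_LOG = r"""
2021-12-17 18:32:11.151 UTC    Info    WsusService.16    EventLogEventReporter.ReportEvent    EventId=364,Type=Error,Category=Synchronization,Message=Content file download failed.
Reason: There are no more endpoints available from the endpoint mapper.
2021-12-17 18:32:12.410 UTC    Info    WsusService.16    EventLogEventReporter.ReportEvent    EventId=364,Type=Error,Category=Synchronization,Message=Content file download failed.
Reason: There are no more endpoints available from the endpoint mapper.
2021-12-17 18:40:00.000 UTC    Info    WsusService.16    Example.Method    Constructed informational entry.
2021-12-17 19:21:33.945 UTC    Error    WsusService.11    HmtWebServices.CheckReportingWebService    Reporting WebService SoapException: ---> System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. Reason: Server is in script upgrade mode. Only administrator can connect at this time.
"""

HEADER = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} UTC\s+"
    r"(?P<level>\w+)\s+(?P<thread>\S+)\s+(?P<source>\S+)\s+(?P<msg>.*)$"
)
# Category labels are this example's own, not WSUS terminology.
RULES = [
    ("database", re.compile(r"SqlException|Login failed for user")),
    ("content-download", re.compile(r"Content file download failed")),
]
REASON = re.compile(r"Reason:\s*([^.\n]+)")

def records(text):
    """Yield one dict per entry, folding continuation lines into the message."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current and line.strip():
            current["msg"] += "\n" + line.strip()
    if current:
        yield current

def triage(text):
    """Count error entries by (category, reason)."""
    counts = Counter()
    for rec in records(text):
        # Event 364 is logged at Info level but carries Type=Error in its text.
        if rec["level"] != "Error" and "Type=Error" not in rec["msg"]:
            continue
        category = next((n for n, rx in RULES if rx.search(rec["msg"])), "other")
        reason = REASON.search(rec["msg"])
        counts[(category, reason.group(1).strip() if reason else "")] += 1
    return counts
```

Calling `triage()` on the real log text and printing `most_common()` gives the per-reason totals; entries that match neither rule land under "other".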
you could start over. I had frequent console errors doing certain things when using WID but rebuilt with SQL express and have had no issues since. Not sure what would happen if you kept the content folder; it might just create new folders and download it again as what you have is currently mapped in the database.
So a local install of SQL express is an option rather than using an external SQL server (with a full SQL install)?

yes sql express is an option
It appears a "wsusutil.exe reset" plus (re)enabling the Windows Firewall has fixed my issues (wrt clients reporting update history and downloading newly approved updates) for all but one stubborn server.  Every other client is showing their update history locally, and downloading newly approved updates from the WSUS server.

I have one W2K19 server that is only showing the updates I applied manually (last night) in the update history. Funny thing is when you go to "uninstall updates" the complete list of updates IS there. I've tried resetting the client (while removing it from the WSUS console at the same time). It re-appeared in the WSUS console, but it's still not showing the history in "View Update History".

It's been more than 24 hours since I reset the WSUS client info. Even though this seems to be a minor glitch, I still would prefer to see a proper update history list.

Any ideas?