WSUS client configuration checks and known issues

Discussion in 'Update Services' started by Bobbie Harder \(MSFT\), Jul 15, 2005.

  1. Hi folks: Oscar, Don, and I have been pulling together some info on the
    primary client configuration pitfalls and known issues

    which may be preventing some of your clients from checking in with the
    server. After watching trends and types of questions/issues folks are
    having we thought this would be helpful. This is the latest info on ways
    to address the 2 known issues impacting client check-in, as well confas
    self-updating or updating via the latest client standalone package.

    WSUS Client configuration checks and known issues:

    Bobbie Harder, PM WSUS

    Oscar Lee, Software Design Engineer/Test WSUS

    Don Cottam, Software Test Engineer/ WSUS

    Configuration checks:

    1. Has the client in question been updated to the latest Automatic
    Updates version? AU is the WSUS client software and is required to have
    clients work with the WSUS server. AU can be used with WSUS on any
    computer that runs any of the following operating systems:

    · Microsoft Windows 2000 Professional with Service Pack 3 (SP3) or
    Service Pack 4 (SP4),

    · Windows 2000 Server with SP3 or SP4, or Windows 2000 Advanced
    Server with SP3 or SP4

    · Microsoft Windows XP Professional, with or without Service Pack 1
    or Service Pack 2

    · Microsoft Windows Server 2003, with or without SP1 Standard
    Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003,
    Datacenter Edition; Windows Server 2003, Web Edition

    WSUS requires the WSUS client, a version of Automatic Updates compatible
    with WSUS.

    The current version of the Windows Update Agent (the WSUS client component
    in AU) is determined by the version of the WUAUENG.DLL that is running in
    the \system32 subdirectory of the current Windows installation. When the
    version of WUAUENG.DLL is 5.4.3790.1000 or greater, the WSUS client (or WUA)
    is installed. A version less than 5.4.3790.1000 indicates that SUS or
    earlier AU version 1.0 is installed.

    If you have an earlier version of the AU client, it must be updated in order
    to work with WSUS. Computers running Windows XP with Service Pack 2 (SP2)
    already have the WSUS client installed.

    The AU client, when contacting the WSUS server, will automatically update
    itself to the latest WSUS version if the self-update files are properly
    setup on the server. When connected to Windows Update or Microsoft Update,
    the AU client will also be able to self-update if it is not running the
    latest version. In addition, the AU client can also be updated by using a
    signed stand-alone installation package that is available from Microsoft.

    For further instructions on how to detect the need for, and or download the
    standalone latest release version of WUA, see the Updating the Windows
    Update Agent section of the Windows Update Agent API portion of the WSUS SDK
    at: .

    On the left navigation, from Windows Server Update Services -> Windows
    Update Agent API -> Using the Windows Update Agent API -> Updating the
    Windows Update Agent.

    2. If you want AU clients to update from a WSUS server in your
    environment, be sure you have set anonymous access permissions on the
    virtual Self Update directory and that it is on a Web server running on port
    80. WSUS uses IIS to automatically update client computers to the
    WSUS-compatible Automatic Updates software version. To do this, WSUS Setup
    creates a virtual directory named Self Update, under the Web site running on
    port 80 of the computer where you installed WSUS. This virtual directory,
    called the "self-update tree", contains the WSUS-compatible Automatic
    Updates software. Earlier Automatic Updates client versions can only update
    if they find the self-update tree on a Web server running on port 80. The
    access permissions on this virtual directory must be set to allow anonymous
    access. This Automatic Updates version check is done every time the client
    checks-in with the server to detect new approved updates.

    3. Be aware of GP replication time which may cause delay in your
    clients' self-update process the first time a WSUS server and client are
    mapped. If clients have been mapped to WSUS servers using GP in an Active
    Directory environment, the timing of AU client check in with the WSUS server
    can be impacted by AD GP refresh timing (generally about every 90 to 120
    minutes depending on environment). Clients mapped to servers in a
    non-Active Directory environment can be forced to check in and update right
    away by running wuauclt/detectnow from the command prompt .

    4. Another variable that will impact client check-in behavior is the
    Automatic Updates detection frequency setting. By default, this value is
    set to the maximum of every 22 hours. This means that every 22 hours, minus
    a random offset, AU polls or checks in with the WSUS server for approved
    updates. Every time the client checks in, it also verifies it has the
    latest version of the client and if not it self-updates from the server.
    This setting can be modified via policy or by directly editing the local
    policy or registry on the client. The minimum frequency is one hour. If
    clients have been mapped to a WSUS server via local policy or direct
    registry editing, without detection forced by running wuauclt/detectnow, it
    could be up to 22 hours until that client will self-update and appear in the
    WSUS Admin Console.

    5. Imaged clients with a duplicate client ID will only appear once in the
    WSUS Admin Console. Each AU client must have a unique id which is created
    for each individual install. When imaging systems it is recommended always
    to use SysPrep. The WSUS admin console will only display one client for each
    unique ID. If you have multiple clients created from one image which are
    sharing the same ID, only one will appear in the WSUS admin console. All
    clients will check in and download updates, but only one will appear and
    display status in the WSUS admin console. In cases where clients are not
    checking in, and they were created without SysPrep, the following steps will
    reset the existing duplicative client IDs.

    a. Run regedit and go to

    b. Delete the PingID, SUSClientID and the AccountDomainSID keys (or do
    they just delete values or is it the same thing)

    c. Stop and start the Wuauserv Service

    d. From the command prompt run: wuauclt /resetauthorization /detectnow

    From the command line, once you are sure the AU client is properly
    configured and not disabled, you could run a batch file (which might look
    something like this sample) and get the same results:

    rem Fixes problem with client machines not showing up on the server due to
    imaging method

    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v
    AccountDomainSid /f

    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v
    PingID /f

    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v
    SusClientId /f


    @echo Triggering detection after resetting WSUS client identity

    net stop wuauserv

    net start wuauserv

    wuauclt /resetauthorization /detectnow

    Known Client Issues:

    1. Some clients have been impacted by a known issue in with Windows
    Server 2003 http.sys and IIS. In some cases, this transient issue will
    appear to prevent clients from checking in, because they receive invalid
    responses from the server after some attempts. It was previously believed to
    be an issue with IIS compression and there was a workaround suggested to
    disable compression, and then rename the
    %windir%\system32\inetsrv\suscomp.dll file and restart the IIS, and the
    Update Services service.
    Further Investigation shows the problem source to be a known condition with
    IIS and http.sys, which is not related to compression, and for which there
    is an available hotfix. It is not recommended to disable compression as
    this will not impact the problem source, and possibly increase network
    traffic & server load, while reducing the number of clients you can
    effectively serve. Further information about the issue and obtaining the
    hotfix can be found: .

    2. AU clients have been impacted by an issue under investigation with the
    current W2K SP4 rollup 1 distribution package if installed via Express
    Install. Investigation so far reveals that when this update rollup package
    is installed as an Express Install, it can damage the existing client
    msxml3.dll. When this happens, the AU client will not be able to detect,
    or check in, with the server. Detection will fail with a 0x80244001 error.
    Microsoft is currently investigating the best fix to this issue. To verify
    this issue might be preventing your client from detecting, check the file
    size of the msxml3.dll on any W2k SP4 client which has installed the Update
    Rollup, but has not checked in with the WSUS server. If the msxml3.dll file
    has been damaged, the file size will appear as zero. To repair the damaged
    file, download and reinstall MSxml3.dll SP5 from here:

    Hope this helps and let us know if you have any questions- thanks,
    Bobbie Harder
    Program Manager, WSUS

    This posting is provided "As Is" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    Bobbie Harder \(MSFT\), Jul 15, 2005
    1. Advertisements

  2. I would like to add that the "reg" command does not install/exist by default
    under Windows 2000. This command line utility can be acquired by installing
    the support tools from the Windows 2000 media (<cd>:/Support/Tools).

    Other than that, thanks for the info Bobbie, Oscar, and Don.
    neo [mvp outlook], Jul 16, 2005
    1. Advertisements

  3. Yes.. much thanks for the summary .... can we get this posted to a web page
    so we can simply cite the URL for the hundreds of people who will continue
    to post questions covered by these items, rather than citing the thread
    and/or reposting the content in the newsgroup?

    one additional note from reading the KB898708 article concerning the hotfix
    for the IIS/http.sys issue -- the hotfix requires Service Pack 1 to be
    installed to the Windows Server 2003. It would be useful to note if anybody
    has experienced this issue on a Windows Server 2003 RTM system or a Windows
    2000 Server system -- where the hotfix will not be applicable.
    Lawrence Garvin, Jul 18, 2005
  4. Thanks for the feedback and additional notes. We'll get the summary posted
    on the Wiki and in the blog accessible from the product page (MS.Com)
    community site cearly this week.
    Also a clarification on the last item in the summary; this condition does
    not occur on all Xpress installs of the W2k SP4 rollup. We have only seen a
    very few cases reported, and it was quite difficult to repro.


    Bobbie Harder
    Program Manager, WSUS

    This posting is provided "As Is" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    Bobbie Harder \(MSFT\), Jul 18, 2005
  5. Bobbie Harder \(MSFT\)

    pooch Guest

    pooch, Jul 18, 2005
  6. Bobbie Harder \(MSFT\)

    teh Guest


    It is a great summary. But, I wish to find out whether XP Home support WSUS ?

    If I have configured the WSUS to used other port, for example,
    http://localhost:8530. I still need to setup the IIS for client to access to
    http://localhost/selfupdate ?

    teh, Sep 19, 2005
  7. Officially, no, but if you set the Automatic Updates configuration
    through registry entries, XP Home will be updated by the WSUS server.

    In the Automatic Updates client configuration, for server address:
    If WSUS is on port 80 (default), use http://WSUSservernamehere
    If WSUS is on port 8530, use http://WSUSservernamehere:8530
    Torgeir Bakken \(MVP\), Sep 19, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.