• Save
Common WSUS Errors Codes - Decoded and Resolved
 

Common WSUS Errors Codes - Decoded and Resolved

on

  • 7,501 views

For more information on Patch Manager, visit: http://www.solarwinds.com/patch-manager.aspx ...

For more information on Patch Manager, visit: http://www.solarwinds.com/patch-manager.aspx

This presentation decodes common WSUS error codes as well as how to resolve them!

Part 1
• HTTP errors

Part 2
• Configuration errors
• Security errors
• Other errors

Statistics

Views

Total Views
7,501
Views on SlideShare
7,501
Embed Views
0

Actions

Likes
4
Downloads
0
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.
  • 1. Using WSUS effectively to apply updates to new installations baselined at the most recent service pack level. (e.g. XP SP3, Vista SP1 machines) a. First step: Identify an organizational baseline for all new machine installations. b. Ensure this baseline is achieved before allowing the machine to connect to the WSUS Server. (For retail purchases, this may require manual installation of a service pack.) c. Configure the server and synchronize. d. Approve ALL updates that are not superseded by the baseline service pack AND are not superseded by other updates. e. After installation of the approved non-superseded updates is completed, review the update status of the computers and identify any other updates still reported as needed that were not previously approved. Determine if these updates need to be installed, and approve accordingly.

Common WSUS Errors Codes - Decoded and Resolved Common WSUS Errors Codes - Decoded and Resolved Presentation Transcript

  • Author Lawrence Garvin, WSUS MVPCommon WSUS Error Codes Decoded & Resolved
  • Agenda Part 1 » HTTP errors Part 2 » Configuration errors » Security errors » Other errorsModify This Footer: View -> Header & Footer - Slide 2 -
  • HTTP Errors Finding subcodes in IIS logs 401 – 0x80190191 / 0x80244017 403 – 0x80190193 / 0x80244018 404 – 0x80190194 / 0x80244019 407 – 0x80190197 / 0x8024401B
  • IIS Logfiles
  • IIS Logfiles 2010-11-09 00:14:51 ::1 POST /reportingwebservice/reportingwebservice.asmx - 80 - ::1 Mozilla/4.0+ (compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 0 2010-11-09 00:14:51 ::1 POST /ApiRemoting30/WebService.asmx - 80 ONSITECHIS$ ::1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 0 2010-11-09 00:14:51 ::1 POST /ServerSyncWebService/serversyncwebservice.asmx - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 10 2010-11-09 00:14:51 ::1 POST /ClientWebService/Client.asmx - 80 - ::1 Mozilla/4.0+(compatible; +MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 0 2010-11-09 00:14:51 ::1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - ::1 Mozilla/4.0+ (compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.4016) 200 0 0 10
  • IIS Logfiles Remote console session failure (Authentication failure) » 2010-11-09 00:14:51 ::1 POST /ApiRemoting30/WebService.asmx - 80 ONSITECHNoAdmin ::1 Mozilla/4.0+(compatible; +MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.40 16) 401 1 0 0 Windows Update Agent detection failure (Anonymous Access removed) » 2010-11-09 00:14:51 ::1 POST /ClientWebService/Client.asmx - 80 - ::1 Mozilla/4.0+(compatible; +MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.40 16) 401 2 0 0
  • IIS Logfiles 2010-01-16 01:26:15 ::1 POST /ApiRemoting30/WebService.asmx - 80 - ::1 Mozilla/4.0+ (compatible; +MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50 727.4016) 401 1 5 941 2010-01-16 01:26:17 ::1 POST /ApiRemoting30/WebService.asmx - 80 ONSITECHIS$ ::1 Mozilla/4.0+(compatible; +MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50 727.4016) 200 0 0 2463.
  • HTTP Errors Finding subcodes in IIS logs 401 – 0x80190191 / 0x80244017 403 – 0x80190193 / 0x80244018 404 – 0x80190194 / 0x80244019 407 – 0x80190197 / 0x8024401B
  • HTTP ErrorsError Code 0x80190191/0x80244017 (HTTP 401)Caused by missing or removed Anonymous Accesspermissions on: » Default Web Site » WSUS Administration » Virtual directoriesCaused by missing Integrated Windows Authenticationon APIRemoting30
  • HTTP Errors Error Code 0x80190191/0x80244017 (HTTP 401) 401.1 Access denied due to invalid credentials » Attempt to connect WSUS console with account credential that is not a member of WSUS Administrators or BUILTINAdministrators 401.2 Access denied due to server authentication method » Website or virtual directory does not have anonymous access enabled » APIRemoting30 virtual directory does not have Integrated Windows Authentication enabled 401.3 Access denied due to ACL on resource » Filesystem permissions have been modified » Security Configuration Wizard template has been applied
  • HTTP Errors Finding subcodes in IIS logs 401 – 0x80190191 / 0x80244017 403 – 0x80190193 / 0x80244018 404 – 0x80190194 / 0x80244019 407 – 0x80190197 / 0x8024401B
  • HTTP ErrorsError Code0x80190193/0x80244018 (HTTP 403)Typically caused by a proxy server or firewall interfering withaccess to the WSUS Server. » Verify correct proxy client configuration for WinHTTP » Verify correct proxy server configuration » Verify correct firewall rules (80, 443, 8530, 8531) » Also caused when SSL is improperly enabled on the WSUS Server
  • HTTP ErrorsError Code0x80190193/0x80244018 (HTTP 403)403 All access is denied » Proxy server is blocking access to the target URL403.1 Execute access denied » The virtual directories do not have Execute: Scripts Only permissions403.2 Read access denied » Rarely seen, but would be caused by removing READ permissions from the web resource
  • HTTP ErrorsError Code0x80190193/0x80244018 (HTTP 403)403.4 SSL is required » Attempt to connect to port 80 or 8530 when SSL is required » Connect using port 443 or 8531403.7 Client SSL certificate is required » SSL is enabled for WSUS, but the SSL certificate is not installed on the client system
  • HTTP ErrorsError Code0x80190193/0x80244018 (HTTP 403)403.6 Client IP Address is rejected » Web resource is blocking access based on source IP address403.8 Client DNS name is rejected » Web resource is blocking access based on source DNS name
  • HTTP Errors Finding subcodes in IIS logs 401 – 0x80190191 / 0x80244017 403 – 0x80190193 / 0x80244018 404 – 0x80190194 / 0x80244019 407 – 0x80190197 / 0x8024401B
  • HTTP ErrorsError Code0x80190194/0x80244019 (HTTP 404)Typically caused by a missing self-update virtual directoryor a missing update file in the store, depending on thecontext in which the error is encountered: » Verify presence of selfupdate virtual directories » Verify presence of physical file in ~WSUSContent Run wsusutil reset to download missing content
  • HTTP ErrorsError Code0x80190194/0x80244019 (HTTP 404)404 Resource not found » Content file is missing from filesystem404.1 Web site does not exist or is inaccessible on specifiedport » Port suffix of configured URL does not match the installation port.404.2 Web service extension lockdown policy prevents request » IIS Web Service Extensions are misconfigured (e.g. ASP.NET v1.1 is enabled instead of ASP.NET v2.0)404.3 MIME map policy prevents request » MIME mappings for website are not correct for EXE or CAB
  • HTTP Errors Finding subcodes in IIS logs 401 – 0x80190191 / 0x80244017 403 – 0x80190193 / 0x80244018 404 – 0x80190194 / 0x80244019 407 – 0x80190197 / 0x8024401B
  • HTTP ErrorsError Code0x80190197/0x8024401B (HTTP 407)Caused by a proxy server refusing access because ofinvalid proxy credentials » The proxy credentials are missing or incorrect on the client » The proxy credentials configured on the client do not have access to use the proxy server » The proxy credentials configured on the client are explicitly blocked from accessing the target URL
  • Agenda Part 1 » HTTP errors Part 2 » Configuration errors » Security errors » Other errors
  • Configuration Errors Error Code - 0x80072ee5 Invalid URL Most common cause is the presence of trailing slashes in the URL resulting in a double slash in the URL sent in the HTTP request. Remediation is to inspect and correct the URL; the correct URL format is: » http://wsusservername » http://wsusservername:8530
  • Configuration Errors Error Code - 0x80072ee6 Unrecognized Scheme Intranet Update server URL(s) have missing or invalid characters Most common causes: » using backslashes instead of forward slashes (http:wsusserver) » using UNC pathnames in the URL (wsusserver) Remediation is to inspect and correct the URL
  • Configuration Errors Error Code - 0x80072ee7 Name Not Resolved WSUS Servername is not resolvable to an IP Address » An entry error in the URL » The hostname is not in DNS » The client is not querying the correct DNS server(s)
  • Configuration Errors Error Code - 0x80072efd Cannot Connect The WUAgent gets no response from the targeted URL; this can be caused by a number of infrastructure defects: » Incorrect hostname in URL resulting in return of incorrect IP Address » Incorrect DNS entries resulting in return of incorrect IP Address » Invalid/Incorrect IP Address in URL » Incorrect gateway or routing tables » WSUS server is offline
  • Agenda Part 1 » HTTP errors Part 2 » Configuration errors » Security errors » Other errors
  • Security Errors Error Code - 0x800710dd Removal of the NT AUTHORITYAuthenticatedUsers group from the BUILTINUsers group on the WSUS Server IUSR_machinename password does not match On some early Windows XP/2003 systems, a defective security descriptor for the Automatic Updates service or BITS could cause this » If the Automatic Updates service or BITS was ever DISABLED, the security descriptor is corrupted
  • Agenda Part 1 » HTTP errors Part 2 » Configuration errors » Security errors » Other errors
  • Other Errors Error Code 0x8024400E/SOAP 0x190 most commonly caused by a metadata defect in the Office 2003 Service Pack 1 update package for WSUS Remediation: » Upgrade to WSUS 3 Service Pack 1 » Install KB954960
  • Other Errors Error Code 0x8024400E/SOAP 0x190 Just today!! I saw this error logged when the Network Service account was unable to access a locally installed instance of SQL Server® where the WSUS database was migrated from W.I.D. to SQL Server. Remediation: » On a locally installed instance, manually create a SQL Login for the NT AUTHORITYNetwork Service account and assign it to the database user that is a member of the webservice database role » On a remote instance, manually create a SQL Login for the DOMAINMACHINES account of the front-end server, assign it to the MACHINES database user or create a MACHINES database user account, and assign that database user to the webservice database role
  • Other Errors Error Code 0x8024400D/0x80244015/SOAP 0x12c Primary documented cause: misconfiguration of a load balancing scenario » Not using a common back-end database server for the nodes of the load balancing cluster » http://blogs.technet.com/b/sus/archive/2008/10/29/wsus-clients » In the real world, this most often occurs where duplicate SusClientIDs exist May also occur » In a misconfigured DNS Round Robin scenario, or » Where duplicate hostnames are inadvertently configured in DNS
  • Helpful Resources Hope these tips help you decode commonWSUS errors. To free up more of your time, try SolarWinds Patch Manager Watch Video Test Drive Live Demo Ask Our Community Download 30-day Free Trial Click any of the links above - Slide 32 -
  • Author: Lawrence Garvin, WSUS MVP Thank You! Feedback or questionslawrence.garvin@solarwinds.com