Common WSUS Issues in Deployment Operations and Diagnostics


Tips & Solutions for Common WSUS Issues

• Documentation
• Database Engine
• Target Group Management

• Superseded updates
• Server Cleanup Wizard

• Content Downloading
• Duplicate SusClientID
• High CPU Utilization
• Client Diagnostics Tool
• WindowsUpdate.log

Published in: Technology

  1. Author: Lawrence Garvin, WSUS MVP
      Common WSUS Issues in Deployment, Operations, and Diagnostics: Tips & Solutions
  2. Tips & Solutions for Common WSUS Issues
      Deployment
        » Documentation
        » Database Engine
        » Target Group Management
      Operations
        » Superseded updates
        » Server Cleanup Wizard
      Diagnostics
        » Content Downloading
        » Duplicate SusClientID
        » High CPU Utilization
        » Client Diagnostics Tool
        » WindowsUpdate.log
  3. Deployment: Documentation
      Release Notes (Must Read)
        » (WSUS v3 SP1)
        » (WSUS v3 SP2)
      WSUS Overview (New to Windows Update or WSUS)
        » Step By Step Guide (First Time Installation)
        » Deployment Guide (Advanced Installations)
        » Operations Guide (How to Use WSUS)
        » TechNet Library (Online)
  4. Deployment: Database Engine
      Windows Internal Database vs. SQL Server® Express Edition
      SQL Server Express limited to 4GB database size
        » SQL 2008 R2 increases to 10GB
      SQL Server Express limited to 1 CPU
      SQL Server Express limited to 1GB RAM
      Windows Internal Database not limited
  5. Deployment: WSUS Target Groups
      Two groups created at installation
        » Unassigned Computers
        » All Computers
      Default group assignment methodology is Server-Side Targeting
      Groups defined in policy must be manually created on the WSUS server
      There is NO association between Active Directory® OUs and WSUS Target Groups, except that OUs are a method to convey a policy setting to a group of client systems
  6. Deployment: WSUS Target Groups
      Grouping strategies:
        » By installed operating system
            • E.g. Windows XP®, Windows 2003, Windows 2008, Windows 7
        » By function or purpose
            • E.g. DomainControllers, SQL, Microsoft Exchange Server®
        » By location
            • E.g. Corporate, Seattle, Miami, Australia
        » These strategies can all be used together
      Groups can be hierarchical
      Clients can belong to multiple groups
  7. Deployment: WSUS Target Groups
  8. Deployment: WSUS Target Groups
  9. Deployment: WSUS Target Groups
  10. Deployment: WSUS Target Groups
      WSUS Server = Server; Policy = Enabled
        » Server will permit assignment of group memberships
        » Client will ignore changes made at the server because it believes it is authoritative
        » Client will scan/report based on the group(s) assigned in the GPO
  11. Deployment: WSUS Target Groups
      WSUS Server = GP; Policy = Not Enabled
        » Server will prohibit assignment of group memberships
        » Client will query WSUS Server for current group membership(s)
        » Client will scan/report based on the group(s) last assigned at the server
        » New clients will be assigned to Unassigned Computers
  12. Operations: Superseded Updates
      Handling superseded updates
        » All superseded updates will be reported as Needed until an update in the chain is installed.
        » The Windows Update Agent (WUA) can recognize a superseded update and that a superseding update is available.
        » Ensure update is superseded for all applicable platforms.
        » Declining unneeded superseded updates assists in performance by reducing WUA scanning overhead.
  13. Operations: Selecting superseded updates to decline
  14. Operations: Server Cleanup Wizard
  15. Operations: Server Cleanup Wizard
  16. Operations: Server Cleanup Wizard
      Recommended frequency of execution
        » Minimum: The Server Cleanup Wizard should be executed at least monthly. The most ideal time is after your monthly Patch Tuesday cycle, when new updates have been approved, and the Agent has now reported older updates as NotApplicable.
        » Recommended: If you have auto-approval rules in place for Definition Updates, particularly for Forefront Client Security, you should be using the Server Cleanup Wizard on a weekly basis.
  17. Operations: Server Cleanup Wizard
      Recommended order of execution
        1. Delete computers – reducing number of computers in the database reduces the query effort to identify machines with “Needed” updates in later phases.
        2. Decline expired updates – This is usually a very short list, particularly if the option to auto-decline expired revisions is approved.
        3. Decline superseded updates – The update must not have an active approval or be reported as needed by any client. Older updates that were approved previously must be manually reset to Not Approved.
        4. Delete expired updates/revisions – This is the most resource intensive step because it requires removing rows from the database, which requires the rewriting of associated index files.
        5. Delete unneeded files – Once all updates have been set to the correct approval status or deleted, then the deletion of files will have the most effective result.
  18. Operations: Server Cleanup Wizard
      Special considerations for use in a Replica environment.
        » Assign all approvals/declinations; complete all downloads.
        » Synchronize all servers and verify servers are idle.
        » Disable synchronization on all servers.
        » Run Server Cleanup Wizard on all servers.
        » Manually synchronize all servers and confirm no unexpected changes.
        » Re-enable synchronization on all servers.
  19. Diagnostics: Content Downloading – General Notes
      Apparent slow downloading – Understanding BITS
      Issues affecting download failures on the WSUS Server are logged in the Application Event Log of the WSUS Server
      There are two commonly encountered download failures:
        » HTTP v1.1 Range Protocol Header
        » Write Access Denied on non-SYSVOL volume
  20. Diagnostics: Content Downloading – Range Protocol Header
      The Background Intelligent Transfer Service (BITS) requires the use of HTTP v1.1 Range Protocol Headers in order to support download and resume functionality.
      Some third party firewall and proxy server appliances and software either do not support, or have not been properly configured by default, to support the full capabilities of HTTP v1.1.
      Most notably this occurs in older SonicWall appliances.
        » SonicWall has documented the necessary configuration changes on their support website.
  21. Diagnostics: Content Downloading – Access Denied
      A long standing defect in the .NET Framework v2.0 installer fails to properly configure permissions for the NT AUTHORITY\Network Service account on volumes other than SYSVOL.
      When WSUS is then configured to place the ~\WSUSContent folder on a non-SYSVOL volume, WSUS is unable to write to the content store.
  22. Diagnostics: Content Downloading – Access Denied
      The remediation is to add READ permissions to the ROOT of the non-SYSVOL volume for the Network Service account.
  23. Diagnostics: Duplicate SusClientID
      Caused, almost exclusively, by cloning physical or virtual machines from a master image containing a SusClientID registry value.
      Manifests in a number of different possible ways.
        » The most common is by the continual appearance and disappearance of machines in the WSUS Admin Console, marked by a fixed number of machines always in the list. The fixed number indicates the actual number of unique SusClientIDs in the environment.
        » It may also manifest as error codes 0x80070002, 0x80070006, 0x80072ee2, 0x80072efd, 0x80072efe, 0x8007400D, or 0x80244015 in the WindowsUpdate.log.
  24. Diagnostics: Duplicate SusClientID
      This issue, with WUA v5.8 (WSUS v2), was resolvable by using the -reseal parameter with sysprep. This worked because the WUA also maintained a value named AccountDomainSID, and used that value to determine if the SusClientID needed to be regenerated (anytime the AccountDomainSID no longer matched the machine SID).
      This feature was removed in the WUA v7 (WSUS v3) client, leaving sysprep -reseal a non-functional solution to this issue.
      Good News!: New capabilities have been added to the WUA v7.4 (WSUS v3 SP2) client, which will now auto-detect the presence of duplicate SusClientIDs and automatically generate a new (unique) SusClientID.
  25. Diagnostics: Duplicate SusClientID
      Best: Upgrade to WSUS v3 SP2 and WUAgent v7.4
      Preferred: Remove the SusClientID value from the master image before cloning.
      Post-cloning: Remove the SusClientID value from each cloned machine and restart the AU service (or reboot).
      See KB903262 for remediation details.
  26. Diagnostics: SVCHOST.EXE 100% CPU Utilization
      WSUS v2.0/WUA v5.8 (Upgrade to WSUS 3.0 SP1 and apply KB927891)
      WUA v7.1.6000.65, the WSUS 3.0 SP1 native client (Upgrade WSUS to Service Pack 2 and update WUA to v7.4.7600.226)
      Large number of updates installed on Microsoft Office® 2003 (Reinstall Office 2003; apply Service Pack 3)
      Outlook® 2003 installed on Office XP® (SBS2003 environments with Office XP on desktop) (Upgrade Office XP to Office 2003)
      Undeclined superseded updates on WSUS server (Decline superseded updates)
  27. Diagnostics: SVCHOST.EXE 100% CPU Utilization
      WUA v7.4.7600.226, the WSUS 3.0 SP2 native client and a conflict with the Group Policy setting “Download missing COM components”
        » US/winserverwsus/thread/daf131c5-6a4f-45d1-a03f-c39cea436b6f
  28. Diagnostics: Client Diagnostics Tool
      is a console application (command-line only)
      is a 32-bit application (not available for 64-bit)
      was written for WSUS v2 (knows nothing about WSUS v3)
      can be downloaded from the MS Download Center or from the “Tools and Utilities” link on the WSUS Home Page
        » 8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
  29. Diagnostics: Client Diagnostics Tool
      Tests four areas of interest
        » The machine state (Rights, Services, WUA version)
        » AU Settings
        » Proxy Configuration (WinHTTP, IE)
        » Ability to connect to the WSUS Server (selfupdate).
  30. Diagnostics: Client Diagnostics Tool
      CDT – Machine State
  31. Diagnostics: Client Diagnostics Tool
  32. Diagnostics: Client Diagnostics Tool
      CDT – AU Settings
  33. Diagnostics: Client Diagnostics Tool
      CDT – Proxy Configuration
  34. Diagnostics: Client Diagnostics Tool
      CDT – WSUS Server Connection
  35. Diagnostics: WindowsUpdate.log
      Located in %windir% (usually C:\WINDOWS)
      Is a rolling log file (~30 days or 2MBytes)
      Detailed analysis guide contained in KB902093
      Key areas of interest:
        » Service startup
        » Selfupdate Check
        » Detection
        » Downloading
        » Reporting
  36. Diagnostics: WindowsUpdate.log – Service startup
  37. Diagnostics: WindowsUpdate.log – Service startup
  38. Diagnostics: WindowsUpdate.log – Service startup
  39. Diagnostics: WindowsUpdate.log – Service startup
  40. Diagnostics: WindowsUpdate.log – Service startup
  41. Diagnostics: WindowsUpdate.log – Service startup
  42. Diagnostics: WindowsUpdate.log – Selfupdate check
  43. Diagnostics: WindowsUpdate.log – Detection
  44. Diagnostics: WindowsUpdate.log – Detection
  45. Diagnostics: WindowsUpdate.log – Detection
  46. Diagnostics: WindowsUpdate.log – Detection
  47. Diagnostics: WindowsUpdate.log – Download
  48. Diagnostics: WindowsUpdate.log – Reporting
  49. Helpful Resources
      Hope these tips help you quickly solve your WSUS errors. To free up more of your time, try SolarWinds Patch Manager.
  50. Author: Lawrence Garvin, WSUS MVP
      Thank You! Feedback or
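
Slide 17's order of execution, scripted as an added example (not part of the original deck): each Server Cleanup Wizard phase runs as its own pass through the WSUS administration API, and a failure stops the run before later phases. The mapping from the slide's step names to `CleanupScope` properties and the function name are this example's assumptions.

```powershell
# Added example. Run on the WSUS server in an elevated PowerShell session.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Slide 17 step -> CleanupScope properties (this mapping is the example's assumption).
$Phases = @(
    @{ Step = '1. Delete computers';                 Flags = @('CleanupObsoleteComputers') }
    @{ Step = '2. Decline expired updates';          Flags = @('DeclineExpiredUpdates') }
    @{ Step = '3. Decline superseded updates';       Flags = @('DeclineSupersededUpdates') }
    @{ Step = '4. Delete expired updates/revisions'; Flags = @('CleanupObsoleteUpdates', 'CompressUpdates') }
    @{ Step = '5. Delete unneeded files';            Flags = @('CleanupUnneededContentFiles') }
)

function Invoke-OrderedWsusCleanup {
    param($UpdateServer = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer())

    $manager = $UpdateServer.GetCleanupManager()
    foreach ($phase in $Phases) {
        # A fresh scope with only this phase enabled, so phases never run together.
        $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
        foreach ($flag in $phase.Flags) { $scope.$flag = $true }

        $timer = [Diagnostics.Stopwatch]::StartNew()
        try {
            $r = $manager.PerformCleanup($scope)
        } catch {
            # Stop: file deletion is only effective after the earlier phases finish.
            Write-Error "$($phase.Step) failed: $($_.Exception.Message)"
            return
        }
        [pscustomobject]@{
            Step                = $phase.Step
            Seconds             = [int]$timer.Elapsed.TotalSeconds
            ComputersDeleted    = $r.ObsoleteComputersDeleted
            ExpiredDeclined     = $r.ExpiredUpdatesDeclined
            SupersededDeclined  = $r.SupersededUpdatesDeclined
            UpdatesDeleted      = $r.ObsoleteUpdatesDeleted
            RevisionsCompressed = $r.UpdatesCompressed
            BytesFreed          = $r.DiskSpaceFreed
        }
    }
}

Invoke-OrderedWsusCleanup | Format-Table -AutoSize
```

In a replica environment, run it only inside the window slide 18 describes, with synchronization disabled on all servers.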
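
For the duplicate SusClientID problem on slides 23 to 25, an added example (not from the deck or KB903262) that groups a client inventory by SusClientId to list the cloned machines and resets the ID on an affected machine. The function names and inventory rows are constructed for illustration; clearing `SusClientIdValidation` and calling `wuauclt /resetauthorization /detectnow` go beyond the slide's wording.

```powershell
# Added example; function names and sample rows are constructed for illustration.

# Runs on a client and reports its current SusClientId.
function Get-SusClientId {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; SusClientId = $props.SusClientId }
}

# Groups inventory rows by ID; any ID held by more than one machine is a clone set.
function Find-DuplicateSusClientId {
    param([Parameter(Mandatory = $true)][object[]]$Inventory)
    $Inventory | Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = @($_.Group | ForEach-Object { $_.ComputerName })
            }
        }
}

# Post-cloning fix from slide 25: remove the value and restart the AU service.
function Reset-SusClientId {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SusClientId')) { return }
    Stop-Service -Name wuauserv -Force
    # SusClientIdValidation is cleared too (an addition beyond the slide's wording).
    foreach ($name in 'SusClientId', 'SusClientIdValidation') {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv
    # Ask the agent to re-register with WSUS under its newly generated ID.
    & "$env:windir\System32\wuauclt.exe" /resetauthorization /detectnow
}

# Constructed inventory: two clones of one image plus one healthy machine.
$sample = @(
    [pscustomobject]@{ ComputerName = 'PC-101'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-102'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-103'; SusClientId = '22222222-aaaa-4bbb-8ccc-000000000002' }
)
Find-DuplicateSusClientId -Inventory $sample
# Live collection: Invoke-Command -ComputerName $names -ScriptBlock ${function:Get-SusClientId}
# On each clone:   Reset-SusClientId -WhatIf   (drop -WhatIf to apply)
```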
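
An added example (not part of the deck) that scans a WindowsUpdate.log, located as slide 35 describes, for the error codes slide 23 associates with duplicate SusClientIDs. The log lines are constructed samples in the date, time, PID, TID, component, text layout, and the function name is hypothetical.

```powershell
# Added example; the function name and the sample log lines are constructed.
# Error codes slide 23 lists for duplicate SusClientIDs, lower-cased for comparison.
$SusIdCodes = '0x80070002', '0x80070006', '0x80072ee2', '0x80072efd',
              '0x80072efe', '0x8007400d', '0x80244015'

# Pre-Windows 10 WindowsUpdate.log columns: date, time, PID, TID, component, text.
$LinePattern = '^(?<date>\d{4}-\d{2}-\d{2})\s+(?<time>[\d:]+)\s+(?<procid>\S+)\s+' +
               '(?<tid>\S+)\s+(?<component>\S+)\s+(?<text>.*)$'

function Find-WuaErrorCode {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -notmatch $LinePattern) { continue }    # skip blank or malformed lines
        $entry = $Matches
        # Codes appear with or without the 0x prefix, in either letter case.
        foreach ($m in [regex]::Matches($entry['text'], '\b(?:0x)?(8[0-9A-Fa-f]{7})\b')) {
            $code = '0x' + $m.Groups[1].Value.ToLower()
            if ($SusIdCodes -contains $code) {
                [pscustomobject]@{
                    When      = "$($entry['date']) $($entry['time'])"
                    Component = $entry['component']
                    Code      = $code
                    Text      = $entry['text']
                }
            }
        }
    }
}

# Constructed sample lines; the last one carries a code that is not on slide 23's list.
$sampleLog = @'
2012-03-14 09:01:12:345  904 a4c AU   AU setting next detection timeout
2012-03-14 09:01:14:101  904 a4c Misc WARNING: Send failed with hr = 80072ee2.
2012-03-14 09:01:14:120  904 a4c PT   WARNING: SyncUpdates failure, error = 0x80244015
2012-03-15 09:03:40:007  904 b10 AU   WARNING: Search failed with error 0x8024400E
'@ -split "`r?`n"

Find-WuaErrorCode -Line $sampleLog |
    Group-Object -Property Code |
    Select-Object Count, Name

# Live use: Find-WuaErrorCode -Line (Get-Content "$env:windir\WindowsUpdate.log")
```

These codes also have other causes, so treat hits as a prompt to compare SusClientId values across the affected machines.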