Mohammed. Athif Khaleel
[MVP SUS/ WSUS]
Based on my experience in Automatic Updates with Software Update Services (SUS), I am adding a few troubleshooting steps which you can try in resolving issues related to Automatic Updates. Well, this is my approach, and based on the feedback from folks on the communities at SUSserver.com, these steps have helped in resolving many issues.
In the first place, make sure the Automatic Updates policies (the WUAU.ADM template from Group Policy) are applied, and run GPRESULT to see the applied GPOs. Download
to see the policies applied to that particular client. Additionally, you can use the Group Policy Management Console (GPMC) to ensure the AU-related policies have been applied.
If you are in
make sure you deploy the correct registry entries. For more information
on the necessary registry configuration, see my
Manipulating SUS Settings through the Registry
Confirm the client's AU settings and ensure they are set the way you intend. A simple way is to use the REG.EXE command to dump out the policy settings from the client's registry. In Windows XP this tool is part of the operating system's native commands. In NT and Windows 2000 you'll need the Resource Kit to add this tool.
Use the following syntax:
Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
Here's an example:
NoAutoUpdate REG_DWORD 0x0
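An added example, not part of the original article: a Python sketch that parses REG.EXE output for the policy key above and flags settings that keep a client from using the SUS server. The sample output is constructed; the value names WUStatusServer and UseWUServer are the standard Automatic Updates policy values and are assumptions here, and the IP-address check follows the recommendation made later in this article.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of `reg query ... /s` output; not taken from a real client.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://susserver
    WUStatusServer    REG_SZ    http://192.0.2.10

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    UseWUServer    REG_DWORD    0x0
"""

# A value line is "<name> <REG_type> <data>"; key-path lines never match.
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_output(text):
    """Return {value_name: data} from REG.EXE output; DWORDs become ints."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, kind, data = m.group(1), m.group(2), m.group(3).strip()
            values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values

def host_is_ip(url):
    """True when the URL's host part is a literal IP address."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def audit(values):
    """Return a list of findings for the parsed AU policy values."""
    findings = []
    if values.get("NoAutoUpdate", 0) != 0:
        findings.append("NoAutoUpdate is set: Automatic Updates is disabled")
    if values.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: client ignores WUServer")
    for name in ("WUServer", "WUStatusServer"):
        url = values.get(name)
        if not url:
            findings.append(f"{name} is missing")
        elif not host_is_ip(url):
            findings.append(f"{name} uses a host name, not an IP address: {url}")
    return findings
```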
Once the settings are in place, let's set some sort of permissions. If you already had URLScan installed prior to installing SUS and it is set to block all *.exe files, the SUS install doesn't change that URLScan setting, so the client computers will not be able to download any of the patches or updates. To correct this problem, you need to change urlscan.ini to allow *.exe requests, and then restart Internet Information Services (IIS) or restart the SUS server, as detailed here:
Check the following, C:\WINNT\system32\inetsrv\urlscan.
Then you might want to change your "urlscan.ini".
Have a look at How to install and Use
the IIS Lockdown Wizard
Add the following setting in the urlscan.ini:
And remove ".exe" from...
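An added example, not part of the original article: a Python sketch that reads a urlscan.ini and reports whether requests for .exe files would be rejected, which is the condition described above that stops clients from downloading updates. The sample file is constructed; the section and option names ([options] UseAllowExtensions, [AllowExtensions], [DenyExtensions]) are URLScan's standard ones and are assumptions here, since they do not appear on this page.

```python
import configparser

# Constructed urlscan.ini fragment; not copied from a real server.
SAMPLE_INI = """\
[options]
UseAllowExtensions=0   ; 0 = reject what [DenyExtensions] lists

[DenyExtensions]
; executables that can run on the server
.exe
.bat
.cmd

[AllowExtensions]
.htm
.cab
"""

def load_urlscan(text):
    """Parse urlscan.ini text; extension sections hold bare keys without values."""
    cp = configparser.ConfigParser(
        allow_no_value=True, delimiters=("=",), strict=False,
        interpolation=None, inline_comment_prefixes=(";",))
    cp.read_string(text)
    return cp

def section_keys(cp, name):
    """Lower-cased entries of a section, or an empty set if it is absent."""
    return set(cp[name]) if cp.has_section(name) else set()

def extension_blocked(cp, ext):
    """Return (blocked, reason) for a request ending in `ext`, e.g. '.exe'."""
    ext = ext.lower()
    raw = cp.get("options", "UseAllowExtensions", fallback="0") or "0"
    if raw.strip() == "1":
        # Allow-list mode: anything not listed is rejected.
        if ext in section_keys(cp, "AllowExtensions"):
            return False, f"{ext} is listed in [AllowExtensions]"
        return True, f"UseAllowExtensions=1 and {ext} is not in [AllowExtensions]"
    # Deny-list mode: only listed extensions are rejected.
    if ext in section_keys(cp, "DenyExtensions"):
        return True, f"{ext} is listed in [DenyExtensions]"
    return False, f"{ext} is not in [DenyExtensions]"
```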
For those interested, you can view an on-demand replay of the webcast
on URLScan at:
In many cases, I have seen it's always a Library download error in windows update.log. As part of troubleshooting, you can try to see if you can download the file iuident.cab successfully from the workstation (http://YOUR-SUS-SERVER/iuident.cab).
If not, go to the next step.
Permissions play an important role in Automatic Updates with SUS, so make sure you have effective IIS & NTFS permissions. Make sure on your SUS SERVER:
ANONYMOUS ACCESS on the Default Website, selfupdate, autoupdate and content.
EVERYONE should have at least READ permission.
Web Anonymous User, IUSR & IWAM users may have READ & EXECUTE, LIST FOLDER CONTENTS & READ permission on C:\SUS - Content.
If you have a Proxy Server within your network, make sure:
In your computer's LAN settings, the "Automatically detect settings" check box is NOT selected.
Bypass SUSSERVER from IE Tools - Internet Options - Connections - LAN settings - Advanced and add the IP address of your SUS server.
Run the WinHTTP Proxy Configuration utility (PROXYCFG.EXE) from a Command Prompt to see the Bypass List.
Note that the AU client is dependent on the Proxy
Have a look at Event Viewer for any errors & warnings, AND have a look at the client's C:\windows\windows update.log for the V4 Windows Update component and C:\windows\windowsupdate.log for the V5 Windows Update component.
For more information, see my
Why do my Clients show two Windows Update Log
Have a look at the AU State, AU STATE:
Reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto
For More Information, check out
Explaining AU States.
You can use the log parser on Wayne's Site
PDX Consulting to parse your IIS log and
look for detailed client activity.
Automatic Updates uses the Background Intelligent Transfer Service (BITS) to download the patches. Here you will find answers to common questions pertaining to BITS. BITS will try to resolve the SUS-SERVER-NAME in the first place, so make sure you have a proper DNS HOST RECORD in your local DNS server. If you are in a Workgroup environment, don't worry: you can EDIT the workstation's HOSTS file found at C:\WINDOWS\system32\drivers\etc\hosts to add IPADDRESS HOSTNAME, where IPADDRESS is your SUS server IP with its HOSTNAME/NETBIOS NAME.
Bitsadmin tool (it's on the WinXP CD -
to list the jobs & what they are reporting:
to see what is
in the queue. Here are a few Bitsadmin Examples. This tool really helps in troubleshooting AU Clients.
In the worst case, I would delete everything under "C:\Program Files\WindowsUpdate\" and "C:\WUTEMP\" or "C:\Program Files\WindowsUpdate\wuaudnld.tmp\" while waiting to install the patches & then manually go to windowsupdate.com and at least install any one of those missing patches and then use SUS later on, which will restore/recreate any corrupt files.
I would suggest using the IP ADDRESS as the SUS SERVER NAME in SET OPTIONS on SUSADMIN instead of the NetBIOS name. I have seen many issues with BITS struggling to resolve the NETBIOS NAME, and in such cases this works a treat. Also, while configuring AU clients via GPO or REGEDITS, use the IP ADDRESS instead of the NETBIOS NAME in WUServer &
Sometimes in WindowsUpdate.log you may see that
even after configuring Automatic Updates to use
SUSServer, it goes to Windowsupdate.com as shown
02-03 11:47:29-0000 804 634 PT: Using
2005-02-03 11:47:29-0000 804 634
Using server URL
2005-02-03 11:47:29-0000 804 634
URL for server is
This is because of the following Registry value,
which is pointing to windowsupdate.com:
C:\>Reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto
! REG.EXE VERSION 3.0
You have to DELETE the following "ODFFileURL" registry value from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto
Restart the machine, which will also restart the Automatic Updates service. Now, force the update detection and monitor the logs.
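An added example, not part of the original article, of the log check described above: it scans WindowsUpdate.log text for lines that name a server URL and reports any whose host is not the expected SUS server, so a client that quietly falls back to windowsupdate.com stands out. The log lines are constructed; the timestamp prefix and the "Using server URL" wording follow the excerpt above, the rest of each line is an assumption because that excerpt is truncated, and 192.0.2.10 stands in for your SUS server.

```python
import re
from urllib.parse import urlparse

# Constructed log lines. The prefix mirrors the excerpt above; the URLs and
# the text around them are assumptions, since the page's excerpt is truncated.
SAMPLE_LOG = """\
2005-02-03 11:47:29-0000  804 634 PT: Using server URL = http://windowsupdate.com/
2005-02-03 11:47:29-0000  804 634 URL for server is http://windowsupdate.com/
2005-02-04 09:12:03-0000  804 71c PT: Using server URL = http://192.0.2.10/autoupdate
2005-02-04 09:12:04-0000  804 71c Library download error
"""

# Leading timestamp (the UTC offset is skipped), then the rest of the line.
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S*\s+(.*)$")
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def servers_contacted(log_text):
    """Yield (timestamp, host) for every timestamped line that mentions a URL."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # truncated or continuation lines carry no timestamp
        for url in URL.findall(m.group(2)):
            host = urlparse(url).hostname
            if host:
                yield m.group(1), host.lower()

def off_server_lines(log_text, expected_hosts):
    """Return (timestamp, host) pairs whose host is not an expected SUS host."""
    allowed = {h.lower() for h in expected_hosts}
    return [(ts, host) for ts, host in servers_contacted(log_text)
            if host not in allowed]
```

Pass both the IP address and any host name configured in WUServer as `expected_hosts`, so a correctly configured client is not reported.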
is not skewed, Workstation Time should be in sync with
For further assistance, or for any queries post
that on the
SUS Forum for which I'm a Moderator or on
Microsoft Community Group
and I will try to help.
Mohammed. Athif Khaleel
"Save Internet, Keep
all Systems Patched"