Contributed By:
Mohammed. Athif Khaleel
[MVP SUS/ WSUS]
Based on my experience with Automatic Updates and Software Update Services (SUS), here are a few troubleshooting steps you can try when resolving issues related to Automatic Updates. This is my approach, and based on feedback from folks in the communities on the Microsoft Newsgroups, FAQShop.com and SUSserver.com, these steps have helped in resolving many issues.
-
First, make sure the Automatic Updates policies (the WUAU.ADM template in Group Policy) are applied, and run GPRESULT to see the applied GPOs. Download GPRESULT.EXE to see the policies applied to that particular client. Additionally, you can use the Group Policy Management Console (GPMC) to ensure the AU-related policies have been applied.
-
If you are in a workgroup environment, make sure you deploy the correct registry entries. For more information on the necessary registry configuration, see my Manipulating SUS Settings through the Registry article.
-
Confirm the client's AU settings and ensure they are set the way you intend. A simple way is to use the REG.EXE command to dump the policy settings from the client's registry. In Windows XP this tool is part of the operating system's native commands. In NT and Windows 2000 you'll need the Resource Kit to add this tool. Use the following syntax:

Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s
Here's an example:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://Your-SUS-Server-IP/Hostname
    WUStatusServer    REG_SZ    http://Your-SUS-Server-IP/Hostname

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x3
    ScheduledInstallDay    REG_DWORD    0x0
    ScheduledInstallTime    REG_DWORD    0x3
    UseWUServer    REG_DWORD    0x1
    RescheduleWaitTime    REG_DWORD    0x1e
-
Once the settings are in place, let's look at permissions. If you already had the URLScan tool installed prior to installing SUS and it is set to block all *.exe files, the SUS install doesn't change that URLScan setting, so the client computers will not be able to download any of the patches or updates. To correct this problem, you need to change urlscan.ini to allow *.exe requests, and then restart Internet Information Services (IIS) or restart the SUS server, as detailed here:
http://forums.susserver.com/index.php?act=ST&t=2460&f=3&view=findpost&p=12750
Check the following location: C:\WINNT\system32\inetsrv\urlscan.
Then you might want to change your "urlscan.ini".
Have a look at How to Install and Use the IIS Lockdown Wizard:
http://support.microsoft.com/default.aspx?...4&Product=iis50
Add the following setting in the urlscan.ini:
[Allow Extensions]
.exe
And remove ".exe" from:
[Deny Extensions]
--
[Allow Verbs]
GET
HEAD
POST
OPTIONS
For those interested, you can view an on-demand replay of the webcast on URLScan at:
http://msevents.microsoft.com/CUI/WebCastE...3&Culture=en-US.
- In many cases, I have seen that it is always a "Library download error" in Windows Update.log. As part of troubleshooting, check whether you can download the file iuident.cab successfully from the workstation (http://YOUR-SUS-SERVER/iuident.cab). If not, go to the next step.
-
Permissions play an important role in Automatic Updates with SUS, so make sure you have effective IIS & NTFS permissions. Make sure that on your SUS server:
  - You have ANONYMOUS ACCESS on the Default Website, selfupdate, autoupdate and content.
  - C:\SUSContent: EVERYONE should have at least READ permission.
  - Web Anonymous User, IUSR & IWAM users may have READ & EXECUTE, LIST FOLDER CONTENTS & READ permission on C:\SUS - Content.
-
If you have a proxy server within your network, make sure:
  - In your computer's LAN settings, the "Automatically detect settings" check box is NOT selected.
  - The SUS server is bypassed: in IE, go to Tools - Internet Options - Connections - LAN settings - Advanced and add the IP address of your SUS server.
  - Run the WinHTTP Proxy Configuration utility (PROXYCFG.EXE) from a Command Prompt to see the Bypass List (WinHttpSettings). Note that the AU client is dependent on the Proxy Bypass list.
-
Have a look at Event Viewer for any errors and warnings, and have a look at the client’s C:\windows\windows update.log for the V4 Windows Update component and C:\windows\windowsupdate.log for the V5 Windows Update component. For more information, see my Why do my Clients show two Windows Update Log Files? article.
-
Have a look at the AU state:

Reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"

For more information, check out Explaining AU States.
-
You can use the log parser on Wayne's site, PDX Consulting, to parse your IIS log and look for detailed client activity.
-
Automatic Updates uses the Background Intelligent Transfer Service (BITS) to download the patches. Here you will find answers to common questions pertaining to BITS. BITS will first try to resolve the SUS server name, so make sure you have a proper DNS HOST RECORD in your local DNS server. If you are in a workgroup environment, don’t worry: you can edit the workstation's HOSTS file, found at C:\WINDOWS\system32\drivers\etc\hosts, to add IPADDRESS HOSTNAME, where IPADDRESS is your SUS server's IP and HOSTNAME is its hostname/NetBIOS name.
-
Use the Bitsadmin tool (it's on the WinXP CD - \Support\Tools\Support.cab) to list the jobs and what they are reporting:

Bitsadmin /list /allusers /verbose

This shows what is in the queue. Here are a few Bitsadmin Examples. This tool really helps in troubleshooting AU clients.
-
In the worst case, I would delete everything under "C:\Program Files\WindowsUpdate\" and "C:\WUTEMP\" or "C:\Program Files\WindowsUpdate\wuaudnld.tmp\" while waiting to install the patches, then manually go to windowsupdate.com and install at least one of the missing patches, and then use SUS later on, which will restore/recreate any corrupt files.
-
I would suggest using the IP ADDRESS as the SUS SERVER NAME in SET OPTIONS on SUSADMIN instead of the NetBIOS name. I have seen many issues with BITS struggling to resolve the NetBIOS name, and in such cases this works a treat. Also, while configuring AU clients via GPO or registry edits, use the IP ADDRESS instead of the NetBIOS name in WUServer & WUStatusServer.
-
Sometimes in WindowsUpdate.log you may see that even after configuring Automatic Updates to use the SUS server, it goes to Windowsupdate.com as shown below:

02-03 11:47:29-0000 804 634 PT: Using ServerID {9482F4B4-E343-43B6-B170-9A65BC822C77}
2005-02-03 11:47:29-0000 804 634 PT: Using server URL https://v5.windowsupdate.microsoft.com/ClientWebService/client.asmx
2005-02-03 11:47:29-0000 804 634 URL for server is http://v5stats.windowsupdate.microsoft.com/ReportingWebService/Report...
This is because of the following registry value, which is pointing to windowsupdate.com:

C:\>Reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
    ODFFileURL    REG_SZ    http://v4.windowsupdate.microsoft.com/odf/wuodf.xml
You have to DELETE the registry value "ODFFileURL REG_SZ http://v4.windowsupdate.microsoft.com/odf/wuodf.xml" from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
Restart the machine, which will also restart the Automatic Updates service. Now force the update detection and monitor the logs.
-
Make sure Windows Time is not skewed; the workstation time should be in sync with the server.
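The policy dump from the REG.EXE step and the WindowsUpdate.log excerpt from the ODFFileURL step can be cross-checked against each other: the server the log shows should be the one the policy names. The following Python is an added example, not part of the original article; the function names, the 10.0.0.5 address and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the `reg query ... /s` output above;
# 10.0.0.5 is a placeholder SUS server address.
REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://10.0.0.5
    WUStatusServer    REG_SZ    http://10.0.0.5

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    UseWUServer    REG_DWORD    0x1
"""

# Constructed sample reusing the "Using server URL" log line quoted above.
LOG_TEXT = (
    "2005-02-03 11:47:29-0000 804 634 PT: Using server URL "
    "https://v5.windowsupdate.microsoft.com/ClientWebService/client.asmx\n"
)

# value name, registry type, data (value names with spaces are not handled)
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

def parse_reg_dump(text):
    """Return {value_name: data}; REG_DWORD data becomes an int."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, rtype, data = m.groups()
            values[name] = int(data, 16) if rtype == "REG_DWORD" else data
    return values

def audit(reg_text, log_text):
    """List mismatches between the AU policy and the servers the log shows."""
    pol, findings = parse_reg_dump(reg_text), []
    if pol.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1")
    if pol.get("NoAutoUpdate", 0) != 0:
        findings.append("NoAutoUpdate is not 0")
    keys = ("WUServer", "WUStatusServer")
    findings += [f"{k} is not set" for k in keys if k not in pol]
    hosts = {urlparse(pol[k]).hostname for k in keys if k in pol}
    for url in re.findall(r"https?://\S+", log_text):
        host = urlparse(url).hostname
        if host not in hosts:
            findings.append(f"log shows {host}, not the SUS server")
    return findings
```

Calling audit(REG_DUMP, LOG_TEXT) on the samples returns one finding, for the windowsupdate.microsoft.com host in the log; feed it the real `reg query` output and log text from a client to run the same comparison.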
For further assistance, or for any queries, post on the SUS Forum, for which I'm a Moderator, or on the Microsoft Community Group, and I will try to help.
Happy Reading!
Athif
Mohammed. Athif Khaleel
"Save Internet, Keep all Systems Patched"