Troubleshooting WSUS Connection Issues

Problem

Client computers have been configured to connect to a WSUS server but are not reporting in after a period of days.  Computers may show up in the WSUS console, but are not reporting in or have not reported in for several days.

Background / Cause

Some client computers have been affected by a known issue with Windows Server 2003 http.sys and Internet Information Services (IIS).  In some cases this transient issue will prevent the client computers from checking in, because they receive incorrect responses from the server after a number of attempts.  For more information about this issue, see article 898708 in the Microsoft Download Center.  This type of failed communication can also be the result of some bad DNS entries, poor connectivity, or corrupt WSUS settings from a previous installation or migration from another WSUS server.

Resolution

Ensure that the client computer connection to the WSUS server is working properly.
1.    Open a Command Prompt window
2.    Verify communication with the WSUS server with the following:
ping WSUSServerName

Contact the WSUS HTTP (IIS) server.  Open Internet Explorer and in the address bar type the following URL:

http://WSUSServerName:portNumber

where WSUSServerName is the name of the WSUS server, and portNumber is the port that has been configured for it (for example, 80 for HTTP, 443 for SSL, and 8530 for a custom port).

Verify the existence of the self-update tree. In an Internet Explorer address bar, type:

http://WSUSServerName/selfupdate/wuident.cab

If the WSUS server is functioning properly, a File Download window will appear requesting to open or save the file.  Close the window.

Review the registry entries to verify the Automatic Update client has been configured correctly.
1.    Open a Command Prompt window.
2.    Type:

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

The output should be like the following if the client computer has been configured to get its updates from a WSUS server:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
WUServer    REG_SZ  http://WSUSServerName
WUStatusServer      REG_SZ  http://WSUSServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

The output should be similar to the following if Automatic Update is functioning, but the client computer has not been configured to get its updates from a WSUS server:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

If the output from Step 2 contains values for WUServer and WUStatusServer, try to contact the WSUS server that is listed in these values.
1.    Open Internet Explorer and in the address bar type:

http://WUServer

where WUServer stands for the value in the output from Step 2.

You should see an “Under Construction” page if the WUServer value is valid. If it is not, you will get an HTTP error message.
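
The manual checks above (the registry values, ping, the server's root page and the self-update tree) can be run in one pass on the client. The following PowerShell is an added example, not part of the original article and not the removal script mentioned under Known Issues; it assumes PowerShell 3.0 or later, and the helper name Test-WsusUrl is hypothetical.

```powershell
# Added example (not from the original article). Run on the client computer.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusUrl {   # hypothetical helper name
    param([string]$Url)
    # Same request the browser steps make; returns the HTTP status or the error text.
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return "HTTP $([int]$response.StatusCode)"
    } catch {
        return "FAILED: $($_.Exception.Message)"
    }
}

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy -or -not $policy.WUServer) {
    Write-Output 'WUServer is not set: the client is not configured to use a WSUS server.'
    return
}

$report = foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = $policy.$name
    $uri = $null
    # A missing value or a value that is not an absolute URL cannot be contacted.
    if (-not $value -or -not [uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)) {
        [pscustomobject]@{ Setting = $name; Value = $value; Problem = 'missing or not an absolute URL' }
        continue
    }
    [pscustomobject]@{
        Setting    = $name
        Value      = $value
        # 'http' means traffic between client and WSUS server is not protected by TLS.
        Scheme     = $uri.Scheme
        Ping       = Test-Connection -ComputerName $uri.Host -Count 2 -Quiet
        RootPage   = Test-WsusUrl $value
        # URL form used in the article: host name without a port number.
        SelfUpdate = Test-WsusUrl "http://$($uri.Host)/selfupdate/wuident.cab"
    }
}
$report | Format-List
```

A result of HTTP 200 for RootPage and SelfUpdate corresponds to the "Under Construction" page and the File Download window in the manual steps.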

Reset the client settings

If clients are still failing to check in as expected, performing a reset on the client will help get things back in place.

  • Open a Command Prompt window
  • Type:
wuauclt.exe /resetauthorization /detectnow
  • Wait 10 minutes for the detection cycle to finish.

Known Issues / Troubleshooting

Problem: The steps above still fail to resolve the communication problem.

Solution: The next step is to use the following script to completely remove all update settings and reapply the new settings fresh.  The following script is offered as is; if you don’t understand what it is doing, please use it at your own risk.  The WSUS server name and port will need to be set for the script to set up the client machine successfully.

 

References