Home
.. About WSUS Wiki

WSUS
.. WSUS FAQ
.. WSUS on SBS
.. WSUS Troubleshooting
.. WSUS News Groups
.. Known WSUS Issues
.. WSUS Links
.. WSUS Wish List

WSUS Documents
.. WSUS Deployment Guide
.. WSUS Installation Guide
.. WSUS Release Notes
.. WSUS Best Practice

SUS
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues

Troubleshooting Automatic Updates with SUS

Here are a few troubleshooting steps which can help you to resolve issues related to Automatic Updates with SUS.

1. For clients in a domain environment, ensure the Automatic Update Polices, WUAU.ADM Group Policy has been applied. You can use GPRESULT.EXE against the Windows client computer to see the applied policies (download GPRESULT.EXE from the Microsoft web site). Additionally, you can use the Group Policy Management Console to ensure the AU related policies have been applied.

2. For clients in a workgroup environment, configuration is via the registry. For more information on the necessary registry configuration, see Manipulating SUS Settings through the Registry.

3. Confirm the client's AU settings and ensure they are set the way you intend. A simple way is to use the REG.exe command to dump out the policy settings from the client's registry. Use the following syntax:

Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s

You should see something like this:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://dc1.nwtraders.msft
WUStatusServer REG_SZ http://dc1.nwtraders.msft

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate REG_DWORD 0x0
AUOptions REG_DWORD 0x3
ScheduledInstallDay REG_DWORD 0x0
ScheduledInstallTime REG_DWORD 0x3
UseWUServer REG_DWORD 0x1
DetectionFrequencyEnabled REG_DWORD 0x1
DetectionFrequency REG_DWORD 0x1

4. Another common issue is using the IIS Lockdown Wizard and installing the URLScan tool, prior to installing SUS, and setting this to block all .EXE files. For more information on the IIS Lockdown wizard, see http://support.microsoft.com/default.aspx?scid=kb;en-us;325864&Product=iis50 or view an web cast on URL SCAN.

Check your urlscan.ini to allow *.exe requests. If not, you should update the urlscan.ini file, and restart both IIS and SUS server.

Add following setting in the urlscan.ini

[Allow Extensions]
.exe

Remove ".exe" from:

[Deny Extensions]

Also ensure the following are set:

[Allow Verbs]
GET
HEAD
POST
OPTIONS

5. You may find a Library Download Errorin windows update.log. If so, try to download the file iuident.cab successfully from the workstation, by typing the following command:

http://YOUR-SUS-SERVER/iuident.cab

6. Permissions play an important role in Automatic Updates with SUS. Ensure you have effective IIS & NTFS permissions:

Make sure on SUS SERVER:

• You have ANONYMOUS ACCESS on Default Website, selfupdate, autoupdate and content.
• C:\SUSContent EVERYONE should at least have READ Permission
• Web Anonymous User, IUSR & IWAM Users may have READ & EXECUTE, LIST FOLDER CONTENTS & READ Permission on C:\SUS - Content.

7. If you have a Proxy Server within your network, make sure:

• In your computer's Local Area Network (LAN) settings, the automatically detect settings check box is NOT selected
• Bypass SUSSERVER from IE Tools-Internet Options-Connections-LAN settings-Advanced and add IP Address of your SUS Server.
• Run PROXYCFG from Command Prompt to see Bypass List (to check WinHttpSettings)

Note that the AU client is dependent on the Proxy Bypass list.

8. Have a look at Event Viewer for any Errors & Warnings AND have a look at client’s C:\Windows\Windows Update.log

9. Have a look at the AU STATE by typing,

Reg Query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"

Also, check out Explaining AU STATE

10. You can use the log parser on Wayne's Site PDX Consulting to parse your IIS log and look for detailed client activity.

11. Automatic Updates uses BITS to download the patches and BITS will try to resolve the YOUR-SUS-SERVER-NAME in the first place, so make sure you have a proper DNS host record in your Local DNS Server. If you are in Workgroup Environment, don’t worry, you can edit the workstation's HOSTS file found at C:\WINDOWS\system32\drivers\etc\hosts to add IP address and the HOST NAME, Where IP ADDRESS is your SUS SERVER IP with its HOSTNAME/NETBIOS NAME.

12. Use the Bitsadmin tool (its on WinXP CD - Support Tools) to list the jobs & what they are reporting, Run Bitsadmin /list /allusers /verbose to see what is in the queue. This tool really helps in troubleshooting AU Clients.

13. In the worst case, I would delete everything under C:\Program Files\WindowsUpdate and C:\WUTEMP or C:\Program Files\WindowsUpdate\wuaudnld.tmp while waiting to install the patches & then manually go to windowsupdate.com, and at least install any 1 of those missing patches and then use SUS later on, which will restore/recreate any corrupt files.

14. Use IP ADDRESS instead of the servers NetBIOS name, in SET OPTIONS on SUSADMIN as BITS can struggle to resolve NetBIOS names. Also, while configuring AU Clients via GPO or REGEDITS, use the IP ADDRESS instead of NETBIOS NAME in WUServer & WUStatusServer.

15. Make sure time on the client is in sync with the server.

16. Post errors on the SUSServer site.