Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums
Windows Server TechCenter >
WSUS GPO freezing Windows 7 desktops

Answered WSUS GPO freezing Windows 7 desktops

  • Tuesday, January 08, 2013 5:20 PM
     
     
    Sign In to Vote
    0

    Recently 5 different Windows 7 computers have had issues with applications freezing after being on for a few minutes.

    I have finally narrowed down the issue to one group policy object that is applied to each of the OUs the desktops are in. That GPO is the one that points computers to our WSUS server among other WSUS settings.

    If I disable that GPO, the computers act normally and I can even go to Microsoft Website for updates.

    If I re-enable it again or create a new one that points to the WSUS server, the computer will start to freeze again (as an example, you can't run gpupdate /force anymore. it says update failed 5 minutes after you apply the WSUS GPO. at that point, other apps freeze, explorer.exe crashes and power off or restart without holding the power button to force it to power off).

    What's strange is that we have maybe 75-100 computers using the same GPO running Windows 7 and they aren't have issues.

    Not sure what's wrong.

    Heath

     

All Replies

  • Tuesday, January 08, 2013 11:43 PM
    Moderator
     
     Answered
    Sign In to Vote
    0

    If I disable that GPO, the computers act normally and I can even go to Microsoft Website for updates.

    If I re-enable it again or create a new one that points to the WSUS server, the computer will start to freeze again (as an example, you can't run gpupdate /force anymore. it says update failed 5 minutes after you apply the WSUS GPO. at that point, other apps freeze, explorer.exe crashes and power off or restart without holding the power button to force it to power off).

    What's strange is that we have maybe 75-100 computers using the same GPO running Windows 7 and they aren't have issues.

    How many Domain Controllers? It's possible that those clients have, or are accessing, a corrupted copy of that GPO. Other computers have access to a good copy.

    Now, simply disabling a WSUS GPO has absolutely *ZERO* affect on the operation of the Windows Update Agent, so if disabling a WSUS GPO produces this behavior, we must work from the assumption that this is a problem within the Group Policy infrastructure, not the WSUS/WUAgent infrastructure since, as noted, disabling the GPO will not, in any fashion, change how the WUAgent behaves on a client system. (Unless, of course, there is a conflicting GPO, and disabling this GPO is allowing some other GPO to take effect -- but let's leave that hypothetical scenario should we need to dig deeper into the diagnostic effort).

    So.... one way to approach this scenario is this:

    1. Leave the existing GPO disabled.

    2. Create a new GPO with the same settings, and apply it.

    3. See if the problem is reproducible with a new GPO. If not, problem solved; delete the original GPO.

    It seems that you've tried this and it did reproduce. So now, the question is, do the clients not like those settings, or maybe they cannot respond to the GPO instructions. For example, adversely changing the ACLs on the registry keys set by a WSUS GPO could prevent the application of that GPO by the client.

    To that point... have you reviewed the EventLogs on these client systems to see if anything specific has been logged with respect to this situation?

    With respect to the GPO, let's start by defining a basic WSUS GPO. Set the intranet update service location setting, and set the configure automatic updates setting, and leave all of the rest set to "Not Configured". Does the problem still occur? What are the actual policy settings? What are the actual values stored in HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate?

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.


     
  • Wednesday, January 09, 2013 3:20 PM
     
     
    Sign In to Vote
    0

    what's interesting is that the one computer that I was testing with that had problems is working normally now.

    When I started testing it a couple of days ago, I could reproduce the problem over and over again. If I enabled the old WSUS GPO, it would start freezing after 5 minutes, as soon as I disabled it and applied it, it would act normally again. I created the new WSUS GPO and it did the exact same thing. When I tried this testing scenario yesterday, it worked normally using the old and new WSUS GPO. I think the only thing I did was run the WSUS cleanup wizard overnight, removed the computer from WSUS and did a wuauclt.exe /resetauthorization /detectnow. Didn't make a lot of sense to me.

    I moved the computer back to it's original OU yesterday that has the original GPOs applied to it and it still works this morning.

    If it was a problem with a corrupted GPO, wouldn't have creating a new one fix it?

    If it were a problem with a specific domain controller and not specific with that GPO, why would enabling it, running the gpupdate without rebooting make it freeze?

    We have 3 domain controllers, by the way.

    My next step, I guess, is putting one of the other computers back into its original OU and see if it works normally. If it doesn't, check which logonserver it used.

    How would I fix the domain controller if it is a problem? I guess its possible to demote and promote it but don't really want to do that.

    Heath

     
  • Wednesday, January 09, 2013 5:29 PM
     
     
    Sign In to Vote
    0

    moved one of the other computers back to its OU and it is freezing again.

    not sure why yet since I can't get the one I am testing with to freeze anymore.

    need to find out the logonserver of the one that is frozen and start from there.

    btw...nothing helpful in the eventviewer.

    Heath

     
  • Wednesday, January 09, 2013 6:03 PM
     
     
    Sign In to Vote
    0
    ran gpotool against all 3 domain controllers and didn't see any issues

    Heath

     
  • Wednesday, January 09, 2013 10:00 PM
     
     
    Sign In to Vote
    0

    finally got my hands on a computer that was having issues

    checked the logonserver and noticed it said DC2 and it was having issues

    powered it off, powered it on and noticed it said the logonserver was DC3 and it was still having issues

    disabled the original WSUS GPO and enabled the new WSUS GPO and it was still having issues

    while it was in the forzen state, I used RDP to delete the computer account from the WSUS Server and screen flashed for a second. I checked and the gpupdate command was successful like it should be. I powered it off and on, logged on and the computer showed up as an unassigned computer in WSUS. I placed it in the proper group, Checked Windows Update on the desktop and it found the latest updates. It is functionally normally now.

    Weird.

    Heath

     
  • Tuesday, January 15, 2013 3:19 PM
     
     
    Sign In to Vote
    0

    unfortunately the issues have returned

    after a couple of days, the computer I thought was fixed is acting up again in the exact same way

    as of now, I have disabled the WSUS GPO.

    I tried setting up a local group policy on a couple of computers and one computer seems to be okay and another started acting up again soon after.

    at this point I'm thinking about disabling (and then deleting) the WSUS GPO for all computers, re-installing WSUS and creating new GPOs.

    If that doesn't fix it for everyone, it's time to contact Microsoft, I guess.

    Heath