Problem with some clients - svchost.exe at 50%, fatal error in windowsupdate log

    Question

  • I would like some advice on how to troubleshoot an issue that is occurring on some WSUS clients.  The issue is that updates are not being passed down to the client.

    In one particular case, the WSUS server says that the client has not reported in 17 days, even though it has been on the network each day since.  This client is XP SP3, and the version of WU client is 7.4.7600.226.  The version of WSUS on the server is 3.2.7600.226

    Approx 20 days ago (near the end of January), we had the same issue with this client, and fixed it that time with the 'rename the C:\Windows\SoftwareDistribution folder' solution, which did initially bring down plenty of updates, but soon the problem was back.

    At that time, in the windowsupdate.log, we see things like:

    2012-02-01 12:30:22:810 1832 75c COMAPI FATAL: Unable to connect to the service (hr=8007045B)

    &

    2012-02-02 16:10:47:002 1844 910 COMAPI -- START --  COMAPI: Search [ClientId = Microsoft Forefront Client Security State Assessment Service v1.0.1725.0]
    2012-02-02 16:10:47:002 1844 910 COMAPI ---------
    2012-02-02 16:10:47:039 1844 910 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = Microsoft Forefront Client Security State Assessment Service v1.0.1725.0]
    2012-02-02 16:10:54:688  476 704 Misc WARNING: Send failed with hr = 80072efd.
    2012-02-02 16:10:54:688  476 704 Misc WARNING: SendRequest failed with hr = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2012-02-02 16:10:54:688  476 704 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http: <WSUS_SERVER="">/wuident.cab>. error 0x80072efd
    2012-02-02 16:10:54:688  476 704 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efd
    2012-02-02 16:10:54:688  476 704 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072efd
    2012-02-02 16:10:54:688  476 704 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072efd
    2012-02-02 16:11:41:490  476 704 Misc WARNING: Send failed with hr = 80072efd.
    2012-02-02 16:11:41:490  476 704 Misc WARNING: SendRequest failed with hr = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2012-02-02 16:11:41:490  476 704 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http: <WSUS_SERVER="">/selfupdate/wuident.cab>. error 0x80072efd
    2012-02-02 16:11:41:490  476 704 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efd
    2012-02-02 16:11:41:490  476 704 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072efd
    2012-02-02 16:11:41:490  476 704 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072efd
    2012-02-02 16:11:41:490  476 704 Misc WARNING: DownloadFileInternal failed for http://WSUS SERVER/selfupdate/wuident.cab: error 0x80072efd
    2012-02-02 16:11:41:490  476 704 Setup FATAL: IsUpdateRequired failed with error 0x80072efd
    2012-02-02 16:11:41:490  476 704 Setup WARNING: SelfUpdate: Default Service: IsUpdateRequired failed: 0x80072efd
    2012-02-02 16:11:41:490  476 704 Setup WARNING: SelfUpdate: Default Service: IsUpdateRequired failed, error = 0x80072EFD
    2012-02-02 16:11:41:490  476 704 Agent   * WARNING: Skipping scan, self-update check returned 0x80072EFD
    2012-02-02 16:11:41:574  476 704 Agent   * WARNING: Exit code = 0x80072EFD
    2012-02-02 16:11:41:574  476 704 Agent *********
    2012-02-02 16:11:41:574  476 704 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2012-02-02 16:11:41:574  476 704 Agent *************
    2012-02-02 16:11:41:574  476 704 Agent WARNING: WU client failed Searching for update with error 0x80072efd
    2012-02-02 16:11:41:574  476 704 Agent *************
    2012-02-02 16:11:41:574  476 704 Agent ** START **  Agent: Finding updates [CallerId = Microsoft Forefront Client Security State Assessment Service v1.0.1725.0]
    2012-02-02 16:11:41:574  476 704 Agent *********
    2012-02-02 16:11:41:574  476 950 AU >>##  RESUMED  ## AU: Search for updates [CallId = {EF2623DE-056A-4479-9AC4-66277A633C4D}]
    2012-02-02 16:11:41:574  476 704 Agent   * Online = Yes; Ignore download priority = No
    2012-02-02 16:11:41:574  476 950 AU   # WARNING: Search callback failed, result = 0x80072EFD
    2012-02-02 16:11:41:574  476 704 Agent   * Criteria = "IsInstalled=0 AND CategoryIDs CONTAINS 'E0789628-CE08-4437-BE74-2495B842F43B' AND CategoryIDs CONTAINS '0A487050-8B0F-4F81-B401-BE4CEACD61CD'"
    2012-02-02 16:11:41:574  476 950 AU   # WARNING: Failed to find updates with error code 80072EFD
    2012-02-02 16:11:41:574  476 704 Agent   * ServiceID = {EF2623DE-056A-4479-9AC4-66277A633C4D} Third party service
    2012-02-02 16:11:41:574  476 950 AU #########
    2012-02-02 16:11:41:574  476 704 Agent   * Search Scope = {Machine}
    2012-02-02 16:11:41:574  476 950 AU ##  END  ##  AU: Search for updates [CallId = {EF2623DE-056A-4479-9AC4-66277A633C4D}]
    2012-02-02 16:11:41:574  476 950 AU #############
    2012-02-02 16:11:41:574  476 950 AU AU setting next detection timeout to 2012-02-02 21:11:41
    2012-02-02 16:11:41:908  476 704 PT WARNING: Cached cookie has expired or new PID is available
    2012-02-02 16:11:41:908  476 704 PT Initializing simple targeting cookie, clientId = ddf5659b-9001-4161-a6e6-be7a3858b46d, target group = , DNS name = gbr0007-001129.concern.net
    2012-02-02 16:11:41:908  476 704 PT   Server URL = http:// WSUS SERVER/SimpleAuthWebService/SimpleAuth.asmx
    2012-02-02 16:12:26:800  476 704 Misc WARNING: Send failed with hr = 80072efd.
    2012-02-02 16:12:26:800  476 704 Misc WARNING: SendRequest failed with hr = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2012-02-02 16:12:26:800  476 704 PT   + Last proxy send request failed with hr = 0x80072EFD, HTTP status code = 0
    2012-02-02 16:12:26:800  476 704 PT   + Caller provided credentials = No
    2012-02-02 16:12:26:800  476 704 PT   + Impersonate flags = 0
    2012-02-02 16:12:26:800  476 704 PT   + Possible authorization schemes used = 
    2012-02-02 16:12:26:800  476 704 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EFD, soap client error = 5, soap error code = 0, HTTP status code = 200
    2012-02-02 16:12:26:800  476 704 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072efd
    2012-02-02 16:12:26:800  476 704 PT WARNING: PopulateAuthCookies failed: 0x80072efd
    2012-02-02 16:12:26:800  476 704 PT WARNING: RefreshCookie failed: 0x80072efd
    2012-02-02 16:12:26:800  476 704 PT WARNING: RefreshPTState failed: 0x80072efd
    2012-02-02 16:12:26:800  476 704 PT WARNING: StartCategoryScan failed : 0x80072efd
    2012-02-02 16:12:26:800  476 704 Agent   * WARNING: Exit code = 0x80072EFD
    2012-02-02 16:12:26:800  476 704 Agent *********
    2012-02-02 16:12:26:800  476 704 Agent **  END  **  Agent: Finding updates [CallerId = Microsoft Forefront Client Security State Assessment Service v1.0.1725.0]
    2012-02-02 16:12:26:800  476 704 Agent *************
    2012-02-02 16:12:26:800  476 704 Agent WARNING: WU client failed Searching for update with error 0x80072efd
    2012-02-02 16:12:26:800  476 704 Report REPORT EVENT: {6B29AD8A-CB09-43AD-A449-F2DA70C68F3F} 2012-02-02 16:11:41:490-0000 1 148 101 {D67661EB-2423-451D-BF5D-13199E37DF28} 0 80072efd SelfUpdate Failure Software Synchronization Windows Update Client failed to detect with error 0x80072efd.

    And most importantly - we see svchost.exe taking up 50% of CPU, and slowing down the machines.

    I have seen a comment here saying that many WSUS client problems can be tracked back to WSUS server problem, but I'm not sure how I would go about investigating that - any ideas?

    In the meantime, I intend to experiment with a script I found online which is recommended to 'resolve a lot of WSUS client issues'

    I'm out of my depth when it comes to this - are there any reasons not to try this script? 

    REM Stop the BITS and Automatic Updates services
    %Windir%\system32\net.exe stop bits
    %Windir%\system32\net.exe stop wuauserv

    REM Delete the cached WSUS client identity and detection-timing values
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientValidation /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f

    REM Re-register the Windows Update, MSXML and BITS DLLs that are present
    if exist %Windir%\system32\atl.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\atl.dll
    if exist %Windir%\system32\jscript.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\jscript.dll
    if exist %Windir%\system32\softpub.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\softpub.dll
    if exist %Windir%\system32\wuapi.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuapi.dll
    if exist %Windir%\system32\wuaueng.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuaueng.dll
    if exist %Windir%\system32\wuaueng1.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuaueng1.dll
    if exist %Windir%\system32\wucltui.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wucltui.dll
    if exist %Windir%\system32\wups.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wups.dll
    if exist %Windir%\system32\wups2.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wups2.dll
    if exist %Windir%\system32\wuweb.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuweb.dll
    if exist %windir%\system32\iuengine.dll %windir%\system32\regsvr32.exe /s iuengine.dll
    if exist %windir%\system32\wuauserv.dll %windir%\system32\regsvr32.exe /s wuauserv.dll
    if exist %windir%\system32\cdm.dll %windir%\system32\regsvr32.exe /s cdm.dll
    if exist %windir%\system32\msxml2r.dll %windir%\system32\regsvr32.exe /s msxml2r.dll
    if exist %windir%\system32\msxml3r.dll %windir%\system32\regsvr32.exe /s msxml3r.dll
    if exist %windir%\system32\msxml.dll %windir%\system32\regsvr32.exe /s msxml.dll
    if exist %windir%\system32\msxml3.dll %windir%\system32\regsvr32.exe /s msxml3.dll
    if exist %windir%\system32\msxmlr.dll %windir%\system32\regsvr32.exe /s msxmlr.dll
    if exist %windir%\system32\msxml2.dll %windir%\system32\regsvr32.exe /s msxml2.dll
    if exist %windir%\system32\qmgr.dll %windir%\system32\regsvr32.exe /s qmgr.dll
    if exist %windir%\system32\qmgrprxy.dll %windir%\system32\regsvr32.exe /s qmgrprxy.dll
    if exist %windir%\system32\iuctl.dll %windir%\system32\regsvr32.exe /s iuctl.dll

    REM Delete the client log and the SoftwareDistribution folder
    del C:\Windows\WindowsUpdate.log /S /Q
    rd /s /q %windir%\softwareDistribution

    REM sleep.exe is not part of a default XP install (it comes with the Resource Kit tools)
    sleep 5

    REM Restart the services
    %Windir%\system32\net.exe start bits
    %Windir%\system32\net.exe start wuauserv

    REM Reset the security descriptors of both services
    sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
    sc sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

    REM Reset the WSUS authorization cookie, then trigger detection and reporting
    wuauclt.exe /resetauthorization
    wuauclt.exe /detectnow
    wuauclt.exe /reportnow

    exit /B 0

    What else should I be looking at to resolve this, please?

    Thanks!


    • Edited by Eoin Ryan Friday, February 17, 2012 5:18 PM
    Friday, February 17, 2012 4:42 PM

All replies

  • 2012-02-02 16:10:54:688  476 704 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http: <WSUS_SERVER="">/wuident.cab>. error 0x80072efd

    Your problem is buried in the information you chose to hide from us.

    The 0x80072EFD error means that the URL you configured does not exist, or cannot be reached.

    Also... in subsequent posts, could you please post the log snippets as PLAIN TEXT -- the excess of 'span' tags in your post above has made the post about 10x larger than it needs to be. The one 100-character log entry I quoted above uses about 1K of actual space.



    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Saturday, February 18, 2012 9:50 PM
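
Added example (not part of any post in this thread): a small Python triage of WindowsUpdate.log entries like the ones in the question. It splits each failing HRESULT into facility and code (0x80072EFD is FACILITY_WIN32 wrapping WinHTTP error 12029, "cannot connect") and lists the URLs the agent could not reach. The sample log is constructed from entries in the question, and `wsus.example.test` is a placeholder for the redacted server name.

```python
import re
from collections import Counter

# Win32 error codes wrapped by the two HRESULTs quoted in this thread.
WIN32_NAMES = {
    0x045B: "ERROR_SHUTDOWN_IN_PROGRESS",    # 1115
    0x2EFD: "ERROR_WINHTTP_CANNOT_CONNECT",  # 12029
}
FACILITY_WIN32 = 7

# Layout of each entry: date, time, PID, TID, component, message.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d)\s+(\d\d:\d\d:\d\d:\d{3})\s+(\d+)\s+([0-9a-f]+)\s+(\S+)\s+(.*)$",
    re.I)
# 8 hex digits with the failure bit set, with or without 0x; GUID fragments excluded.
HRESULT_RE = re.compile(r"(?<![-{\w])(?:0x)?(8[0-9a-f]{7})(?![-\w])", re.I)
URL_RE = re.compile(r"https?://[^\s>]+", re.I)

# Constructed sample (placeholder server name, entries modelled on the question).
SAMPLE_LOG = """
2012-02-01 12:30:22:810 1832 75c COMAPI FATAL: Unable to connect to the service (hr=8007045B)
2012-02-02 16:10:47:002 1844 910 COMAPI ---------
2012-02-02 16:10:54:688  476 704 Misc WARNING: Send failed with hr = 80072efd.
2012-02-02 16:11:41:490  476 704 Misc WARNING: DownloadFileInternal failed for http://wsus.example.test/selfupdate/wuident.cab: error 0x80072efd
2012-02-02 16:11:41:490  476 704 Setup FATAL: IsUpdateRequired failed with error 0x80072efd
2012-02-02 16:11:41:574  476 704 Agent   * WARNING: Exit code = 0x80072EFD
2012-02-02 16:12:26:800  476 704 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EFD, soap client error = 5, soap error code = 0, HTTP status code = 200
"""


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity, facility and code."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"failure": bool(value >> 31), "facility": facility,
            "code": code, "name": name}


def triage(log_text):
    """Count HRESULTs on WARNING/FATAL entries and the URLs named alongside them."""
    errors, urls, components = Counter(), Counter(), {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        component, message = m.group(5), m.group(6)
        if "WARNING" not in message and "FATAL" not in message:
            continue
        codes = {int(h, 16) for h in HRESULT_RE.findall(message)}
        for code in codes:
            errors[code] += 1
            components.setdefault(code, set()).add(component)
        if codes:
            for url in URL_RE.findall(message):
                urls[url.rstrip(".:,")] += 1
    return errors, urls, components


def report(log_text):
    """Return one readable line per HRESULT, then one per failing URL."""
    errors, urls, components = triage(log_text)
    lines = []
    for code, count in errors.most_common():
        d = decode_hresult(code)
        lines.append("0x%08X x%d  facility %d, code %d (%s)  seen in: %s" % (
            code, count, d["facility"], d["code"], d["name"] or "unknown",
            ", ".join(sorted(components[code]))))
    lines += ["  failing URL: %s (x%d)" % item for item in urls.most_common()]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
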
  • Hi Lawrence,

    Thanks for that help.  I haven't been able to figure out why the client wouldn't have been able to communicate with the wsus server.  It's a remote office where we don't have IT staff, but I'm very confident that the physical connection that the WSUS box has to the network is reliable.  e.g. I'm RDP'ing on to it now and it's rock solid, and have done continuous ping without a single drop.

    The other thing that's confusing is that this WSUS server (32.4) is listed in its own WSUS control panel as not having contacted the WSUS server in 7 days.  Is that not weird?  In case it's unclear, when looking at the list of computers in the WSUS panel, I see an entry for computer 32.4 (which is the very WSUS server on which I am looking at the WSUS panel) and it hasn't had contact in a week.

    Why would a WSUS server not be able to contact itself?  What parts of the log should I put in to help diagnose this?

    thanks

    Thursday, February 23, 2012 1:49 PM
  • The other thing that's confusing is that this WSUS server (32.4) is listed in its own WSUS control panel as not having contacted the WSUS server in 7 days.  Is that not weird?

    No. Not at all, considering that your primary symptom is a Cannot Connect error.

    Why would a WSUS server not be able to contact itself?

    There are actually several possible reasons, and consistent with the error code - the fundamental premise here is that something is misconfigured in the network. It's great that you can make inbound connections via RDP, or that you can do ICMP, but that doesn't really tell us much about connections going outbound. For example:

    • Have you verified that DNS is working perfectly on that site? Can every client properly resolve the hostname of the WSUS server to the correct (local) IP Address?
    • Have you verified that the WUAgent is getting the correct URL for that WSUS Server?
    • What happens when you ping the WSUS server, by Hostname, and by IP Address, from each of the clients on that site (including the WSUS server itself)?
    • Are the routing tables correct on every client?
    • Are the proxy configurations correct? (One of the things I see a lot is clients trying to route a connection to a non-existent proxy server. That connection attempt simply dies in the Ether -- and the WUAgent logs the 0x80072EFD error because it gets nothing back from the HTTP GET package it sent out.)

    What parts of the log should I put in to help diagnose this?

    None. The WindowsUpdate.log has told us all that it can. Now you must diagnose the network. :-)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Saturday, February 25, 2012 5:18 PM
  • Thank you for helping me to find a way through this problem.

    Have you verified that DNS is working perfectly on that site? Can every client properly resolve the hostname of the WSUS server to the correct (local) IP Address?

    It appears to be working fine.  I only tested it on 5 clients, all of whom have trouble connecting to WSUS - but they all correctly resolved the name of the WSUS server from the IP (ping -a)

    Have you verified that the WUAgent is getting the correct URL for that WSUS Server?  Yes.

    What happens when you ping the WSUS server, by Hostname, and by IP Address, from each of the clients on that site (including the WSUS server itself)?   I get normal replies.

    Are the routing tables correct on every client?  I don't know, and am researching how to check this.

    Are the proxy configurations correct? Yes, there is no proxy in this office.

    I ran the WSUS Client Diagnostics tool from one of the problematic machines, and the results would suggest there is no problem.  I'll continue to investigate the things you've suggested to try and figure out what's going on with our network.  Thanks.

    WSUS Client Diagnostics Tool

    Checking Machine State
     Checking for admin rights to run tool . . . . . . . . . PASS
     Automatic Updates Service is running. . . . . . . . . . PASS
     Background Intelligent Transfer Service is running. . . PASS
     Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
      This version is WSUS 2.0

    Checking AU Settings
     AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
      Option is from Policy settings

    Checking Proxy Configuration
     Checking for winhttp local machine Proxy settings . . . PASS
      Winhttp local machine access type
       <Direct Connection>
      Winhttp local machine Proxy. . . . . . . . . .  PASS
      Winhttp local machine ProxyBypass. . . . . . .  PASS
     Checking User IE Proxy settings . . . . . . . . . . . . PASS
      User IE Proxy. . . . . . . . . . . . . . . . .  PASS
      User IE ProxyByPass. . . . . . . . . . . . . .  PASS
      User IE AutoConfig URL Proxy . . . . . . . . .  PASS
      User IE AutoDetect
      AutoDetect in use

    Checking Connection to WSUS/SUS Server
      WUServer = http://GBR0000-0011004
      WUStatusServer = http://GBR0000-0011004
     UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
     Connection to server. . . . . . . . . . . . . . . . . . PASS
     SelfUpdate folder is present. . . . . . . . . . . . . . PASS

    Monday, February 27, 2012 7:01 PM
  • What response do you get from these URLs using a browser on a client in this site:

    http://GBR0000-0011004/iuident.cab

    http://GBR0000-0011004/selfupdate/iuident.cab

    http://GBR0000-0011004/simpleauthwebservice/simpleauth.asmx

    http://GBR0000-0011004:8530/iuident.cab

    http://GBR0000-0011004:8530/selfupdate/iuident.cab

    http://GBR0000-0011004:8530/simpleauthwebservice/simpleauth.asmx


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, February 29, 2012 10:06 PM
  • What response do you get from these URLs using a browser on a client in this site:

    http://GBR0000-0011004/iuident.cab

    http://GBR0000-0011004/selfupdate/iuident.cab

    For both of the above, IE offers to save the cab file.

    http://GBR0000-0011004/simpleauthwebservice/simpleauth.asmx

    Displays a webpage -  The following operations are supported. For a formal definition,
    please review the Service Description GetAuthorizationCookie  Ping

    http://GBR0000-0011004:8530/iuident.cab

    http://GBR0000-0011004:8530/selfupdate/iuident.cab

    http://GBR0000-0011004:8530/simpleauthwebservice/simpleauth.asmx

    For all three above, "IE cannot display"


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


    Thanks for the continued help.
    Thursday, March 01, 2012 1:24 PM
  • What response do you get from these URLs using a browser on a client in this site:

    http://GBR0000-0011004/iuident.cab

    http://GBR0000-0011004/selfupdate/iuident.cab

    For both of the above, IE offers to save the cab file.

    http://GBR0000-0011004/simpleauthwebservice/simpleauth.asmx

    Displays a webpage -  The following operations are supported. For a formal definition,
    please review the Service Description GetAuthorizationCookie  Ping

    Excellent. That helps us to confirm that the WSUS server is, fundamentally, functional and accessible by a properly configured and functioning client system, and the Client Diagnostic Tool also confirmed for us that the client is properly configured and can communicate with the WSUS server.

    So, now, let's try a full detection. Please do the following:

    1. Record the system time of a test client on that site.
    2. Restart the Automatic Updates service.
    3. Run this command from a command prompt: wuauclt /resetauthorization /detectnow.
    4. Wait 30 minutes.
    5. Post the log entries from WindowsUpdate.log starting at the time you recorded in Step #1.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    • Marked as answer by Eoin Ryan Wednesday, March 07, 2012 7:21 PM
    Thursday, March 01, 2012 8:01 PM
  • Thanks Lawrence.  Running the resetauthorization command above seems to have fixed it on one of the machines, at least. I'm delighted!!!

    On this particular site, I still have 5 other clients that are 'not yet reported' and I will try the same resolution on each of them and come back to the thread.

    On one of them at least, there was a remnant of some previous malware.  Scans with Forefront didn't find anything bad, but Malwarebytes found some 'malicious registry entries' which had set updates to disabled, so that might be something else contributing.

    All in all, it's a great help, thanks.

    Wednesday, March 07, 2012 7:21 PM
  • Another of these troublesome clients in this particular office suddenly started pulling down updates when it was taken off the domain and then rejoined.

    Does that indicate any systemic problem that I can further investigate?

    Thursday, March 08, 2012 5:44 PM
  • Another of these troublesome clients in this particular office suddenly started pulling down updates when it was taken off the domain and then rejoined.

    Does that indicate any systemic problem that I can further investigate?

    Very possibly.

    That behavior is symptomatic of the presence of WUAgent configuration settings in LOCAL POLICY, which are suppressed when the machine is a member of the domain, but become the authoritative configuration when the machine is removed from the domain and no longer subject to Group Policy.

    Generally speaking, when you remove a machine from the domain, the GPO settings will be left behind in the registry, and the machine will continue to communicate with the assigned WSUS server. In the instant case, it seems that the machine ceased to be a WSUS client, and reverted to being an AU client.

    Rejoining the domain likely put the machine back in the default container which would not be subject to any GPOs. Even if that did not happen, and the machine popped back into the original orgUnit, obtained the original GPO, and reverted to being a WSUS client -- it only takes one detection event against AU to queue a boatload of Not-Yet-Approved updates for download, and the client is off and running.

    You can remediate the problem by purging the BITS download queue on that client (using BITSADMIN.exe v2 or later), running a detection against the WSUS server which will pick up your current approvals and 'undo' any previous intent to install additional updates, and re-queue the needed/approved updates for download from the WSUS server.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Friday, March 09, 2012 3:25 AM
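
Added example (not part of any post in this thread): one way to check whether a client is currently a WSUS client or has reverted to being an AU client, by parsing the output of `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s` collected from it. The two sample outputs are constructed, and the function names and the `expected_server` parameter are hypothetical; the registry cannot tell you whether the values came from a domain GPO or from local policy.

```python
import re

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
# Value line: leading whitespace, name, type, data (tab- or space-separated).
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

# Constructed sample: policy as the Client Diagnostics Tool output describes it.
SAMPLE_WSUS = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://GBR0000-0011004
    WUStatusServer    REG_SZ    http://GBR0000-0011004

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
    AUOptions    REG_DWORD    0x4
"""

# Constructed sample: no WSUS server values, and updating switched off.
SAMPLE_REVERTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x1
    AUOptions    REG_DWORD    0x4
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: data}}, both lowercased, from reg query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, kind, data = m.groups()
            current[name.lower()] = int(data, 16) if kind == "REG_DWORD" else data
    return keys


def classify(text, expected_server):
    """Return (mode, findings); mode is 'wsus' or 'au'."""
    keys = parse_reg_query(text)
    wu = keys.get(WU_KEY.lower(), {})
    au = keys.get(WU_KEY.lower() + r"\au", {})
    server, status = wu.get("wuserver"), wu.get("wustatusserver")
    findings = []
    # The agent uses WSUS only when UseWUServer is 1 and both URLs are set.
    if au.get("usewuserver") == 1 and server and status:
        mode = "wsus"
        if server.rstrip("/").lower() != expected_server.rstrip("/").lower():
            findings.append("WUServer is %s, expected %s" % (server, expected_server))
        if status.lower() != server.lower():
            findings.append("WUStatusServer differs from WUServer")
    else:
        mode = "au"
        findings.append("no effective WSUS policy; detection goes to Microsoft's AU service")
    if au.get("noautoupdate") == 1:
        findings.append("NoAutoUpdate=1: automatic updating is disabled by policy")
    return mode, findings


if __name__ == "__main__":
    for label, sample in (("wsus", SAMPLE_WSUS), ("reverted", SAMPLE_REVERTED)):
        print(label, classify(sample, "http://GBR0000-0011004"))
```
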