none
WSUS setting change

    Question

  • Greetings. I have been trying to solve a WSUS problem for a few weeks. Any help would be appreciated.
    I have two servers running Windows SBS and four client computers running XP or XP Tablet. One server is the WSUS server (WSUS 3.0 SP1) on port 8530 and all of the computers are directed to obtain their updates from the intranet server by the WSUS GPO.
    I first noticed the problem when I realized that none of the computers, including the computer hosting the WSUS server, had reported in for nearly 5 months. They seemed to be downloading updates though.  Try as I might, I cannot get the connections to work properly. It is particularly frustrating because everything had been working just fine for over a year.
    I am pretty sure the problem is in my GPO because running ClientDiag gives me:


    WSUS Client Diagnostics Tool

    Checking Machine State
            Checking for admin rights to run tool . . . . . . . . . PASS
            Automatic Updates Service is running. . . . . . . . . . PASS
            Background Intelligent Transfer Service is not running. PASS
            Wuaueng.dll version 7.6.7600.256. . . . . . . . . . . . PASS
                    This version is WSUS 2.0

    Checking AU Settings
            AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                    Option is from Policy settings

    Checking Proxy Configuration
            Checking for winhttp local machine Proxy settings . . . PASS
                    Winhttp local machine access type
                            <Direct Connection>
                    Winhttp local machine Proxy. . . . . . . . . .  NONE
                    Winhttp local machine ProxyBypass. . . . . . .  NONE
            Checking User IE Proxy settings . . . . . . . . . . . . PASS
                    User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                    User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                    User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                    User IE AutoDetect
                    AutoDetect not in use

    Checking Connection to WSUS/SUS Server
                    WUServer = WUA
                    WUStatusServer = http://rrserver:8530
            UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL

    VerifyWUServerURL() failed with hr=0x80072ee6

    The URL does not use a recognized protocol

    When I gpupdate /force, the results change:


    WSUS Client Diagnostics Tool

    Checking Machine State
            Checking for admin rights to run tool . . . . . . . . . PASS
            Automatic Updates Service is running. . . . . . . . . . PASS
            Background Intelligent Transfer Service is not running. PASS
            Wuaueng.dll version 7.6.7600.256. . . . . . . . . . . . PASS
                    This version is WSUS 2.0

    Checking AU Settings
            AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                    Option is from Policy settings

    Checking Proxy Configuration
            Checking for winhttp local machine Proxy settings . . . PASS
                    Winhttp local machine access type
                            <Direct Connection>
                    Winhttp local machine Proxy. . . . . . . . . .  NONE
                    Winhttp local machine ProxyBypass. . . . . . .  NONE
            Checking User IE Proxy settings . . . . . . . . . . . . PASS
                    User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                    User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                    User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                    User IE AutoDetect
                    AutoDetect not in use

    Checking Connection to WSUS/SUS Server
                    WUServer = http://rrserver:8530
                    WUStatusServer = http://rrserver:8530
            UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
            Connection to server. . . . . . . . . . . . . . . . . . PASS
            SelfUpdate folder is present. . . . . . . . . . . . . . PASS

    These results look good, but after waiting about one minute, they change back to the first results.

    When I run gpresult.exe I get:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\pmontany>gpresult.exe

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 10/15/2012 at 7:34:37 AM


    RSOP results for RIVERROCKSURGIC\pmontany on RECEPTION : Logging Mode
    ----------------------------------------------------------------------

    OS Type:                     Microsoft Windows XP Professional
    OS Configuration:            Member Workstation
    OS Version:                  5.1.2600
    Domain Name:                 RIVERROCKSURGIC
    Domain Type:                 Windows 2000
    Site Name:                   Default-First-Site-Name
    Roaming Profile:
    Local Profile:               C:\Documents and Settings\pmontany
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=Reception,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=RiverRockSurgical
    ,DC=local
        Last time Group Policy was applied: 10/15/2012 at 7:20:01 AM
        Group Policy was applied from:      rrserver.RiverRockSurgical.local
        Group Policy slow link threshold:   500 kbps

        Applied Group Policy Objects
        -----------------------------
            Small Business Server Windows Firewall
            Small Business Server Client Computer
            Small Business Server Remote Assistance Policy
            Small Business Server Lockout Policy
            Small Business Server Domain Password Policy
            Default Domain Policy
            Windows Server Update Services

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Small Business Server Internet Connection Firewall
                Filtering:  Denied (WMI Filter)
                WMI Filter: PreSP2

            Small Business Server - Windows Vista policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Vista

            Small Business Server Folder Redirection
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups:
        --------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            Reception$
            Domain Computers


    USER SETTINGS
    --------------
        CN=Paul Montany,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=RiverRockSurgical,DC=l
    ocal
        Last time Group Policy was applied: 10/15/2012 at 7:33:29 AM
        Group Policy was applied from:      rrserver.RiverRockSurgical.local
        Group Policy slow link threshold:   500 kbps

        Applied Group Policy Objects
        -----------------------------
            Small Business Server Folder Redirection
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Small Business Server Internet Connection Firewall
                Filtering:  Denied (WMI Filter)
                WMI Filter: PreSP2

            Windows Server Update Services
                Filtering:  Disabled (GPO)

            Small Business Server - Windows Vista policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Vista

            Small Business Server Client Computer
                Filtering:  Not Applied (Empty)

            Small Business Server Lockout Policy
                Filtering:  Disabled (GPO)

            Small Business Server Remote Assistance Policy
                Filtering:  Disabled (GPO)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            Small Business Server Domain Password Policy
                Filtering:  Not Applied (Empty)

            Small Business Server Windows Firewall
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups:
        ----------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            LOCAL
            Domain Admins
            SBS Mobile Users
            SBS Report Users
            Web Workplace Users
            Offer Remote Assistance Helpers

    It looks to me like something is overriding my WSUS GPO, but I have checked all of the settings for all of my GPOs, and none of them have any WSUS settings.

    Any ideas?  Thank you.

    Monday, October 15, 2012 12:15 PM

Answers

  • Would it be worth trying just reinstalling Explorer 8?

    Actually, a defective IE8 installation is also a possible cause.

    Also, thinking back, there were considerations regarding the installation of IE7 and installing XP SP3, and different orders of installation had different impacts on the state of IE7. It's possible that a similar scenario exists for IE8, although it would be highly unusual for IE8 to be installed on an XP SP2 system, and it may be that IE8 required XP SP3. (It's been a very very long time, and I don't remember.)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    • Marked as answer by riverrocksurg Thursday, November 08, 2012 9:17 PM
    • Unmarked as answer by riverrocksurg Thursday, November 08, 2012 9:17 PM
    • Marked as answer by riverrocksurg Thursday, November 08, 2012 9:18 PM
    Wednesday, November 07, 2012 8:46 PM

All replies

  • >>One server is the WSUS server (WSUS 3.0 SP1) on port 8530 and all of the computers are directed to obtain their updates from the intranet server by the WSUS GPO.<<

    WSUS 3.0 SP1 currently not supported


    >>Wuaueng.dll version 7.6.7600.256. . . . . . . . . . . . PASS<<

    In order to successfully communicate with clients WUA version 7.6.7600.256 your WSUS must be 3.2.7600.251 version - it means that you must have WSUS 3.0 SP2  + KB2720211 or KB2734608 installed

    So at first step -  upgrade your WSUS to SP2 and then install KB2720211 or KB2734608 on it.


    Tuesday, October 16, 2012 5:59 AM
  • Thank you for your reply.  Nice catch.

    After checking my system, my WSUS is version  3.2.7600.226. I put WSUS SP1 because that is what the icon was labeled. As directed by Microsoft on how to check if WSUS SP2 is installed, I checked in the Add or Remove Programs Control Panel and indeed WSUS 3.0 SP2 is present. So I guess WSUS SP2 is installed after all.

    I just upgraded with KB2734608. It did not change my version number.

    Tuesday, October 16, 2012 9:15 PM
  • I just upgraded with KB2734608. It did not change my version number.

    It won't in the About->Help of the MMC. Check the version number on the Home Page of the console.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Thursday, October 18, 2012 8:39 PM
  • Checking Connection to WSUS/SUS Server
                    WUServer = WUA
                    WUStatusServer = http://rrserver:8530
            UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL

    VerifyWUServerURL() failed with hr=0x80072ee6

    Aside from the other issues pointed out, you also have two defects in the WUAgent configuration. The WUServer and WUStatusServer values must identical, and they must be correct. The WUServer value is invalid (so its being ignored); the WUStatusServer value has an extra slash and that's what is causing hte 0x80072ee6 INVALID URL error.

    The WUServer value was updated after your refresh, but the URLs are still invalid:

    Checking Connection to WSUS/SUS Server
                    WUServer = http://rrserver:8530
                    WUStatusServer = http://rrserver:8530

    These results look good, but after waiting about one minute, they change back to the first results.

    That suggests you have a GP-driven script that's running and setting these values after the GPO has been applied.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


    Thursday, October 18, 2012 8:42 PM
  • Mr Garvin, thank you for also trying to help.

                   Check the version number on the Home Page of the console.

    I do not understand this instruction. Sorry.

                   That suggests you have a GP-driven script that's running and setting these values after the GPO has been applied.

    I would agree, based on some of your responses to other questions posted in this and other forums. How do I find the GPO that is over-writing my WSUS GPO?

    Or did I misunderstand? Is a conflicting GPO the same as a conflicting GP-driven script?

    I ran gpresults /v>>results.txt on one of the clients that won't report. The results follow. I could not find the conflict.

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 10/16/2012 at 8:14:09 AM

    RSOP results for RIVERROCKSURGIC\pmontany on RECEPTION : Logging Mode
    ----------------------------------------------------------------------

    OS Type:                     Microsoft Windows XP Professional
    OS Configuration:            Member Workstation
    OS Version:                  5.1.2600
    Domain Name:                 RIVERROCKSURGIC
    Domain Type:                 Windows 2000
    Site Name:                   Default-First-Site-Name
    Roaming Profile:            
    Local Profile:               C:\Documents and Settings\pmontany
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=Reception,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=RiverRockSurgical,DC=local
        Last time Group Policy was applied: 10/16/2012 at 7:28:23 AM
        Group Policy was applied from:      rrserver.RiverRockSurgical.local
        Group Policy slow link threshold:   500 kbps

        Applied Group Policy Objects
        -----------------------------
            Small Business Server Windows Firewall
            Small Business Server Client Computer
            Small Business Server Remote Assistance Policy
            Small Business Server Lockout Policy
            Small Business Server Domain Password Policy
            Default Domain Policy
            Windows Server Update Services

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Small Business Server Internet Connection Firewall
                Filtering:  Denied (WMI Filter)
                WMI Filter: PreSP2

            Small Business Server - Windows Vista policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Vista

            Small Business Server Folder Redirection
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups:
        --------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            Reception$
            Domain Computers
           
        Resultant Set Of Policies for Computer:
        ----------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Small Business Server Domain Password Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  N/A

                GPO: Small Business Server Domain Password Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  24

                GPO: Small Business Server Lockout Policy
                    Policy:            LockoutDuration
                    Computer Setting:  10

                GPO: Small Business Server Lockout Policy
                    Policy:            ResetLockoutCount
                    Computer Setting:  10

                GPO: Small Business Server Domain Password Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  N/A

                GPO: Small Business Server Lockout Policy
                    Policy:            LockoutBadCount
                    Computer Setting:  50

                GPO: Small Business Server Domain Password Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  4294967295

            Audit Policy
            ------------
                N/A

            User Rights
            -----------
                N/A

            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled

                GPO: Small Business Server Domain Password Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled

                GPO: Small Business Server Domain Password Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\Windows NT\Security Center
                    State:   Enabled

                GPO: Small Business Server Remote Assistance Policy
                    Setting: software\policies\microsoft\windows NT\Terminal Services
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   disabled

                GPO: Small Business Server Remote Assistance Policy
                    Setting: software\policies\microsoft\windows NT\Terminal Services\RAUnsolicit
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   Enabled

                GPO: Small Business Server Client Computer
                    Setting: software\microsoft\windows nt\currentversion\winlogon
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List
                    State:   Enabled

                GPO: Small Business Server Client Computer
                    Setting: software\policies\microsoft\windows\network connections
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   Enabled

                GPO: Small Business Server Client Computer
                    Setting: software\policies\microsoft\windows\network connections
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts
                    State:   Enabled

                GPO: Windows Server Update Services
                    Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
                    State:   Enabled

                GPO: Small Business Server Windows Firewall
                    Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts
                    State:   Enabled

                GPO: Small Business Server Remote Assistance Policy
                    Setting: software\policies\microsoft\windows NT\Terminal Services
                    State:   Enabled

                GPO: Small Business Server Client Computer
                    Setting: software\microsoft\windows\currentversion\policies\explorer
                    State:   Enabled


    USER SETTINGS
    --------------
        CN=Paul Montany,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=RiverRockSurgical,DC=local
        Last time Group Policy was applied: 10/16/2012 at 6:42:56 AM
        Group Policy was applied from:      rrserver.RiverRockSurgical.local
        Group Policy slow link threshold:   500 kbps

        Applied Group Policy Objects
        -----------------------------
            Small Business Server Folder Redirection
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Small Business Server Internet Connection Firewall
                Filtering:  Denied (WMI Filter)
                WMI Filter: PreSP2

            Windows Server Update Services
                Filtering:  Disabled (GPO)

            Small Business Server - Windows Vista policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Vista

            Small Business Server Client Computer
                Filtering:  Not Applied (Empty)

            Small Business Server Lockout Policy
                Filtering:  Disabled (GPO)

            Small Business Server Remote Assistance Policy
                Filtering:  Disabled (GPO)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            Small Business Server Domain Password Policy
                Filtering:  Not Applied (Empty)

            Small Business Server Windows Firewall
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups:
        ----------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            LOCAL
            Domain Admins
            SBS Mobile Users
            SBS Report Users
            Web Workplace Users
            Offer Remote Assistance Helpers
           
        Resultant Set Of Policies for User:
        ------------------------------------

            Software Installations
            ----------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                N/A

            Folder Redirection
            ------------------
                GPO: Small Business Server Folder Redirection
                    Setting:  InstallationType:  basic
                        Grant Type:        Not Exclusive Rights
                        Move Type:         Contents of Local Directory moved
                        Policy Removal:    Redirect the folder back to user profile location
                        Redirecting Group: Everyone
                        Redirected Path:   \\rrserver\users\pmontany\my documents\My Pictures
                                       
                GPO: Small Business Server Folder Redirection
                    Setting:  InstallationType:  basic
                        Grant Type:        Not Exclusive Rights
                        Move Type:         Contents of Local Directory moved
                        Policy Removal:    Redirect the folder back to user profile location
                        Redirecting Group: Everyone
                        Redirected Path:   \\rrserver\users\pmontany\my documents
                                       
            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A

    Any ideas?

    Thursday, October 18, 2012 11:54 PM
  • Any ideas?

    Yes, but first we need to go back to your original post and check on something I overlooked...

    I have two servers running Windows SBS and four client computers running XP or XP Tablet. One server is the WSUS server (WSUS 3.0 SP1) on port 8530 and all of the computers are directed to obtain their updates from the intranet server by the WSUS GPO.

    Can you please confirm the accuracy (or lack thereof) of the boldfaced phrase above. It is my hope that you are simply being less-than-accurate in your description of what is installed on those two systems, to wit, I need to know exactly which version and edition of Windows Server is installed on those two systems. There can only be *one* SBS server in a network -- so either the problem is being caused by a second SBS server, if one takes your post literally, or you don't have two servers running SBS.

                   Check the version number on the Home Page of the console.

    I do not understand this instruction. Sorry.

    Open the WSUS Console. Select the node with the SERVER name. Look in the lower right corner of the center of the console in the section labelled "Connection" and read the value next to "Server version:".

                   That suggests you have a GP-driven script that's running and setting these values after the GPO has been applied.<//strong>

    I would agree, based on some of your responses to other questions posted in this and other forums. How do I find the GPO that is over-writing my WSUS GPO?

    Or did I misunderstand? Is a conflicting GPO the same as a conflicting GP-driven script?

    You misunderstand.

    First, it's not a GPO that's overwriting your WSUS GPO, because you would not be able to see those changes happen.

    You reported that:

    1. You ran the Client Diagnostic Tool and got a client configuration (which is fatally flawed).
    2. Then you ran gpupdate /force which reverted the settings back to the configured values in the GPO.
    3. And a minute or so later, the settings reverted to the values originally seen in #1.

    Originally I suggested this might be a GP-based script  - a script that is executed as a component of another GPO - but the truth is, that cannot be possible with these symptoms, unless it's a really really long-running script and it actually takes a minute or more to get to the part where this client is configured. Otherwise, I don't know of any legitimate domain configuration in which this behavior could be observed.

    So, the simple part is that something other than your WSUS GPO is configuring these clients, and it might be a script -- and if it is, it's either a very slow or a very long script, or its a script being executed as a scheduled task. The objective is to find out what that is. This is a task that will require on-site diagnostics and a thorough inspection of the entire environment. A key question might be whether the original settings always revert back after one minute, or whether that time varies, and by how much it varies. If you can establish the time frame in which the bad configuration values get pushed back onto the machines, that might give you a clue as to what, or where, the source of the problem is coming from.

    Of course the other relevant point here is that this is a NEW problem, relatively speaking. That is to say, it was working correctly, and now it is not. Identifying when it last worked correctly would be a good approach. This can be obtained from [a] the Last Installation Date of any update in the system, and [b] the latest Last Reported Date on the WSUS server.

    Then again, that information won't be entirely accurate either, at least for this client, as the machine you ran the Client Diagnostic Tool against has the WUAgent v7.6.7600.256 -- which tells us that this client machine has been updated from Windows Update sometime since June 12, 2012.

    Oh.. and btw... even if the client configurations were correct .... because this client was updated from AU/WU/MU since June 12, 2012 and has the *NEW* Windows Update Agent installed -- it's incapable of communicating with your WSUS 3.0 SP1 server anyway, so we know unequivocally that this client has not been updated from your WSUS server since before June 12, 2012. (You'll want to check and see if the other WinXP devices have been updated to the v7.6.7600.256 WUAgent as well.)

    In any case, you will also need to do the following:

    1. Upgrade the WSUS server with Service Pack 2 (which, btw, was released in Fall, 2009).
    2. Install KB2720211 (which was released in June, 2012).

    Neither of those tasks are trivial, so you should also prepare for each of those tasks appropriately.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, October 24, 2012 12:11 AM
  • I have two servers running Windows SBS

         This is not correct. Server #1 is running Microsoft Windows Server 2003 for Small Business Server, Service Pack 2 and is hosting the WSUS Server.  Server #2 is running Microsoft Windows Server 2003 Standard Edition, Service Pack 2.

    Look in the lower right corner of the center of the console in the section labelled "Connection" and read the value next to "Server version:".

         I don't have a section labelled "Connection" in my console.

    Upgrade the WSUS server with Service Pack 2

         I have been running WSUS server with Service Pack 2 the whole time. The icon was still labelled SP1, but I checked in the Add or Remove Programs control panel and SP2 has been installed.

    Install KB2720211

         I had already installed KB2734608, which was supposed to include KB2720211. But I ran the install for KB2720211 and rebooted anyway.

    the WUStatusServer value has an extra slash and that's what is causing hte 0x80072ee6 INVALID URL error

         I do not understand why you say my http://rrserver:8530 has an extra slash. Microsoft instructions say: "Include a custom port number in the URL directing the client computer to the WSUS server—for example, http://WSUSServerName:portnumber".

    You'll want to check and see if the other WinXP devices have been updated to the v7.6.7600.256 WUAgent as well.

         It seems that the clients are getting some of the updates. They all have v7.6.7600.256. But the WSUS console says they have not reported in since May 2012.

    Thank you.

    Wednesday, October 24, 2012 11:11 AM
  • the WUStatusServer value has an extra slash and that's what is causing hte 0x80072ee6 INVALID URL error

         I do not understand why you say my http://rrserver:8530 has an extra slash.

    Argh... because it was 8:42pm, and my eyes were probably crossed and saw three slashes... or my brain froze and I interpreted http:// as an invalid string. Either way, ignore that response, as it was absolutely incorrect - and then take note that it's now 9:30pm, so I'm probably equally as eye-crossed or brain-frozen tonight, too.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Thursday, October 25, 2012 2:30 AM
  • Install KB2720211

         I had already installed KB2734608, which was supposed to include KB2720211. But I ran the install for KB2720211 and rebooted anyway.

    You'll want to check and see if the other WinXP devices have been updated to the v7.6.7600.256 WUAgent as well.

         It seems that the clients are getting some of the updates. They all have v7.6.7600.256. But the WSUS console says they have not reported in since May 2012.

    Hmmmm..... if the WSUS server is SP2+KB2720211 and the clients are WUAgent v7.6.7600.256, then they should be communicating, and if they aren't that brings us back to whatever is creating this errant value for WUServer in the registry.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Thursday, October 25, 2012 2:32 AM
  • Mr Garvin,

    Your guidance made me call the IT company that watches my computers in case I need a disaster recovery on a hunch. It turns out that they installed an agent that applied a Patch Management process to override my WSUS settings. With that turned off, my WSUS is now working just fine.

    I now find, however, that one of my client computers will not install five updates, giving either a 0x80246007 or a 0x80070002 error code, though it installed several other updates at the same time without difficulty. The other clients installed the five updates without any trouble. Several sites suggest that similar problems in an XP machine downloading its own updates can be fixed by deleting and re-downloading the updates. Do you think that I could clear up the problem by deleting the updates from the WSUS server and then resetting the server to download them again?

    Friday, October 26, 2012 8:19 PM
  • Your guidance made me call the IT company that watches my computers in case I need a disaster recovery on a hunch. It turns out that they installed an agent that applied a Patch Management process to override my WSUS settings.

    Helpful little bugger, eh? I presume you sent copious thankyous to your contractor for their undocumented modification to your network. :-)

    I now find, however, that one of my client computers will not install five updates, giving either a 0x80246007 or a 0x80070002 error code, though it installed several other updates at the same time without difficulty.

    Several sites suggest that similar problems in an XP machine downloading its own updates can be fixed by deleting and re-downloading the updates. Do you think that I could clear up the problem by deleting the updates from the WSUS server and then resetting the server to download them again?

    No, and that's not what that article means. It's talking about having the *WinXP* system re-download its updates. and its likely the correct action in this case, since both of those error codes point to a corrupted WUAgent datastore.

    This procedure is done by:

    1. Stopping the Automatic Updates service.
    2. Renaming the C:\Windows\SoftwareDistribution folder.
    3. Restarting the Automatic Updates service.
    4. Running the command wuauclt /resetauthorization /detectnow, and waiting 30 minutes for the results.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Friday, October 26, 2012 10:36 PM
  • I presume you sent copious thankyous to your contractor for their undocumented modification to your network.

    Oh, you better believe it!

    This procedure is done by:

    1. Stopping the Automatic Updates service.
    2. Renaming the C:\Windows\SoftwareDistribution folder.
    3. Restarting the Automatic Updates service.
    4. Running the command wuauclt /resetauthorization /detectnow, and waiting 30 minutes for the results.

    Do I also stop the Background Intelligent Transfer service?

    To what do I rename the C:\Windows\SoftwareDistribution folder? And do I delete it, re-name it back, or what after (if) the updates then install?

    Friday, October 26, 2012 10:48 PM
  • Do I also stop the Background Intelligent Transfer service?

    It is not necessary. BITS does not hold any file locks on resources in the SoftwareDistribution folder tree, but the wuauserv does.

    To what do I rename the C:\Windows\SoftwareDistribution folder?

    To whatever you would like. SoftwareDistribution.OLD is as good as anything. Renaming the folder allows the wuauserv to recreate the entire folder tree, and a fresh datastore -- which we're doing under the presumption that the existing datastore is corrupted -- but without deleting any of the critical sole-source information contained in that folder, should the expiriment fail.
    And do I delete it, re-name it back, or what after (if) the updates then install?
    If services are restored, copy the ReportingEvents.log out of the ~\SoftwareDistribution.OLD folder to ReportingEvents.log.old (this the *only* comprehensive history of all Windows Update activity on that client system since its installation) in the new ~\SoftwareDistribution folder, and you can then delete the ~\SoftwareDistribution.OLD folder. If renaming the folder does not resolve the issue, then stop the service, delete the newly created folder, rename the old folder back to its original name, and restart the service -- as the issue then does exist elsewhere and it will be useful to preserve the original cached and logged information.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Tuesday, October 30, 2012 12:07 AM
  • Thank you for the clarifications.

    I followed your instructions and got all but one update to install. The Cummulative Security Update KB2744842 would still not install. It would seem to freeze and then eventually cancel itself. I went to the Microsoft website and downloaded the update and tried to install it directly. It too crashed and I got this error:

    Setup cannot copy the file msfeedsbs.dll

    Ensure that the location specified below is correct, or change it and insert "Windows XP System Files" in the drive you specify.

    Copy files from: c:\windows\system32\dllcache

    I could not find the file  c:\windows\system32\dllcache     so I am once again stuck.

    Any suggestions?

    Tuesday, October 30, 2012 11:31 PM
  • Thank you for the clarifications.

    The Cummulative Security Update KB2744842 would still not install.

    What version of IE is installed on this Windows XP system?

    Are there previous instances of the Cumulative Security Update for IE installed? (e.g. KB2722913)?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, October 31, 2012 2:22 AM
  • I have IE 8.0.6001.18702

    My Add or Remove control panel says that Security Update for Windows Internet Explorer (KB2722913) was installed on 8/25/2012.

    Wednesday, October 31, 2012 10:45 PM
  • I have IE 8.0.6001.18702

    My Add or Remove control panel says that Security Update for Windows Internet Explorer (KB2722913) was installed on 8/25/2012.

    It's possible that there is a defect in KB2744842, although if there were I would have expected us to have heard more instances by now.

    It's also possible that this machine has an issue with the update chain for Cumulative Security Updates. One thing to try is to chronologically uninstall each existing Cumulative Security Update, starting with KB2722913, and then attempt KB2744842 again. If there is an issue in the chain, the uninstallation may remediate that.

    The mass application of six months of updates might also have some relationship, although that's merely a speculative answer. I have no information that would suggest this is an actual possibility.

    Yet another option is to simply sit on KB2744842 and wait and try the next Cumulative Security Update.

    Of course, investigating the original error message should not be ignored either.

    Finally, since this is a  WinXP system, reapplying SP3 and repatching any still-needed updates might be a solution as well. (It would depend on whether SP3 has an updated copy of msfeedsbs.dll that it can replace. BTW, the ~\dllcache folder is hidden by default, so be sure that your inability to find it wasn't because of this simple attribute.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, November 07, 2012 2:18 PM
  • Would it be worth trying just reinstalling Explorer 8?
    Wednesday, November 07, 2012 7:44 PM
  • Would it be worth trying just reinstalling Explorer 8?

    Actually, a defective IE8 installation is also a possible cause.

    Also, thinking back, there were considerations regarding the installation of IE7 and installing XP SP3, and different orders of installation had different impacts on the state of IE7. It's possible that a similar scenario exists for IE8, although it would be highly unusual for IE8 to be installed on an XP SP2 system, and it may be that IE8 required XP SP3. (It's been a very very long time, and I don't remember.)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    • Marked as answer by riverrocksurg Thursday, November 08, 2012 9:17 PM
    • Unmarked as answer by riverrocksurg Thursday, November 08, 2012 9:17 PM
    • Marked as answer by riverrocksurg Thursday, November 08, 2012 9:18 PM
    Wednesday, November 07, 2012 8:46 PM
  • I fixed it.

    Based on your comments, I uninstalled KB2722913 and installed KB2744842. Everything went fine and my WSUS seems to now be running just fine.

    Thank you for all of your help and patience.

    Thursday, November 08, 2012 9:18 PM