none
WSUS on Disconnected Network Not Showing Client Computers

    Question

  • I recently put WSUS on my test network which is on a different domain than my production and also doesn't route to the internet.  It's on a 2008 32-bit server.  I have client side targeting enabled and a group that corresponds with the OUs in group policy where the client side targeting is configured.  I have the specified intranet site configured (I've tried http://sername and http://servername:80).  Still none of my clients are showing up in WSUS.

    When I run the WSUS client diag on an XP machine I get this:


    WSUS Client Diagnostics Tool

    Checking Machine State
            Checking for admin rights to run tool . . . . . . . . . PASS
            Automatic Updates Service is running. . . . . . . . . . PASS
            Background Intelligent Transfer Service is not running. PASS
            Wuaueng.dll version 5.4.3790.2180 . . . . . . . . . . . PASS
                    This version is SUS 1.0

    Checking AU Settings
            AU Option is 3 : Notify Prior to Install. . . . . . . . PASS
                    Option is from Policy settings

    Checking Proxy Configuration
            Checking for winhttp local machine Proxy settings . . . PASS
                    Winhttp local machine access type
                            <Direct Connection>
                    Winhttp local machine Proxy. . . . . . . . . .  NONE
                    Winhttp local machine ProxyBypass. . . . . . .  NONE
            Checking User IE Proxy settings . . . . . . . . . . . . PASS
                    User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                    User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                    User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                    User IE AutoDetect
                    AutoDetect not in use

    Checking Connection to WSUS/SUS Server
                    WUServer =
    http://WSUS.helgafjell.ad:80
                    WUStatusServer =
    http://wsus.helgafjell.ad:80
            UseWuServer value is missing. . . . . . . . . . . . . . FAIL

    GetAUSettingsRegistry(true,pszUseWu,&dwUseWu) failed with hr=0x80070002

    The system cannot find the file specified.

    Any ideas?

    Friday, April 09, 2010 7:17 PM

Answers

  • Is there an easy way to move this thread to the Group Policy forum?

    I can move the thread, but it would probably be cleaner to leave the discussion, till now, in this forum where others who might encounter similar issues can benefit. I would recommend creating a new post in the GP forum with the simple issue at hand:

    The Client Diagnostic Tool reports that the value is missing; the only policy in place is the Default Domain Policy which is configured to set that value as enabled, and the value does physically exist in the correct key of the registry with the value dword:0x1 -- the question being: What would prevent the Client Diagnostic Tool from being able to read the registry value that is actually present?

    And make note that this is the return from the attempt to read the value:

    GetAUSettingsRegistry(true,pszUseWu,&dwUseWu) failed with hr=0x80070002


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, April 22, 2010 3:35 PM

All replies

  • Checking Connection to WSUS/SUS Server
                    WUServer = http://WSUS.helgafjell.ad:80
                    WUStatusServer = http://wsus.helgafjell.ad:80
            UseWuServer value is missing. . . . . . . . . . . . . . FAIL

    This client is not properly configured to use WSUS.

    Either you configured this machine using direct registry edits, or you have conflicting policies configured.

    If you did not use direct registry editing, and I'll assume you did not since you talk extensively about your domain environment, then you should run RSOP on this client and identify the GPOs being applied and determine which of those GPOs are valid for configuring WSUS and which one(s) are not. One of those GPOs has "Specify intranet Microsoft update service location" explicitly DISABLED, which is what is causing the "UseWUServer value is missing" condition.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, April 09, 2010 8:47 PM
  • This is my result:

     

        Applied Group Policy Objects

        -----------------------------

            Helgafjell Computers Container

            WSUS Servers

            Default Domain Policy

     

        The following GPOs were not applied because they were filtered out

        -------------------------------------------------------------------

            Local Group Policy

                Filtering:  Not Applied (Empty)



    There were no user configuration GPOs.  The WSUS Servers GPO is the GPO that specifies the Intranet Microsoft update service location...among other things like how often it syncs, etc.  The Helgafjell Computers Container is the one that does the client side targeting.  Specify intranet Microsoft update service location is "not configured" in that GPO.  There are no other GPOs configured that do anything with WSUS.

    Monday, April 12, 2010 5:44 PM
  • There were no user configuration GPOs.  The WSUS Servers GPO is the GPO that specifies the Intranet Microsoft update service location...among other things like how often it syncs, etc.  The Helgafjell Computers Container is the one that does the client side targeting.  Specify intranet Microsoft update service location is "not configured" in that GPO.  There are no other GPOs configured that do anything with WSUS.

    And yet... something is causing the UseWUServer registry value to be set to false -- and something that has a higher application priority than the "WSUS Servers" Group Policy which is where it's being enabled.

    If you cannot find it by inspecting the policy objects, then create a special OU. Place one computer in the OU, remove all of the policies and observe the results. Add one policy at a time to that OU and observe the results. Eventually adding something will cause UseWUServer to be set to false, and you will have identified the culprit.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, April 13, 2010 1:36 PM
  • I did as you suggested.  Well, I actually edited the Default Domain Policy to do what the WSUS Servers Policy was doing (specifying the Microsoft Intranet Service Update Location) and I told it to sync ever hour.  Then I deleted the WSUS Servers GPO completely.  I unlinked the other GPO that handles client side targetting.  I ran a gpupdate /force on the client and then ran the clientdiag tool again and I still get the same error. 

    Here is the gpresult to show that only the default domain policy is being applied:


       Applied Group Policy Objects
       -----------------------------
           Default Domain Policy

       The following GPOs were not applied because they were filtered out
       -------------------------------------------------------------------
           Helgafjell Computers Container
               Filtering:  Disabled (Link)

           Local Group Policy
               Filtering:  Not Applied (Empty)

    Tuesday, April 13, 2010 3:05 PM
  • Still no luck.  Anyone have any suggestions?? 

    The wsus server is actually not activated.  Could that have something to do with it?  It doesn't have an internet connection and it's just a test server, so we haven't bothered with it.

    Monday, April 19, 2010 2:02 PM
  • The wsus server is actually not activated.  Could that have something to do with it?  It doesn't have an internet connection and it's just a test server

    No. The configuration, status, or even the actual physical presence (or lack thereof) has nothing at all to do with a Group Policy properly editing the registry value.

    You should check the ACLs on the HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate key, AU subkey, and all values, to ensure they are set correctly. A read-only key or value, or one lacking the necessary permissions, would also manifest with this behavior.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, April 19, 2010 5:50 PM
  • I checked the permissions and they are the same as in my production environment (which is working).  Any other ideas?
    Monday, April 19, 2010 7:55 PM
  • I also wanted to mention that I did export from my production server and import to this test wsus server.  Is it possible there's something weird wtih the metadata or something?
    Monday, April 19, 2010 8:28 PM
  • I also wanted to mention that I did export from my production server and import to this test wsus server.  Is it possible there's something weird wtih the metadata or something?


    Well, it's always possible that there's "Something wierd" with the data export/import you performed.. but again, *nothing* server side has anything at all to do with the successful application of a Group Policy to a workstation.

    The fundamental issue here is that the policy(s) being applied are not properly updating the registry values.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, April 19, 2010 11:23 PM
  • Yesterday I opened up the permissions even more and gave authenticated users full control.  I checked today and the clients still aren't showing up in WSUS.  I just don't get it.  I'm able to ping it, the permissions should be fine, the GPO is getting applied.  I'm just missing something.  How can I know for sure that the wsus site uses port 80?  It says 80 in IIS under the default web site.  Is there a way I can double check the path that needs to go into group policy?  Right now it says http://wsus.domain.ad:80.  The name of the wsus server is wsus and I put in my domain name, obviously.
    Tuesday, April 20, 2010 12:44 PM
  • Yesterday I opened up the permissions even more and gave authenticated users full control.  I checked today and the clients still aren't showing up in WSUS.  I just don't get it.  I'm able to ping it, the permissions should be fine, the GPO is getting applied.  I'm just missing something.  How can I know for sure that the wsus site uses port 80?  It says 80 in IIS under the default web site.  Is there a way I can double check the path that needs to go into group policy?  Right now it says http://wsus.domain.ad:80.  The name of the wsus server is wsus and I put in my domain name, obviously.


    The URL of the WSUS server is not in question here.

    The registry key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU contains a registry value called "UseWUServer". This value must be set to TRUE (dword:0x1) in order for the WUAgent to execute detections from a WSUS Server, otherwise it executes detections against the Automatic Updates functionality of microsoft.com

    The ONLY way this value is set to TRUE is with the "Specify intranet Microsoft update services location" policy. Three values get set by this policy:

    WUServer is set to the string specified in the first text field

    WUStatusServer is set to the string specified in the second text field

    UseWUServer is set to TRUE when this policy is ENABLED

    There are only TWO possible ways that the value UseWUServer is set to FALSE.

    1. A higher priority policy is being applied that has the "Specify intranet..." policy explicitly set to DISABLED, or

    2. The policy with the setting ENABLED is not being applied.

    We've looked at the most obvious causes of GPO failure in the WSUS environment, and those investigations have not identified a cause, or provided a solution. You may find it useful to discuss this situation with one of the Group Policy experts in the Group Policy forum.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Wednesday, April 21, 2010 12:24 AM
  • The UseWUServer value is set to 1.  I guess I'll give group policy a try.  Thanks for your help.
    Wednesday, April 21, 2010 4:02 PM
  • Is there an easy way to move this thread to the Group Policy forum?
    Wednesday, April 21, 2010 4:05 PM
  • The UseWUServer value is set to 1.  I guess I'll give group policy a try.  Thanks for your help.

    Are you saying that "UseWUServer" is set to '1' and the CDT still reports "UseWUServer" is missing?
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, April 22, 2010 3:31 PM
  • Is there an easy way to move this thread to the Group Policy forum?

    I can move the thread, but it would probably be cleaner to leave the discussion, till now, in this forum where others who might encounter similar issues can benefit. I would recommend creating a new post in the GP forum with the simple issue at hand:

    The Client Diagnostic Tool reports that the value is missing; the only policy in place is the Default Domain Policy which is configured to set that value as enabled, and the value does physically exist in the correct key of the registry with the value dword:0x1 -- the question being: What would prevent the Client Diagnostic Tool from being able to read the registry value that is actually present?

    And make note that this is the return from the attempt to read the value:

    GetAUSettingsRegistry(true,pszUseWu,&dwUseWu) failed with hr=0x80070002


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, April 22, 2010 3:35 PM
  • That's the part I don't get.  It seems like all the right things have been set up.  I'll check with the group policy forum and make note of everything you said.

     

    Thanks!

    Thursday, April 22, 2010 4:25 PM