Machine not reporting - WSUS on Win2k12R2 Std

  • Question

  • Hello fellas !

    I have done some research before posting and I am looking for other POV and insights on some stuff that I might miss.

    • Server : Windows Server 2012 R2 Std
    • Issue : Some machines aren't reporting.
    • Method : Using GPO.

    I have tried removing the machine from the WSUS, forcing gpupdate on the computers and running a command that detects the WSUS. Result: they are still not reporting. I have 3 guesses at this stage:

    1. Firewall, UAC or Anti-Virus is preventing the process.
    2. Machine does not apply the GPO correctly.
    3. Connection between the server and the machine is broken.

    GPUpdate does work. I did a GPResult and it does show that the WSUS GPO is enabled and applied. Other machines with the same configurations are doing fine. Test-Connection from the server to the machine is ok. I do see their IP Addresses on the WSUS Panel.

    Thanks,

    Nevets24


    Thursday, April 4, 2019 1:06 PM

All replies

  • Hi Nevets24,
      

    Thank you for posting here.
    The following steps are typically used to troubleshoot such issues:
      

    1. On the client where the problem is reported, check the synchronization record and error information of WindowsUpdate.log, which will help to analyze the problem.
    2. Read the methods mentioned in the following article to cancel all replaced updates: "How to identify and decline superseded updates in WSUS".
    3. Run Server Cleanup Wizard in WSUS Console.
    4. On a client that is not reporting properly, run the command:
      wuauclt.exe /detectnow /reportnow
      usoclient.exe startscan (For Windows 10)
      Wait for the client to report to WSUS.
        

    Reply back with the results; I would be happy to help.
      

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 5, 2019 2:03 AM
  • Hi Yic,

    Thanks for the answer. I'll run some tests and do the command you provided and see how it works. I will write back how I manage to find the issue if it's something else !

    Thanks,

    Nevets

    Monday, April 8, 2019 1:09 PM
  • The command did not work. I am actually analyzing logs from 2 computers to see what the difference is and where the problem appears in the process.
    Monday, April 8, 2019 5:03 PM
  • Have you run the client side script after removing the computer from the WSUS Console?

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/

    I know it looks like you may have done it before, but try it. It fixes most issues that relate to the client system being the problem. If that doesn't work, look at your WSUS server as noted in the rest of the post explaining the why.

    Try to download the WSUS iuident CAB file from the client machine.

    http://server.domain.local:8530/selfupdate/iuident.cab
    https://server.domain.local:8531/selfupdate/iuident.cab

    and then try to browse to:

    http://server.domain.local:8530/ClientWebService/client.asmx
    https://server.domain.local:8531/ClientWebService/client.asmx

    If you can download it and browse to it, that's the port/url to use in your GPO. If you can't, check firewall settings and port settings.

    If in doubt, take a look at part 4 of my 8 part blog series that deals with GPOs and policies (hint, always use fqdn) https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Tuesday, April 9, 2019 1:22 AM
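
The endpoint check described in the reply above, as an added PowerShell example that is not part of the original thread. It assumes it runs on the affected client, that the WSUS GPO writes the standard `WUServer` / `WUStatusServer` policy values, and that `Test-NetConnection` is available (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added example: probe the WSUS URLs that Group Policy actually wrote to this client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy -or -not $policy.WUServer) {
    Write-Warning 'No WUServer policy value found; the WSUS GPO is not applied on this machine.'
    return
}

# The two paths named in the reply: the self-update CAB and the client web service.
$probePaths = '/selfupdate/iuident.cab', '/ClientWebService/client.asmx'

# WUServer is where the client scans; WUStatusServer is where it sends its reports.
$targets = @($policy.WUServer, $policy.WUStatusServer) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('/') } |
    Select-Object -Unique

$results = foreach ($base in $targets) {
    $uri = [Uri]$base
    # The reply's hint: the GPO should use the FQDN, not a short name or an IP address.
    if ($uri.HostNameType -ne 'Dns' -or $uri.Host -notmatch '\.') {
        Write-Warning "$base does not use an FQDN."
    }
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    foreach ($path in $probePaths) {
        $status = 'not tested (TCP port unreachable: check firewall and port settings)'
        if ($tcp.TcpTestSucceeded) {
            try {
                $r = Invoke-WebRequest -Uri ($base + $path) -UseBasicParsing -TimeoutSec 30
                $status = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
            } catch {
                $status = "FAILED: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Url      = $base + $path
            PortOpen = $tcp.TcpTestSucceeded
            Result   = $status
        }
    }
}
$results | Format-Table -AutoSize -Wrap
```

A row with `PortOpen` false points at the firewall or the port in the GPO; a row with the port open but a failed request points at IIS or the WSUS site on the server.
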
  • Thanks for information. I will give it a try for sure. I have come across that link too : (Troubleshooting issue with WSUS Client.) Can't post links yet.

    I have encountered issues with the BITS service. I can do the query and start, however it doesn't stay in RUNNING state for long. I do not know how that would affect the WSUS Agent from the computer itself though.

    I will come back and give some feedback as soon as my client lets me run some tests!

    Tuesday, April 9, 2019 8:16 PM
  • BITS doesn't have to be on for long. Don't worry about that. It automatically will trigger when it needs to.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Wednesday, April 10, 2019 12:58 AM
  • Just tried it now. Sadly, it is still not reporting. Ran the WSUS Clean Wizard, but doesn't seem to have done much. Now the device itself says it's up-to-date but it is not (1803 instead of 1809). I ran the PowerShell command as told from your post and read the part that says : IF it didn't work. Everything's ok, but I am not in place to buy the script for WAM, so I think I am mostly fucked now haha.

    Thanks for the help.

    Nevets

    Tuesday, April 16, 2019 6:02 PM
  • but I am not in place to buy the script for WAM, so I think I am mostly fucked now haha.

    Thanks for the help.

    Nevets

    I won't leave you hanging.

    Mass-decline all superseded updates from the WSUS Console. Run the SCW.

    Try:

    * Make the following "Advanced Settings" for WSUS Application Pool in IIS:
        - Queue Length: 25000 from 1000
        - Limit Interval (minutes): 15 from 5
        - "Service Unavailable" Response: TcpLevel from HttpLevel
    * (Stop IIS first) Edit the web.config ( C:\Program Files\Update Services\WebServices\ClientWebService\web.config ) for WSUS:
        - Replace <httpRuntime maxRequestLength="4096" /> with <httpRuntime maxRequestLength="204800" executionTimeout="7200"/>
    * Adjust the private memory limit.
        - If you have WSUS Automated Maintenance (WAM), from the WAM Shell run:
            .\Clean-WSUS.ps1 -SetApplicationPoolMemory 4096
        - If you don't have WAM, edit the pool's configuration directly to change it to 4194304 (4GB)


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    • Marked as answer by Nevets24 Thursday, May 23, 2019 12:39 PM
    Wednesday, April 17, 2019 12:46 AM
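
The server-side changes listed in the answer above, as an added PowerShell example that is not part of the original thread or of WAM. It assumes an elevated session on the WSUS server, the WebAdministration module, and that the WSUS application pool has the default name `WsusPool`; the property names are the IIS configuration attributes behind the "Advanced Settings" labels in the answer.

```powershell
# Added example: apply the answer's IIS and web.config values on the WSUS server.
Import-Module WebAdministration

$pool      = 'IIS:\AppPools\WsusPool'   # assumed default WSUS pool name
$webConfig = 'C:\Program Files\Update Services\WebServices\ClientWebService\web.config'

if (-not (Test-Path $pool)) { throw "Application pool not found: $pool" }

# "Advanced Settings" for the WSUS application pool.
Set-ItemProperty $pool -Name queueLength -Value 25000                                # Queue Length
Set-ItemProperty $pool -Name cpu.resetInterval -Value ([TimeSpan]::FromMinutes(15))  # Limit Interval (minutes)
Set-ItemProperty $pool -Name failure.loadBalancerCapabilities -Value 'TcpLevel'      # "Service Unavailable" Response
Set-ItemProperty $pool -Name recycling.periodicRestart.privateMemory -Value 4194304  # private memory limit in KB (4GB)

# web.config edit, with IIS stopped as the answer requires.
iisreset /stop
try {
    # Keep the first backup so the original file is never overwritten by a re-run.
    if (-not (Test-Path "$webConfig.bak")) { Copy-Item $webConfig "$webConfig.bak" }

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($webConfig)

    $node = $xml.SelectSingleNode("//*[local-name()='httpRuntime']")
    if (-not $node) { throw "No <httpRuntime> element found in $webConfig" }

    $node.SetAttribute('maxRequestLength', '204800')
    $node.SetAttribute('executionTimeout', '7200')
    $xml.Save($webConfig)
}
finally {
    # Always bring IIS back, even if the edit failed.
    iisreset /start
}

# Read the pool values back to confirm what is now configured.
Get-ItemProperty $pool | Select-Object name, queueLength,
    @{ n = 'cpuResetInterval';   e = { $_.cpu.resetInterval } },
    @{ n = 'serviceUnavailable'; e = { $_.failure.loadBalancerCapabilities } },
    @{ n = 'privateMemoryKB';    e = { $_.recycling.periodicRestart.privateMemory } }
```
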
  • Ok, thanks for that to be honest. So I did it, I'll leave it a moment to see how it reacts.

    I have never worked with WSUS so I am trying to put 1 and 1 together to sort this out, pretty hard since I haven't done any of this configuration.

    Wednesday, April 17, 2019 7:07 PM
  • To give some feedback, I retried the PowerShell commands, it didn't work. I could not get halfway through it without errors. WU & BITS Services aren't running or are not able to launch properly.

    I ran the troubleshoot program from Windows, it does say I have an issue with WU DB. Doesn't fix it though. Tried with the WU Program downloaded from Windows, same result. I decided to use DISM /Online command to see if SFC missed its shot somewhere. We will see. As of now, I still don't get why 90% of the computers got the update without issue and the 10% did not.

    I made sure my WSUS is clean, but I really think that it may be the WSUS DB itself that is starting to have issues.

    Monday, April 22, 2019 1:13 PM
  • To close the subject, our WSUS is now unable to do anything. The only solution I see as of now is to re-index the WID or reinstall the WSUS Service (most likely what will happen).

    Thanks @AdamMarshall for the help provided. Your website is really a useful tool.

    Steven

    Thursday, May 23, 2019 12:38 PM
  • You're welcome.

    If you're re-installing, make sure you do it completely. If you don't, you may leave some gremlins lurking around.

    https://www.ajtek.ca/wsus/how-to-remove-wsus-completely-and-reinstall-it/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Thursday, May 23, 2019 2:25 PM