wsus deploy with GPO issues

  • Question

  • Hi,

    Recently I installed a WSUS server in my network to dispose of the current WSUS server. I don't want it to scan other systems until I am satisfied with the WSUS server.

    So

    I have got 2 test computers in a separate OU --> "WSUS test".

    I have installed WSUS server 3.0 SP2.

    I have created a new GPO called "WSUS test". This was the first GPO I have ever created, so I selected the WSUS test OU in the domain --> right-clicked on it and selected the "Create a GPO in this Domain and link it here" option.

    Then right-click the WSUS test GPO --> Edit.

    In Computer Configuration expand Policies --> Administrative Templates --> Windows Components --> Windows Update.

    Enabled "Configure Automatic Updates" and selected option 4 and scheduled to install every Sunday 10 am.

    Enabled "Specify intranet Microsoft update service location" to Http://xxxx:8530   http://xxxx:8530.

    Enabled "Enable client-side targeting" with target group name for this computer "WSUS test". <-- my understanding of this option is that the WSUS server looks into the "WSUS test" OU computers for clients.

    I have restarted the server and, after logging in to the server, I opened Windows Server Update Services.

    In Options --> Computers I have selected "Use the Update Services console", as this will give me the option to move computers into groups like Windows 7, Windows 8 and other groups.

    The problem I am getting:

    The WSUS server was not only scanning the WSUS test OU computers, it was also scanning other computers, including servers.

    I can see all my 19 servers, including the servers running WSUS (old and new), and 11 other Win 7 and XP computers.

    Except for 2 servers, all other servers are showing "Not yet reported" in the last status report. The 2 servers have been showing 88% installed from day 1 and have not reached 100%.

    The actual 2 test computers I want to use are also showing as not reported, with 0% installed and a red X. When I access one test computer (Win 7 Pro) and, from computer properties --> Windows Update, click the "Check for updates" button,

    I am getting an error message with code 800B0001.


    Not sure where I made the mistake.

    Please give me some suggestions.

    thank you,

    krishna 


    Krishna Gummadapu

    Monday, August 12, 2013 3:06 AM

All replies

  • When you have created an OU, added 2 computers and linked a policy to that OU, then the other machines should not acquire that policy. Please check if there is another WSUS policy at the domain level or so. As you say you have enabled the group policy for Windows Update for the first time, I suggest you take a look at RSoP on both the client machines and the servers.

    For WSUS installation and client-side targeting please check my posts -

    http://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus/

    http://prajwaldesai.com/installation-of-wsus-3-0-sp2/

    http://prajwaldesai.com/configuring-wsus-3-0-sp2-on-windows-server/

    http://prajwaldesai.com/managing-wsus-3-0-sp2-on-windows-server/

    http://prajwaldesai.com/troubleshooting-wsus-3-0-sp2-on-windows-server/


    Prajwal Desai http://PrajwalDesai.Com

    Monday, August 12, 2013 3:27 AM
  • Hi Prajwal,

    Thank you for your reply.

    I have used your posts to install WSUS 3.0 SP2 and configure client-side targeting.

    I followed all the steps you mentioned, except in WSUS --> Options --> Computers I chose "Use the Update Services console" instead of "Use Group Policy or registry settings on computers".

    I did this so I can move the clients to different groups, e.g. Win 7 or XP.

    In GPO:

    I already have one GPO working for the computers in the domain. It was assigned to the Computers OU in the domain.

    Like:

    mydomain.local

    - mydomain

        +mydomain servers

        +computers --> All computers under this OU will get the Default WSUS policy.

    + builtin

    + computers

    + WSUS test --> I have created the GPO under this OU.

    Can you please let me know how to check the RSoP on the client machines and servers?

    Is there anything to do with WUAgent (V7.6) and WSUS (3.2) compatibility?

    thank you,

    krishna 


    Krishna Gummadapu

    Monday, August 12, 2013 4:43 AM
  • To check the policies that are getting applied on client machines, go to any of the client machines, click Start, Run, and type rsop.msc. Check the policies...

    Prajwal Desai http://PrajwalDesai.Com

    Monday, August 12, 2013 4:58 AM
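
Added example (not part of the original thread): rsop.msc shows which GPO won, and the same thing can be checked from the registry. This PowerShell script compares the Windows Update policy values a machine actually holds against the settings described in the first post. The `$Expected` values are assumptions copied from that post (the server name is masked as xxxx on the page); the registry value names are the standard ones written by the Windows Update administrative template.

```powershell
# Added example. Expected values are assumptions taken from the first post;
# "xxxx" is the masked server name from the thread, replace it with yours.
$Expected = @{
    WUServer             = 'http://xxxx:8530'   # intranet update service
    WUStatusServer       = 'http://xxxx:8530'   # intranet statistics server
    UseWUServer          = 1                    # client must use the URLs above
    TargetGroupEnabled   = 1                    # client-side targeting on
    TargetGroup          = 'WSUS test'          # WSUS computer group the client asks for
    AUOptions            = 4                    # auto download, scheduled install
    ScheduledInstallDay  = 1                    # 1 = Sunday
    ScheduledInstallTime = 10                   # hour of day, 10 = 10:00
}

# Policy-delivered Windows Update settings live under these two keys.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Keys  = @($WuKey, "$WuKey\AU")

function Get-WsusPolicyValue {
    param([string]$Name)
    foreach ($key in $Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$Name]) {
            return $props.$Name
        }
    }
    return $null   # value absent: no GPO is setting it on this machine
}

function Test-WsusClientPolicy {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $actual = Get-WsusPolicyValue -Name $name
        if ($null -eq $actual) { $state = 'MISSING' }
        elseif ("$actual" -eq "$($Expected[$name])") { $state = 'OK' }
        else { $state = 'MISMATCH' }   # another GPO or a stale value is winning
        New-Object PSObject -Property @{
            Setting = $name; Expected = $Expected[$name]; Actual = $actual; State = $state
        }
    }
}

Test-WsusClientPolicy -Expected $Expected |
    Sort-Object Setting |
    Format-Table Setting, Expected, Actual, State -AutoSize
```

Run it on a test client and on one of the machines that showed up in the console unexpectedly; `gpresult /r /scope computer` then names the GPOs applied to that machine.
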
  • The client system is using the WSUS test GPO.

    What is your suggestion about using the KB2720211 patch? Some people are saying it will create more problems.

    thank you,

    krishna 


    Krishna Gummadapu

    Monday, August 12, 2013 6:07 AM
  • Can you tell me whether the policy is applied to all the computers in your domain or only those 2 computers in the WSUS test OU?

    The KB2720211 patch is safe and you can go ahead and apply it.


    Prajwal Desai http://PrajwalDesai.Com


    Monday, August 12, 2013 6:13 AM
  • Well, I have followed your post on client-side targeting and entered the group name as WSUS test.

    Other than this I haven't mentioned the client anywhere.

    This is the only doubt I have. Is this the way to point client computers to WSUS?

    thank you,

    Krishna


    Krishna Gummadapu

    Monday, August 12, 2013 7:05 AM
  • Yes, the name of the OU and the name that you mention in the client-side targeting policy should match. This is the way to perform client-side targeting; you don't target the OU, rather you target the set of clients inside the OU. May I know if it is working fine now?

    Prajwal Desai http://PrajwalDesai.Com

    Monday, August 12, 2013 7:10 AM
  • Hi,

    I have applied the patch and restarted the server; now I am not able to access the WSUS console.

    Error:

    The WSUS administration console was unable to connect to the WSUS Server via the remote API.

    Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service. The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

    System.IO.IOException -- The handshake failed due to an unexpected packet format.

    Any suggestions?

    thank you,

    Krishna


    Krishna Gummadapu

    Monday, August 12, 2013 7:15 AM
  • Hi Krishna,

    First of all, if you applied the KB2720211, this will solve your Windows 7 0x800B0001 error message in the WindowsUpdate.log file.

    You might also have to update your WSUS server with KB2734608 to have the latest build of WSUS (3.2.7600.256).

    For your message:

    The WSUS administration console was unable to connect to the WSUS Server via the remote API.

    Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service. The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

    System.IO.IOException -- The handshake failed due to an unexpected packet format.

    The error code indicates that the WSUS virtual directory is not working. I've found two answers on TechNet, but they were a bit old ...

    1. Navigate to "%windir%\Microsoft.net\framework\v2.0.50727".
    2. Run "aspnet_regiis -i".
    3. Run "iisreset".
    4. Navigate to "%appdata%\microsoft\mmc", delete WSUS.
    5. Then restart IIS and the Windows Update service.

    Let me know if this helps.

    TiGrOu.

    • Proposed as answer by Brice Pradel Wednesday, August 14, 2013 7:42 AM
    Monday, August 12, 2013 7:31 AM
  • Navigate to "%windir%\Microsoft.net\framework\v2.0.50727" --> is not working.

    I did a fresh installation of WSUS and followed the same steps as before. Somehow now I only have the test computers in WSUS.

    I still have the same issue. Systems are not reporting to WSUS and the Win 7 system is giving error code 800B0001.

    I am a bit scared to apply KB2720211 as it killed my WSUS.

    Any help please.

    thank you,

    Krishna


    Krishna Gummadapu

    Tuesday, August 13, 2013 11:42 PM
  • I worked it out.

    Installed KB2720211 and KB2734608 and it updated WSUS to 3.2.7600.256.

    Now the Windows 7 system is reporting to WSUS and getting updates from WSUS.

    BUT

    the Windows 8 system is not getting updates and not reporting.

    The error code: 80248013

    thank you,

    Krishna


    Krishna Gummadapu

    Wednesday, August 14, 2013 6:17 AM
  • For your Windows 8 clients that are not synchronizing, you may have found your answer reading the KB2734608 article on the Support ;)

    If you have Windows 8 or Windows Server 2012 clients that synchronized with WSUS 3SP2 before you applied this update, wait for the update to be applied to the WSUS servers, and then follow these steps:
    1. On the affected client, open cmd.exe in elevated mode
    2. Type the following commands. Make sure that you press Enter after you type each command:

      Net stop wuauserv

      rd /s %windir%\softwaredistribution\

      Net start wuauserv

    Try this on your client and come back to us if needed.

    TiGrOu.

    • Marked as answer by Yan Li_ Thursday, August 22, 2013 12:42 PM
    Wednesday, August 14, 2013 7:42 AM