WSUS - one client getting error 0x8024401c

  • Question

  • I have WSUS running on Windows Server 2016. All but one client connects and reports successfully. The client that's having problems is a Windows 2016 domain controller that's getting the following error when running updates - error 0x8024401c. This domain controller shows up in WSUS but displays "This computer has not reported status yet". If I force the client to check for updates it causes high CPU and memory usage on the IIS Worker Process and will eventually crash the service on WSUS. I have tried setting Private Memory Limit to zero for the Wsus Application Pool which is described in many blogs. Also I have deleted the following registry entries SusClientId and SusClientIdValidation and deleted the SoftwareDistribution folder. If I set the registry setting UseWuServer to 0 then it will successfully go out to Microsoft to download updates. Other Windows 10 and 2016 Servers connect and report just fine.

    Friday, July 14, 2017 8:22 PM

Answers

  • This is a relatively new WSUS installation. I have clients downloading and installing updates from Microsoft rather than WSUS so at this point I don't think there's much to optimize.

    I never get tired of hearing this. Just because it's new, doesn't mean it's optimized!

    Once you run my script and learn the power of what it does, you will say to yourself "Why didn't I do this earlier"

    It sounds like a Star Wars reference to the Dark side of the force, but in this case, you end up seeing the Light!

    Don't believe me? Try it yourself and see!


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Proposed as answer by AJTek.caMVP Tuesday, September 12, 2017 7:19 PM
    • Marked as answer by coryv1 Tuesday, September 12, 2017 7:23 PM
    Tuesday, September 12, 2017 4:15 PM

All replies

  • Hello,

    Please follow steps below to troubleshoot this issue:

    1) Increase the private memory limit for recycling in the WSUS Application Pool in IIS.

    2) Recommended WSUS cleanup and declining superseded updates: https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/ 

    Regards,

    Yan Li



    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Yan Li_ Monday, July 17, 2017 1:01 AM
    Monday, July 17, 2017 1:00 AM
  • I have tried increasing the private memory limit but that didn't fix the issue.  This is a new WDS installation so I have very few updates that are approved to be installed.
    Monday, July 17, 2017 5:51 PM
  • Hi,

    Follow the steps

    1. Stop the Wsus updates.

    2. Delete the download files and re-approve all the DC's mandatory list.

    3. Recycle APP Pool.

    Regards,



    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing! http://sesaitech.blogspot.in/

    Monday, July 17, 2017 5:55 PM
  • Are you referring to the SoftwareDistribution folder on the DC?  I have deleted that folder.  Also, this WSUS is configured to just approve the updates and then have the client download the updates from Microsoft.
    Monday, July 17, 2017 6:01 PM
  • Hello,


    I suggest you configure an alternate download server in the GPO (point to the same WSUS server) and check the result.

    Here is a similar thread for your reference:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/acef323f-7e30-4c2c-87c0-33bd61923fbe/windows-update-client-failed-to-detect-with-error-0x8024401c?forum=winserverwsus




    • Edited by Yan Li_ Monday, July 31, 2017 1:31 AM
    Friday, July 28, 2017 1:51 AM
  • My script fixes issues like this.

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need.

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Remove all Drivers from the WSUS Database.
    2. Shrink your WSUSContent folder's size by declining superseded updates.
    3. Remove declined updates from the WSUS Database.
    4. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    5. Compress Update Revisions.
    6. Remove Obsolete Updates.
    7. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    8. Application Pool Memory Configuration to display the current private memory limit and easily increase it by any configurable amount.
    9. Run the Recommended SQL database Maintenance script on the actual SQL database.
    10. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment, simply run:

    .\Clean-WSUS.ps1 -FirstRun

    and then

    .\Clean-WSUS.ps1 -InstallTask

    If you wish to view or increase the Application Pool Memory Configuration, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Proposed as answer by FeldPeter Thursday, October 19, 2017 8:34 AM
    Saturday, July 29, 2017 3:27 AM
  • Hello,

    Just checking in to see if there is any update. Have you tried configuring an alternate download server in the GPO?

    Regards,

    Yan



    Monday, July 31, 2017 1:30 AM
  • I just set the alternate download server in the GPO but it still didn't solve the problem.
    Tuesday, August 29, 2017 5:45 PM
  • I've just released version 3.0 of my script that boasts a SIGNIFICANT speed increase to WSUS. Have you tried my script yet? It sounds like you have not, but you should - I'm not blindly advertising it, it DOES actually work.

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    Another thing you can try on the affected client is run the following script on an Administrative Command Prompt:

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Proposed as answer by AJTek.caMVP Tuesday, September 12, 2017 7:19 PM
    Saturday, September 2, 2017 2:22 AM
  • Hi, 

    The solution to the problem is in the KB - https://support.microsoft.com/de-de/help/4039396/windows-10-update-kb4039396

    This problem is caused by KB4034658, as described below:

    August 28, 2017 - KB4039396 (OS build 14393.1670):

    This update contains quality improvements. However, there are new features for the operating system to be introduced. Key changes:

    • Fixed the issue where, after installing OS updates 14393.1532 through 14393.1613, including KB4034658, the update history and hidden updates are lost and a full scan for updates is performed. Installing this update does not restore the update history or hidden updates for users who have already installed the listed updates. However, this latest update fixes the issue for users who have not yet installed them.

    • Fixed the issue where a 0x8024401c timeout error occurs on some clients while processing WSUS update metadata.

    Regards,

    Baian0


    Baian0

    Tuesday, September 5, 2017 12:06 AM
  • In addition to the KB above, do the following in IIS on the WSUS server:

    • Make a copy of \Program Files\Update Services\WebServices\ClientWebService\Web.Config.
    • Open \Program Files\Update Services\WebServices\ClientWebService\Web.Config.
    • Find the element “<httpRunTime”. It will look like this (in an unmodified web.config):
    <httpRuntime maxRequestLength="4096" />
    • Modify httpRunTime by adding an executionTimeout attribute:
    <httpRuntime maxRequestLength="4096" executionTimeout="3600" />
    • Save the web.config to a different location and copy the modified one into the directory.
    • From an elevated command prompt, run IISReset to restart IIS.

    After this process the problem was resolved on my Windows Server 2016 machines.

     

    Baian0

    Tuesday, September 5, 2017 7:04 PM
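
The Web.Config steps in the post above, scripted as an added example (not part of the original post and not Microsoft's or the poster's code). It assumes WSUS is installed under %ProgramFiles%; the parameter names and the working directory are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session on the WSUS server.
# Assumptions: WSUS lives under %ProgramFiles%; $WorkDir and the parameter names are hypothetical.
param(
    [string]$ConfigPath = "$env:ProgramFiles\Update Services\WebServices\ClientWebService\Web.Config",
    [string]$WorkDir = $env:TEMP,
    [int]$TimeoutSeconds = 3600
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Web.Config not found at $ConfigPath" }

# Keep a timestamped copy of the unmodified file.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $WorkDir "Web.Config.$stamp.bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup

# Parse as XML so only the one attribute changes.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($ConfigPath)

# local-name() keeps the lookup working whether or not the file declares a default namespace.
$node = $xml.SelectSingleNode("//*[local-name()='httpRuntime']")
if ($null -eq $node) { throw "No <httpRuntime> element found; $ConfigPath left unchanged." }

$current = $node.GetAttribute('executionTimeout')   # empty string when the attribute is absent
if ($current -eq "$TimeoutSeconds") {
    Write-Output "executionTimeout is already $TimeoutSeconds; nothing changed."
    return
}
$node.SetAttribute('executionTimeout', "$TimeoutSeconds")

# Save to a different location, then copy the modified file into place.
$staged = Join-Path $WorkDir "Web.Config.$stamp.new"
$xml.Save($staged)
Copy-Item -LiteralPath $staged -Destination $ConfigPath -Force

Write-Output "executionTimeout '$current' -> '$TimeoutSeconds'. Backup: $backup"

# Restart IIS so the new value is loaded.
iisreset
```

Running it a second time makes no change and skips the IIS restart, and the backup file restores the original setting if it is copied back over Web.Config.
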
  • Baian0 - I have tried editing the Web.Config as you suggested and that didn't make any difference.

    Adamj.org - I have also run these commands on the client but it didn't help.

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow

    This is a relatively new WSUS installation. I have clients downloading and installing updates from Microsoft rather than WSUS so at this point I don't think there's much to optimize.

    Tuesday, September 12, 2017 3:58 PM
  • I don't often comment on these forums, but if you're experiencing problems with the odd Windows 10 PC stubbornly not reporting to your WSUS server then USE THIS SCRIPT. Make sure you turn off the deleting computers that haven't contacted the server variable, read the comments Adam has inserted into the script as they explain exactly what will happen and sit back and watch those problem PCs report in. I can't praise Adam enough for this script as it's obvious he's put a lot of work into it and it has been a lifesaver for me....thanks Adam much appreciated.
    Friday, November 3, 2017 9:37 AM
  • I don't often comment on these forums, but if you're experiencing problems with the odd Windows 10 PC stubbornly not reporting to your WSUS server then USE THIS SCRIPT. Make sure you turn off the deleting computers that haven't contacted the server variable, read the comments Adam has inserted into the script as they explain exactly what will happen and sit back and watch those problem PCs report in. I can't praise Adam enough for this script as it's obvious he's put a lot of work into it and it has been a lifesaver for me....thanks Adam much appreciated.

    Thank you for those kind words :) Makes me smile :)

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Saturday, November 4, 2017 4:47 AM
  • I also almost never comment on these forums, but in my opinion, Microsoft has released a mediocre product if it relies on scripts from a third party to work.

    I know that there may be some bugs in any software, but WSUS (and Windows Update) is so full of them that it is really ridiculous.

    Isn't there some developer at Microsoft that can fix this so the stock WSUS installation just works?

    In our organization we have 7000+ computers doing online windows updates all the time, and our internet connection does really suffer. We actually increased the capacity of our firewall solution to solve the problem.

    I have argued for setting up a WSUS server or two, but a lot of failures in my test lab really does not help me.

    Surely, I can run your script, but why do I have to run it?
    The product promises to fulfill my needs, so this script is really just a rescue mission so that MS developers can ignore the bugs.

    Thursday, April 5, 2018 6:42 PM