locked
Clients are not showing up on WSUS, RRS feed

  • Question

  • I've got a WSUS on Windows 2012R2 - Update Service Version: 6.3.9600.16384.

    My wsus-gpo configuration has it configured to :Auto download and schedule the install" "Every Wednesday" at 03:00. Specified the internet/intranet wsus server using 8530 port (e.g. http://wsus-srv.example.com:8530). Its set to auto-update detectio frequency at 22 hours. And, enabled client-side targeting - WinSrv_Dev1. I've added 5 Windows Servers (Win2008r2 and Win2012R2) to the Security Filtering.

    Ran gpupdate /force on the client machines and the gpresulst /r shows that the wsus-gpo is in place. On WSUS console, 1 showed up within 5 minutes - non after that. Yes, I've waited 1-4 days and non have showed up.
    We run a VMWare shop and pretty much create our new WinSrv vm's from a template. From my goggling, that it may be a SID issue. I ran a utility, psgetsid, on the 4 other WinServers and the SIDs are different on each one.
    Another google page pointed me to technet - https://social.technet.microsoft.com/Forums/lync/en-US/8943fe65-50a1-4653-adba-99b9a8e3d4c4/wsus-on-windows-2012-clients-not-showing-up?forum=winserverwsus,
    I've check out the registry on the servers that are not showing up on the console and found that there are only 2 entry. They are SusClientId and SusClientIDValidation. 
    I've also checked out the 1 that did show up on the console and it too only shows to entry (SusClientId and SusClientIDValidation).

    Just for the heck of it, I deleted the 2 registry entries on the other 4 WinSrvs by running the batch file..

    net stop wuauserv
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f 
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f
    net start wuauserv
    wuauclt.exe /resetauthorization /detectnow
    pause (left it there just to see)
     
    Again waited sometime - no show. I checked out the WindowsUpdate.log

    WSUS server: http://wsus-srv.example.com:8530
    2016-12-12 08:24:51:012 356 2280 Agent  * WSUS status server: http://wsus-srv.example.com:8530
    2016-12-12 08:24:51:012 356 2280 Agent  * Target group: WinSrv_Dev1
    2016-12-12 08:24:51:012 356 2280 Agent  * Windows Update access disabled: No
    2016-12-12 08:24:51:012 356 2280 DnldMgr Download manager restoring 0 downloads

    It looks like it sees the WSUS server and trying to assign it to the target group. But I don't see in the 4 servers on the WSUS console. I only see 1. What am i missing?  Is it because I only 2 reg entry? I don't know, still new to WSUS. Please help.

    Wednesday, December 14, 2016 10:43 PM

Answers

  • Well, looks like the problem turned out to be a GPO hierarchy. For those who are in similar situation. The problem I had was that a GPO was disabling Configuration Automatic Updates from my WSUS GPO configuration - see screenshot.  My fix was to move the GPO link order higher than the gpo that disable 'Configuration Automatic Updates'. After a 'gpupdate /force', a run of rsop.msc - problem resolved.


    • Marked as answer by nseawater Monday, February 6, 2017 6:49 PM
    Monday, February 6, 2017 6:49 PM

All replies

  • Is BITs and Windows Update services running?  Check for any time differences in the client servers.

    Did you try the Run wuauclt /reportnow command? Also check the tips at

    https://blogs.technet.microsoft.com/sus/2009/11/17/tips-for-troubleshooting-wsus-agents-that-are-not-reporting-to-the-wsus-server/


    • Edited by CyberSG Thursday, December 15, 2016 12:47 AM Correction
    Thursday, December 15, 2016 12:23 AM
  • Hi nseawater,

    1. Generally,  WSUS clients not show up in WSUS server may due to duplicated SUSClientID, if you are still not clear about how to reset SUSClientID, please refer to the following steps, or, you may do it again:

    1). In cmd, net stop wuauserv

    2). Delete the value in registry key " SusClientId " and "SusClientIDValidation" locates in:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

    3). In cmd, net start wuauserv
         wuauclt.exe /resetauthorization /detectnow

    2. Please check if the clients not show up in the WSUS server could resolve the name of the WSUS server to correct IP address, check your DNS settings along with firewall settings;

    3. If you enabled client-side target, then please ensure the group name in the GPO is totally the same with the name in WSUS server. And check "Use Group Policy or registry settings on computers:

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 15, 2016 3:23 AM
  • So, I went through your suggestions:

    Checked to make sure that Background Intelligent Transfer Service (BITS) service was running - it wasn't and set to manual. I've changed that to Startup Type to Automatic.

    Checked GPO to verify that client-side targeting - WinSrv_Dev1 matches what's on the WSUS console - All Computers. Though, I would assume that it's correct since 1 of the 5 showed up.

    Double checked and verified that Options, on the console, for Computers is set for "Use Group or registry settings on computers." - again, I would assume that it's correct since 1 of the 5 showed up. never huts to check. ;-).

    Re-ran the batch script to stop the services, pull out the registry entries and start the services again. But, first I've renamed both SoftwareDistribution folder & WindowsUpdate.log - just to get a clean one.

    net stop wuauserv
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f 
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f
    net start wuauserv
    wuauclt.exe /resetauthorization /detectnow
    wuauclt.exe /reportnow

    Checked the registry for WSUS entry: (blanked out some info.)

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

    HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

    On this, I only see 1 entry. From my goggling, it reference for 4 reg entry:

    PingID
    AccountDomainSid
    SusClientId
    SusClientIDValidation

    Could this be my problem...? As for the WindowsUpdate.log

    I don't see anything that sticks out from the log.

    As for the firewall.. I can telnet to the WSUS server using port 8530. Do I need any other ports?

    • Edited by nseawater Thursday, December 15, 2016 5:52 PM
    Thursday, December 15, 2016 5:41 PM
  • Hi nseawater,

    >On this, I only see 1 entry. From my goggling, it reference for 4 reg entry:

    Two necessary registry keys are needed: SusClientId and SusClientIdValidation。

    Please delete the original one, then new "String value" named "SusClientId" and new "Binary value" named "SusClientValidation". Then, restart windows update services, and in cmd, run wuauclt.exe /resetauthorization /detectnow.

    Then check the value of the two registry, if looks like this:

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 16, 2016 2:13 AM
  • It looks like it's working now - i think.

    What I did:

    1 - Updated WSUS updates via Windows Update (Microsoft makes it soooo easy. not!)

    2 - Stop services for both BITS & wuauserv

    3 - Deleted both registry entry for SusClientId and SusClientIDValidation

    4 - Deleted SoftwareDistribution folder and WindowsUpdate.log

    5 - Started services for both BITS & wuauserv

    6 - Executed  "wuauclt.exe /resetauthorization /detectnow"

    7 - Checked WindowsUpdate.log and verified that both "WSUS server:" and "WSUS status server:" point to "http://wsus-srv.example.com:8530"

    8 - Also check and verified that "Target group: WinSrv_Dev1"

    9 - Checked Registry but only found "SusClientId"

    10 - Check WSUS console just to see if it showed up - nope

    11 - Back on client, on IE web browser, pointed it to "http://wsus-srv.example.com:8530/SimpleAuthWebService/SimpleAuth.asmx" - Good, I get SimpleAuth page.

    12 - Just to the heck of it, launched Windows Update and "Checked for updates"

    13 - Checked the logs again (after a minutes or 2) and found this entry "2016-12-09 06:37:12:596 888 fac PT  Server URL = http://wsus-srv.example.com:8530/SimpleAuthWebService/SimpleAuth.asmx"

    14 - Refreshed registry and found both SusClientId and SusClientIDValidation

    15 - Check WSUS console and the client showed up!

    I repeated the same process, 2 through 15, on another Winserver and it too showed up.

    My questions:

    1. For both BITS & wuauserv services - what startup type should they be? The 5 servers that I am testing have them as manual for BITS and either Manual or Automatic (Delayed Start) for wuauserv. And can't find a clear definition via google.

    2. I ran steps 2 through 6 on the 4th and 5th servers and checked on the registry. Its showing SusClientId only. Its also not showing up on the console. Is this one of those times where I just let it run its course and check back in the next day or so?

    Friday, December 16, 2016 6:51 PM
  • Hi nseawater,

    Glad to hear you have made it work, then you may mark useful replies as answer, so that others meet the similar issue may find useful information quickly.

    >1. For both BITS & wuauserv services - what startup type should they be? The 5 servers that I am testing have them as manual for BITS and either Manual or Automatic (Delayed Start) for wuauserv. And can't find a clear definition via google.

    I would recommend "Automatic ( Delayed Start)" for both windows update services and BITS.

    >2. I ran steps 2 through 6 on the 4th and 5th servers and checked on the registry. Its showing SusClientId only. Its also not showing up on the console. Is this one of those times where I just let it run its course and check back in the next day or so?

    I think you may 1-6 is useful.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 20, 2016 9:29 AM
  • Hi Anne,

    So, I ran the steps 2 - 6 on the 5th test server, Win2012, last Friday and it hasn't showed up. I'd rather not have to manually run Windows Update on this box - cause we have over 600+ Win2008R2 and Win2012R2.

    And, the first Win2008R2 server, that did show up on its own, is now getting a "This computer has not reported status in 12 or more days...." on the WSUS console. I checked the Windowsudpate.log on the Test_Box1, 2008R2, and no errors and none on the Eventvwr.msc. I feel that I'm missing something. I don't see anything that tells me that it can't talk to wsus console. Or, why the 5th Test_Box2 is not showing up on the console.

    I don't believe it's a firewall issue, since I can telnet from the Test_Box1-5 on port 8530/8531 to the WSUS server. Do, I also need inbound rules that allow 8530/8531 to the clients? Are there anything else that I need to check besides the registry (only 2 entry on all 5 test_boxes), services and windowsupdate log?   

    best,

    Nate

    Tuesday, December 20, 2016 4:57 PM
  • Hi nseawater,

    Please also run Server Cleanup Wizard and re-index WSUS database on the WSUS server, check if it could help:

    On WSUS 2012 R2, we may use the following method to reindex WSUS database:

    1.Download and install the following tools:

    Microsoft Command Line Utilities 11 for SQL Server:

    https://www.microsoft.com/en-us/download/details.aspx?id=36433

    ODBC driver 11 for SQL:

    https://www.microsoft.com/en-us/download/details.aspx?id=36434

    2. In CMD, direct to SQLCMD.exe path using command:

    cd C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn

     3. Cope the script and store it locally:

    https://gallery.technet.microsoft.com/scriptcenter/6f8cde49-5c52-4abd-9820-f1d270ddea61#content

    4. In CMD, run the following command:

    SQLCMD -E -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i <script location>

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 22, 2016 5:53 AM
  • Hi Anne,

    I did what you suggested, downloaded the utility and ran the command:

    SQLCMD -E -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i "E:\WSUS DB Maintenace Script\WsusDBMaintenance.sql"

    That was last week. And still no WinServers that I've added the week before. Any thing else I can try?

    Thanks...

    Wednesday, January 11, 2017 4:53 PM
  • Well, looks like the problem turned out to be a GPO hierarchy. For those who are in similar situation. The problem I had was that a GPO was disabling Configuration Automatic Updates from my WSUS GPO configuration - see screenshot.  My fix was to move the GPO link order higher than the gpo that disable 'Configuration Automatic Updates'. After a 'gpupdate /force', a run of rsop.msc - problem resolved.


    • Marked as answer by nseawater Monday, February 6, 2017 6:49 PM
    Monday, February 6, 2017 6:49 PM