Clients not reporting in without gpupdate /force

  • Question

  • We have WSUS running on Server 2012 R2 for clients running Windows 7 Pro x64.  WSUS settings are pushed out via GPO.  It seems that about 1 of every 10 workstations will report as they should while the rest will report once and stop.  When checking the clients, I'll run RSOP and verify the WSUS settings are applied as they should and yet when I open Windows Update, the "Managed by your system admin" message is missing. 

    I run a gpupdate /force and this fixes the problem (temporarily) and all the clients will report in again for a while (maybe a day) and then stop again.  I can also just minimally change the GPO and change it back to make the clients refresh that gpo and it will also (temporarily) make the clients all report in again. 

    I have checked the WindowsUpdate.log and see where throughout the day the WSUS Server settings will go back and forth from the WSUS server address to "NULL".  (Even when the WSUS Server says "NULL" in the latest entry of the update log, RSOP will still show the appropriate WSUS settings applied).

    Below are a couple of excerpts from one of the logs...

    2014-08-10 02:02:48:666 2180 e40 COMAPI ---------
    2014-08-10 02:02:48:666 2180 e40 COMAPI --  END  --  COMAPI: Search [ClientId = <NULL>]
    2014-08-10 02:02:48:666 2180 e40 COMAPI -------------
    2014-08-10 02:02:53:631  272 e70 Report REPORT EVENT: {AE397F94-F11F-4D83-A5B3-D00E9A197C32} 2014-08-10 02:02:48:635-0400 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0  Success Software Synchronization Windows Update Client successfully detected 1 updates.
    2014-08-10 02:02:53:631  272 e70 Report CWERReporter finishing event handling. (00000000)
    2014-08-10 08:55:17:008  272 e64 AU AU setting next sqm report timeout to 2014-08-11 12:55:17
    2014-08-10 11:00:00:027  272 e64 AU ###########  AU: Uninitializing Automatic Updates  ###########
    2014-08-10 11:00:00:027  272 e64 Agent Sending shutdown notification to client
    2014-08-10 11:00:00:027 2180 f2c COMAPI WARNING: Received service shutdown/self-update notification.
    2014-08-10 11:00:00:027  272 e64 Agent Sending shutdown notification to client
    2014-08-10 11:00:00:027 2180 f2c COMAPI WARNING: Received service shutdown/self-update notification.
    2014-08-10 11:00:00:027  272 e64 Report CWERReporter finishing event handling. (00000000)
    2014-08-10 11:00:00:027  272 e64 Service *********
    2014-08-10 11:00:00:027  272 e64 Service **  END  **  Service: Service exit [Exit code = 0x240001]
    2014-08-10 11:00:00:027  272 e64 Service *************
    2014-08-10 11:00:00:293  272 45c Misc ===========  Logging initialized (build: 7.6.7600.320, tz: -0400)  ===========
    2014-08-10 11:00:00:293  272 45c Misc   = Process: C:\Windows\system32\svchost.exe
    2014-08-10 11:00:00:293  272 45c Misc   = Module: c:\windows\system32\wuaueng.dll
    2014-08-10 11:00:00:293  272 45c Service *************
    2014-08-10 11:00:00:293  272 45c Service ** START **  Service: Service startup
    2014-08-10 11:00:00:293  272 45c Service *********
    2014-08-10 11:00:00:293  272 45c Agent   * WU client version 7.6.7600.320
    2014-08-10 11:00:00:293  272 45c Agent   * Base directory: C:\Windows\SoftwareDistribution
    2014-08-10 11:00:00:293  272 45c Agent   * Access type: No proxy
    2014-08-10 11:00:00:293  272 45c Agent   * Network state: Connected
    2014-08-10 11:00:00:558  272 e88 Report CWERReporter::Init succeeded
    2014-08-10 11:00:00:558  272 e88 Agent ***********  Agent: Initializing Windows Update Agent  ***********
    2014-08-10 11:00:00:558  272 e88 Agent   * Prerequisite roots succeeded.
    2014-08-10 11:00:00:558  272 e88 Agent ***********  Agent: Initializing global settings cache  ***********
    2014-08-10 11:00:00:558  272 e88 Agent   * WSUS server: <NULL>
    2014-08-10 11:00:00:558  272 e88 Agent   * WSUS status server: <NULL>
    2014-08-10 11:00:00:558  272 e88 Agent   * Target group: Workstations
    2014-08-10 11:00:00:558  272 e88 Agent   * Windows Update access disabled: No
    2014-08-10 11:00:00:558  272 e88 DnldMgr Download manager restoring 0 downloads
    2014-08-10 11:00:00:558 2180 d94 COMAPI -------------
    2014-08-10 11:00:00:558 2180 d94 COMAPI -- START --  COMAPI: Search [ClientId = <NULL>]
    2014-08-10 11:00:00:558 2180 d94 COMAPI ---------
    2014-08-10 11:00:00:573 2180 d94 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = <NULL>]
    2014-08-10 11:00:00:667  272 45c Report ***********  Report: Initializing static reporting data  ***********
    2014-08-10 11:00:00:667  272 45c Report   * OS Version = 6.1.7601.1.0.65792
    2014-08-10 11:00:00:667  272 45c Report   * OS Product Type = 0x00000030
    2014-08-10 11:00:00:667  272 45c Report   * Computer Brand = Dell Inc.
    2014-08-10 11:00:00:683  272 45c Report   * Computer Model = OptiPlex 3010
    2014-08-10 11:00:00:683  272 45c Report   * Bios Revision = A12
    2014-08-10 11:00:00:683  272 45c Report   * Bios Name = BIOS Date: 04/28/14 09:26:03 Ver: A12.00
    2014-08-10 11:00:00:683  272 45c Report   * Bios Release Date = 2014-04-28T00:00:00
    2014-08-10 11:00:00:683  272 45c Report   * Locale ID = 1033
    2014-08-10 11:00:00:683  272 820 Agent *************
    2014-08-10 11:00:00:683  272 820 Agent ** START **  Agent: Finding updates [CallerId = ]
    2014-08-10 11:00:00:683  272 820 Agent *********
    2014-08-10 11:00:00:683  272 820 Agent   * Online = Yes; Ignore download priority = No
    2014-08-10 11:00:00:683  272 820 Agent   * Criteria = "IsInstalled=0 or IsInstalled=1"
    2014-08-10 11:00:00:683  272 820 Agent   * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
    2014-08-10 11:00:00:683  272 820 Agent   * Search Scope = {Machine}
    2014-08-10 11:00:00:683  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\wuredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:00:00:698  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:00:00:698  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\TMPF024.tmp with dwProvFlags 0x00000080:
    2014-08-10 11:00:00:714  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:00:00:714  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\v6-win7sp1-wuredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:00:00:714  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:00:06:969  272 820 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190194
    2014-08-10 11:00:06:969  272 820 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190194
    2014-08-10 11:00:06:969  272 820 Misc WARNING: DownloadFileInternal failed for http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab: error 0x80190194
    2014-08-10 11:00:06:969  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\v6-win7sp1-wuredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:00:06:985  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:00:13:787  272 820 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190194
    2014-08-10 11:00:13:787  272 820 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190194
    2014-08-10 11:00:13:787  272 820 Misc WARNING: DownloadFileInternal failed for http://download.microsoft.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab: error 0x80190194
    2014-08-10 11:00:13:787  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\v6-win7sp1-wuredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:00:13:802  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:00:18:435  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\v6-win7sp1-wuredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:00:18:451  272 820 Misc  Microsoft signed: NA

    ****************************************************************************************************

    2014-08-10 11:01:07:076  272 820 PT +++++++++++  PT: Synchronizing server updates  +++++++++++
    2014-08-10 11:01:07:076  272 820 PT   + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
    2014-08-10 11:01:17:279  272 820 Agent WARNING: Failed to evaluate Installed rule, updateId = {2A1234D0-3E2D-4D9E-AA5E-3430A20EDC11}.100, hr = 80242013
    2014-08-10 11:01:18:839  272 820 Agent WARNING: Failed to evaluate Installed rule, updateId = {818701AF-1182-45C2-BD1E-17068AD171D6}.101, hr = 80242013
    2014-08-10 11:01:21:085  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\wuredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:01:21:101  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:01:21:101  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\TMP2A46.tmp with dwProvFlags 0x00000080:
    2014-08-10 11:01:21:101  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:01:21:101  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\v6-muredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:01:21:101  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:01:21:147  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\v6-muredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:01:21:147  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:01:21:163  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\wuredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:01:21:163  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:01:21:163  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\TMP2A85.tmp with dwProvFlags 0x00000080:
    2014-08-10 11:01:21:163  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:01:21:163  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\wuredir.cab with dwProvFlags 0x00000080:
    2014-08-10 11:01:21:163  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:01:21:179  272 820 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\TMP2A86.tmp with dwProvFlags 0x00000080:
    2014-08-10 11:01:21:179  272 820 Misc  Microsoft signed: NA
    2014-08-10 11:01:21:179  272 820 PT +++++++++++  PT: Synchronizing extended update info  +++++++++++
    2014-08-10 11:01:21:179  272 820 PT   + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
    2014-08-10 11:01:21:881  272 820 Agent   * Added update {7B3369E2-5608-495B-AF58-A9F66C0676D2}.206 to search result
    2014-08-10 11:01:21:881  272 820 Agent   * Found 1 updates and 82 categories in search; evaluated appl. rules of 4940 out of 7996 deployed entities
    2014-08-10 11:01:21:881  272 820 Agent *********
    2014-08-10 11:01:21:881  272 820 Agent **  END  **  Agent: Finding updates [CallerId = ]
    2014-08-10 11:01:21:881  272 820 Agent *************
    2014-08-10 11:01:21:912  272 820 Report CWERReporter finishing event handling. (00000000)
    2014-08-10 11:01:21:912 2180 c2c COMAPI >>--  RESUMED  -- COMAPI: Search [ClientId = <NULL>]
    2014-08-10 11:01:21:912 2180 c2c COMAPI   - Updates found = 1
    2014-08-10 11:01:21:912 2180 c2c COMAPI ---------
    2014-08-10 11:01:21:912 2180 c2c COMAPI --  END  --  COMAPI: Search [ClientId = <NULL>]
    2014-08-10 11:01:21:912 2180 c2c COMAPI -------------
    2014-08-10 11:01:26:888  272 820 Report REPORT EVENT: {47D37663-005B-4247-BD94-9DF2C1224738} 2014-08-10 11:01:21:881-0400 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0  Success Software Synchronization Windows Update Client successfully detected 1 updates.
    2014-08-10 11:01:26:888  272 820 Report CWERReporter finishing event handling. (00000000)
    2014-08-10 12:25:43:602  272 45c Agent ***********  Agent: Refreshing global settings cache  ***********
    2014-08-10 12:25:43:602  272 45c Agent   * WSUS server: http://fpadc01:8530 (Changed)
    2014-08-10 12:25:43:602  272 45c Agent   * WSUS status server: http://fpadc01:8530 (Changed)
    2014-08-10 12:25:43:602  272 45c Agent   * Target group: Workstations (Unchanged)
    2014-08-10 12:25:43:602  272 45c Agent   * Windows Update access disabled: No (Unchanged)
    2014-08-10 12:25:43:602  272 45c AU AU received policy change subscription event
    2014-08-10 12:25:43:603  272 45c AU Sus server changed through policy.
    2014-08-10 12:25:43:603  272 45c AU AU Options changed from policy.
    2014-08-10 12:25:43:603  272 45c AU Successfully wrote event for AU health state:0
    2014-08-10 12:25:43:603  272 45c AU ###########  AU: Policy change processed  ###########
    2014-08-10 12:25:43:603  272 45c AU   # Policy changed, AU refresh required = Yes
    2014-08-10 12:25:43:603  272 45c AU   # WSUS server: http://fpadc01:8530
    2014-08-10 12:25:43:603  272 45c AU   # Detection frequency: 2
    2014-08-10 12:25:43:603  272 45c AU   # Target group: Workstations
    2014-08-10 12:25:43:603  272 45c AU   # Approval type: Scheduled (Policy)
    2014-08-10 12:25:43:603  272 45c AU   # Scheduled install day/time: Every day at 21:00
    2014-08-10 12:25:43:603  272 45c AU   # Auto-install minor updates: Yes (Policy)
    2014-08-10 12:25:43:603  272 45c AU   # Will interact with non-admins (Non-admins are elevated (Policy))
    2014-08-10 12:25:43:603  272 45c AU   # Will display featured software notifications (User preference)
    2014-08-10 12:25:43:603  272 45c AU AU Refresh required....
    2014-08-10 12:25:43:605  272 45c AU AU setting next detection timeout to 2014-08-10 16:25:43
    2014-08-10 12:25:43:607  272 45c AU AU setting next featured software notification timeout to 2014-08-10 16:25:43
    2014-08-10 12:25:43:607  272 45c AU Successfully wrote event for AU health state:0
    2014-08-10 12:25:43:607  272 45c AU Triggering Online detection (non-interactive)
    2014-08-10 12:25:43:607  272 45c AU #############
    2014-08-10 12:25:43:607  272 45c AU ## START ##  AU: Search for updates
    2014-08-10 12:25:43:607  272 45c AU #########
    2014-08-10 12:25:43:608  272 45c AU <<## SUBMITTED ## AU: Search for updates [CallId = {DF2ED0F7-240E-4F19-BECC-D223475367A0}]
    2014-08-10 12:25:43:609  272 1368 Agent *************
    2014-08-10 12:25:43:609  272 1368 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2014-08-10 12:25:43:610  272 1368 Agent *********

    Wednesday, August 13, 2014 8:00 PM
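
Added example (not from the thread): a Python script that rebuilds the timeline of the agent's cached WSUS server setting from WindowsUpdate.log and measures how long the client ran without one, the period in which the excerpt above shows it synchronizing against fe2.update.microsoft.com instead. The sample lines are copied from the question's excerpt; the function names are this example's own.

```python
import re
from datetime import datetime

# Lines copied from the WindowsUpdate.log excerpt in the question.
SAMPLE_LOG = """\
2014-08-10 11:00:00:293  272 45c Service ** START **  Service: Service startup
2014-08-10 11:00:00:558  272 e88 Agent ***********  Agent: Initializing global settings cache  ***********
2014-08-10 11:00:00:558  272 e88 Agent   * WSUS server: <NULL>
2014-08-10 11:00:00:558  272 e88 Agent   * WSUS status server: <NULL>
2014-08-10 12:25:43:602  272 45c Agent ***********  Agent: Refreshing global settings cache  ***********
2014-08-10 12:25:43:602  272 45c Agent   * WSUS server: http://fpadc01:8530 (Changed)
2014-08-10 12:25:43:602  272 45c Agent   * WSUS status server: http://fpadc01:8530 (Changed)
"""

# timestamp, PID, hex TID, component, message
LINE = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})\s+\d+\s+[0-9a-fA-F]+\s+(\S+)\s+(.*)$")
CACHE = re.compile(r"Agent: (Initializing|Refreshing) global settings cache")
SETTING = re.compile(r"^\* (WSUS server|WSUS status server): (.+?)(?: \((?:Changed|Unchanged)\))?$")


def settings_timeline(log_text):
    """Return one snapshot per settings-cache block: time, trigger, server values."""
    snapshots, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) != "Agent":
            continue
        msg = m.group(3).strip()
        header = CACHE.search(msg)
        if header:
            current = {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S:%f"),
                       "trigger": header.group(1), "values": {}}
            snapshots.append(current)
            continue
        setting = SETTING.match(msg)
        if setting and current is not None:
            value = setting.group(2)
            current["values"][setting.group(1)] = None if value == "<NULL>" else value
    return snapshots


def unmanaged_windows(snapshots):
    """Return (start, end) pairs during which no WSUS server was cached."""
    windows, lost = [], None
    for snap in snapshots:
        server = snap["values"].get("WSUS server")
        if server is None and lost is None:
            lost = snap
        elif server is not None and lost is not None:
            windows.append((lost["time"], snap["time"]))
            lost = None
    if lost is not None:
        windows.append((lost["time"], None))  # still unmanaged at end of log
    return windows


if __name__ == "__main__":
    for start, end in unmanaged_windows(settings_timeline(SAMPLE_LOG)):
        print(f"no WSUS server from {start} until {end or 'end of log'}")
```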

Answers

  • Found it! I noticed the 11am event as well so I got suspicious and ran a live process monitor on my PC to see what was going on at that time. Turns out the registry entries were being deleted by the N-able Windows Agent (NOC monitoring software we use for our IT consulting company that we use to do our 24/7 monitoring).  Thanks for all the input, gentlemen!  Greatly appreciated!!
    • Marked as answer by sean.brown007 Tuesday, August 19, 2014 3:55 PM
    Tuesday, August 19, 2014 3:55 PM

All replies

  • BTW, I have checked for conflicting GPOs and even had the WSUS GPO take top precedence with still no luck.
    Wednesday, August 13, 2014 8:04 PM
  • Hello,

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

    The settings will be applied to the registry key above. According to the log, I think some processes changed the value. We can perform registry key auditing. In the Security event log, we may see which process changed the value.

    http://support.microsoft.com/kb/324739

    The log might be very long since we don't know when the key is changed. Please note the Registry task category. In my test, event IDs 4657, 4658, and 4663 were logged.

    In addition, if you have any anti-virus software, please temporarily disable it.

    Thursday, August 14, 2014 8:12 AM
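
Added example (not part of the reply above): once auditing is on, the 4657 records can be filtered down to the two server-address values under the policy key and grouped by the process that removed them. It assumes the Security log was exported as XML under a single root element; the events, timestamps and the ExampleAgent path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
WATCHED_VALUES = {"WUServer", "WUStatusServer"}  # update and reporting server
OPERATIONS = {"%%1904": "created", "%%1905": "modified", "%%1906": "deleted"}
URL = "http://fpadc01:8530"  # WSUS address shown in the thread's log
AGENT = r"C:\Program Files\ExampleAgent\agent.exe"  # hypothetical process
SVCHOST = r"C:\Windows\System32\svchost.exe"


def make_event(time, value, op, old, new, process, key=POLICY_KEY):
    """Build one constructed 4657 record holding the fields read below."""
    data = {"ObjectName": key, "ObjectValueName": value, "OperationType": op,
            "OldValue": old, "NewValue": new, "ProcessName": process}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4657</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample, not taken from the thread.
SAMPLE_XML = "<Events>" + "".join([
    make_event("2014-08-10T16:25:43Z", "WUServer", "%%1904", "-", URL, SVCHOST),
    make_event("2014-08-10T16:25:43Z", "TargetGroup", "%%1905", "Workstations", "Workstations", SVCHOST),
    make_event("2014-08-11T15:00:00Z", "WUServer", "%%1906", URL, "-", AGENT),
    make_event("2014-08-11T15:00:00Z", "WUStatusServer", "%%1906", URL, "-", AGENT),
]) + "</Events>"


def server_value_changes(xml_text):
    """Return 4657 records that touched WUServer/WUStatusServer under POLICY_KEY."""
    changes = []
    for event in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4657":
            continue
        data = {d.get("Name"): d.text or ""
                for d in event.iterfind("e:EventData/e:Data", NS)}
        if (data.get("ObjectName", "").lower() != POLICY_KEY.lower()
                or data.get("ObjectValueName") not in WATCHED_VALUES):
            continue
        time = event.find("e:System/e:TimeCreated", NS).get("SystemTime")
        changes.append({"time": time, "value": data["ObjectValueName"],
                        "operation": OPERATIONS.get(data.get("OperationType"), "unknown"),
                        "process": data.get("ProcessName", "")})
    return changes


def deleting_processes(changes):
    """Map each process to the watched values it deleted."""
    result = {}
    for change in changes:
        if change["operation"] == "deleted":
            result.setdefault(change["process"], []).append(change["value"])
    return result


if __name__ == "__main__":
    print(deleting_processes(server_value_changes(SAMPLE_XML)))
```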
  • Thanks for the advice, Daniel.  I did check and it does seem like the registry strings are disappearing on me, but only the ones for the server addresses for both updates and reporting.  The rest of the strings in that key along with everything in the AU key is still intact.  

    I've got an audit set up on one of the PCs as a test bed to see what I can find out.  Once I have more info, I'll let you know!

    Thursday, August 14, 2014 5:43 PM
  • FWIW... the *only* way this can happen is if there's a logon script that's forcing those registry values *AFTER* Group Policy has been applied.

    But this sequence of events seems inconsistent with that as well:

    2014-08-10 11:00:00:293  272 45c Service *************
    2014-08-10 11:00:00:293  272 45c Service ** START **  Service: Service startup
    2014-08-10 11:00:00:293  272 45c Service *********

    2014-08-10 11:00:00:558  272 e88 Agent   * WSUS server: <NULL>
    2014-08-10 11:00:00:558  272 e88 Agent   * WSUS status server: <NULL>

    The service was started at 11:00am and there is no WSUS configuration. If this Service Start was the result of a reboot, that would also imply that there's no Group Policy being applied, but if you merely restarted the service, then it's just reflecting what it found in the registry.

    2014-08-10 12:25:43:602  272 45c Agent ***********  Agent: Refreshing global settings cache  ***********
    2014-08-10 12:25:43:602  272 45c Agent   * WSUS server: http://fpadc01:8530 (Changed)
    2014-08-10 12:25:43:602  272 45c Agent   * WSUS status server: http://fpadc01:8530 (Changed)

    At 12:25pm, something forced a refresh of the settings cache ... unless the WUA team made radical changes in this new build, it was not a Group Policy change, as Group Policy changes are explicitly logged as such (the WUA is aware of policy changes).


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, August 18, 2014 3:01 AM