WSUS on Windows Server 2016 - 8024401C & 0x80244007

  • Question

  •    Hello!  I have a new Windows 2016 Server with WSUS 5 installed.  My problem is that I just can't get any clients to connect to it. ;-)  I have changed Group Policy (setting the Configure Automatic Updates, Specify intranet Microsoft update service location, etc.).  And I've verified the GP settings with RSoP.  I am using the URL http://wsus:8530 for my WSUS update location.  I've verified the port in the WSUS and the URL http://wsus:8530/selfupdate/wuident.cab does download from a PC.

       On Windows 10 PCs I get an error 0x80244007 when I check for updates.  Since I've been reading about a host of issues with Windows 10 PCs and WSUS I figured I'd create a Windows 2012 VM to see if that worked with my WSUS server.  It doesn't work either - it gives an error 8024401C when checking for updates.

       The WSUS server reports that no computers are registered to receive updates - yet when I look in the WSUS update logs on the PCs they are trying to connect to the WSUS server.

       Where do I go from here?  Any troubleshooting help would be greatly appreciated!

       Thanks so much!  Dave

    Friday, December 16, 2016 4:38 PM

Answers

  • Anne,

       Thanks so much for the suggestion.  Instead of just removing the WSUS components I created an entirely new VM.  In the process of creating the Computer Group in WSUS (that was specified in Group Policy) I found that the name I used for the Computer Group had an apostrophe which turns out to be an invalid character.

       So in hindsight I don't know whether the problem was really the WSUS server or me trying to use a Computer Group in Group Policy which had an invalid character and the group hadn't been created in the WSUS console.

       Thanks again for your help!

    Dave

    Monday, January 9, 2017 1:12 PM
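
The resolution above came down to the client-side targeting group named in Group Policy. As an added example (not part of the original thread), this PowerShell check reads the Windows Update policy values and flags a server URL that is not HTTPS and target group names with characters outside a conservative set. The function name, the sample values and the allowed character set are assumptions; the thread only establishes that an apostrophe is invalid.

```powershell
# Added example, not from the thread. Constructed sample mirroring the thread's setup.
# On a real client, pass the output of:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$sample = [pscustomobject]@{
    WUServer           = 'http://wsus:8530'
    WUStatusServer     = 'http://wsus:8530'
    TargetGroupEnabled = 1
    TargetGroup        = "Dave's PCs"   # constructed name containing an apostrophe
}

function Test-WsusClientPolicy {   # hypothetical helper name
    param([Parameter(Mandatory)] $Policy)

    $findings = @()

    # Both URLs must be absolute; plain HTTP is reported so it can be reviewed.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $uri = $Policy.$name -as [uri]
        if (-not $uri -or -not $uri.IsAbsoluteUri) {
            $findings += "$name is missing or not an absolute URL"
        } elseif ($uri.Scheme -ne 'https') {
            $findings += "$name uses unencrypted $($uri.Scheme) on port $($uri.Port)"
        }
    }

    if ($Policy.TargetGroupEnabled -eq 1) {
        # Client-side targeting accepts several group names separated by semicolons.
        foreach ($group in ([string]$Policy.TargetGroup -split ';')) {
            $g = $group.Trim()
            # Assumption: letters, digits, space, '-' and '_' are treated as safe.
            # Anything else is only flagged for review, not declared invalid.
            $bad = [regex]::Matches($g, '[^\p{L}\p{Nd} _-]') |
                ForEach-Object Value | Select-Object -Unique
            if (-not $g) {
                $findings += 'TargetGroup contains an empty name'
            } elseif ($bad) {
                $findings += "Target group [$g] has characters to review: $($bad -join ' ')"
            }
        }
    }
    $findings
}

Test-WsusClientPolicy -Policy $sample
```

On the WSUS server itself, the names from the policy can be compared with the groups that actually exist, which (Get-WsusServer).GetComputerTargetGroups() returns.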

All replies

  • A number of things possibly:

    1. Firewall settings on the client

    2. You could try running a script on a client that resets windows update and then tries to report to the WSUS.

    3. Duplicate SIDs

    This script or some of it might be worth trying on one of your clients:

    net stop wuauserv
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
    reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f
    net start wuauserv
    wuauclt.exe /resetauthorization /detectnow
    pause

    Friday, December 16, 2016 4:57 PM
  • Thanks for the suggestions.  Here are my responses:

    1.  I turned off the firewalls (on both a Windows 10 PC and a Windows Server 2012 R2 VM).

    2.  I ran the above commands on both the Windows 10 and the Server 2012 R2.

    3.  I used Ntdsutil - there are no duplicate SIDs in Active Directory.

    This didn't make any difference on either host.  I am still getting the same error numbers when I try to manually check for updates.  

    Do you have any further suggestions?

    Friday, December 16, 2016 5:17 PM
  • That's really strange indeed. Are you 100% sure your group policy location is right and the port is right?

    Stupid question, I know, but can you ping the server from the client and vice versa?

    Also, if you remove the client from the policy and check for updates, does that work? I mean an over-the-internet check without WSUS.
    Friday, December 16, 2016 8:12 PM
  • I can't say that I'm 100% sure, but certainly high 90's...  And no question is stupid - I really appreciate your help.

    Yes, I can ping (by name and by IP) - both directions.  There is no internal network firewall - this is all on one subnet.

    Yes, I can see that the RSoP says that the policy is in place.  Plus when I go into Windows Updates I see messages like "You receive updates: Managed by your system administrator".

    Yes, I verified the port 8530 on the WSUS console.  And I can hit http://wsus:8530/selfupdate/wuident.cab from a client.  I think that this should mean that I have the correct server address, DNS, port, and server firewall settings.  IIS says that the "Default Web Site" is running on port 80 and the "WSUS Administration" is running on 8530 (http) and 8531 (https).  But I'm assuming that I should be using the "WSUS Administration" port of 8530 in the GP Setting "Specify intranet Microsoft update service location".  Is that correct?  Or should I be using port 80?

    Yes, the Windows 10 PCs were working just fine before I added them to the WSUS server.

    Thanks for your help...

    Friday, December 16, 2016 8:38 PM
  • It is really strange. Especially that you can browse to the cab file with no issues.

    I guess you can rule out a network connectivity issue then..

    I think the system administrator manages update bit just means you enabled the group policy so the path still could be an issue. I think even if you set the server to: http://mickeymouse:8530 it would tell you the updates are managed by the administrator however I can't confirm that.

    I'll get my config when I have a moment and post it to you.

    Also, have you patched your 2012 server to allow W10 feature packs etc.? You will probably need that at some point:

    https://support.microsoft.com/en-gb/kb/3095113

    Yes, you are right about the port thing. You specify the 8530 so http://wsusupdateserver:8350

    I don't know if this helps at all:

    https://support.microsoft.com/en-gb/kb/2883975

    although this seems to be for Windows 8 and 2012

    I must admit I haven't really had much time on 2016 only 2012 in a WSUS environment. I only just realised you were talking 2016 and not 2012.


    Friday, December 16, 2016 11:02 PM
  •    I'm not sure what you mean by "I think the system administrator manages update bit just means you enabled the group policy so the path still could be an issue."  I believe that my URL is correct with the 8530 port.

       This server is actually a Windows Server 2016.  The patch you provided is for Windows 2012.  My guess is that the problem is on the Windows Server 2016 WSUS side because both the Windows 10 PCs and my test Windows 2012 R2 VM aren't working with it.

    Thanks... dave

    Friday, December 16, 2016 11:08 PM
  • I mean that when you go to updates, it says updates are managed by the system administrator because you enabled the policy. I think any path in the WSUS intranet location would trigger that; however, I haven't tried so cannot confirm this.

    Like you say, it seems as if it is the 2016 server side that is the issue. I will post my config as soon as I can in case it helps at all.

    Do you have any policies related to cookies? The error you describe seems to point to cookies problems.

    Possibly try this on one of the clients if you haven't already:

    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f
    net stop "Windows Update"
    move %windir%\windowsupdate.log %windir%\windowsupdate.old.log
    move %windir%\SoftwareDistribution %windir%\SoftwareDistributionold
    regsvr32 /s atl.dll
    regsvr32 /s wucltui.dll
    regsvr32 /s wups.dll
    regsvr32 /s wuaueng.dll
    regsvr32 /s wuapi.dll
    regsvr32 /s msxml3.dll
    regsvr32 /s mssip32.dll
    regsvr32 /s initpki.dll
    regsvr32 /s softpub.dll
    net start "Windows Update"
    wuauclt /resetauthorization /detectnow


    Saturday, December 17, 2016 12:05 AM
  •    No, I don't have any group policies related to cookies.  I saw some posts about that but I don't think it's related to what is going on here.

       I did try executing your commands in a script.  It didn't seem to help.

       I do think that the problem is the Windows 2016 server.  It is a brand-new VM, fully patched, without anything else installed on it except WSUS.

    Thanks again...  Dave

    Saturday, December 17, 2016 12:13 AM
  • Does anyone have WSUS running successfully on Windows Server 2016?  Did you have to do anything special to get it to work?

    I'd certainly be glad for anyone's insight if they'd like to share it with me...

    Dave

    Tuesday, December 20, 2016 1:19 PM
  • Hi dbaddorf,

    1. Could the WSUS clients show up in the WSUS 2016?

    2. Please check if you installed the latest monthly rollup for server 2016, if not, please install it:

    https://support.microsoft.com/en-us/help/4000825/windows-10-update-history

    3. Check if there are errors in the WSUS event log in event viewer.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 22, 2016 9:04 AM
  • Anne,

       Thanks for your questions!  Here are my responses:

    1. No clients show up in WSUS 2016.

    2. The last monthly rollout (from December) is installed.

    3. Here are WSUS event logs in the Application Log.  Recent errors include:

    • Event ID 12072: The WSUS content directory is not available.  System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
    • Event ID 12052: The DSS Authentication Web Service is not working.
    • Event ID 12042: The SimpleAuth Web Service is not working.
    • Event ID 12072: The Client Web Service is not working.
    • Event ID 12032: The Server Synchronization Web Service is not working.
    • Event ID 12012: The API Remoting Web Service is not working.
    • Event ID 12002: The Reporting Web Service is not working.
    • Event ID 13051: No client computers have ever contacted the server.
    • Event ID 13042: Self-update is not working

       All of these errors occur at the same second.  Do you have any clue as to what I should do?

       I appreciate you looking into this for me.

    Thanks.. dave

    Thursday, December 22, 2016 2:50 PM
  • Hi dbaddorf,

    According to the event logs, the related WSUS components are all not working.

    So I would recommend reinstalling the WSUS server role (since the server is not yet in use, it may be easy to reinstall).

    Remove the WSUS role, remove the WSUS IIS site, remove the WSUS content folder, and remove SUSDB. Then reinstall the WSUS role.

    When reinstalling, ensure the WSUS content is stored on a local drive, and ensure the post-installation progress finishes correctly.

    Best Regards,

    Anne



    Friday, December 23, 2016 2:28 AM
  • Hi dbaddorf,

    Then, is everything working now? If yes, you may mark your reply as the answer, so that this case can be closed.

    Best Regards,

    Anne



    Tuesday, January 10, 2017 8:33 AM