locked
Unpredictable WSUS update behavior or I just don’t understand the WSUS process. RRS feed

  • Question

  • Last month I had started a thread about random WSUS clients failing to download updates and generating 403 errors. I am seeing the same behavior this month with a new wrinkle. The machines that generate the 403 errors 1). do not have any connectivity or permissions issues preventing them from accessing the WSUS server, 2). the failed machines appear to be random and 3). the failed machines are usually less than 15 in number out of 400+ identically configured and connected machines receiving updates. This month when the first batch of servers where scheduled to start downloading the approved updates all but 9 successfully download, rebooted and restarted completing the update process. The remaining 9 (a different 9 from the previous set) failed to download every update again with phantom 403 errors.

    That was last week. This week I opened my WSUS server console only to see the machines that were previously updated and removed from the "failed or needed" list reappear in that list. Apparently the WSUS server has spontaneously decided that several past updates from 2012 to present are needed by these machines and as these updates were previously approved years ago the client machines have started downloading these updates  and in some cases rebooting. This is particularly distressing as a). these are production machines that have a set reboot schedule and per the GPO should not reboot off schedule, b). The WSUS synch is only performed one time a month to prevent multiple update processing and reboot cycles and c). The spontaneous updating has created even more failed machines. Some machines are failing updates that were reporting as installed last week. Due to the erratic behavior and the apparent age of some of the updates I performed a WSUS reset by stopping the update service, deleting the old update folders from the WSUS server update directory, restarting the service and issuing a WSUSUtil.exe RESET to re-download the required updates from Microsoft. The WSUS server is a VMWare hosted VM with sufficient HD space and memory available.

    I have a total of about 2500 machines that receive updates from this server at different scheduled times during the month. It is not always possible to accommodate this type of erratic behavior and stay on schedule. Any help would be greatly appreciated.


    • Edited by unimorpheus Tuesday, March 24, 2015 9:06 PM
    Tuesday, March 24, 2015 9:03 PM

All replies

  • Hi,

    >>Last month I had started a thread about random WSUS clients failing to download updates and generating 403 errors.

    To troubleshoot this issue, we can enable the logs of IIS, then track the sub-status code associated with the 403.

    Here is a good guide:

    http://blogs.iis.net/tomkmvp/archive/2009/12/10/troubleshoot-a-403.aspx

    >>Apparently the WSUS server has spontaneously decided that several past updates from 2012 to present are needed by these machines and as these updates were previously approved years ago the client machines have started downloading these updates  and in some cases rebooting.

    Please check if these updates have the deadline. Client will install and reboot immediately when the deadline is passed. If we removed some updates which are suppressing this update, this update will be needed.

    Besides, please run the WSUS clean up wizard to remove the old or unneeded update.

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, March 25, 2015 7:37 AM
  • I have not been able to find any sub-status codes for the 403 errors. IIS logs only list 200 and 206 codes, no errors any any IIS logs and full logging was enabled at IIS setup. Clients only list the following:

    2015-03-23 00:48:02:537  908 1524 Report REPORT EVENT: {09378F5D-2A95-457E-8FF9-A8B95E14A272} 2015-03-23 00:47:57:522-0700 1 161 101 {316E6D51-C2C7-4E94-9CA7-F8C8D6A526AF} 202 80244018 AutomaticUpdates Failure Content Download Error: Download failed.
    2015-03-23 00:48:02:537  908 1524 Report REPORT EVENT: {2822694A-146B-4CDD-A29A-118B2BDAD8AC} 2015-03-23 00:48:00:725-0700 1 161 101 {562DC25C-D769-464F-BAC6-FA26703E6E14} 204 80244018 AutomaticUpdates Failure Content Download Error: Download failed.
    2015-03-23 00:48:03:912  908 1488 DnldMgr WARNING: BITS job {9E1A23C2-A960-44DF-8FA7-CC84E7345235} failed, updateId = {77A8936E-B99A-43AD-8160-18B6F6F8CE14}.202, hr = 0x80190193, BG_ERROR_CONTEXT = 5
    2015-03-23 00:48:03:912  908 1488 DnldMgr   Progress failure bytes total = 0, bytes transferred = 0
    2015-03-23 00:48:03:912  908 1488 DnldMgr   Failed job file: URL = http://10.10.10.247/Content/6D/6BDA4FE99B3A77E3120BAB7C3F2EA6A38275516D.exe, local path = C:\WINDOWS\SoftwareDistribution\Download\8b32b2da2afa677aae1aeff219ee7373\windowsserver2003-kb3039066-x86-enu.exe
    2015-03-23 00:48:03:912  908 1488 DnldMgr Error 0x80244018 occurred while downloading update; notifying dependent calls.
    2015-03-23 00:48:03:927  908 e40 AU >>##  RESUMED  ## AU: Download update [UpdateId = {50CBA085-5E3A-4C26-A77D-785AD55FE271}]
    2015-03-23 00:48:03:927  908 e40 AU   # WARNING: Download failed, error = 0x80244018

    Error = 0x80244018 is just a generic 403 and I cant find the root cause anywhere. I have run the WSUS client diag and server debug utilities, both systems pass. At this point I am at a loss.

    Monday, March 30, 2015 6:29 PM
  • Hi,

    on that machine, can you download the file directly (as in using a browser?)

    http://10.10.10.247/Content/6D/6BDA4FE99B3A77E3120BAB7C3F2EA6A38275516D.exe


    If you find the answer of assistance please "Vote as Helpful"and/or "Mark as Answer" where applicable. This helps others to find solutions for there issues, and recognises contributions made to the community :)

    Monday, March 30, 2015 6:59 PM
  • Yes, I have tested the error below. I have done this several times on several effected machines but with this error I pushed all the way through installation of the update manually. This update no longer shows as needed by this machine in WSUS so the reporting is working fine

    DnldMgr   Failed job file: URL = http://10.10.10.247/Content/CB/2236E727FD3D5505FB7AF6073A9A56EE45916ACB.exe, local path = C:\WINDOWS\SoftwareDistribution\Download\5c46ae3c779c237f42a8040455921c52\windowsserver2003-kb3033889-x86-enu.exe

    Manually copied http://10.10.10.247/Content/CB/2236E727FD3D5505FB7AF6073A9A56EE45916ACB.exe to C:\WINDOWS\SoftwareDistribution\Download\5c46ae3c779c237f42a8040455921c52\windowsserver2003-kb3033889-x86-enu.exe

    This took several steps as the "5c46ae3c779c237f42a8040455921c52" folder did not exist of course and the file has to be saved-as "windowsserver2003-kb3033889-x86-enu.exe". Once downloaded and renamed I was able to execute the file and install the update without issue. 



    • Edited by unimorpheus Monday, March 30, 2015 10:25 PM
    Monday, March 30, 2015 10:20 PM
  • Hmm, that's odd, the wsusutil reset should have re-downloaded that content. Is there any A/V scanning those directories? 

    If you find the answer of assistance please "Vote as Helpful"and/or "Mark as Answer" where applicable. This helps others to find solutions for there issues, and recognises contributions made to the community :)

    Tuesday, March 31, 2015 6:39 AM
  • Yes, McAfee Virusscan Enterprise ver. 8.8

    Monday, April 6, 2015 5:38 PM
  • It looks like the deployment of new firewall products has partially broken WSUS processing at the upgraded stores. This issue appears to have been access related after all. Unfortunately these upgrades are handled by a different department and I was unaware of the change. A little awareness can go a long way. Thank you to everyone who offered assistance. 
    Thursday, April 23, 2015 3:56 PM