Published on

WSUS

Authors
  • Name
    Jackson Chen

WSUS troubleshooting

https://arnaudloos.com/2019/wsus-troubleshooting/

client Side Troubleshooting

WSUS Commands

Use the following commands on client side

a. If you’re on Windows 7/8/Server 2008R2/2012R2 then wuauclt works for you.
wuauclt /resetauthorization /detectnow
wauauclt /reportnow     # doesn’t do what you think and isn’t very useful.

b. Windows 10/Server 2016 then wuauclt has been depricated and you have UsoClient.
usoclient.exe startscan         # detect missing patches
usoclient.exe refreshsettings   # refresh settings if any changes were made
usoclient.exe startdownload     # download patches
usoclient.exe startinstall      # install patches

c. Powershell command
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

WSUS Logs

1. Check Windowsupdate log
On Windows 10 open an administrative powershell prompt and run 
Get-Windowsupdatelog.   # The log will be on the desktop. Wait for the command to finish running.

2. Check to make sure the service is running.
Get-Service -Name wuauserv

3. Next check and make sure client is receiving WSUS settings from Group Policy.
gpresult /scope computer        # Verif yWSUS settings policy is being applied to the machine.
Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate    # Query client registry for WSUS settings with

4. Powershell to test the connectivity.
Test-NetConnection -ComputerName <WSUS_Server> -Port 8530 -InformationLevel Detailed

5. Don’t forget the obvious step of checking the Event log.
a. Application Event log as well as 
b. App and Service Logs > Microsoft > Windows > WindowsUpdateClient

6. Run an administrative command prompt to check for file corruption that can affect the client.
sfc /scannow

7. If you have both working and non-working clients 
In WSUS check c:\program files\update services\WebServices\ClientWebServices for a web.config file and compare a working file to a non-working file for differences.

8. If this client comes from an OS image and Sysprep wasn’t run
Then the issue may be that multiple clients are using the same SUSClientID key.

Check HKLM\Software\Microsoft\Windows\CurrentVersion\WIndowsUpdate and delete the current SUSClientID.
Run wuauclt /resetauthorization /detectnow from an elevated command prompt.

clear local cache

The sequence below will clear out the local cache of the Windows Update client

attrib -h -r -s %windir%\system32\catroot2
attrib -h -r -s %windir%\system32\catroot2\*.*
net stop wuauserv
net stop CryptSvc
net stop BITS
ren %windir%\system32\catroot2 catroot2.old
ren %windir%\SoftwareDistribution SoftwareDistribution.old
ren "%ALLUSERSPROFILE%\application data\Microsoft\Network\downloader" downloader.old
net start BITS
net start CryptSvc
net start wuauserv

Re-register a machine with the WSUS server

net stop wuauserv  
net stop bits  
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f  
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f  
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
rd /s /q "C:\WINDOWS\SoftwareDistribution"
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow (or usoclient.exe RefreshSettings)
PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

Server Side Troubleshooting

1. Check the Windows Update service
Get-Service -name WsusService

2. Check the IIS service
Get-Service -name W3SVC

3. check server listening on the open ports
netstat -an | findstr 853*

4. Try browse to the WSUS website
http://server:8530/ClientWebServices/client.asmx?

You should see a blue and tan Client Service info page.

5. If not, we can try resetting the port.
Open an elevated command prompt and run 
wsusutil usecustomwebsite false     # This will change the port WSUS uses from 8530 to 80, so make sure nothing is running on port 80.
wsusutil usecustomwebsite true      # The run iisreset
iisreset /restart                   # This changes the port back to 8530 and “resets” the configuration.

6. Check firewall rules.
7. Check server side logging: 
c:\program files\updateservices\logfiles\SoftwareDistribution

8. Run sfc /scannow to check for file corruption.
Discuss on TwitterView on GitHub