WSUS2 - Client SelfUpdate problems

By Blackcurrant ·

Can somebody please help me with this.

I am trying to get WSUS2 to run on my domain, and am having some teething troubles. I have installed it on a Windows 2003 Server (Appliance Edition), and it installed fine.

I have been able to synchronise OK, and have D/L all the updates to the WSUS storage location. I have used Group Policy's Computer Configuration\Administrative Templates\Windows Components\Windows Update, to point all the clients (WinXP SP2 and Win2k SP4), in my organisation to the WSUS server. I have also enabled the Windows Update policy at User Configuration\Administrative Templates\Start Menu and Taskbar\Remove links and access to Windows Update (as per the Microsoft document 'Deploying Microsoft Windows Server Update Services.doc').

I have two problems, one of which is causing the other:

When I start the WSUS GUI, there are two entries in the To Do List. The first is Check your server configuration... ensure that the Windows Server Update Service is running. Non-running services: SelfUpdate. The second regards using SSL which I am not concerned about.

Because the clients are unable to selfupdate, they are (presumably) unable to reach the SelfUpdate folder. This means that none of my clients are showing up in the Computers list.

I have been everywhere and have tried many things to sort this problem out. I have used the troubleshooting section in the MS WSUS Operations Guide document to check that paths and permissions (anonynous access and Network Service) in IIS and on the drive on which WSUS is installed are correct. I have also checked the registry to make sure that the Group Policy settings are being applied to the clients and have confirmed that the correct path to the WSUS server exists locally.

If I start Windows Update from a client, it immediately goes to

If I manually enter the address of the WSUS server and point it to the .cab files (as part of the troubleshooting in the Operations doc), I get the prompt to save or run the cab.

If a WSUS guru can help me with this, it will surely help prevent a few more hairs turning grey, for which I will be incredibly grateful.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

2 GP things to do

by CG IT In reply to WSUS2 - Client SelfUpdate ...

Blackcurrant there are 2 GP configurations to make on clients.

specify the intranet server where clients get updates using the http://servername:8530

and configure automatic updates

Also it can take up to 20 hours for WSUS to detect clients.

Configure Windows Firewall if you run it on client computers of whatever flavor of firewall run on client computers to allow access

Last but not least the new IE7 available 11/1/2006 can be used with WSUS but previous beta versions can not.

here's a specific link for configuring GP on client computers for WSUS

Collapse -

Thanks - but still the same

by Blackcurrant In reply to 2 GP things to do

Hi, CG IT, thanks for your reply.

These policy settings have been in place for several days. I am pretty sure that I have everything covered as far as group policy is concerned.

I added the port to the intranet address, as per your suggestion, but 24 hours later, there are still no PC's in the Computers list.

Would you, or anyone else like to take a few moments and review the settings please?

Here are two screens showing the Group Policy settings for Windows Update:

And here is a screen showing the opening status page of WSUS:

If anyone can spot any problems with the settings, please let me know.

I have gone through both the Deployment and the Operations Guide documents.

I have followed the instructions for troubleshooting (checking the settings for) IIS, but as I have never used IIS before, I have no idea if there are any further checks I can make.

Thank you.

Any further help will be appreciated.

Collapse -

I have uninstalled it

by Blackcurrant In reply to WSUS2 - Client SelfUpdate ...

After many hours troubleshooting this, I have decied to cut my losses and uninstall this program.

If anyone has any further thoughts about this, please post.

Collapse -

I reinstalled.....

by Blackcurrant In reply to I have uninstalled it

and had another go. This time with more success.

I discovered that the default account used for anonymous access on the server that WSUS2 was installed on was disabled. After I re-enabled it, 7 of the 27 PC's in our network registered in the Computer Group I set up.

Also, I still got the SelfUpdate error and this has now been fixed - Using the IIS Manager I checked the security settings, source directorys and permissions for the vroot folders. The SelfUpdate folder had anonymous access disabled. After changing it to enabled, the error message disappeared.

Now I just need to wait and see if the remainder of my PC's will register.

*fingers crossed*

/Edit 29/11/2006:
No more machines had reported into the WSUS server. Further research uncovered this:
Because I had used Group Policy on the Domain Controller to control how the Windows Updates service functions, the security for the service had been changed on many of the clients. This meant that the service was not able to start on many of the machines. When I tried to start it manually I received: Error: 0x80004015: The class is configured to run as a security id different from the caller.

The solution, according to MS KB article is to use Group Policy on the Domain Controller to navigate to Computer Configuration/Windows Settings/Security Settings/System Services, then double-click Automatic Updates and add Authenticated Users via the Edit Security button. Make sure the group has Read access and everything should be OK.

I did this, refreshed the policy on a client, then ran wuauclt.exe /detectnow and the machine appeared immediately in the WSUS server's Computer Group.

Hopefully, as the other clients refresh their policy settings, they too shall register in the WSUS server.

Related Discussions

Related Forums