Tips for troubleshooting WSUS Agents that are not reporting to the WSUS server
The WSUS client agent may not report to the WSUS server for many reasons. Here I'll go through some of the reasons and how you can troubleshoot the process. You may also run into situations where some or all clients stop reporting to the server, and these steps will help in those scenarios as well.
1. Make sure that the client has the proper WSUS settings
On the client, run gpresult or rsop.msc to make sure that the details of the WSUS server exist. If not, a couple of possible causes include:
- The system does not have the group policy from the domain.
- The Group Policy is not targeted to the client system.
To address this, you need to make sure that the group policy is successfully updated on each client and that the WSUS setting is properly configured. For more information on this, see the following TechNet documentation:
Configure Automatic Updates by Using Group Policy
If you are using a registry modification or local policy, make sure that the same is applied. The registry location where the WSUS server configuration is stored is below:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="https://<WSUSSERVER:PORT>"
"WUStatusServer"="https://<WSUSSERVER:PORT>" …etc
Further options on the WSUS Agent settings are available here:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:0000000X …etc
You can find more details on how you can use scripts to configure the WSUS settings from the following link:
https://msmvps.com/blogs/athif/archive/2005/09/14/Manually_Configure_WUA.aspx
Once you have made sure that the WSUS settings are configured correctly, you can move on to the next step.
2. Make sure that the agent services are up and running
You need to make sure that the WSUS agent service (Automatic Updates) and BITS (Background Intelligent Transfer Service) are running. The System and Application events in Event Viewer can help you identify and troubleshoot this issue. If you suspect your issue may be related to the Automatic Updates or BITS services, here are a few links that can be helpful in troubleshooting these types of issues:
KB331716 - List of known issues for Background Intelligent Transfer Service (BITS)
KB969632 - Background Intelligent Transfer Service (BITS) does not start in Windows XP, and you receive a message in the System log: "The Background Intelligent Transfer Service service terminated with service-specific error 2147500037 (0x80004005)"
KB883614 - You receive a "Windows Update has encountered an error and cannot display the requested page" error message when you try to install an update
KB959894 - Error message: “The necessary service "Automatic Updates" (WUAUSERV) is not started or Background Intelligent Transfer Service (BITS) is disabled. Error 0x8DDD0018” or Error codes 0x80244019 or 0x80070422 when attempting to install updates.
3. Make sure the WSUS server is reachable from the client
Make sure that you can access the site https://<WSUSSERVER:port>/iuident.cab and download the file without errors. If this fails, some possible reasons include:
- There is a name resolution issue on the client.
- There is a network-related issue (e.g. a proxy configuration issue).
One of the most common issues we see is the proxy issue. For that, check windowsupdate.log (in C:\windows\) and see if there are any proxy-related errors. If there are, run the proxycfg command to check the WinHTTP proxy settings. For more information on the proxycfg command, see the following link:
https://msdn.microsoft.com/en-us/library/ms761351(VS.85).aspx
Most clients will have the proxycfg utility, but if not, you can download it here:
KB830605 - The Proxycfg.exe configuration tool is available for WinHTTP 5.1
If you are finding proxy errors, go to Internet Explorer -> Tools -> Connections -> LAN Settings, configure the correct proxy and make sure you can reach the WSUS URL specified. Once done, you can copy these user proxy settings to the WinHTTP proxy settings using the proxycfg -u command.
Once the proxy settings are specified you can run wuauclt /detectnow and check the windowsupdate.log for errors.
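The checks from steps 1 to 3 can be run in one pass on a client. This is an added example, not part of the original post; the function name Test-WsusClient is hypothetical, and the UseWUServer check assumes the policy is delivered through the registry keys shown in step 1.

```powershell
# Added example; the function name is hypothetical, not from the original post.
function Test-WsusClient {
    $key      = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $findings = @()

    # Step 1: values written by Group Policy, local policy or a .reg import
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
    if (-not $pol.WUServer) {
        $findings += 'WUServer is not set: the WSUS policy has not reached this client'
    } else {
        if ($pol.WUServer -ne $pol.WUStatusServer) {
            $findings += "WUStatusServer '$($pol.WUStatusServer)' differs from WUServer"
        }
        if ($au.UseWUServer -ne 1) {
            $findings += 'AU\UseWUServer is not 1, so the agent ignores WUServer'
        }
    }

    # Step 2: the agent and BITS must exist and must not be disabled
    foreach ($name in 'wuauserv', 'BITS') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { $findings += "Service $name is missing" }
        elseif ($svc.StartMode -eq 'Disabled') { $findings += "Service $name is disabled" }
        else { Write-Host "$name : $($svc.State) ($($svc.StartMode))" }
    }

    # Step 3: fetch iuident.cab from the configured server. This request uses the
    # current user's proxy settings; the agent itself uses the WinHTTP proxy.
    if ($pol.WUServer) {
        $url = $pol.WUServer.TrimEnd('/') + '/iuident.cab'
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            Write-Host "$url : HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
        } catch {
            $findings += "Cannot download $url : $($_.Exception.Message)"
        }
    }
    $findings   # empty output means none of the three checks failed
}

Test-WsusClient
```

If the download succeeds here but the agent still logs proxy errors, the user and WinHTTP proxy settings differ, which is the case proxycfg -u addresses.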
4. Make sure the agent is healthy and working
If you still have errors, you can check the Windows Update Agent version. The details on how to do this are here:
https://technet.microsoft.com/en-us/library/bb680319.aspx
If you find that the agent is not up to date, you can update the Windows Update Agent to the latest version here:
KB949104 - How to obtain the latest version of the Windows Update Agent to help manage updates on a computer
For more information see https://technet.microsoft.com/en-us/library/bb932139.aspx
You can also use the utility provided in KB971058, which will help you sort out most issues with the agent. Once you've run the fix or updated the agent, you can run wuauclt /detectnow and check the windowsupdate.log to make sure there are no issues.
5. Automatic Update Agent Store is corrupted
When updates fail to download and we're seeing errors relating to the software distribution store, try the following on the client:
a. Stop the Automatic Updates service
b. Rename the software distribution folder (i.e. C:\Windows\SoftwareDistribution).
c. Restart the Automatic Updates service
d. Run wuauclt /resetauthorization /detectnow
e. Run wuauclt /reportnow
6. Clients with the Same SUSclient ID
This issue can happen when we image systems and the clients end up having the same SUSclientID. The result is that only one among these clients will appear in the console. You may also see that out of a group of these clients, only one appears at a time but the exact one that does appear may change over time. For those clients that are not registering due to the SUS GUID issue we can use the following:
a. Stop the Automatic Updates service
b. Delete the SUSclientID reg key under HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
c. Restart the Automatic Updates service
d. Run wuauclt /resetauthorization /detectnow
e. Run wuauclt /reportnow
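Sections 5 and 6 share steps a, c, d and e, so both can be scripted as one function. This is an added example, not part of the original post; the function and switch names are hypothetical, and the 30-second pause between the two wuauclt calls is an assumption.

```powershell
# Added example; the function and switch names are hypothetical. Run elevated.
function Reset-WsusClient {
    param(
        [switch]$RenameStore,       # section 5, step b
        [switch]$ClearSusClientId   # section 6, step b
    )
    $wuKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    $store = Join-Path $env:windir 'SoftwareDistribution'

    Stop-Service -Name wuauserv -Force -ErrorAction Stop               # step a
    try {
        if ($RenameStore -and (Test-Path $store)) {
            # Timestamped name: the old store is kept, and a rerun cannot collide
            $backup = 'SoftwareDistribution.{0:yyyyMMdd-HHmmss}' -f (Get-Date)
            Rename-Item -Path $store -NewName $backup -ErrorAction Stop
        }
        if ($ClearSusClientId) {
            $old = (Get-ItemProperty -Path $wuKey).SusClientId
            Write-Host "Removing SusClientId $old"   # record it before deletion
            Remove-ItemProperty -Path $wuKey -Name SusClientId -ErrorAction SilentlyContinue
        }
    } finally {
        # Restart even if step b failed, so the client is not left without the agent
        Start-Service -Name wuauserv                                   # step c
    }
    $wuauclt = Join-Path $env:windir 'System32\wuauclt.exe'
    & $wuauclt /resetauthorization /detectnow                          # step d
    Start-Sleep -Seconds 30   # assumption: let detection start before reporting
    & $wuauclt /reportnow                                              # step e
}

# Reset-WsusClient -RenameStore         # corrupted store (section 5)
# Reset-WsusClient -ClearSusClientId    # cloned image (section 6)
```

Recording the removed SusClientId lets you confirm afterwards that the machine registers in the console under a new ID.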
Note: Most of these issues can be traced from windowsupdate.log and the error codes it contains. For understanding what the error codes mean you can check the following link: https://inetexplorer.mvps.org/archive/windows_update_codes.htm
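To see which error codes dominate a client's windowsupdate.log before looking them up, the log can be tallied by code. This is an added example, not part of the original post; Get-WuLogErrors is a hypothetical name and the sample log lines are constructed for illustration.

```powershell
# Added example; Get-WuLogErrors is a hypothetical name.
function Get-WuLogErrors {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Failure codes beginning with 8, with or without the 0x prefix. The
    # lookarounds skip the first block of an update GUID such as {80A1B2C3-...}.
    $rx = [regex]'(?i)(?<![-{\w])(?:0x)?(8[0-9a-f]{7})(?![-\w])'
    $hits = foreach ($line in $Lines) {
        $f = $line -split "`t"   # date, time, PID, TID, component, message
        foreach ($m in $rx.Matches($line)) {
            [pscustomobject]@{
                Code      = '0x' + $m.Groups[1].Value.ToUpper()
                When      = "$($f[0]) $($f[1])"
                Component = $f[4]
            }
        }
    }
    $hits | Group-Object Code | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Code       = $_.Name
            Count      = $_.Count
            Components = ($_.Group.Component | Sort-Object -Unique) -join ','
            LastSeen   = ($_.Group | Select-Object -Last 1).When
        }
    }
}

# Constructed sample lines in the tab-separated layout of windowsupdate.log
$sample = @(
    "2016-08-08`t09:15:02:123`t 912`t1a4c`tPT`tWARNING: SyncUpdates failure, error = 0x8024401C"
    "2016-08-08`t09:15:02:130`t 912`t1a4c`tAgent`t  * WARNING: Exit code = 0x8024401C"
    "2016-08-08`t09:20:41:007`t 912`t1b20`tAU`tWARNING: Download failed, error = 0x80244019"
    "2016-08-08`t09:21:10:411`t 912`t1b20`tAgent`t  * Added update {80A1B2C3-0000-4000-8000-000000000001}.1"
)
Get-WuLogErrors -Lines $sample | Format-Table -AutoSize

# On a client: Get-WuLogErrors -Lines (Get-Content "$env:windir\WindowsUpdate.log")
```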
Hope this helps,
Sudheesh Narayanaswamy | Support Engineer
Comments
- Anonymous
April 10, 2013
Thanks, this is a really helpful post! I'll try each suggestion and hopefully figure out why some of the WSUS clients have stopped reporting into the server.
- Anonymous
November 06, 2013
This link: technet.microsoft.com/.../bb680319.aspx assumes that you have System Center Configuration Manager installed, or that you're using a dedicated SQL database for your WSUS server. If you don't have either of those, is there a way to check the client version?
- Anonymous
December 04, 2013
Thank you very much, this is the first answer that has worked for me
- Anonymous
January 25, 2014
Thank you very much!! Cheers!!
- Anonymous
August 08, 2016
I just moved my domain from 2008r2 to 2012 on new hardware. This included moving my WSUS from 3.2 to 6.2 on the new server. I initially set the new instance as a Replica but then switched it to direct sync. However none of my clients could use the new server even after I changed my GPO to point to it. I found eventually that the Network Location Awareness service was detecting the server's LAN connection as a "Private" network rather than as a "Domain" network and thus the Windows Advanced Firewall was using the wrong set of values for incoming traffic. On my clients this showed up as a bunch of 8024401c errors. I've changed NLA to "delayed start" and hope that will fix the problem.