WSUS - clients stopped updating

Question

_{Thursday, January 11, 2018 1:46 PM}

Hey Guys,

My Clients stopped downloading updates it seems on my WSUS server. This is the situation ;

• I have one test group and one main group

• Test group is downloading updates fine , but still getting errors in log

• main group has 10-15 computers that updated, the rest don't see the updates as available when I mouse over the computers in console.

• Performed the wuauclt /detectnow with no luck. Below are the error messages ; 2018-01-10  08:55:19:461    1044    440 AU  WARNING: There are no approved updates to install

Below are the error messages ; 2018-01-10  08:55:19:461    1044    440 AU  WARNING: There are no approved updates to install

2018-01-10  09:12:39:097    1044    172c    Report  WARNING: CSerializationHelper:: InitSerialize failed : 0x80070002

2018-01-10  09:07:20:352    1044    440 WuTask  WARNING: ValidateTriggersForAoAc, GetUserStringForUserSid failed, error = 0x80070534 2018-01-10  09:07:20:352    1044    440 WuTask  WARNING: ValidateTriggersForAoAc failed with: , error = 0x80070534 2018-01-10  09:07:20:352    1044    440 WuTask  WARNING: SessionConnectHandler, could not validate trigger for AoAC, error = 0x80070534 2018-01-10  09:07:20:352    1044    440 WuTask  WARNING: SessionConnectHandler, could not validate and register task, error = 0x80070534

2018-01-10  09:12:39:050    1044    1d58    Service WARNING: ConnectedStandbyMonitor: LPE state change outside of CS - ignoring

collection

All replies (26)

_{Thursday, January 11, 2018 1:50 PM}

2017-12-05 08:16:59:063 1056 286c WS WARNING: The server returned HTTP status code '403 (0x193)' with text 'Forbidden'.
2017-12-05 08:16:59:064 1056 286c WS WARNING: The server understood the request, but cannot fulfill it.
2017-12-05 08:16:59:064 1056 286c WS WARNING: The operation could not be completed because the channel has been aborted.
2017-12-05 08:16:59:065 1056 286c WS WARNING: Current service auth scheme='None'.
2017-12-05 08:16:59:065 1056 286c WS WARNING: Proxy List used: 'xxx.xxx.xx.xx:8080', Bypass List used: '(null)', Last Proxy used: 'xxx.xxx.xx.xx:8080', Last auth Schemes used: 'None'.

collection

_{Thursday, January 11, 2018 1:51 PM}

2017-12-05 08:16:59:065 1056 286c WS FATAL: OnCallFailure failed with hr=0X80244017
2017-12-05 08:16:59:066 1056 286c PT WARNING: PTError: 0x80244017
2017-12-05 08:16:59:066 1056 286c PT WARNING: SyncUpdates_WithRecovery failed.: 0x80244017

collection

_{Thursday, January 11, 2018 2:46 PM}

Are you using WAM? It usually fixes these issues.

Please have a look at the WSUS Automated Maintenance (WAM) system. It is an automated maintenance system for WSUS, the last system you'll ever need to maintain WSUS!

https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

What it does:

1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
2. Remove all Drivers from the WSUS Database (Default; Optional).
3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
4. Remove declined updates from the WSUS Database.
5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
6. Compress Update Revisions.
7. Remove Obsolete Updates.
8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
11. Run the Recommended SQL database Maintenance script on the actual SQL database.
12. Run the Server Cleanup Wizard.

It will email the report out to you or save it to a file, or both.

Although the script is lengthy, it has been made to be super easy to setup and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

.\Clean-WSUS.ps1 -FirstRun

If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Thursday, January 11, 2018 2:48 PM}

If after using WAM, and waiting 72-96 hours to see how the effect on machines is going, it may be required to run the following client side script on affected computers from an Administrative command prompt.

net stop bits
net stop wuauserv
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
rd /s /q "C:\WINDOWS\SoftwareDistribution"
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

Both of these combined should fix your issues.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Thursday, January 11, 2018 2:49 PM}

Thanks, I will try this.

collection

_{Wednesday, February 7, 2018 8:05 PM}

do i rename the name of the file to " Clean-WSUS"?

So I can call it like so in powerShell

.\Clean-WSUS.ps1 -FirstRun

collection

_{Wednesday, February 7, 2018 8:14 PM}

Yes, "Clean-WSUS.ps1"

Stick it in a folder like C:\Scripts

And then run .\Clean-WSUS.ps1 -FirstRun

(Follow the instructions at the top of the script as they indicate exactly how to run it).

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Wednesday, February 7, 2018 8:15 PM}

thank adam, so much.

will give this a go.

collection

_{Friday, February 9, 2018 1:10 PM}

Hello Adam,

The script is still running and its been over 12 hours.

Is this normal?

Thanks again

collection

_{Friday, February 9, 2018 2:02 PM}

Hello Adam,

The script is still running and its been over 12 hours.

Is this normal?

Thanks again

collection

Very much so. It can take between 10 minutes and days where the bulk fall into the 1 hour to 3 day mark.

It depends on a lot of factors including the server, the amount of data that it has to deal with, the amount of clients reporting in as it processes (taking up CPU cycles to respond to the client, rather than running the script), etc.

What stream is it currently running?

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Friday, February 9, 2018 2:14 PM}

THanks, its on moving actually.

Its on " compressUpdate Revisions"

collection

_{Friday, February 9, 2018 2:37 PM}

You've past the RemoveObsoleteUpdates section which usually takes the longest. It should finish fairly quickly now...

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Friday, February 9, 2018 2:39 PM}

Thank-you so much.

Running this script was in hopes to fix my issue that updates were not downloading.

I'm assuming / hoping that updates will resume in a day or two once the script is complete?

collection

_{Friday, February 9, 2018 2:45 PM}

After the script runs, examine the log for errors (TXT log in the same folder as the script, and/or via email). If you find errors, contact me through my website and reference this thread. If it wasn't successful, you may need to re-run -FirstRun a couple of times (up to 15).

After a successful FirstRun, do nothing else for 24-72 hours. After 72 hours (assuming systems are on during that 72 hours) check to see if they are working as expected. If they are not, delete the computer from WSUS and then run the client side script mentioned in an above post. Wait another 24-72 hours and then re-evaluate and report back.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Monday, February 12, 2018 1:36 PM}

Thanks so much Adam.

As you can expect, the script ran over the week-end and its still on the same part " RemoveObsoleteUpdates"

Perhaps i should cancel it and restart it?

Thanks

collection

_{Monday, February 12, 2018 1:42 PM}

No, don't cancel it.

Open up SSMS (run as Administrator) and connect to your WID instance

    WID2008 = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'
    WID2012Plus = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'

Then open a new query window and run the following

USE SUSDB
EXEC spGetObsoleteUpdatesToCleanup

This will give you how many rows it has to continue to process. Wait an hour or so and re-rerun it. You can then calculate how many per hour it's doing, and an approximate time to finish.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Monday, February 12, 2018 2:40 PM}

Thanks,  it has only has 4 rows left.

Perhaps its stuck, but I will check again in one hour!

added pic

collection

_{Monday, February 12, 2018 6:48 PM}

Hello,

Still no luck, still 4 row 4 hours later.

perhaps I can skip this part of the script?

Let me know what you think.

collection

_{Monday, February 12, 2018 7:13 PM}

Before doing anything, hit Enter in the powershell window. I'm curious if somehow it got paused by a selection or something. Then wait 1 more hour.

After that, cancel the script and restart it using -FirstRun again (it will pick up where you left off, but you'll lose the output of how many updates it removed before.)

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Monday, February 12, 2018 8:07 PM}

The script worked, cleand up 150 gigs around and no errors.

I will wait 24-72v hours and follow instructions above and report back.

Thanks again

collection

_{Wednesday, February 14, 2018 2:47 PM}

Hey Adam,

I checked and no computers started updating again. I followed your instructions for the client side script. Everything worked except for the last part, see below if it matters.

I ran the script and will wait 72 hours as indicated

Also, a newbie question, I have the same computer model. Some models have 150 computer updates installed and others have 230. This is my issue. All models should have the same model of updates installed correct?

collection

_{Wednesday, February 14, 2018 3:14 PM}

The Powershell is for Windows 10/2016 systems only (As Windows 10 deprecated wuauclt /detectnow switch and replaced it with that powershell command). They don't work on Windows 8.1 and lower systems. I take it this system is less than Windows 10. If not, the error in the message would give you the reason.

If all models are exact, some may have more software or different software on them (eg, office x86 vs x64), or some have silverlight and others don't, etc.

I would look at what are the needed updates are for the systems.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Wednesday, February 14, 2018 3:25 PM}

Thanks, they are on window 8.1 and have exactly the same software installed on them, as its being pushed out by SCCM.

Right now, I'm only choosing critical / security patches for office / windows.

My understanding is that all computers should have the same.

collection

_{Wednesday, February 14, 2018 3:28 PM}

and this is PC that looks good

collection

_{Wednesday, February 14, 2018 4:29 PM}

Delete the computer object from WSUS And let it come back either naturally or force it through 'check for updates'

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

_{Wednesday, February 14, 2018 4:32 PM}

updates are starting to come in again!!

Will keep you updated.

But looks good, real good!