You are currently offline, waiting for your internet to reconnect

How to troubleshoot software update scan failures in System Center 2012 Configuration Manager

Summary
There are several reasons that a software update scan could fail. Most problems involve communication or firewall issues between the client and the software update point computer. We describe some of the most common error conditions and their associated resolutions and troubleshooting tips here. 

Note For more information about software updates in Microsoft System Center 2012 Configuration Manager, click the following article number to view the article in the Microsoft Knowledge Base:
3092358 Software updates troubleshooting and maintenance in System Center 2012 Configuration Manager

Background

When you troubleshoot software update scan failures, you should focus on the WUAHandler.log and WindowsUpdate.log files. Because WUAHandler just reports what the Windows Update Agent reported, the error in the WUAHandler.log file would be the same error that was reported by the Windows Update Agent itself. Therefore, most information about the error will likely be found in the WindowsUpdate.log file. For more information about how to read the WindowsUpdate.log file, click the following article number to view the article in the Microsoft Knowledge Base:
902093 How to read the WindowsUpdate.log file
More information

Scan failures that are caused by missing or corrupted components

Errors 0x80245003, 0x80070514, 0x8DDD0018, 0x80246008, 0x80200013, 0x80004015, 0x800A0046, 0x800A01AD, 0x80070424, 0x800B0100, and 0x80248011 are caused by missing or corrupted components.

Several issues with the software update scan can be caused by missing or corrupted files or registry keys, component registrations, and so on. A good place to start is to run the Windows Update Troubleshooter to detect and fix these issues automatically. You can find the Windows Update Troubleshooter, together with the list of error codes it detects, in the following document: 
2714434 Description of the Windows Update Troubleshooter

It's also a good idea to make sure that you're running the latest version of the Windows Update Agent. For information about how to update the Windows Update Agent, click the following article number to view the article in the Microsoft Knowledge Base:: 
949104 How to update the Windows Update Agent to the latest version

If running the Windows Update Troubleshooter does not fix the problem, reset the Windows Update Agent data store on the client. To reset the Windows Update Agent data store, follow these steps:
  1. Stop the Windows Update service by running the following command:
    NET STOP WUAUSERV
  2. Rename the C:\Windows\SoftwareDistribution folder to C:\Windows\SoftwareDistribution.old.
  3. Start the Windows Update service by running the following command:
    NET START WUAUSERV
  4. Start a software update scan cycle. 

Scan failures that are caused by proxy-related issues

Errors 0x80244021, 0x8024401B, 0x80240030, and 0x8024402C are caused by proxy-related issues.

Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN. 

For proxy issues, WindowsUpdate.log may report errors that resemble the following:

0x80244021 or HTTP Error 502 - Bad gateway
0x8024401B or HTTP Error 407 - Proxy Authentication Required
0x80240030 - The format of the proxy list was invalid
0x8024402C - The proxy server or target server name cannot be resolved

In most cases, you can bypass the proxy for local addresses because as the WSUS computer is located within the intranet anyway. However, if the client is connected to the Internet, you must make sure that the proxy server is configured to enable that communication.

To view WinHTTP proxy settings, run one of the following commands, depending on your operating system:
Windows XP: proxycfg.exe
Windows Vista and later versions: netsh winhttp show proxy

Because proxy settings that are configured in Internet Explorer are part of the WinINET proxy settings, WinHTTP proxy settings aren't necessarily the same as the proxy settings that are configured in Internet Explorer. However, if the proxy settings are set correctly in Internet Explorer, you can import the proxy configuration from Internet Explorer.To import proxy configuration from Internet Explorer, run the following commands, depending on your operating system:
Windows XP: proxycfg.exe -u
Windows Vista and later versions: netsh winhttp import proxy source =ie
For more information, click the following article number to view the article in the Microsoft Knowledge Base::
900935 How the Windows Update client determines which proxy server to use to connect to the Windows Update website

Scan failures that are caused by issues that are related to HTTP time-out or authentication

Errors: 0x80072ee2, 0x8024401C, 0x80244023, or 0x80244017 (HTTP Status 401), 0x80244018 (HTTP Status 403)

Verify connectivity with the WSUS computer. During a scan, the Windows Update Agent has to communicate with the ClientWebService and SimpleAuthWebService virtual directories on the WSUS computer in order to run a scan. If the client can't communicate with the WSUS computer, the scan fails. This can occur for several reasons. These include port configuration, proxy configuration, firewall issues, and network connectivity. 

First, we need to find the URL of the WSUS computer. We can do this by checking the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate


Try to access the URL to verify connectivity between the client and the WSUS computer. For example, the URL you use should resemble the following:
http://SUPSERVER.CONTOSO.COM:8530/Selfupdate/wuident.cab

Then check whether the client can access the ClientWebService virtual directory. The URL for this should resemble the following:
http://SUPSERVER.CONTOSO.COM:8530/ClientWebService/wusserverversion.xml

Finally, check whether the client can access the SimpleAuthWebService virtual directory. The URL to for this test should resemble the following:
http://SUPSERVER.CONTOSO.COM:8530/SimpleAuthWebService/SimpleAuth.asmx

If these tests are successful, review the IIS logs on the WSUS computer to confirm that the HTTP errors are being returned from WSUS. If the WSUS computer is not returning the error, the issue is probably with an intermediate firewall or proxy.

If any of these fail, check for name resolution issues on the client. Verify that you can resolve the FQDN of the WSUS computer.

Also, verify the proxy settings on the client to make sure that they are configured correctly. For more information, see the "Scan failures that are due to proxy-related issues" section.

Finally, verify that the WSUS ports can be accessed. WSUS can be configured to use any of the following ports: 
  • 80
  • 443
  • 8530
  • 8531
For clients to communicate with the WSUS computer, the appropriate ports must be enabled on any firewall between the client and the WSUS computer. 

Port settings are configured when the software update point site system role is created. These port settings must be the same as the port settings that are used by the WSUS website. Otherwise, WSUS Synchronization Manager will not connect to the WSUS computer that is running on the software update point to request synchronization. The following procedures provide information about how to verify the port settings that are used by WSUS and the software update point.

Determine the WSUS port settings in IIS 6.0.
  1. On the WSUS server, open Internet Information Services (IIS) Manager.
  2. Expand Web Sites, right-click the website for the WSUS server, and then click Properties.
  3. Click the Web Site tab.
  4. The HTTP port setting is displayed in TCP port, and the HTTPS port setting is displayed in SSL port.
Determine the WSUS port settings in IIS 7.0 and later versions.
  1. On the WSUS server, open Internet Information Services (IIS) Manager.
  2. Expand Sites, right-click the website for the WSUS server, and then click Edit Bindings.
  3. In the Site Bindings dialog box, the HTTP and HTTPS port values are displayed in the Port column.

Verify and configure ports for the software update point. 
  1. On the Configuration Manager console, browse to Administration pane -> Site Configuration -> Servers and Site System Roles, and then click <SiteSystemName> in the right pane. 
  2. In the bottom pane, right-click Software Update Point and then click Properties.
  3. On the General tab, specify/verify the WSUS configuration port numbers.
After the ports are verified and configured correctly, you should check port connectivity from the client by running the following command:
telnet SUPSERVER.CONTOSO.COM <PortNumber>

If the port is inaccessible, telnet returns an error that resembles the following. (This error suggests that firewall rules must be configured to enable communication for the WSUS Server ports.)

Could not open connection to the host, on port <PortNumber>

Scan fails with error 0x80072f0c


Error 0x80072f0c translates to "A certificate is required to complete client authentication." This error should occur only if the WSUS computer is configured to use SSL. As part of the SSL configuration, WSUS virtual directories must be configured to use SSL, and they must be set to ignore client certificates. If the WSUS website or any of the virtual directories that were mentioned previously are configured incorrectly to "Accept" or "Require" client certificates, you receive this error.

When the site is configured in "HTTPS only" mode, the software update point is automatically configured to use SSL. When the site is in "HTTPS or HTTP" mode, you can chose whether to configure the software update point to use SSL. When the software update point is configured to use SSL, the WSUS computer must also be explicitly configured to use SSL. Before you configure SSL, you should review the certificate requirements and make sure that a Server Authentication certificate is installed on the software update point server.

Verify that the software update point is configured for SSL.
  1. On the Configuration Manager console, browse to Administration -> Site Configuration -> Servers and Site System Roles, and then click <SiteSystemName> in the right pane. 
  2. In the bottom pane, right-click Software Update Point, and then click Properties.
  3. On the General tab, click Require SSL communication to the WSUS Server.
Verify that the WSUS computer is configured for SSL.
  1. Open the WSUS console on the software update point for the site.
  2. In the console tree pane, click Options.
  3. In the display pane, click Update Source and Proxy Server.
  4. Verify that the Use SSL when synchronizing update information option is selected.
 Add the Server Authentication certificate to the WSUS administration website.
  1. On the WSUS computer, start Internet Information Services (IIS) Manager.
  2. Expand Sites, right-click Default Web Site or the WSUS administration website if WSUS is configured to use a custom website, and then select Edit Bindings.
  3. Click the HTTPS entry, and then click Edit.
  4. In the Edit Site Binding dialog box, select the server authentication certificate, and then click OK.
  5. In the Edit Site Binding dialog box, click OK, and then click Close.
  6. Exit IIS Manager.
Important Make sure that the FQDN that is specified in the Site System properties matches the FQDN that is specified in the certificate. If the software update point accepts connections from the intranet only, the Subject Name or Subject Alternative Name must contain the intranet FQDN. When the software update point accepts client connections from the Internet only, the certificate must still contain both the Internet FQDN and the intranet FQDN, because WCM and WSyncMgr still use the intranet FQDN to connect to the software update point . If the software update point accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN must be specified by using the ampersand (&) symbol delimiter between the two names.
Configure SSL on the WSUS computer.
The following link applies to System Center Configuration Manager 2007. However, you can follow the same steps to configure SSL on WSUS in 2012 Configuration Manager and 2012 R2 Configuration Manager.

How to Configure the WSUS Web Site to Use SSL

Important You cannot configure the whole WSUS website to require SSL, because then all traffic to the WSUS site would have to be encrypted. WSUS encrypts update metadata only. If a computer tries to retrieve update files on the HTTPS port, the transfer will fail.

Group Policy overrides the correct WSUS configuration information

The Software Updates feature automatically configures a local Group Policy setting for the Configuration Manager client so that it is configured to use the software update point source location and port number. Both the server name and the port number are required for the client to find the software update point. 

However, if an Active Directory Group Policy setting is applied to computers for software update point client installation, this overrides the local Group Policy setting. Unless the value of the setting that‘s defined in Group Policy is identical to the one that’s being set by Configuration Manager (server name and port), the Configuration Manager software update scan will fail on the client. In this case, the WUAHandler.log file shows the following:

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://server and Policy ENABLED

To resolve this issue, the software update point for client installation and software updates must be specified in the Active Directory Group Policy setting by using the correct name format and port information. For example, this if the software update point was using the default website, the software update point would be http://server1.contoso.com:80.

Other things to check

If all else fails, check the following things:
  1. Review the PolicyAgent.log file on the client to verify that the client is receiving policies.
  2. Verify that software update synchronization is successful on the software update point.
  3. If the WUAHandler.log file doesn't exist and isn't created after you start a scan cycle, the issue most likely occurs because one of the following isn't available: 
    • Software update scan policy
    • WSUS server location
  4. Verify that there are no communication errors in the CcmMessaging.log file on the client.
  5. If the management point returns an empty WSUS location response, there might be a mismatch in the content version of WSUS. In turn, this might be caused by failed synchronization. To find the content version of the software update point, go to Configuration Manager Console > Monitoring pane > Software Update Point Synchronization Status.

Notes

The complete list of Windows Update error codes can be found in the following Microsoft Knowledge Base article: 
938205 Windows Update error code list
SUP
Properties

Article ID: 3090184 - Last Review: 09/14/2015 22:49:00 - Revision: 4.0

Microsoft System Center 2012 Configuration Manager, Microsoft System Center 2012 Configuration Manager Service Pack 1, Microsoft System Center 2012 Configuration Manager Service Pack 2, Microsoft System Center 2012 R2 Configuration Manager

  • kbhowto kbexpertiseadvanced kbsurveynew kbinfo KB3090184
Feedback
y>