The Microsoft Windows Server Update Services (WSUS) SelfUpdate service does not send automatic updates

Symptoms

When you try to use the Microsoft Windows Server Update Services (WSUS) SelfUpdate service to send automatic updates to client computers, the client computers do not receive the updates. Additionally, the client computers do not report to the WSUS server.

When this occurs, the WSUS Administration console logs the following error message:
Check your server configuration. One or more Update Service components could not be contacted. Check your server status and ensure that the Windows Server Update Service is running.
Non-running services: SelfUpdate
The event log may also include the following event:

Cause

This problem may occur if one or more of the following conditions are true:
  • The permissions on the C:\Program Files\Update Service\SelfUpdate directory are missing or incorrectly configured, or the IUSR_ComputerName account has been removed from the Users group.
  • The SelfUpdate virtual directory is missing from the WSUS server.
  • The SelfUpdate virtual directory is not configured for the default site on port 80.
  • The SelfUpdate virtual directory does not have anonymous access permissions.
  • The default Web site is configured to use specified IP addresses and is missing an entry for 127.0.0.1.
  • The default Web site does not have anonymous access permissions.
  • The WSUS server also has Microsoft Windows SharePoint Services installed, and the WSUS resources have not been excluded from SharePoint management.
  • The Selfupdate.msi installation was defective. Therefore, files are missing from the ~\Selfupdate subfolders.

Resolution

To resolve this problem, you must have the following minimum permissions on the C:\Program Files\Update Service\SelfUpdate directory.
Group                          Permissions
Administrators                 Full Control
System                         Full Control
Domain/Users or Local/Users    Read & Execute, Read, List Folders
IUSR_ComputerName              Read & Execute, Read, List Folders
Note IUSR_ComputerName represents the host name of the server that is running IIS where WSUS is installed. If this account is a member of the Users group, you do not have to explicitly define these permissions.
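
The minimum permissions listed above can be checked from PowerShell. The following script is an added example, not part of the original article; it assumes the default directory named in the article and English built-in account names, and it relies on the note above that IUSR_ComputerName is covered when it is a member of Users.

```powershell
# Added example, not from the article: compare the SelfUpdate ACL with the minimum table.
# Assumptions: default install path, English built-in account names.
$Path = 'C:\Program Files\Update Service\SelfUpdate'
$FSR  = [System.Security.AccessControl.FileSystemRights]
$Required = @(
    @{ Id = 'BUILTIN\Administrators'; Need = $FSR::FullControl },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Need = $FSR::FullControl },
    @{ Id = 'BUILTIN\Users';          Need = $FSR::ReadAndExecute }  # includes Read and List
)

function ConvertTo-SpecificRights {
    param([int]$Mask)
    # ACEs inherited under Program Files can carry generic bits, which Get-Acl shows as numbers.
    if ($Mask -band 0x10000000) { $Mask = $Mask -bor [int]($FSR::FullControl) }  # GENERIC_ALL
    if ($Mask -band 0x20000000) { $Mask = $Mask -bor [int]($FSR::ExecuteFile) }  # GENERIC_EXECUTE
    if ($Mask -band 0x80000000) { $Mask = $Mask -bor [int]($FSR::Read) }         # GENERIC_READ
    return $Mask
}

function Test-SelfUpdateAcl {
    param([string]$Path, [object[]]$Required)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return "Missing directory: $Path"
    }
    # Inherit-only ACEs apply to children, not to this folder, so they are skipped.
    $aces = (Get-Acl -Path $Path).Access |
        Where-Object { $_.PropagationFlags -notmatch 'InheritOnly' }
    $problems = @()
    foreach ($req in $Required) {
        $allow = 0; $deny = 0
        foreach ($ace in $aces | Where-Object { $_.IdentityReference.Value -eq $req.Id }) {
            $mask = ConvertTo-SpecificRights ([int]$ace.FileSystemRights)
            if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
            else                                    { $deny  = $deny  -bor $mask }
        }
        # Effective rights are the allowed bits minus any denied bits.
        $need = [int]$req.Need
        if ((($allow -band (-bnot $deny)) -band $need) -ne $need) {
            $problems += "$($req.Id) lacks $($req.Need) on $Path"
        }
    }
    return $problems
}

Test-SelfUpdateAcl -Path $Path -Required $Required   # no output means the minimums are met
```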

To resolve a problem where the SelfUpdate virtual directory is missing or there is no SelfUpdate virtual directory listed under the Web site that is bound to port 80, run the Selfupdate.msi file that is located in the Program files\Update services\Setup folder.

To resolve issues where the SelfUpdate virtual directory does not have anonymous access permissions, open IIS Manager, expand the default Web site, right-click the SelfUpdate virtual directory, and then click Properties. On the Directory Security tab, click Edit under Authentication and access control. Make sure that anonymous access is enabled.

Note This step should be performed for the default Web site as well.

The SelfUpdate tree does not work if you have a Web site that is bound to a specific IP address in your IIS configuration. The workaround is either to set your IIS configuration to respond to "All unassigned" addresses or to add 127.0.0.1 to the list of IP addresses used for SelfUpdate.

For information about how to configure WSUS to run on a computer that is also running Windows SharePoint Services, see page 87 in the Microsoft Windows Server Update Services Operations Guide. This guide is located on the following Microsoft Web site:

Use Internet Information Services (IIS) Management console to verify that the server is set up with one of the following two configurations.

Configuration 1: WSUS is installed on the default Web site


Configure the default Web site by using the following settings:
  • SelfUpdate
  • Content
  • ClientWebService
  • SimpleAuthWebService
  • WSUSAdmin
  • ReportingWebService
  • DssAuthWebService
  • ServerSyncWebService

Configuration 2: WSUS is installed on a custom Web site

Configure the default Web site on port 80 by using the following settings:
  • SelfUpdate
  • ClientWebService
Configure WSUS Administration on port 8530 with the following settings:
  • SelfUpdate
  • Content
  • ClientWebService
  • SimpleAuthWebService
  • WSUSAdmin
  • ReportingWebService
  • DssAuthWebService
  • ServerSyncWebService
Regardless of the configuration that you select, you must also verify the following settings:
  • You must configure the SelfUpdate virtual directory under the default Web site or any other Web site to listen on Port 80.
  • The SelfUpdate virtual directory points to C:\Program Files\Update Service\SelfUpdate.
  • The WSUSAdmin virtual directory is the only virtual directory in IIS that should have security set to Integrated Windows Authentication. Set all other virtual directories security to Anonymous Access Enabled.
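
The binding, virtual directory and authentication checks in this section can be collected into one audit. The following PowerShell is an added example, not part of the original article; it assumes IIS 7 or later with the WebAdministration module, and the site names passed to the function are assumptions for your server.

```powershell
# Added example, not from the article. Assumes IIS 7+ with the WebAdministration module.
Import-Module WebAdministration
$ExpectedPath = 'C:\Program Files\Update Service\SelfUpdate'

function Get-AuthEnabled {
    param([string]$Location, [string]$Scheme)
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "system.webServer/security/authentication/$Scheme" -Name enabled).Value
}

function Get-WsusIisFindings {
    param([string]$Site, [switch]$Port80Site)
    $findings = @()
    if ($Port80Site) {
        # SelfUpdate needs port 80 on "All unassigned" (*) or an entry for 127.0.0.1.
        $info = @(Get-WebBinding -Name $Site -Protocol http | ForEach-Object { $_.bindingInformation })
        $on80 = @($info | Where-Object { $_ -match ':80:[^:]*$' })
        if (-not $on80) { $findings += "$Site has no HTTP binding on port 80" }
        elseif (-not ($on80 | Where-Object { $_ -match '^(\*|127\.0\.0\.1):' })) {
            $findings += "$Site is bound to specific IP addresses without 127.0.0.1"
        }
        $vd = Get-WebVirtualDirectory -Site $Site -Name 'SelfUpdate'
        if (-not $vd) { $findings += "SelfUpdate virtual directory is missing under $Site" }
        else {
            $actual = [Environment]::ExpandEnvironmentVariables($vd.physicalPath).TrimEnd('\')
            if ($actual -ne $ExpectedPath) { $findings += "SelfUpdate points to $actual" }
        }
        if (-not (Get-AuthEnabled $Site 'anonymousAuthentication')) {
            $findings += "$Site does not allow anonymous access"
        }
    }
    $names = 'SelfUpdate','Content','ClientWebService','SimpleAuthWebService',
             'ReportingWebService','DssAuthWebService','ServerSyncWebService','WSUSAdmin'
    foreach ($name in $names) {
        if (-not (Test-Path "IIS:\Sites\$Site\$name")) { continue }   # not hosted on this site
        $anon = Get-AuthEnabled "$Site/$name" 'anonymousAuthentication'
        $win  = Get-AuthEnabled "$Site/$name" 'windowsAuthentication'
        if ($name -eq 'WSUSAdmin') {
            if ($anon -or -not $win) { $findings += 'WSUSAdmin is not restricted to Integrated Windows Authentication' }
        }
        elseif (-not $anon) { $findings += "$name does not allow anonymous access" }
        elseif ($win)       { $findings += "$name has Integrated Windows Authentication enabled" }
    }
    return $findings
}

Get-WsusIisFindings -Site 'Default Web Site' -Port80Site
# Configuration 2 only (assumed site name): Get-WsusIisFindings -Site 'WSUS Administration'
```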

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

When you use IIS, you can move the SelfUpdate directory to a different Web site. To do this, follow these steps:

References

For information about verifying WSUS and IIS configuration settings, visit the following Microsoft Web site:

For information about how to troubleshoot client self-update issues, visit the following Microsoft Web site:

For information about how to install and configure IIS for use with WSUS, visit the following Microsoft Web site:

For more information about automatic updates in Windows, click the following article number to view the article in the Microsoft Knowledge Base:
294871 Description of the Automatic Updates feature in Windows

Properties

Article ID: 920659 - Last Review: July 21, 2008 - Revision: 1
