Troubleshooting issues with WSUS client agents

When you experience issues with the WSUS client agent they can manifest themselves in many ways. Some common problems are listed here:

  • It could be an issue with the client settings for Group Policy.
  • It could be an issue with BITS.
  • It could be an issue with the WSUS agent service.
  • It could be related to a network issue that prevents the client from reaching the server.
  • It could be an issue with the Automatic Update Agent Store.
  • It could be an issue in which clients have duplicate WSUS client IDs caused by disk cloning.

If you experience any of these issues, this guide is for you.

You can also find additional information on WSUS installation, configuration and administration in the TechNet Document Library for Windows Server Update Services 3.0 SP2.

What does this guide do?

Helps you diagnose and resolve issues with WSUS client agents that are not reporting to a WSUS server, or that cannot successfully retrieve updates from the server.

Who is it for?

IT professionals who need to resolve WSUS client agent issues.

How does it work?

We’ll take you through a series of steps to resolve your WSUS client agent issues.

Estimated time of completion:

10-15 minutes.

Verify that the client has the proper WSUS settings

When beginning to troubleshoot issues with a WSUS client agent, the first thing you’ll want to do is make sure the client is properly configured. Make sure that the proper Active Directory group policy is being received by the client and that the details of the WSUS server are present. You can do this by running the following commands from a Command Prompt:

GPRESULT /V > GPRESULT.TXT

then

Notepad GPRESULT.TXT

Find the name of your WSUS policy in GPRESULT.TXT. For example, if your WSUS policy is named WSUS, it will be visible in the GPRESULT.TXT file within the Computer Settings section under the Applied Group Policy Objects heading as shown in the example below:

Applied Group Policy Objects

-----------------------------

Default Domain Policy

WSUS

Local Group Policy

If the WSUS settings are not present then possible causes include:

  • The system does not have the group policy from the domain.
  • The group policy has not been targeted to the client system.

To address this, you need to make sure that the group policy is successfully updated on each client and that the WSUS setting is properly configured.

To update the group policy on the client, run GPUpdate /force from a command prompt.

For more information about configuring group policy for WSUS clients see the following TechNet documentation:

Configure Automatic Updates by Using Group Policy


Did this solve your problem?

BITS Configuration

The BITS service must run under the Local System user account, which is the default configuration. To configure the service to run under the correct account, open a command prompt and run the following command:

sc config bits obj= LocalSystem

Note that a space must occur between obj= and LocalSystem. If successful, you should receive the following:

[SC] ChangeServiceConfig SUCCESS

Next, stop and restart BITS by running the following commands from a Command Prompt:

sc stop bits

then

sc start bits


Did this solve your problem?

BITS jobs are failing

If the client is properly configured to receive updates, BITS is configured correctly, and BITS appears to start and run properly, you may be experiencing an issue where BITS jobs themselves are failing. To verify this, look in the event log for any BITS related errors. You can use the following table to diagnose the cause of these errors. 

Error name | Error code | Description
E_INVALIDARG | 0x80070057 | An incorrect proxy server name was specified in the user’s Internet Explorer proxy settings. This error is also seen when credentials are supplied for authentication schemes that are not NTLM/Negotiate, but the user name or password is null. Change the user’s IE settings to be a valid proxy server, or change the credentials not to be NULL user name/password for schemes other than NTLM/Negotiate.
ERROR_WINHTTP_NAME_NOT_RESOLVED | 0x80072ee7 | The server/proxy could not be resolved by BITS. Internet Explorer on the same machine in the context of the job owner would see the same problem. Try downloading the same file via the web browser using the context of the job owner.
ERROR_HTTP_INVALID_SERVER_RESPONSE | 0x80072f78 | This is a transient error and the job will continue downloading.
BG_E_INSUFFICIENT_RANGE_SUPPORT | 0x80200013 | BITS uses range headers in HTTP requests to request parts of a file. If the server or proxy server doesn’t understand Range requests and returns the full file instead of the requested range, BITS puts the job into the ERROR state with this error. Capture the network traffic during the error and examine if HTTP GET requests with “Range” header are getting valid responses. Check proxy servers to ensure that they are configured correctly to support Range requests.
BG_E_MISSING_FILE_SIZE | 0x80200011 | When BITS sends a HEAD request and the server/proxy does not return Content-Length header in the response, BITS puts the job in ERROR state with this error. Check the proxy server and WSUS server to ensure that they are configured correctly. Some versions of the Apache 2.0 proxy server are known to exhibit this behavior.
BG_E_HTTP_ERROR_403 | 0x80190193 | When the server returns HTTP 403 response in any of the requests, BITS puts the job in ERROR state with this error code. HTTP 403 corresponds to “Forbidden: Access is denied.” Check access permissions for the account running the job.
ERROR_NOT_LOGGED_ON | 0x800704dd | The SENS service is not receiving user logon notifications. BITS (version 2.0 and up) depends on logon notifications from Service Control Manager, which in turn depends on the SENS service. Ensure that the SENS service is started and running correctly.

Did this solve your problem?

BITS fails to start

If the BITS service fails to start, look in the event log for any BITS related error. You can use the following table to diagnose the cause of these errors.

Error name | Error code | Description
ERROR_SERVICE_DOES_NOT_EXIST | 0x80070424 | See the section on repairing the BITS configuration below.
ERROR_SERVICE_NOT_IN_EXE | 0x8007043B | BITS is not listed as one of the services in the netsvcs svchost group (does not apply to Windows 2000).
ERROR_SERVICE_DISABLED | 0x80070422 | BITS has been disabled. Enable the BITS service.
ERROR_SERVICE_DEPENDENCY_DELETED, ERROR_SERVICE_DEPENDENCY_FAIL | 0x80070433, 0x8007042c | A service appearing in the BITS service dependency list cannot be started. Make sure the dependency list for the BITS service is correct: Windows Vista: RpcSs, EventSystem (also http.sys and LanManWorkstation when peercaching is enabled); Windows Server 2003: Rpcss, EventSystem; Windows XP: Rpcss; Windows 2000: Rpcss, SENS, Wmi.
ERROR_PATH_NOT_FOUND | 0x80070003 | Pre-Windows Vista: %ALLUSERSPROFILE%\Microsoft\Network doesn’t exist.
ERROR_FILE_NOT_FOUND | 0x80070002 | The “Parameters” key is missing. Ensure that the following keys and values exist: HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ServiceDll= %SystemRoot%\System32\qmgr.dll
REGDB_E_CLASSNOTREG, EVENT_E_INTERNALERROR | 0x80040154, 0x80040206 | BITS for Windows 2000 is dependent on SENS and EventSystem services. If the COM+ catalog is corrupted, BITS may fail with this error code. See KB article Q315296 for details.

Check for issues relating to BITS

Background Intelligent Transfer Service (BITS) is the service used by WSUS to download updates from Microsoft Update to the main WSUS server as well as from WSUS servers to their clients. Some download issues may be caused by problems with BITS on the server or client computers. When you are troubleshooting download problems, you should ensure that BITS is running properly on all affected computers.

To view the BITS service status, open a command prompt and run the following command:

sc query bits

If BITS is running, you should see output similar to the following:

SERVICE_NAME: bits

TYPE: 20 WIN32_SHARE_PROCESS

STATE: 4 RUNNING

If BITS is not running, you will see output like the following:

SERVICE_NAME: bits

TYPE: 20 WIN32_SHARE_PROCESS

STATE: 1 STOPPED

Often it is possible to resolve BITS issues simply by stopping the service and restarting it. Note that you must be logged on as a local administrator to stop and restart BITS.

To stop and restart the BITS service, run the following commands from a Command Prompt:

sc stop bits

then

sc start bits

Congratulations!

Your WSUS client agent issue is resolved.

Sorry

It appears that we are unable to resolve your issue by using this guide. For more help resolving this issue, please see our TechNet support forum or contact Microsoft Support.

Issues with the WSUS agent service

Make sure that the Windows Update service is able to start successfully.

To view the current status of the Windows Update service, open a Command Prompt and run the following command:

sc query wuauserv

If WUAUSERV is running, you should see output similar to the following:

SERVICE_NAME: wuauserv

TYPE: 20 WIN32_SHARE_PROCESS

STATE: 4 RUNNING

If WUAUSERV is not running, you will see output like the following:

SERVICE_NAME: wuauserv

TYPE: 20 WIN32_SHARE_PROCESS

STATE: 1 STOPPED

Verify that you are able to start the WUAUSERV service successfully. Note that you must be logged on as a local administrator to stop and restart WUAUSERV.

To start the WUAUSERV service, run the following command from a Command Prompt:

sc start wuauserv

WUAUSERV fails to start

If the client agent fails to start and run properly, check the Windows Update Agent version. The details on how to do this can be found here:

http://technet.microsoft.com/en-us/library/bb680319.aspx

If you find that the agent is not up to date, update the Windows Update Agent to the latest version here:

949104 - How to obtain the latest version of the Windows Update Agent to help manage updates on a computer (http://support.microsoft.com/kb/949104)

For more information see http://technet.microsoft.com/en-us/library/bb932139.aspx

You can also use the utility provided in the following knowledge base article to reset the agent:

971058 - How do I reset Windows Update components? (http://support.microsoft.com/kb/971058)

Once you've run the fix or updated the agent, you can run wuauclt /detectnow from a Command Prompt and check the windowsupdate.log to make sure there are no issues.

Make sure the WSUS server is reachable from the client

Make sure that you can access the site http://<WSUSSERVER:port>/iuident.cab and download the file without errors.
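
The client-side checks covered so far (policy settings, the BITS and Windows Update services, and the iuident.cab download) can be collected in one read-only pass. This is an added example, not part of the original guide; it assumes PowerShell 3.0 or later and reads the server URL from the standard Windows Update policy key shown in the code, which the guide itself does not name.

```powershell
# Added example: read-only triage of the client-side checks described in this guide.
# Assumption: WSUS policy is written to the standard Windows Update policy key below.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientTriage {
    $report = [ordered]@{}

    # 1. Policy: is a WSUS server configured, and is the client told to use it?
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $report.WUServer       = $wu.WUServer
    $report.WUStatusServer = $wu.WUStatusServer
    $report.UseWUServer    = ($au.UseWUServer -eq 1)

    # 2. Services: state, start mode and logon account for BITS and Windows Update.
    foreach ($name in 'bits', 'wuauserv') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        $report["$name.State"]     = $svc.State
        $report["$name.StartMode"] = $svc.StartMode
        $report["$name.Account"]   = $svc.StartName   # BITS must show LocalSystem
    }

    # 3. Reachability: fetch iuident.cab from the configured server.
    if ($wu.WUServer) {
        $url = $wu.WUServer.TrimEnd('/') + '/iuident.cab'
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            $report.IuidentCab = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
        } catch {
            # Name resolution, proxy and HTTP errors all surface here.
            $report.IuidentCab = "FAILED: $($_.Exception.Message)"
        }
    } else {
        $report.IuidentCab = 'skipped: no WUServer policy value'
    }
    [pscustomobject]$report
}

Get-WsusClientTriage | Format-List
```

The download test runs with the calling user's proxy settings, so it corresponds to the browser test above rather than to the WinHTTP proxy settings.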

The WSUS server is not reachable from the client

If the WSUS server is unreachable from the client, the most likely causes include:

  • There is a name resolution issue on the client.
  • There is a network related issue (e.g. there's a proxy configuration issue).

Use standard troubleshooting procedures to verify name resolution is working on the network. If name resolution is working, the next step is to check for proxy issues. Check the windowsupdate.log (C:\windows\) and see if there are any proxy related errors. If so, you can run the proxycfg command to check the WinHTTP proxy settings. For more information on the proxycfg command please see the following:

Most clients will have the proxycfg utility already installed, but if not then you can download it here:

830605 - The Proxycfg.exe configuration tool is available for WinHTTP 5.1 (http://support.microsoft.com/kb/830605)

If you are finding proxy errors, go to Internet Explorer -> Tools -> Connections -> LAN Settings and configure the correct proxy, then make sure you can reach the WSUS URL specified.

Once done, you can copy these user proxy settings to the WinHTTP proxy settings using the proxycfg -u command. Once the proxy settings are specified, run wuauclt /detectnow from a Command Prompt and check the windowsupdate.log for errors.

Rebuild the Automatic Update Agent Store

When there are issues downloading updates and there are errors relating to the software distribution store then complete the following on the client:

  • Stop the Automatic Updates service by running sc stop wuauserv from a Command Prompt.
  • Rename the software distribution folder (e.g. C:\Windows\SoftwareDistribution).
  • Restart the Automatic Update service by running sc start wuauserv from a Command Prompt.
  • From a Command Prompt, run wuauclt /resetauthorization /detectnow.
  • From a Command Prompt, run wuauclt /reportnow.

Did this solve your problem?

Check for clients with the Same SUSclient ID

You may experience an issue where only one WSUS client will appear in the console, or you may notice that out of a group of clients, only one appears in the console at a time but the exact one that does appear may change over time. This issue can happen when systems are imaged and the clients end up having the same SUSclientID. For those clients that are not working properly due to having the same SUSclientID, complete the following:

  • Stop the Automatic Updates service by running sc stop wuauserv from a Command Prompt.
  • Delete the SUSclientID reg key from the following location: HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
  • Restart the Automatic Update service by running sc start wuauserv from a Command Prompt.
  • From a Command Prompt, run wuauclt /resetauthorization /detectnow.
  • From a Command Prompt, run wuauclt /reportnow.
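
To identify which imaged machines share an ID before applying the steps above, collect the value from each client and group on it. This is an added example, not part of the original guide; the host names and GUIDs in the inventory are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: detect clients that share a SusClientId after disk cloning.
$wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

# Read the local client's ID; returns $null if the value does not exist.
function Get-LocalSusClientId {
    (Get-ItemProperty -Path $wuKey -Name SusClientId -ErrorAction SilentlyContinue).SusClientId
}

# Group an inventory of (ComputerName, SusClientId) records and return only
# the IDs that are claimed by more than one computer.
function Find-DuplicateSusClientId {
    param([Parameter(Mandatory)] [object[]] $Inventory)
    $Inventory |
        Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

# Constructed sample inventory (hypothetical host names and GUIDs). In practice,
# build it from the output of Get-LocalSusClientId collected on each client.
$inventory = @(
    [pscustomobject]@{ ComputerName = 'PC-101'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-102'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-103'; SusClientId = '22222222-aaaa-4bbb-8ccc-000000000002' }
    [pscustomobject]@{ ComputerName = 'PC-104'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-105'; SusClientId = $null }   # value not generated yet
)

# Lists one row: the shared ID with PC-101, PC-102, PC-104.
Find-DuplicateSusClientId -Inventory $inventory | Format-Table -AutoSize
```

Every computer listed against a shared ID except the one currently visible in the console is not reporting to WSUS, so each of them needs the procedure above.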

Did this solve your problem?

Properties

Article ID: 10132 - Last Review: Mar 8, 2016 - Revision: 25
