The creation of the Windows Update web site a few years ago revolutionized the way people with Microsoft products updated these products with the latest patches. Windows Update made it possible for a “mere mortal” to determine exactly which updates they needed to install and install them automatically. Windows Update greatly improved the the overall security of millions of Windows Desktops worldwide.
Windows Server Update Service (WSUS) is a free product from Microsoft that enables you to deploy your own Windows Update site within your own network and control which updates are installed on your equipment. With WSUS, an administrator can authorize updates for deployment after they are tested and also get detailed reports of which updates each computer needs. Another big benefit of WSUS is it enables updates to be deployed to computer while no one is logged in. The most common scenario is to have users log out each night and install patches during the off hours so the computers can be rebooted if necessary. Although WSUS can deploy patches for most Microsoft applications it is not a complete solution when it comes to maintaining a consistent configuration on all desktops and servers. For large environments, SMS should be considered because it gives you the ability to deploy, applications and Operating Systems. In addition SMS will provide detailed inventory information on the hardware and software you have in your environment.
I have been helping a customer bring their WSUS server back on line so they can get updates deployed until the SMS infrastructure they are designing has been completed. The information below is related to troubleshooting the deployment of WSUS and the Windows Update client.
Windows Update Client
WSUS requires the latest version of the Windows Update client software to be installed. Windows Server 2003 and Windows XP Service Pack 1 computers Will have the client by default. For all other you should go to Microsoft.com/downloads to get the latest WSUS client.
Download Windows Server Update Services (software & documentation)
Most of the troubleshooting that needs to be performed with WSUS is related to the clients installing updates and/or reporting they have installed updates. Keep one thing in mind when troubleshooting, nothing happens instantly with WSUS. The product is designed to be low maintenance and to have minimal impact on the operation of the computers that are clients. Don’t expect updates to be applied instantly. If you need that kinds of response, use SMS.
The WSUS client on each computer can be configured manually for small environments but Group Policy is the preferred way. The Group Policies are located at Computer Configuration > Administrative Templates > Windows Components > Windows Update. Confirm the GPO is configured with the correct server name and the GPO is linked to the correct OUs. At the client side, open a command prompt and run “GPUDATE /FORCE” (XP /2003 only) to apply the GPOs to the computer. Now type “GPRESULT” to see which GPOs are being applied to the computer. Confirm the GPO containing the WSUS settings was applied under Computer Settings.
There are two keys on the client that indicate that the computer is getting the WSUS settings from the GPO. The first contains the actual policy settings:
The second set of registry keys contains information specific to the computer such as the “SusClientId”, “NextDetectionTime”, “ScheduledInstallDate” etc.
Client Log Files
The are two locations on the local computer where information is logged for the WSUS client. The first tis the WindowsUpdate.log file located in the C:\Windows folder. This file contains a running log of all the activity the WSUS client performs.
The second log is named ReportingEvents.log and is located in the C:\Windows\SoftwareDistribution folder. Open this log file and go the the last few lines to see which updates are available for installation.
The easiest way to see what is happening is to compare the log files from a working computer to the logs on the computer you are troubleshooting.
Another area to look at is the C:\Windows\SoftwareDistribution\Download folder. This folder should contain tempo ray folder for recently downloaded updates pending installation.
Confirm GPO configuration and linkage to correct OU.
You should see the computer listed in the Unassigned Computers group once it begins reporting to the WSUS server.
Confirm the “Automatic Updates” and “Background Intelligent Transfer Service” is running on client and startup is set to automatic.
Run GPUPDATE & GPRESULT on client to confirm GPOs are being applied.
Check the registry keys and confirm they exist. If they do not, their may be conflicting GPO settings. Open a blank MMC and add the RSOP snap in. Run the RSOP snap in and review the WSUS settings are being configured. If they are not, another GPO may have the WSUS settings set to “disabled” instead of “not configured”.
Review Log files.
Stop and start the “Automatic Updates” and “Background Intelligent Transfer Service”services and then review the log files after a few minutes (remember, things do not happen instantly). The log files should indicate what updates are required and will be installed