For more information on Patch Manager, visit: http://www.solarwinds.com/patch-manager.aspx Tips & Solutions for Common WSUS Issues Deployment • Documentation • Database Engine • Target Group Management Operations • Superseded updates • Server Cleanup Wizard Diagnostics • Content Downloading • Duplicate SusClientID • High CPU Utilization • Client Diagnostics Tool • WindowsUpdate.log

1. Author
Lawrence Garvin, WSUS MVP
Common WSUS Issues in
Deployment, Operations, and
Diagnostics: Tips & Solutions

2. Tips & Solutions for Common WSUS Issues
 Deployment
» Documentation
» Database Engine
» Target Group Management
 Operations
» Superseded updates
» Server Cleanup Wizard
 Diagnostics
» Content Downloading
» Duplicate SusClientID
» High CPU Utilization
» Client Diagnostics Tool
» WindowsUpdate.log

3. Deployment
Documentation
 Release Notes (Must Read)
» http://go.microsoft.com/fwlink/?LinkId=71268 (WSUS v3 SP1)
» http://go.microsoft.com/fwlink/?LinkId=139840 (WSUS v3 SP2)
 WSUS Overview (New to Windows Update or WSUS)
» http://go.microsoft.com/fwlink/?LinkId=71266
 Step By Step Guide (First Time Installation)
» http://go.microsoft.com/fwlink/?LinkId=71267
 Deployment Guide (Advanced Installations)
» http://go.microsoft.com/fwlink/?LinkId=79983
 Operations Guide (How to Use WSUS)
» http://go.microsoft.com/fwlink/?LinkId=139828
 TechNet Library (Online)
» http://technet.microsoft.com/en-us/library/dd939796(WS.10).aspx

4. Deployment
Database Engine
 Windows Internal Database vs. SQL Server® Express
Edition
 SQL Server Express limited to 4GB database size
» SQL 2008 R2 increases to 10GB
 SQL Server Express limited to 1 CPU
 SQL Server Express limited to 1GB RAM
 Windows Internal Database not limited

5. Deployment
WSUS Target Groups
 Two groups created at installation
» Unassigned Computers
» All Computers
 Default group assignment methodology is Server-Side
Targeting
 Groups defined in policy must be manually created on the
WSUS server
 There is NO association between Active Directory® OUs and
WSUS Target Groups except that OUs are a method to
convey a policy setting to a group of client systems

6. Deployment
WSUS Target Groups
 Grouping strategies:
» By installed operating system
• E.g. Windows XP®, Windows 2003, Windows 2008, Windows 7
» By function or purpose
• E.g. DomainControllers, SQL, Microsoft Exchange Server®
» By location
• E.g. Corporate, Seattle, Miami, Australia
» These strategies can all be used together
 Groups can be hierarchical
 Clients can belong to multiple groups

7. Deployment
WSUS Target Groups

8. Deployment
WSUS Target Groups

9. Deployment
WSUS Target Groups

10. Deployment
WSUS Target Groups
 WSUS Server = Server; Policy = Enabled
» Server will permit assignment of group memberships
» Client will ignore changes made at the server because it
believes it is authoritative
» Client will scan/report based on the group(s) assigned in the
GPO

11. Deployment
WSUS Target Groups
 WSUS Server = GP; Policy = Not Enabled
» Server will prohibit assignment of group memberships
» Client will query WSUS Server for current group membership(s)
» Client will scan/report based on the group(s) last assigned at
the server
» New clients will be assigned to Unassigned Computers

12. Operations
Superseded Updates
 Handling superseded updates
» All superseded updates will be reported as Needed until an
update in the chain is installed.
» The Windows Update Agent (WUA) can recognize a
superseded update and that a superseding update is available.
» Ensure update is superseded for all applicable platforms.
» Declining unneeded superseded updates assists in
performance by reducing WUA scanning overhead.

13. Operations
Selecting superseded updates to decline

14. Operations
Server Cleanup Wizard

15. Operations
Server Cleanup Wizard

16. Operations
Server Cleanup Wizard
 Recommended frequency of execution
» Minimum: The Server Cleanup Wizard should be executed at least
monthly. The most ideal time is after your monthly Patch Tuesday
cycle, when new updates have been approved, and the Agent has
now reported older updates as NotApplicable.
» Recommended: If you have auto-approval rules in place for
Definition Updates, particularly for Forefront Client Security, you
should be using the Server Cleanup Wizard on a weekly basis.

17. Operations
Server Cleanup Wizard
 Recommended order of execution
1. Delete computers – reducing number of computers in the database
reduces the query effort to identify machines with “Needed” updates in later
phases.
2. Decline expired updates – This is usually a very short list, particularly if the
option to auto-decline expired revisions is approved.
3. Decline superseded updates – The update must not have an active
approval or be reported as needed by any client. Older updates that were
approved previously must be manually reset to Not Approved.
4. Delete expired updates/revisions – This is the most resource intensive step
because it requires removing rows from the database, which requires the
rewriting of associated index files.
5. Delete unneeded files – Once all updates have been set to the correct
approval status or deleted, then the deletion of files will have the most
effective result.

18. Operations
Server Cleanup Wizard
 Special considerations for use in a Replica environment.
» Assign all approvals/declinations; complete all downloads.
» Synchronize all servers and verify servers are idle.
» Disable synchronization on all servers.
» Run Server Cleanup Wizard on all servers.
» Manually synchronize all servers and confirm no unexpected changes.
» Re-enable synchronization on all servers.

19. Diagnostics
Content Downloading – General Notes
 Apparent slow downloading – Understanding BITS
 Issues affecting download failures on the WSUS Server are logged
in the Application Event Log of the WSUS Server
 There are two commonly encountered download failures:
» HTTP v1.1 Range Protocol Header
» Write Access Denied on non-SYSVOL volume

20. Diagnostics
Content Downloading – Range Protocol Header
 The Background Intelligent Transfer Service (BITS) requires the
use of HTTP v1.1 Range Protocol Headers in order to support
download and resume functionality.
 Some third party firewall and proxy server appliances and software
either do not support, or have not been properly configured by
default, to support the full capabilities of HTTP v1.1.
 Most notably this occurs in older SonicWall appliances.
» SonicWall has documented the necessary configuration changes on
their support website.

21. Diagnostics
Content Downloading – Access Denied
 A long standing defect in the .NET Framework v2.0 installer fails to
properly configure permissions for the NT AUTHORITYNetwork
Service account on volumes other than SYSVOL.
 When WSUS is then configured to place the ~WSUSContent
folder on a non-SYSVOL volume, WSUS is unable to write to the
content store.

22. Diagnostics
Content Downloading – Access Denied
 The remediation is to add READ
permissions to the ROOT of the
non-SYSVOL volume for the
Network Service account.

23. Diagnostics
Duplicate SusClientID
 Caused, almost exclusively, by cloning physical or virtual machines
from a master image containing a SusClientID registry value.
 Manifests in a number of different possible ways.
» The most common is by the continual appearance and
disappearance of machines in the WSUS Admin Console, marked by
a fixed number of machines always in the list. The fixed number
indicates the actual number of unique SusClientIDs in the
environment.
» It may also manifest as error codes 0x80070002, 0x80070006,
0x80072ee2, 0x80072efd, 0x80072efe, 0x8007400D, or 0x80244015
in the WindowsUpdate.log.

24. Diagnostics
Duplicate SusClientID
 This issue, with WUA v5.8 (WSUS v2) was resolvable by using the -reseal
parameter with sysprep. This worked because the WUA also maintained a
value named AccountDomainSID, and used that value to determine if the
SusClientID needed to be regenerated (anytime the AccountDomainSID
no longer matched the machine SID).
 This 'feature' was removed in the WUA v7 (WSUS v3) client, leaving
'sysprep -reseal' a non-functional solution to this issue.
 Good News!: New capabilities have been added to the WUA v7.4 (WSUS
v3 SP2) client, which will now auto-detect the presence of duplicate
SusClientIDs and automatically generate a new (unique) SusClientID.

25. Diagnostics
Duplicate SusClientID
 Best: Upgrade to WSUS v3 SP2 and WUAgent v7.4
 Preferred: Remove the SusClientID value from the master image
before cloning.
 Post-cloning: Remove the SusClientID value from each cloned
machine and restart the AU service (or reboot).
 See KB903262 for remediation details:
» http://support.microsoft.com/kb/903262

26. Diagnostics
SVCHOST.EXE 100% CPU Utilization
 WSUS v2.0/WUA v5.8 (Upgrade to WSUS 3.0 SP1 and apply
KB927891)
 WUA v7.1.6000.65, the WSUS 3.0 SP1 native client (Upgrade
WSUS to Service Pack 2 and update WUA to v7.4.7600.226)
 Large number of updates installed on Microsoft Office® 2003
(Reinstall Office 2003; apply Service Pack 3)
 Outlook® 2003 installed on Office XP® (SBS2003 environments
with Office XP on desktop) (Upgrade Office XP to Office 2003)
 Undeclined superseded updates on WSUS server (Decline
superseded updates)

27. Diagnostics
SVCHOST.EXE 100% CPU Utilization
 WUA v7.4.7600.226, the WSUS 3.0 SP2 native client and a conflict
with the Group Policy setting “Download missing COM
components”
» http://social.technet.microsoft.com/Forums/en-
US/winserverwsus/thread/daf131c5-6a4f-45d1-a03f-c39cea436b6f

28. Diagnostics
Client Diagnostics Tool
 is a console application (command-line only)
 is a 32-bit application (not available for 64-bit)
 was written for WSUS v2 (knows nothing about WSUS v3)
 can be downloaded from the MS Download Center or from the
“Tools and Utilities” link on the WSUS Home Page
» http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-
8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE

29. Diagnostics
Client Diagnostics Tool
 Tests four areas of interest
 The machine state (Rights, Services, WUA version)
 AU Settings
 Proxy Configuration (WinHTTP, IE)
 Ability to connect to the WSUS Server (selfupdate).

30. Diagnostics
Client Diagnostics Tool
CDT – Machine State

31. Diagnostics
Client Diagnostics Tool

32. Diagnostics
Client Diagnostics Tool
CDT – AU Settings

33. Diagnostics
Client Diagnostics Tool
CDT – Proxy Configuration

34. Diagnostics
Client Diagnostics Tool
CDT – WSUS Server Connection

35. Diagnostics
WindowsUpdate.log
 Located in %windir% (usually C:WINDOWS)
 Is a rolling log file (~30 days or 2MBytes)
 Detailed analysis guide contained in KB902093
 Key areas of interest:
» Service startup
» Selfupdate Check
» Detection
» Downloading
» Reporting

36. Diagnostics
WindowsUpdate.log – Service startup

37. Diagnostics
WindowsUpdate.log – Service startup

38. Diagnostics
WindowsUpdate.log – Service startup

39. Diagnostics
WindowsUpdate.log – Service startup

40. Diagnostics
WindowsUpdate.log – Service startup

41. Diagnostics
WindowsUpdate.log – Service startup

42. Diagnostics
WindowsUpdate.log – Selfupdate check

43. Diagnostics
WindowsUpdate.log – Detection

44. Diagnostics
WindowsUpdate.log – Detection

45. Diagnostics
WindowsUpdate.log – Detection

46. Diagnostics
WindowsUpdate.log – Detection

47. Diagnostics
WindowsUpdate.log – Download

48. Diagnostics
WindowsUpdate.log – Reporting

49. Helpful Resources
Hope these tips help you quickly solve your
WSUS errors. To free up more of your time, try
SolarWinds Patch Manager
Watch Video Test Drive Live Demo
Ask Our Community Download 30-day Free Trial
Click any of the links above
- Slide 49 -

50. Author: Lawrence Garvin, WSUS MVP
Thank You!
Feedback or questions
lawrence.garvin@solarwinds.com