Troubleshooting Software Update Services

With Microsoft issuing a service pack for its new updating tool, here's what I've learned since writing my original article on implementing and troubleshooting Software Update Services.

When I wrote "Patching the Holes," SUS was just born, a 1.0 version. Now there's SUS with SP1, with an updated SUS10SP1.EXE. If you’ve already deployed SUS, you might want to get the latest version and follow along.

With that in mind, this troubleshooting guide assumes:

Installation and Verification
SUS installation is straightforward, especially if you have the first article handy: Create a new GPO, and load the WUAU.ADM file. You’ll likely not want to create the GPO at the domain level, because if you do, you’re telling all computers (servers and workstations) to automatically download updates (and possibly reboot). So, create a test OU called “SUS Clients” and move about 10 computer accounts into it. Then link your new GPO to that OU.

Once created, be sure to use the latest WUAU.ADM. When you do, you’ll get even more policies to play with. I detail the new policies later, when I discuss SUS modes.

.ADM file loaded into GPO
Figure 1. The newest .ADM file loaded in a properly configured GPO. (Click image to view larger version.)

Is It Working Yet?
At this point you should have the server side set up correctly and performed an initial synchronization to the Microsoft mothership. You should also have approved updates applicable for your Win2K and Windows XP clients and servers.

Are your clients getting the updates? No? Try these basic steps:

  1. First, make sure the Automatic Updates service is running on the client. If not, start it up—and figure out why it didn’t start! Questions to explore: Did you actually distribute the .MSI (for SP2), or is SP3 really installed? The fastest way to start and restart the service is to use the NET STOP/NET START WUAUSERV command.
  2. Next, determine if clients are getting the GPOs you deployed. From the client computer, run GPresult (this utility is in the Windows 2000 Resource Kit). Do the same thing with XP, even though XP (with SP1) has a working GPresult—the one in the Win2K Resource Kit is better for registry-related troubleshooting. You could also use Windows XP’s Resultant Set of Policies (RSoP) information in the Help and Support Center, which will display the Registry entry in a readable fashion.

Running gpresult /v /c (v=verbose, c=computer) on a client machine should return the following:

The following settings were applied from: {the name of your GPO here}

KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate
ValueName: WUServer
ValueType: REG_SZ
Value: http://Vmserver1

KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate
ValueName: WUStatusServer
ValueType: REG_SZ
Value: http://Vmserver1

KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
ValueName: NoAutoUpdate
ValueType: REG_DWORD
Value: 0x00000000

KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
ValueName: AUOptions
ValueType: REG_DWORD
Value: 0x00000004

KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
ValueName: ScheduledInstallDay
ValueType: REG_DWORD
Value: 0x00000000

KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
ValueName: ScheduledInstallTime
ValueType: REG_DWORD
Value: 0x00000000

KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
ValueName: UseWUServer
ValueType: REG_DWORD
Value: 0x00000001

KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
ValueName: RescheduleWaitTime
ValueType: REG_DWORD
Value: 0x00000005

XP Caution (times two): Running Windows XP’s own GPResult doesn’t display the registry punches shown here. You may have to dip into the registry to make sure the changes are made on the correct keys. Still don't see it? If you're on an XP box, remember that XP takes multiple restarts to get the latest GPOs.

Another way to verify that the client has downloaded the Registry changes is to simply examine the Registry’s contents. In the HKLM|Software|Policies|Windows key, look for a subkey called WindowsUpdate. If this key is present, it will contain values that point at the SUS server and subkeys that contain the schedule information.

At this point, you can analyze what's in each Keyname, Valuename and Value above.

Of note is the Value of the first two settings, which specifies the server. The rest correspond to the other policies. To test this, change a value and make sure your client responds. On the client system, you'll likely need to do a secedit /refreshpolicy machine_policy for the change to take effect immediately (on XP, the command is gpupdate).

What’s Really Going on Under the Hood?
There's another magic place inside the client computer’s registry that SUS cares about. Group Policies and their registry punches dictate how the client will respond to our SUS server, but the Automatic Updates service has its own “internal” places that describe the current “state” of the client. Those registry locations can be found in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ WindowsUpdate. If you inspect this place in the registry, you can usually determine the current state of the client. Notice the DetectionStartTime entry in Figure 2? Here, the client should check for new updates and start to download them at this time. Several seconds later, LastWaitTimeout should appear (see Figure 3).

Figure 2. Peering into the Registry, you should now see DetectionStartTime, which indicates to the client when it should check for new updates. (Click image to view larger version.)


Figure 3. Same key, only this time LastWaitTimeout appears, indicating how much time should lapse before checking the SUS server for updates.(Click image to view larger version.)

LastWaitTimeout tells Automatic Update “If you don’t find anything to download now, wait for the specified amount of time before checking for updates.” According to the SUS deployment documentation (it’s not specifically spelled out in the Policy help), the number in the data column indicates that “every 22 hours minus a random offset, your Automatic Updates client computers will poll the server running SUS for approved updates to install." If the client doesn’t find any new updates at the DetectionStartTime, it will check again at the LastWaitTimeout time.

Checking on LastWaitTimeout
Figure 4. If no new updates are found at the DetectionStartTime state, Automatic Update reverts to the time shown in LastWaitTimeout to check for updates. (Click image to view larger version.)

In either case, the client will not look for new updates until after the installation of anything that was downloaded. This is important: If there are new critical updates to be downloaded, they simply won't be downloaded or installed until this first batch is processed.

If you want to "reset" the client and have Automatic Updates think it’s at square 0 again, open the client system’s Control Panel and select the Automatic Updates icon. Uncheck the “Keep my computer up to date…” option (see Figure 5) and click Apply. Then, select the same checkbox and click Apply again.

Update immediately
Figure 5. To reset the client to immediately check for updates, go to Control Panel | Automatic Updates, then click the “Keep my computer up to date…” option.

If you’re using Group Policy and specifying settings via the WUAU.ADM template, your checkbox will be automatically filled in and, hence, you won’t be able to unselect and reselect it. Instead, you’ll need to disable the GPO that houses WUAU.ADM and refresh the client with secedit for Win2K machines or gpupdate for XP machines. Then, you can actually watch the registry punches in this part of the registry get “reborn” while reading the log file and watching the event viewer to see that what’s going on under the hood is really happening.

Modality: Mode 3 vs. Mode 4
The ADM template we loaded has settings for specifying how SUS clients will obtain updates. The most critical policy to the entire operation, Configure Automatic Updates Properties policy (see Figure 6).

Configure Automatic Updates Properties
Figure 6. Use the Configure Automatic Updates Properties dialog to specify how SUS clients will obtain updates.

From the client’s perspective, SUS simply does three things and three things only: Detect and download updates from an SUS server; install them on the client machine; and—potentially—reboot the machine. In each of SUS’ modes, it performs the download and the update differently. Let’s examine each SUS mode.

Mode 3
When modifying the Configure Automatic Updates Properties policy, we need to first distinguish between each setting's function. Mode 3 says “Download the updates whenever. Once they’re downloaded, prompt for the initiation of the install.”

The key factor of Mode 3 is that it doesn’t prompt the user. Instead, it prompts the local administrator. Why would you want to do this? First, you might have an environment in which every user is an administrator of their local machine. This allows them to download updates automatically, then decide for themselves when they're ready for the install. Mode 3 can also be set up on your servers. You'd have a separate GPO for servers, set up to react to it. Each server downloads the updates, then, once an administrator logs on, she can simply install the update and reboot the machine if necessary at an appropriate time.

To repeat: Once the updates are downloaded, they are not installed until an administrator logs on to that machine and accepts the updates. I believe this causes the majority of people’s woes with SUS. They're using Mode 3 and not actually getting their updates installed on the client systems!

Mode 3 has nothing to do with scheduling whatsoever. The computer downloads the updates from the server whenever it feels like it (up to 22 hours), then just holds the updates until the local admin completes the install. If you look really closely at Figure 6, you'll see a note that states: "The following settings are only required and applicable if 4 is selected." So, let’s talk about Mode 4.

Mode 4
Mode 4 says “Download the updates from the server whenever the computer feels like it. However, once all the downloads are done, I want the update installation to happen at a specific time (presumably when no one is around.) Prompt whoever is logged on that the machine is going to reboot.”

Tip: While you’re configuring Mode 4, ensure you've set the policy for the time you actually want it to commence. Midnight is 00:00; if you set the policy to run at 10:00 AM, you might irritate a few users. Note that the updates should start installing directly on the stroke of that hour (or within about five minutes of that hour.).

If there are updates available (and the computer is on), it’s a crapshoot as to when the client will actually install the updates—assuming you’re using Mode 4. It could perform the updates today at the specified time, or it could be tomorrow at the specified time. The next scheduled time is determined when the client completes the download of the update.

But what happens if the computer is on, and the user is working? Will it just reboot the machine with the user’s data unsaved? This is where one of the new WUAU.ADM policies comes in. If the "No auto-restart for scheduled Automatic Updates" policy is enabled, the target computer won't reboot until the user on that machine says to. This is a major improvement over the original version of SUS, which would kick off all users when it was time to reboot.

But what happens if the computer's off and it misses the time it should have installed the updates? That’s where another one of the new WUAU.ADM policies comes in. If the "Reschedule Automatic Updates scheduled installation" policy is enabled, you can force it to install the updates the next time the computer boots. Once started, it will wait the assigned number of minutes before performing the installation. Set it to a low number, like one minute. This will force the computer to install the stored updates, and reboot if necessary before the user can even log on! If you set to a number like 20 minutes, the user will be interrupted by a prompt.

So now, assuming the updates are downloaded and scheduled (based on the ScheduledInstallDate registry entry; see above) you’ll get an Event 18 (in Mode 4) in the event log telling you when the installation will occur.

Mode 4
Figure 7. A computer in Mode 4 will show Event 18, specifying the installation procedure for updates and the scheduled time when the updates will occur. In Mode 4, the machine will install the updates as soon as the user tries to log on to that machine and reboot if necessary.


Mode 3
Figure 8. Successful updates on computer in Mode 3 requires local Administrator to be logged on that client. The machine will download the updates as scheduled, but it’s up to the local administrator to install them.



Q: "[Before loading SUS], why are end users able to install applications or run Windows Update on their machines at all?"

A: You're totally right. My brain was still in Windows 98-land. Only admins can run Microsoft Windows Update.

Q: "I followed your instructions on your original article, but I can’t seem to be able to get my “automatic updates” download from my server. It keeps pointing to

A: As I just stated in this article, admins can still go to Windows Update, but users will get turned away. Even so, in both cases Windows Update from within the browser points to that Microsoft site. Performing this SUS addition doesn't change that; you just bring additional scheduling functions to the table.

Clearly, you don't want admins going to that site anymore for updates. You can use another policy to stop this from happening. Do so by enabling the policy by clicking on User Configuration | Admin Templates | Start Menu and Taskbar | Remove links and access to Windows Update.

When you do, users and admins will get an Access Denied error if they perform a regular Windows Update (see Figure).

Access denied!
If users try to use Windows Update rather than Software Update Services, they'll be denied. (Click image to view larger version.)

Troubleshooting SUS
If you’re not getting this far, you might check out the Client’s Windows Update log file at %windir% \Windows Update.log. However, the client-side log doesn’t specifically tell you where in the process the client might be failing, nor does it tell you which patches’ .cab files from the server were successful and which ones bombed. At this point, the client-side log isn’t all that useful. However, I've seen some logs show specific error codes to signify specific problems (i.e. it can’t reach the server).

Those known error codes are detailed in the excellent SUS-SP1 deployment paper ( susdeployment.asp). It also has some server-side log reading tricks to help with troubleshooting. It even has some tricks I didn’t know about when I first wrote my original article. If you're successfully getting updates and event log entries in Mode 3, switch to Mode 4 and wait a day or so. At that point the client will automatically download the updates (within 22 hours) and install them at the time specified in the policy.

Hopefully, understanding the registry pieces of SUS clears up how and when SUS does its thing. And understanding the modes clears up why SUS it does its thing. Together, you can now deploy SUS with SP1 and do your thing.

Thanks to Bill Boswell for his technical input and troubleshooting assistance. Thanks to the SUS team at Microsoft for answering my questions and contributing feedback for this article.


comments powered by Disqus

Subscribe on YouTube