[Rob Dunn]

Because of the amount of posts regarding this topic, I have decided to make a pinned topic to help you determine why your computers are not reporting into the WSUS console. If anyone has any further information to add/change, let me know, and I will combine entries here.

Some questions to ask yourself:

Client-related

Do my clients meet the requirements to run WSUS?

• Windows 2000 Service Pack 3 (SP3) and later
• Windows XP and later
• Windows Server 2003

Have you cloned your computers on the network? If yes, did you run Sysprep, Ghostwalker, or NewSID on the computers after they have been deployed with the new image?

Some symptoms of this may also include computers randomly disappearing/reappearing from/into your WSUS console. Another symptom is the computer will receive updates, but not report into the server properly (if at all!).

Each computer on a network requires a SID (Security IDentifier), which uniquely describes that computer account to the rest of the Windows network resources - supposedly not as big of an issue with computers in a domain environment as it is with workgroups. However, it is best to avoid this issue at all costs. When WSUS creates its own client ids, they are based off of the original computer SID. If these are duplicates of other computers (which happens with cloned environments where the aforementioned tools have NOT been run), then you can see how this might be a problem.

If you have not run either one of these tools (they are each mutually exclusive), then you will need to delete the WSUS Client ID keys on the affected workstations:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PingID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientId

Stop and start the Automatic Update service, then run 'wuauclt.exe /resetauthorization /detectnow'. You should see the computer report into the WSUS server shortly thereafter.

You can use this script to do it automatically for you - either a remote workstation or local (you should only need to perform this step once on each affected PC):
http://www.wsus.info...?showtopic=9134

Want to figure out which computers have duplicate SIDS?
Use psGetSID from Sysinternals: http://www.microsoft...s/psgetsid.mspx - You can run this against all computers in your domain to discover who has a duplicate SID.

You should really then run NewSID from Sysinterals on any of the duplicate computers to resolve any potential issues in the future (not to mention the security issues involved with having duplicate SIDS on the network): http://www.microsoft...ies/newsid.mspx

NOTE: You don't need to RUN NewSID on each computer prior to fixing the duplicate ID issue in WSUS, but it may rear its ugly head later on, so if you can find the time, I would recommend fixing this issue as soon as you can.

Active Directory
Did you apply your GPO to the appropriate OU? Did you apply the GPO to an OU that contains computer objects?

The WSUS GPO template applies to computer objects only. If you apply this GPO to an OU with user objects, the settings will not propagate to your computers.

Are you waiting long enough for your GPOs to be applied to your computers?

You can run GPUpdate on a workstation to force the computer to check in and pull down any new GPOs. If you are using Windows 2000, you will need to use SecEdit.

Link --> Refresh Group Policy settings with GPUpdate.exe

Command-line syntax for forcing a computer to check in and receive updated GPOs:

Windows 2000: secedit /refreshpolicy machine_policy /enforce
Windows XP/2k3: gpupdate /force

Be aware that if the GPO was configured/added to a DC in a multi-DC environment, GPUpdate may not work until the GPO is replicated to the computer's logon server.

Is the GPO even applying to your computer?

Use GPResult to Check if the policy is applying to your computer.

Link --> How to Use the Group Policy Results (GPResult.exe) Command Line Tool

Command-line syntax for checking the applicable GPOs against your computer:

Windows 2000: GPResult (You must download it first from: http://download.micr...S/gpresult.exe)
Windows XP/2k3: GPResult

If you don't see the GPO specified in the output of your GPResult, then you know you need to look to Active Directory as the source of the problem. If you do see the GPO applied here, then it is more likely an issue with the client (i.e. a duplicate SID issue).

Do you have 'Block Inheritance' set on your OU which would restrict a group policy from applying to the OU and objects contained therein?

In the GPO MMC, any OU that is blocking inheritance will have a blue exclamation point over the OU icon. Check with your system administrator before you start altering these settings - - they might be there for a reason!

----------------------------------------------------
Other things you can try:

Client issues:

• Save, extract, and run the client diagnostic tool on your affected PC: http://download.micr...stic%20Tool.EXE
  
• Check the windowsupdate.log file in the %windir% folder (i.e. c:\windows, c:\winnt, etc.) for issues. See this link (http://www.wsus.info...?showtopic=7407) to isolate your issue.

Server issues:

Save, extract, and run the server diagnostic tool on your affected Server: http://download.micr...ebug%20Tool.EXE

[mcmurray]

I had about 75 computers not reporting into the WUS server. Some showing up but then disappearing. I DID run Sysprep on the image that was used on these computers computer to reset the SID prior to deployment. For what ever reason it did not work so I must have made a mistake some where. I downloaded the utilities listed in this post and did the following.

Checked the SID numbers using the PSTools utility (psgetsid.exe) which proved the SID numbers to be duplicates.
Ran the newsid.exe utility provided by Microsoft to create a new sid for each computer
Ran the Set Autorization script provided in the post to delete the registry keys and restart the update service.

It takes about 20 minutes and the affected machines start showing up in the WUS database.

Thanks for the help! It Works.

[tbarkdull]

mcmurray, on Wed 28th Feb 2007, 05:57 pm, said:

:rolleyes:
I had about 75 computers not reporting into the WUS server. Some showing up but then disappearing. I DID run Sysprep on the image that was used on these computers computer to reset the SID prior to deployment. For what ever reason it did not work so I must have made a mistake some where. I downloaded the utilities listed in this post and did the following.

Checked the SID numbers using the PSTools utility (psgetsid.exe) which proved the SID numbers to be duplicates.
Ran the newsid.exe utility provided by Microsoft to create a new sid for each computer
Ran the Set Autorization script provided in the post to delete the registry keys and restart the update service.

It takes about 20 minutes and the affected machines start showing up in the WUS database.

Thanks for the help! It Works. :)

I too was having this issue, only a fraction of my PCs were showing up in WSUS, but all were getting updates. I ran NewSID on all and they all reported.

Now I have another issue. EVERY computer reports in 2 or 3 times each day and adds a new entry. So instaed of having 75 computers reporting, I have nearly 500! How do I clean it up?

[Magnet]

I was just testing initial install of my WSUS server in a disconnected network with single client as yet. It's an environment without AD and I am doing settings on Windows XP SP2 station using gpedit.

After importing WSUSContent and metadata successfully, all the updates showed up.

After making adequate changes to the gpedit, the machine instantly showed up on my WSUS computers tab. Client Diagnostic tool returned pass.
Updates required for this PC were identified as needed but showed "not approved" in remarks. I have kept settings to approve all although but even after doing "wuauclt /detectnow" and netstat showing an establishing connection with my WSUS, none of the "NEEDED" updates flowed down.

Then, I deleted my lone and sole computer from WSUS console and re-did gpupdate. Restarted my client and restarted my server. The machine just doesn't show up again.

Client Diagnostic tool is returning all the values as "PASS".

What should I do to make this workstation show again. It's not an SID issue as this is the ONLY client on my network yet configured to talk to WSUS?

Also, where do I find out that my WSUS is SP1 patched although I am sure it is for I recently downloaded it.

This post has been edited by Magnet: 12 Mar 2007, 08:22

[Magnet]

OK!! The next day morning, the machine showed up by itself.

But the upates were marked as 7 NEEDED. 'classified as 'Detect Only' even though, under options I had made all the updates marked as 'Approved'.

I had to manually approve the 7 needed updates before the client machine picked them up.

Is this a known bug in running WSUS in a 'disconnected' network mode?

[bryguy1]

Any info on clients not reporting in but getting the updates after SUS was unistalled on the server running WSUS? I am running into this issue.

[Rob Dunn]

bryguy1, on Fri 16th Mar 2007, 02:09 pm, said:

Any info on clients not reporting in but getting the updates after SUS was unistalled on the server running WSUS? I am running into this issue.

Did you check for duplicate client IDS? SUS was ignorant to this issue since it blindly distributed updates, and no client reporting was occuring...

[bryguy1]

I noticed that these clients were not being deleted from AD before being RIS'd. Once they were deleted then RIS'd they started reporting in.

[mcyr]

I still can not get it to work. If anyone is good with all of this and could pm and we could talk about via pm's or phone that would be greatly appreciated. I seemed to have tried everything method that you all have talked about, but it still is not working. Maybe i am putting in the wrong AD environment.
Although, I have tried all possible.
I have it all set up correctly in my GPO.
Everything seems right, it just is not working.
Any help would be awesome.

[allanpoegarcia]

I was having the same issue, my PC's would show up one day, then 'poof' gone the next, I followed the instructions Rob left and within minutes, the missing PC's showed up.

Thanks Rob for your post, you saved me from digging around the net.

btw, my test environment is:
No AD
NT4 Domain
using registry scripts to talk to WSUS server

[Rob Dunn]

mcyr, on Tue 3rd Apr 2007, 08:06 am, said:

I still can not get it to work. If anyone is good with all of this and could pm and we could talk about via pm's or phone that would be greatly appreciated. I seemed to have tried everything method that you all have talked about, but it still is not working. Maybe i am putting in the wrong AD environment.
Although, I have tried all possible.
I have it all set up correctly in my GPO.
Everything seems right, it just is not working.
Any help would be awesome.

Can you create a new thread in the main server forum, and post your:

• GPO settings
  
• GPResult, erm...results
  
• WindowsUpdate.log from an affected computer

[Rob Dunn]

allanpoegarcia, on Wed 4th Apr 2007, 05:37 pm, said:

I was having the same issue, my PC's would show up one day, then 'poof' gone the next, I followed the instructions Rob left and within minutes, the missing PC's showed up.

Thanks Rob for your post, you saved me from digging around the net.

btw, my test environment is:
No AD
NT4 Domain
using registry scripts to talk to WSUS server

Glad this helped you! This post was probably WAYYY overdue.

[VHCO-Admin]

Hey there, those tools have been a great help! Thank you much!

I am running the GPResult, and my local PC says it is connecting but back at my server, still no computers listed. i know the GP is applying on all the PC in the domain, but i cant get them to show up..

The server is running windows server 2003 with GP in AD
All the clients are on windows XP Pro
None of them were ghosted, all unique SIDs... im stumped...

Thanks for any advice!

***EDIT*** Solved the Problem, for some reason the custom group i had the computer objects in was limiting the WSUS to not see the computers. Moved them to the default directory and all is good now.

This post has been edited by VHCO-Admin: 08 May 2007, 14:31

[hersentoledo]

I had 3 domains and 7 servers out of domains, WSUS v3.0 is in the Contoso.com domain, other server are in different domains. I make a Group Policy for other domains, specify the wsus server FQDN and a script for out of domains servers, but this servers not register in WSUS console.
Script:

-WSUS.reg
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
@=""
"WUServer"="http://SAPL134.intra.banesco.com"
"WUStatusServer"="http://SAPL134.intra.banesco.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- WSUS.bat:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@echo off
Net Stop "wuauserv"
Echo Importing WSUS.reg
%windir%\Regedit.exe /s WSUS.reg
Echo WSUS.reg imported succesfully
Net Start "wuauserv"
Echo Forcing update detection
wuauclt /detectnow
Pause
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- WindowsUpdate.log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2007-05-31 14:41:45 1008 844 Misc =========== Logging initialized (build: 5.8.0.2694, tz: -0700) ===========
2007-05-31 14:41:45 1008 844 Misc = Process: C:\Windows\System32\svchost.exe
2007-05-31 14:41:45 1008 844 Misc = Module: C:\Windows\system32\wuaueng.dll
2007-05-31 14:41:45 1008 844 Service *************
2007-05-31 14:41:45 1008 844 Service ** START ** Service: Service startup
2007-05-31 14:41:45 1008 844 Service *********
2007-05-31 14:41:45 1008 844 Agent * WU client version 5.8.0.2694
2007-05-31 14:41:45 1008 844 Agent * SusClientId = '379e0821-276e-45e5-9707-6dd28a32687f'
2007-05-31 14:41:45 1008 844 Agent * Base directory: C:\Windows\SoftwareDistribution
2007-05-31 14:41:45 1008 844 Agent * Access type: No proxy
2007-05-31 14:41:45 1008 844 Agent * Network state: Connected
2007-05-31 14:42:30 1008 844 Agent *********** Agent: Initializing Windows Update Agent ***********
2007-05-31 14:42:30 1008 844 Agent *********** Agent: Initializing global settings cache ***********
2007-05-31 14:42:30 1008 844 Agent * WSUS server: <NULL>
2007-05-31 14:42:30 1008 844 Agent * WSUS status server: <NULL>
2007-05-31 14:42:30 1008 844 Agent * Target group: (Unassigned Computers)
2007-05-31 14:42:30 1008 844 Agent * Windows Update access disabled: No
2007-05-31 14:42:30 1008 844 DnldMgr Download manager restoring 0 downloads
2007-05-31 14:42:30 1008 844 AU ########### AU: Initializing Automatic Updates ###########
2007-05-31 14:42:30 1008 844 AU # Approval type: Pre-download notify (Policy)
2007-05-31 14:42:31 1008 844 AU AU setting pending client directive to 'Download Approval'
2007-05-31 14:42:45 1008 844 AU AU found 1 sessions to launch client into
2007-05-31 14:42:45 1008 844 AU Launched new AU client for directive 'Download Approval', session id = 0x0
2007-05-31 14:42:45 3596 ed8 Misc =========== Logging initialized (build: 5.8.0.2694, tz: -0700) ===========
2007-05-31 14:42:45 3596 ed8 Misc = Process: C:\Windows\system32\wuauclt.exe
2007-05-31 14:42:45 3596 ed8 AUClnt Launched Client UI process
2007-05-31 14:42:45 3596 ed8 AUClnt AU client got new directive = 'Download Approval', serviceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, return = 0x00000000
2007-05-31 14:42:45 3596 ed8 AUClnt AU client creating default WU/WSUS UI plugin
2007-05-31 14:42:45 1008 534 AU AU setting client response for sessionId 0x0 to 'Pending'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What I need to make for this working???

Regards...

[hersentoledo]

hersentoledo, on Fri 1st Jun 2007, 07:58 am, said:

I had 3 domains and 7 servers out of domains, WSUS v3.0 is in the Contoso.com domain, other server are in different domains. I make a Group Policy for other domains, specify the wsus server FQDN and a script for out of domains servers, but this servers not register in WSUS console.
Script:

-WSUS.reg
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
@=""
"WUServer"="http://SAPL134.intra.banesco.com"
"WUStatusServer"="http://SAPL134.intra.banesco.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- WSUS.bat:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@echo off
Net Stop "wuauserv"
Echo Importing WSUS.reg
%windir%\Regedit.exe /s WSUS.reg
Echo WSUS.reg imported succesfully
Net Start "wuauserv"
Echo Forcing update detection
wuauclt /detectnow
Pause
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- WindowsUpdate.log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2007-05-31 14:41:45 1008 844 Misc =========== Logging initialized (build: 5.8.0.2694, tz: -0700) ===========
2007-05-31 14:41:45 1008 844 Misc = Process: C:\Windows\System32\svchost.exe
2007-05-31 14:41:45 1008 844 Misc = Module: C:\Windows\system32\wuaueng.dll
2007-05-31 14:41:45 1008 844 Service *************
2007-05-31 14:41:45 1008 844 Service ** START ** Service: Service startup
2007-05-31 14:41:45 1008 844 Service *********
2007-05-31 14:41:45 1008 844 Agent * WU client version 5.8.0.2694
2007-05-31 14:41:45 1008 844 Agent * SusClientId = '379e0821-276e-45e5-9707-6dd28a32687f'
2007-05-31 14:41:45 1008 844 Agent * Base directory: C:\Windows\SoftwareDistribution
2007-05-31 14:41:45 1008 844 Agent * Access type: No proxy
2007-05-31 14:41:45 1008 844 Agent * Network state: Connected
2007-05-31 14:42:30 1008 844 Agent *********** Agent: Initializing Windows Update Agent ***********
2007-05-31 14:42:30 1008 844 Agent *********** Agent: Initializing global settings cache ***********
2007-05-31 14:42:30 1008 844 Agent * WSUS server: <NULL>
2007-05-31 14:42:30 1008 844 Agent * WSUS status server: <NULL>
2007-05-31 14:42:30 1008 844 Agent * Target group: (Unassigned Computers)
2007-05-31 14:42:30 1008 844 Agent * Windows Update access disabled: No
2007-05-31 14:42:30 1008 844 DnldMgr Download manager restoring 0 downloads
2007-05-31 14:42:30 1008 844 AU ########### AU: Initializing Automatic Updates ###########
2007-05-31 14:42:30 1008 844 AU # Approval type: Pre-download notify (Policy)
2007-05-31 14:42:31 1008 844 AU AU setting pending client directive to 'Download Approval'
2007-05-31 14:42:45 1008 844 AU AU found 1 sessions to launch client into
2007-05-31 14:42:45 1008 844 AU Launched new AU client for directive 'Download Approval', session id = 0x0
2007-05-31 14:42:45 3596 ed8 Misc =========== Logging initialized (build: 5.8.0.2694, tz: -0700) ===========
2007-05-31 14:42:45 3596 ed8 Misc = Process: C:\Windows\system32\wuauclt.exe
2007-05-31 14:42:45 3596 ed8 AUClnt Launched Client UI process
2007-05-31 14:42:45 3596 ed8 AUClnt AU client got new directive = 'Download Approval', serviceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, return = 0x00000000
2007-05-31 14:42:45 3596 ed8 AUClnt AU client creating default WU/WSUS UI plugin
2007-05-31 14:42:45 1008 534 AU AU setting client response for sessionId 0x0 to 'Pending'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What I need to make for this working???

Regards...

I find the solution for this. Is to necessary the value name “UseWUServer” with the value “1” in the route “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU”
Regards...

[kevintho]

Hi,

I ran the client diagnostic tool, and it showed that one of the diagnostic failed. I don't really have idea on how to solve that. The diagnostic is as below.

WSUS Client Diagnostics Tool

Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is running. . . PASS
Wuaueng.dll version 7.0.6000.374. . . . . . . . . . . . PASS
This version is WSUS 2.0

Checking AU Settings
AU Option is 3 : Notify Prior to Install. . . . . . . . PASS
Option is from Control Panel

Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . . NONE
Winhttp local machine ProxyBypass. . . . . . . NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy. . . . . . . . . . . . . . . . . NONE
User IE ProxyByPass. . . . . . . . . . . . . . NONE
User IE AutoConfig URL Proxy . . . . . . . . . NONE
User IE AutoDetect
AutoDetect not in use

Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL

[CzPeter]

Greetings All!

We have WSUS 2 on Win. Server 2003 and a standard workstation system with about 800 PC-s in one domain. All of them are installed, not cloned. Running the diagnostic tool they have the following messages:

WSUS Client Diagnostics Tool

Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is not running. PASS
Wuaueng.dll version 5.8.0.2607. . . . . . . . . . . . . PASS
This version is WSUS 2.0

Checking AU Settings
AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
Option is from Policy settings

Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . . NONE
Winhttp local machine ProxyBypass. . . . . . . NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy
prx-gtb.net.sanofi-aventis.com:3129
User IE ProxyByPass
<local>;*.sanofi-aventis.com;*.pharma.aventis.com;*.aventis.com;
*.enterprise;*.sanofi-synthelabo.com;*.sanofi.com;*.hmrag.com;*.sanofi-aventis-j
ob.com;https://analysis.ingenuity.com
User IE AutoConfig URL Proxy
http://wpad.sanofi-a.../config-gtb.ins
User IE AutoDetect
AutoDetect not in use

Checking Connection to WSUS/SUS Server
WUServer = http://ujpsips04.pha...ventis.com:8530
WUStatusServer = http://ujpsips04.pha...ventis.com:8530
UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
Connection to server. . . . . . . . . . . . . . . . . . PASS
SelfUpdate folder is present. . . . . . . . . . . . . . PASS

Press Enter to Complete

About 600 PCs workstations appear and report to WSUS. About 200 are appear but doesn't report. These 200 PCs most apear on "Unassigned Computers" group, but some of them appears on a self-made group. (We have more site)
I checked all the things mentioned by Rob at the start of this topic and everything is allright.
Maybe someone can tell me anyting about this.
Thx.
-Peter

This post has been edited by CzPeter: 10 Oct 2007, 01:05