WSUS Health Check

Group Policy: Group Policy is the easiest way to configure automatic update settings for client systems in an Active Directory environment. To check whether the WSUS policy has been applied, log on to the client computer, open a command prompt, type gpresult.exe and press Enter. You will be presented with a list of the GPOs applied to that machine, including the WSUS policy. Alternatively, you can do the following.

1. Click Start>Administrative Tools>Group Policy Management. The Group Policy Management Console will come up.
2. At the bottom of the Console Tree, you will see a node called Group Policy Results. Right-click on it and choose Group Policy Results.
3. The Welcome to the Group Policy Results Wizard screen will come up. Just click Next.
4. Now you will come to the Computer Selection screen. You have the choice of This computer or Another computer. Now click Next.
5. Now you can select a specific user or check Do not display policy settings for the selected computer in the results (display user policy settings only). Since you are only interested in whether the Updates GPO has run, you will not select a user.
6. Next the Summary of Selections screen comes up, allowing you to review your selections. Once you've verified them, click Next and the Completing the Group Policy Results Wizard screen will come up. Click Finish. On the right, under Summary, click on Group Policy Objects>Applied GPOs. You should see the list of applied GPOs. In this case you are looking for the GPO WSUS Updates.

E-mail Notifications: WSUS 3.0 can send e-mail notifications of new updates and provide status reports to an administrator. To set this up do the following:
1. Create a user account for the WSUS server to use as an e-mail account. For instance, in our example we created a user account with a mailbox in our domain called WSUS.
2. Now open the WSUS Administrative Console, go to Options in the Console Tree area, then in the Details Pane select E-mail Notifications.
3. In the General tab of E-mail Notifications, as seen in Figure 3.59, put a check beside Send e-mail notification when new updates are synchronized and type the e-mail addresses of the recipients. If you have more than one recipient, separate them by commas.
4. If you are sending status reports to these recipients, put a check beside Send status reports. Select the frequency with which each report is sent (Weekly or Daily) and the time the reports are to be sent, and type in the names of the recipients. You can also select which language you wish the reports to be sent in.
5. Now that the information on the General tab is complete, go to the E-mail Server tab and enter the information about the SMTP server, its port number, the sender's name and e-mail address, and the username and password of the user that you created for the WSUS account earlier.
6. Once you've entered the correct information, click the Test button to verify your settings are correct. If everything looks correct, click OK and you're done.

Personalization: If you want to personalize the way information is displayed for a WSUS server, you can do so by clicking on Personalization within Options. This option allows administrators to choose how server rollup data is displayed, what items will be listed in the To Do list and how validation errors are displayed.

Automatic Approvals:  The Automatic Approvals option allows an administrator to automatically approve updates to be installed based on product and classification, and gives the ability to target which computers to set the automatic approval for. Automatic approvals are based on rules.

1. To create a new rule, first click on Automatic Approvals, found in Options.
2. In the Update Rules tab, select New Rule.
3. There are two steps in the Add Rule box. The first step is to select properties. For our example, we chose an update based on product, so we selected When an update is in a specific product. We could also specify a certain classification if we wanted to. Type a name for the rule, such as Windows 7 Approval.
4. The second step is to edit the properties or values. Click on the link for any product and in the list of products remove the check from All Products. Now scroll down to the listing for Windows and select Windows 7 Client. Click the Approve the update for link and select Windows 7 Computer Group. Click When update is in and select update rollups, features or whatever you need. Then click OK.
5. We are now back at the Add Rule box. Click the Windows 7 approval rule>click Run Rule.
6. Repeat step 2 to step 5 for all other computer groups, such as Windows Server 2008 x64.

Server Cleanup Wizard:  The Server Cleanup Wizard is used to help administrators manage their disk space by removing unused updates and revisions, deleting computers not contacting the server, deleting unneeded update files, declining expired updates, and declining superseded updates.

Important! If you have WSUS 3.0 downstream servers, you may see discrepancies in both upstream and downstream servers. Be extra careful when cleaning up the server.

Reports and logs: You can monitor WSUS event information in the Application Event Log of Windows. You can check detailed update reports, computer reports and synchronization reports from WSUS console>Reports.


Troubleshooting WSUS server

Are you struggling to troubleshoot your WSUS server? Some of you followed the steps I described in my previous post, Install and Configure WSUS—Step by Step, but could not get it going and still have issues with deployment. You might have a few issues with WSUS. Here are solutions for you.

Client not showing in WSUS Server:

There are several reasons a client may not appear in the WSUS server: a) the GPO or WSUS is misconfigured; b) the prerequisites for both server and client, as I mentioned in my post, have not been met.

Log on to the WSUS server as Domain Admin. Open WSUS Console>Options>Computers>select Use Group Policy or registry settings on computers>Apply>OK.

WSUS Console>Server Name>Computers>All Computers>add the proper computer groups, that is, the client target groups you specified in the GPO.

Are all the computers and servers pointing to the proper client target group, as specified in the GPO? Did you configure a parent GPO while the computers are pointing to a child GPO? Check the Group Policy Objects using the GPO management console to find any misconfiguration. Make sure the computer you are looking for in the WSUS console is placed under the right GPO. Run gpresult.exe from a command prompt to see the computer and user configuration. Wait until the GPO refresh time and you will see the client in the WSUS console.

Another way to see the client quickly in the WSUS console is to log on to the Windows XP SP2 client (it must have SP2). Run WUAUCLT /DETECTNOW and GPUPDATE /FORCE from a command prompt. Reboot the client and log back on.

Start menu>Run>type regedit.exe>OK. Now go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

You are supposed to see:

TargetGroup REG_SZ the group name set in the GPO, e.g. Desktop, WindowsXP, Windows7, Server
TargetGroupEnabled REG_DWORD 0x00000001 (1)
WUServer REG_SZ Http://ServerName:8530
WUStatusServer REG_SZ Http://ServerName:8530

This means the client is reporting to the WSUS server.

Another critical point to note here: do not use the default configuration port, which is 80. Use port 8530, because ISA Server or the corporate firewall might be pointing port 80 to the corporate web site unless a web publishing rule has been added in ISA.
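A scripted version of the registry and port check described above, as an added example that is not part of the original post. It uses the value names the Windows Update Agent reads under the WindowsUpdate policy key; the function names, the sample values and the expected group Windows7 are assumptions made for illustration.

```powershell
# Added example: validate a client's WSUS policy values against what the GPO should set.
function Test-WsusClientPolicy {
    param(
        [hashtable]$Policy,        # value name -> data, as read from the policy key
        [string]$ExpectedGroup     # client target group configured in the GPO
    )
    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if (-not $Policy[$name]) { $findings += "$name is not set" }
    }
    if ($Policy['WUServer'] -and $Policy['WUStatusServer'] -and
        ($Policy['WUServer'].TrimEnd('/') -ne $Policy['WUStatusServer'].TrimEnd('/'))) {
        $findings += 'WUServer and WUStatusServer point to different URLs'
    }
    $uri = $null
    if ($Policy['WUServer']) {
        if ([System.Uri]::TryCreate($Policy['WUServer'], [System.UriKind]::Absolute, [ref]$uri)) {
            # A URL without an explicit port resolves to 80, the default the post warns about.
            if ($uri.Port -eq 80) { $findings += 'WUServer uses port 80; the post recommends 8530' }
        } else {
            $findings += 'WUServer is not a valid absolute URL'
        }
    }
    if ($Policy['TargetGroupEnabled'] -ne 1) {
        $findings += 'TargetGroupEnabled is not 1; client-side targeting is off'
    } elseif ($Policy['TargetGroup'] -ne $ExpectedGroup) {
        $findings += "TargetGroup is '$($Policy['TargetGroup'])', expected '$ExpectedGroup'"
    }
    return ,$findings              # empty array means the policy looks as intended
}

function Get-WsusClientPolicy {
    # Reads the live values; returns an empty table if the key does not exist.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = @{}
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in 'WUServer', 'WUStatusServer', 'TargetGroup', 'TargetGroupEnabled') {
            $policy[$name] = $item.$name
        }
    }
    return $policy
}

# Constructed sample: a client left on the default port and in the wrong target group.
$sample = @{
    WUServer = 'http://ServerName'; WUStatusServer = 'http://ServerName:8530'
    TargetGroup = 'Desktop'; TargetGroupEnabled = 1
}
Test-WsusClientPolicy -Policy $sample -ExpectedGroup 'Windows7'
# On a live client: Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectedGroup 'Windows7'
```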

WSUS database full of BugCheck Dump causing WSUS to stop functioning:

***This file is generated by Microsoft SQL Server version 9.00.4035.00 upon detection of fatal unexpected error. Please return this file,  the query or program that produced the bugcheck, the database and the error log, and any other pertinent information with a Service Request***

***Stack Dump being sent to c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\SQLDump0154.txt***

I am one of the victims of this SQL error. This will occupy the entire disk space in the system partition, causing WSUS to stop working. This error has nothing to do with WSUS. This is purely an SQL problem. It happens when WSUS has been running for a long time and you don't run the cleanup wizard to clean the database and WSUS. I have to be honest here. I am not an SQL expert. I found some clues by searching books and Google: this SQL error occurs when an SQL index is corrupt. I logged on to the SQL server using Management Studio Express, followed this Microsoft link and ran DBCC CHECKDB. But this will not solve this issue. Basically, the SQL database is screwed. You have to back up the database, reinstall WSUS and restore, which will solve this issue. But my best suggestion would be a fresh installation of everything… start from scratch.

You may also try this link if you require re-indexing database.

Connection Error

“An error occurred trying to connect the WSUS server. This error can happen for a number of reasons. Check connectivity with the server. Please contact your network administrator if the problem persists.
Click Reset Server Node to connect the server again.”

Reason: WSUS-related Web services (IIS) may stop working when you upgrade a Windows Server 2003-based computer to Windows Server 2008.


Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.

Try removing the persisted preferences for the console by deleting the wsus file under C:\Documents and Settings\%username%\Application data\Microsoft\MMC\

To work around this problem, uninstall the ASP.NET role service in IIS, and then use Server Manager to reinstall the service. To do this, follow these steps:

  1. Click Start, click Administrative Tools, and then click Server Manager.
  2. Expand Roles, and then click Web Server (IIS).
  3. In the Role Services section, click Remove Role Services.
  4. Disable the ASP.NET check box, and then click Next.
  5. Click Remove.
  6. Wait for the removal process to finish, and then click Close.
  7. In the same Role Services section, click Add Role Services.
  8. Enable the ASP.NET check box, and then click Next.
  9. Click Install.
  10. Wait for the installation process to finish, and then click Close.
  11. Restart all WSUS-related services such as IIS, SQL and Update Services (location: Administrative Tools>Services).

WSUS debug tools

Download the WSUS debug tools from the Microsoft WSUS site. Extract Clientdiag.exe on the client machine and the WSUS server diagnostic tool on the WSUS server. In both cases extract to the %windir%\system32 location. Open a command prompt and change directory to %windir%\system32. Run clientdiag.exe (client machine) and wsusdebugtool.exe (WSUS server) from the command prompt. You can run both on the WSUS server to test whether the WSUS server is contacting itself for updates or not. If you see Checking Machine State PASS, the client is contacting WSUS.
