Troubleshooting the Windows Update Client
Occasionally, you might discover a client that isn't automatically installing updates correctly. Typically, such clients are identified during software update audits, as described in the section titled "Tools for Auditing Software Updates" earlier in this tutorial. To identify the source of the problem, follow these steps:
- Determine the last time the client was updated. This can be done in two different ways:
by checking the client's registry (the most reliable technique) or, if you use WSUS, by
checking the Reports page on the WSUS Web site.
- To check the client's registry, open the HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results registry key. In each of the Detect, Download, and Install subkeys, examine the LastSuccessTime entry to determine when updates were last detected, downloaded, and installed.
- To check the WSUS server, open the Update Services console on the WSUS server. Click the Reports icon and then click Computer Detailed Status. Browse the computers to find the problematic computer and examine the updates that have been successfully installed, as well as those that have not yet been installed.
- Examine any error messages returned by the Windows Update client by viewing the
client's %SystemRoot%\WindowsUpdate.log file. This text file contains detailed output
from the Windows Update client, including notifications for each attempt to find,
download, and install updates. You can also use the WindowsUpdate.log file to verify
that the client is attempting to access the correct update server. Search for any error
messages in the Microsoft Knowledge Base for more troubleshooting information.
Note For detailed information about how to read the WindowsUpdate.log file, refer to Microsoft Knowledge Base article 902093 at http://support.microsoft.com/kb/902093/. - If you are using WSUS, verify that the client can connect to the WSUS server. Open a Web browser on the client and go to http://<WSUSServerName>/iuident.cab. If you are prompted to download the file, this means that the client can reach the WSUS server and it is not a connectivity issue. Click Cancel. If you are not prompted to download the file, you might have a name resolution or connectivity issue, or WSUS is not configured correctly. Troubleshoot the problem further by identifying why the client cannot communicate with the WSUS server using HTTP.
- If you can reach the WSUS server, verify that the client is configured correctly. If you are using Group Policy settings to configure Windows Update, use the Resultant Set of Policy (RSOP) tool (Rsop.msc) to check the computer's effective configuration. Within RSOP, browse to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node and verify the configuration settings.
- If you think WSUS is not configured correctly, verify the IIS configuration. WSUS uses IIS to update most client computers automatically to the WSUS-compatible Automatic Updates. To accomplish this, WSUS Setup creates a virtual directory named /Selfupdate under the Web site running on port 80 of the computer on which you install WSUS. This virtual directory, called the self-update tree, holds the latest WSUS client. For this reason, a Web site must be running on port 80, even if you put the WSUS Web site on a custom port. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS uses the site on port 80 only to host the self-update tree. To ensure that the self-update tree is working properly, first make sure a Web site is set up on port 80 of the WSUS server. Next, type the following at the command prompt of the WSUS server.
cscript <WSUSInstallationDrive>:\program files\microsoft windows server update services\setup\InstallSelfupdateOnPort80.vbs
More Info For more information about troubleshooting WSUS, visit http://technet.microsoft.com/en-us/library/cc708554.aspx.
If you identify a problem and make a configuration change that you hope will resolve it, restart the Windows Update service on the client computer to make the change take effect and begin another update cycle. You can do this using the Services console or by running the following two commands.
net stop wuauserv net start wuauserv
Within 6 to 10 minutes, Windows Update will attempt to contact your update server.
In this tutorial:
- Managing Software Updates
- Methods for Deploying Updates
- Windows Update Client
- Windows Server Update Services
- System Center Configuration Manager 2007 R2
- Manually Installing, Scripting, and Removing Updates
- Overview of Windows 7 Update Files
- How to Script Update Installations
- How to Remove Updates
- Deploying Updates to New Computers
- Other Reasons to Use a Private Network for New Computers
- Managing BITS
- BITS Behavior
- BITS Group Policy Settings
- Configuring the Maximum Bandwidth Served For Peer Client Requests Policy
- Managing BITS with Windows PowerShell
- Windows Update Group Policy Settings
- Configuring Windows Update to Use a Proxy Server
- Tools for Auditing Software Updates
- The MBSA Console
- MBSACLI
- Scheduling MBSA
- Troubleshooting the Windows Update Client
- The Process of Updating Network Software
- Assembling the Update Team
- Inventorying Software
- Creating an Update Process
- Discovering Updates
- Evaluating Updates
- Speeding the Update Process
- Retrieving Updates
- Testing Updates
- Installing Updates
- Removing Updates
- Auditing Updates
- How Microsoft Distributes Updates
- Security Updates
- Update Rollups
- Service Packs
- Microsoft Product Life Cycles