SBS 2011 WSUS issues - Any experts here??

[TLE]

Hi,

I have just recently installed SBS 2011 as I would like to make use of WSUS to update client PC's so as to reduce my bandwith usage. All sounds well and good but...

The SBS server will not self-update and the clients will not update. WSUS has synchronized and has downloaded the updates which have been approved for installation to the various groups. Whenever the server or client checks to see if any updates are available none are returned although they show in WSUS console as being required for those machines.

I have checked the WSUS virtual directorys and an error is produced when testing the connection.

The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.

I have ensured that the 'NetworkService' does have Read Access to the physical path, but still this error persists?

Does anyone have any ideas? as I am now tempted to try SBS 2008.

Here are some Windows Update logs from the SBS...

2011-03-14 12:22:16:734 936 1f2c Agent *************
2011-03-14 12:22:16:734 936 1f2c Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2011-03-14 12:22:16:734 936 1f2c Agent *********
2011-03-14 12:22:16:734 936 1f2c Agent * Online = Yes; Ignore download priority = No
2011-03-14 12:22:16:734 936 1f2c Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2011-03-14 12:22:16:734 936 1f2c Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2011-03-14 12:22:16:734 936 1f2c Agent * Search Scope = {Machine}
2011-03-14 12:22:16:734 936 1f2c Setup Checking for agent SelfUpdate
2011-03-14 12:22:16:734 936 1f2c Setup Client version: Core: 7.4.7600.226 Aux: 7.4.7600.226
2011-03-14 12:22:16:734 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2011-03-14 12:22:16:734 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:22:16:734 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2011-03-14 12:22:16:750 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:22:16:750 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2011-03-14 12:22:16:766 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:22:16:766 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2011-03-14 12:22:16:781 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:22:16:859 936 1f2c Setup Determining whether a new setup handler needs to be downloaded
2011-03-14 12:22:16:859 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe:
2011-03-14 12:22:16:875 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:22:16:875 936 1f2c Setup SelfUpdate handler update NOT required: Current version: 7.4.7600.226, required version: 7.4.7600.226
2011-03-14 12:22:16:875 936 1f2c Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.4.7600.226"
2011-03-14 12:22:16:875 936 1f2c Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.4.7600.226" is already installed.
2011-03-14 12:22:16:875 936 1f2c Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.4.7600.226"
2011-03-14 12:22:16:922 936 1f2c Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.4.7600.226" is already installed.
2011-03-14 12:22:16:922 936 1f2c Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.4.7600.226"
2011-03-14 12:22:16:984 936 1f2c Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.4.7600.226" is already installed.
2011-03-14 12:22:16:984 936 1f2c Setup SelfUpdate check completed. SelfUpdate is NOT required.
2011-03-14 12:22:17:234 936 1f2c PT +++++++++++ PT: Synchronizing server updates +++++++++++
2011-03-14 12:22:17:234 936 1f2c PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://THIRSKHOME-SVR:8530/ClientWebService/client.asmx
2011-03-14 12:22:20:572 936 1f2c PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2011-03-14 12:22:20:572 936 1f2c PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://THIRSKHOME-SVR:8530/ClientWebService/client.asmx
2011-03-14 12:22:21:305 936 1f2c Agent * Found 0 updates and 59 categories in search; evaluated appl. rules of 590 out of 925 deployed entities
2011-03-14 12:22:21:305 936 1f2c Agent *********
2011-03-14 12:22:21:305 936 1f2c Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2011-03-14 12:22:21:305 936 1f2c Agent *************
2011-03-14 12:22:21:321 936 698 AU >>## RESUMED ## AU: Search for updates [CallId = {4B2343F3-2E54-4FF3-86BF-B9DE7FCA38E1}]
2011-03-14 12:22:21:321 936 698 AU # 0 updates detected
2011-03-14 12:22:21:321 936 698 AU #########
2011-03-14 12:22:21:321 936 698 AU ## END ## AU: Search for updates [CallId = {4B2343F3-2E54-4FF3-86BF-B9DE7FCA38E1}]
2011-03-14 12:22:21:321 936 698 AU #############
2011-03-14 12:22:21:321 936 698 AU Successfully wrote event for AU health state:0
2011-03-14 12:22:21:321 936 698 AU Featured notifications is disabled.
2011-03-14 12:22:21:321 936 698 AU AU setting next detection timeout to 2011-03-14 13:22:19
2011-03-14 12:22:21:321 936 698 AU Successfully wrote event for AU health state:0
2011-03-14 12:22:21:321 936 698 AU Successfully wrote event for AU health state:0
2011-03-14 12:22:26:313 936 1f2c Report REPORT EVENT: {D294C2B3-A964-40B7-A363-8352D657E270} 2011-03-14 12:22:21:305-0000 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Software Synchronization Windows Update Client successfully detected 0 updates.
2011-03-14 12:22:26:313 936 1f2c Report REPORT EVENT: {2462B315-1028-40C3-B5E0-080077809916} 2011-03-14 12:22:21:305-0000 1 156 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Pre-Deployment Check Reporting client status.
2011-03-14 12:22:26:313 936 1f2c Report CWERReporter finishing event handling. (00000000)
2011-03-14 12:34:05:848 936 1f2c PT WARNING: Cached cookie has expired or new PID is available
2011-03-14 12:34:05:848 936 1f2c PT Initializing simple targeting cookie, clientId = c4fe28cc-8444-4b42-ae90-a7737408da68, target group = , DNS name = thirskhome-svr.homeitsolutions.local
2011-03-14 12:34:05:848 936 1f2c PT Server URL = http://THIRSKHOME-SVR:8530/SimpleAuthWebService/SimpleAuth.asmx
2011-03-14 12:34:06:050 936 1f2c Report Uploading 6 events using cached cookie, reporting URL = http://THIRSKHOME-SVR:8530/ReportingWebService/ReportingWebService.asmx
2011-03-14 12:34:06:082 936 1f2c Report Reporter successfully uploaded 6 events.
2011-03-14 12:38:03:899 936 11f8 AU Triggering AU detection through DetectNow API
2011-03-14 12:38:03:899 936 11f8 AU Triggering Online detection (interactive)
2011-03-14 12:38:03:899 936 18fc AU #############
2011-03-14 12:38:03:899 936 18fc AU ## START ## AU: Search for updates
2011-03-14 12:38:03:899 936 18fc AU #########
2011-03-14 12:38:03:899 936 18fc AU <<## SUBMITTED ## AU: Search for updates [CallId = {C4B7F445-9947-44ED-8C9D-FD9B42905D82}]
2011-03-14 12:38:03:899 936 1f2c Agent *************
2011-03-14 12:38:03:899 936 1f2c Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2011-03-14 12:38:03:899 936 1f2c Agent *********
2011-03-14 12:38:03:899 936 1f2c Agent * Online = Yes; Ignore download priority = No
2011-03-14 12:38:03:899 936 1f2c Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2011-03-14 12:38:03:899 936 1f2c Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2011-03-14 12:38:03:915 936 1f2c Agent * Search Scope = {Machine}
2011-03-14 12:38:03:915 936 1f2c Setup Checking for agent SelfUpdate
2011-03-14 12:38:03:915 936 1f2c Setup Client version: Core: 7.4.7600.226 Aux: 7.4.7600.226
2011-03-14 12:38:03:915 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2011-03-14 12:38:03:915 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:38:03:930 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2011-03-14 12:38:03:946 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:38:03:946 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2011-03-14 12:38:03:961 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:38:03:977 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2011-03-14 12:38:03:977 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:38:04:102 936 1f2c Setup Determining whether a new setup handler needs to be downloaded
2011-03-14 12:38:04:102 936 1f2c Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe:
2011-03-14 12:38:04:102 936 1f2c Misc Microsoft signed: Yes
2011-03-14 12:38:04:102 936 1f2c Setup SelfUpdate handler update NOT required: Current version: 7.4.7600.226, required version: 7.4.7600.226
2011-03-14 12:38:04:102 936 1f2c Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.4.7600.226"
2011-03-14 12:38:04:117 936 1f2c Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.4.7600.226" is already installed.
2011-03-14 12:38:04:117 936 1f2c Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.4.7600.226"
2011-03-14 12:38:04:180 936 1f2c Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.4.7600.226" is already installed.
2011-03-14 12:38:04:180 936 1f2c Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.4.7600.226"
2011-03-14 12:38:04:273 936 1f2c Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.4.7600.226" is already installed.
2011-03-14 12:38:04:273 936 1f2c Setup SelfUpdate check completed. SelfUpdate is NOT required.
2011-03-14 12:38:05:412 936 1f2c PT +++++++++++ PT: Synchronizing server updates +++++++++++
2011-03-14 12:38:05:412 936 1f2c PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://THIRSKHOME-SVR:8530/ClientWebService/client.asmx
2011-03-14 12:38:09:390 936 1f2c PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2011-03-14 12:38:09:390 936 1f2c PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://THIRSKHOME-SVR:8530/ClientWebService/client.asmx
2011-03-14 12:38:10:061 936 1f2c Agent * Found 0 updates and 59 categories in search; evaluated appl. rules of 590 out of 925 deployed entities
2011-03-14 12:38:10:061 936 1f2c Agent *********
2011-03-14 12:38:10:061 936 1f2c Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2011-03-14 12:38:10:061 936 1f2c Agent *************
2011-03-14 12:38:10:077 936 206c AU >>## RESUMED ## AU: Search for updates [CallId = {C4B7F445-9947-44ED-8C9D-FD9B42905D82}]
2011-03-14 12:38:10:077 936 206c AU # 0 updates detected
2011-03-14 12:38:10:077 936 206c AU #########
2011-03-14 12:38:10:077 936 206c AU ## END ## AU: Search for updates [CallId = {C4B7F445-9947-44ED-8C9D-FD9B42905D82}]
2011-03-14 12:38:10:077 936 206c AU #############
2011-03-14 12:38:10:077 936 206c AU Successfully wrote event for AU health state:0
2011-03-14 12:38:10:077 936 206c AU Featured notifications is disabled.
2011-03-14 12:38:10:077 936 206c AU AU setting next detection timeout to 2011-03-14 13:27:56
2011-03-14 12:38:10:077 936 206c AU Successfully wrote event for AU health state:0
2011-03-14 12:38:10:077 936 206c AU Successfully wrote event for AU health state:0
2011-03-14 12:38:15:068 936 1f2c Report REPORT EVENT: {5A28F3D7-A1BF-40A0-979D-F6FF0AC8AA36} 2011-03-14 12:38:10:061-0000 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Software Synchronization Windows Update Client successfully detected 0 updates.
2011-03-14 12:38:15:068 936 1f2c Report REPORT EVENT: {3012A149-A3A8-4F5E-9070-68EAB0F0ACD4} 2011-03-14 12:38:10:061-0000 1 156 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Pre-Deployment Check Reporting client status.
2011-03-14 12:38:15:068 936 1f2c Report CWERReporter finishing event handling. (00000000)


--------------------------------------------------------------------------------

TLE

 

[MobileTechie]

Did you configure any of this in the WSUS console as opposed to the SBS console? The reason I ask is that in SBS2008 at least, doing certain things in the WSUS console breaks the link between the two consoles and causes problems. I've no idea if the same problem exists in 2011. With SBS 2008 the rule is: if you can do it in the console then do it there because doing normal Server 2008/IIS/WSUS/Exchange things outside of the console occasionally screws it up.

Have you run the best practice analyser? Often that will find and help you solve various underlying problems.

I had WSUS problems with 2008 out of the box too which were solved by installing the latest rollups for SBS2008, service packs for 2008 Server and updating IIS and WSUS to the latest recommended versions.

Best place to ask is here: http://social.technet.microsoft.com/Forums/en/smallbusinessserver/threads

I got useful help here troubleshooting 2008, although I did end up reinstalling in the end. It can be tricky to troubleshoot as there is a lot going on one server.

 

[TLE]

Hey MT, I thought you would be first\only one to reply...

Yes I have used the WSUS console rather than the SBS console as I didn't want it downloading updates for every single product. This does break the connection with the console but apparantly doesn't stop WSUS from working. I may reverse that and check it out.

I will run the Best Practice Analyser this evening and see what the results are.

I have also posted this in the WSUS section of the technet forum, but it seems very slow to respond which is why I thought I would chance it here as well.

TLE

 

[MobileTechie]

Out of the box you'd expect it to work but SBS is so damned sensitive at times. I think the best way to deal with it is to do everything by the book and using the console until you have confirmed everything is running as it should be. This shouldn't require any special settings like changing permissions, but may require updates/SPs/rollups. Then take a full backup and only then start configuring it. Once it starts going wrong it can be a big headache sorting it out.

I think the problem is that it's lots of different things packaged together and it's the installation and subsequent wizards that hold it all together, giving each element (OS, exchange, IIS, WSUS etc) the settings that form ithem into a complete system. Normally you'd install these things yourself and with settings you made up. So to a certain extent it's like coming into a system someone else setup even though it's just been installed.

I've spent hours trying to work out exactly what a particular wizard is actually doing under the hood.

If you've not done so I highly recommend getting the trainsignal course and watching the videos from start to finish. I found it incredibly helpful. Plus if you absorb all of it, you'd be able to take the relevant MCP and pass which is cool. I find SBS quite rewarding as it's like a mini corporate environment in a box. There is a enough learning to be had to keep you occupied for a long time.

 

[TLE]

I managed to get to the bottom of this by reviewing the installation logs. A SharePoint update failed to install during the installation of SBS 2011. I downloaded the package but it wouldn't install successfully. The reason it failed?? I removed the installation media after the initial set up...Doh!!! I can only assume it shafted the web services which WSUS relies on so heavily.

Re-installed last night, and it is happily chugging away installing it updates from WSUS.

I have been backing it up at every possible opportunity, just in case. I will be installing Forefront this evening and spending a few hours adding the various exclusions in again!!!

 

[MobileTechie]

Oh good news. So in a way it was the same problem I had with not having up to date Sharepoint.

So which Forefront product are you installing?

 

[TLE]

Yeah, sound like the same issue. Just a shame it wouldn't install using the standalone fix. Oh well, lesson learnt.

I am using the older ForeFront Client, not the newer Endpoint version as it wouldn't install.

I have looked at Avast, Trend, AVG, Kaspersky, Eset and a few other but they are all just to expensive, or they have require that you get a minimum of 5 licences.

I decided to try out Forefront after speaking to the admins at my work as we use it on all of our servers here. The main thing is getting all the exceptions added which is time consuming and mundane. In addition to this, at heart, I'm a Yorkshire Man and don't like opening my wallet unless really necessary

The main thing when installing Forefront as a standalone client is that you use the 'clientsetup.exe /nomom' switch. You have to install it using cmd.

What AV did you go with in the end MT?

 

[MobileTechie]

Yeah, sound like the same issue. Just a shame it wouldn't install using the standalone fix. Oh well, lesson learnt.

I am using the older ForeFront Client, not the newer Endpoint version as it wouldn't install.

I have looked at Avast, Trend, AVG, Kaspersky, Eset and a few other but they are all just to expensive, or they have require that you get a minimum of 5 licences.

I decided to try out Forefront after speaking to the admins at my work as we use it on all of our servers here. The main thing is getting all the exceptions added which is time consuming and mundane. In addition to this, at heart, I'm a Yorkshire Man and don't like opening my wallet unless really neccasery

The main thing when installing Forefront as a standalone client is that you use the 'clientsetup.exe /nomom' switch. You have to install it using cmd.

What AV did you go with in the end MT?

I tried Avast but found their support bordering on rude so dropped that. However I believe the new version which might be out of beta by now has exceptions for SBS built in which would be attractive.

For a recent client I installed Eset Exchange for the server as a trial and MSE for the clients. As you know there doesn't appear to be an officially complete list of exceptions for SBS so you have to add up the exceptions for Exchange, Server, IIS, Sharepoint and SQL so it take quite a while. So far Eset hasn't caused any problems. It's not caught anything either but then it wouldn't by now. It seems pretty OK value-wise.