WSUS is usually pretty straightforward. Install the service on a server and configure a GPO to point your servers’ and workstations’ Windows Update clients at it. I like to use server-side targeting and a series of scripts to get the most flexibility from it.
Every once in a while you’ll end up with machines that won’t connect to the WSUS server for various reasons. For the most part the only feedback you receive is some hex error codes. You can look them up online, but they generally fall into either connectivity or software issues. Rather than spend a lot of time researching each individual code, I follow my own troubleshooting steps until I get to the culprit.
- Connectivity – Many of the problems I have run into were caused by the client and server losing contact with each other.
  - Try to telnet from your client machine to your server’s IP address on port 8530, or 8531 if you’re encrypting traffic. If you see a blinking cursor, the port is open; a failed to connect message means you should start checking firewalls.
  - If you don’t have telnet installed, try PowerShell’s Test-NetConnection. Example: Test-NetConnection -Port 8530 -ComputerName WSUSSERVER
  - The connection from client to server is a type of web request, and occasionally proxy servers and other security systems get in the way. Open a browser on your client machine and go to http://wsus.server.fqdn:8530/ClientWebService/client.asmx or https://wsus.server.fqdn:8531/ClientWebService/client.asmx. You should land on the simple auth service page.
  - If the port is open but the page won’t load, open an admin console window and run: netsh winhttp reset proxy
- Software – If your client is able to talk to the server, then your issue is with the software itself. Fear not, there are still several fixes you can employ.
  - Check the logs. On the client computer you’ll find the log at C:\Windows\WindowsUpdate.log. There’s a lot of data in it, so use the find function of your app to search for “error” and “failed”. You may find the cause of your issue.
  - Windows Update also writes some errors to the Application and System event logs.
  - If all else fails, start over. Occasionally the client and server disagree about what patches are installed, or something has been corrupted. Follow the steps below to completely reset the problem machine.
    - Open the WSUS console, right-click on the computer and delete it.
    - On the client computer:
      - Stop the Windows Update service
      - Delete the contents of the C:\Windows\SoftwareDistribution folder
      - Open the registry and remove the contents of the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key
      - Open an Administrator CMD or PowerShell prompt and type: gpupdate /force
      - Start the Windows Update service
      - In the Administrator CMD or PowerShell prompt type: wuauclt /detectnow
      - Run Windows Update
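
The connectivity and log checks above, gathered into one read-only PowerShell function as an added example (not part of the original post). The function name Test-WsusClient is hypothetical, and it assumes the GPO has written the WSUS URL to the WUServer value under the WindowsUpdate policy key named in the reset steps.

```powershell
# Added example: triage a client that will not report to WSUS.
# Run in an elevated prompt on the problem client. Nothing is changed.
function Test-WsusClient {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wuServer  = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).WUServer
    if (-not $wuServer) {
        Write-Warning "No WUServer value under $policyKey; the WSUS GPO is not applied here."
        return
    }

    # WUServer is a URL such as http://wsus.server.fqdn:8530
    $uri = [Uri]$wuServer
    "Policy points at $($uri.Host), port $($uri.Port) ($($uri.Scheme))"

    # 1. Port check, the same question the telnet test answers.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    "TCP connect succeeded: $($tcp.TcpTestSucceeded)"
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning 'Port is not reachable; start checking firewalls.'
        return
    }

    # 2. Web request check, the same question the browser test answers.
    $url = "$($wuServer.TrimEnd('/'))/ClientWebService/client.asmx"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "HTTP $($resp.StatusCode) from ${url}"
    } catch {
        Write-Warning "Port is open but the request failed: $($_.Exception.Message)"
        # Show the WinHTTP proxy before deciding to reset it.
        netsh winhttp show proxy
    }

    # 3. Last 20 log lines mentioning error or failed (match is case-insensitive).
    # On Windows 10 and later this file is only a stub; Get-WindowsUpdateLog
    # builds the readable log from the ETW traces.
    $log = 'C:\Windows\WindowsUpdate.log'
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'error|failed' |
            Select-Object -Last 20 |
            ForEach-Object { $_.Line }
    }
}

Test-WsusClient
```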