Tag: WSUS

PowerShell: Backup and Repair/ Reset Windows Update.

Posted in MicrosoftTagged , , , , Leave a comment

Troubleshooting Windows update can be a fruitless waste of time. The update service is complicated and often intertwined with third-party management tools. Thanks to supply chain attacks, updates get super scrutinized by security tools. That extra level can cause interference issues. In short, the Windows update process breaks a lot for a lot of reasons.

From my point of view, the best way to fix Windows update in many cases is to reset it. To do that, we need to stop the services so that the files are not in use. Then we’ll need to delete them. We also need to delete all of the Windows update settings from the registry.

In organizations that are audited it is ideal to make backups before altering settings or files. This script makes copies of all the files and settings before any changes are made. The backup copies are named with a date value known as ticks which generates a new number on every run. This makes the script an easy one to schedule as a repeating task using various methods. 

# This script executes the following actions:
# 1. Stops the Windows Services that access files in the SoftwareDistribution and CatRoot2 folders.
# 2. Appends the SoftwareDistribution and CatRoot2 folder names with a date stamp.
#       The SoftwareDistribution folder contains the cache for downloaded and installed updates.
#       The CatRoot2 folder contains the cache for downloaded and installed updates.
#       These folder contain the cache for downloaded and installed updates. Refreshing them often clears
#       patching issues.
# 3. Backs up, then removes the registry records under the key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\*
#       The records will automatically repopulate when Windows Update is run or on the next GPO cycle.
# 4. Starts the services that were stopped.
# If at all possible you should immediately run Windows update on a system after executing this script.
# Before the next GPO cycle runs and the changes are reverted.
# This script backs up the SoftwareDistribution and CatRoot2 folders by renaming them with a date stamp.
# This script is intended to be run as a local administrator on the system that needs repaired.
$DateStamp = Get-Date |Select-Object Ticks -ExpandProperty Ticks
Write-Host -ForegroundColor Yellow "Stopping Services that access Windows Update's files."
    Stop-Service "Windows Update" -Force -Confirm:$false
    Stop-Service "Background Intelligent Transfer Service"
    Stop-Service "Cryptographic Services"
    Stop-Service "Windows Installer" -Force -Confirm:$false
Write-Host  -ForegroundColor Yellow "Renaming C:\Windows\SoftwareDistribution to SoftwareDistribution.$DateStamp"
    Rename-Item -Path "C:\Windows\SoftwareDistribution" -NewName "SoftwareDistribution.$DateStamp" -Force -ErrorAction SilentlyContinue
Write-Host  -ForegroundColor Yellow "Renaming C:\Windows\System32\CatRoot2 to CatRoot2.$DateStamp"
    Rename-Item -Path "C:\Windows\System32\CatRoot2" -NewName "CatRoot2.$DateStamp" -Force -ErrorAction SilentlyContinue
Write-Host  -ForegroundColor Yellow "Renaming C:\Windows\System32\Catroot to Catroot.$DateStamp"
Write-Host  -ForegroundColor Yellow "Resetting WindowsUpdate Registry Keys to Default"
    # The registry keys will be recreated when Widows Update is run or on the next GPO cycle.
    If (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue) {
        Write-Host -ForegroundColor Yellow "Backing up the Windows Update registry keys to $env:USERPROFILE\Downloads\widowsupdateregistrykeys.$DateStamp.txt"
        Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" | Out-File -FilePath $env:USERPROFILE\Downloads\widowsupdateregistrykeys.$DateStamp.txt
        Remove-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Recurse -Force
        Write-Host -ForegroundColor Green "The Windows Update registry keys have been removed."
     } Else {
        Write-Host -ForegroundColor Green "The Windows Update registry keys do not exist."
    }    
Write-Host -ForegroundColor Green "Starting services that were previously stopped."
    Start-Service "Windows Update"
    Start-Service "Background Intelligent Transfer Service"
    Start-Service "Cryptographic Services"
    Start-Service "Windows Installer"
Write-Host -ForegroundColor Green "The script is complete. Windows Update has been repaired, please try your updates again ASAP."
Write-Host -ForegroundColor Red "The following errors occurred."
Write-Host -ForegroundColor Red $error
Pause
Exit
I tried to include some good feedback. Errors are displayed at the end.

I have relied on this script for a while. In its current form, it is intended to be run interactively in an admin PowerShell session. If you remove the write-host lines, the rest of the code makes a good function to add to the beginning of your patching processes.

WSUS 2016 Client Connectivity Troubleshooting

Posted in MicrosoftTagged Leave a comment

WSUS is usually pretty straight forward. Install the service on a server and configure a GPO to point your server’s and workstation’s Windows Update clients at it. I like to use Server Side targeting and a series of scripts to get the most flexibility from it.

Every once in a while you’ll end up with machines that won’t connect to the WSUS server for various reasons. For the most part the only feedback you receive are some hex error codes. You can look them up on-line but they generally fall into either connectivity or software issues. Rather than spend a lot of time researching each individual code I follow my own troubleshooting steps until I get to the culprit.

  • Connectivity – Many of the problems I have run into were caused by the client and sever losing contact with each other.
    • Try to telnet from your client machine to your server’s ip address on port 8530 or 8531 if you’re encrypting traffic. If you see a blinking cursor the port is open, a failed to connect message means you should start checking firewalls.
    • If you don’t have telnet installed, try PowerShell’s Test-connection. Example: Test-NetConnection -Port 8530 -ComputerName WSUSSERVER
    • The connection from client to server is a type of web request and occasionally proxy servers and other security systems get in the way. Open a browser on your client machine and go to http://wsus.server.fqdn:8530/ClientWebService/client.asmx or https://wsus.server.fqdn:8531/ClientWebService/client.asmx you should land on the simple auth service page.
      • If the port is open but the page won’t load, open an admin console window and run: netsh winhttp reset proxy.
  • Software –  If your client is able to talk to the server then your issue is with the software itself. Fear not, there are still several fixes you can employ.
    • Check the logs. On the client computer you’ll find the log @ C:\Windows\Windowsupdate.log there’s a bunch of data but use the find function of your app to search for error and failed. You may find the cause of your issue.
    • Windows update also writes some errors to the Application and System even logs.
    • If all else fails, start over. Occasionally the client and server disagree about what patches are installed or something has been corrupted. Follow the steps below to completely reset the problem machine.
      • Open the WSUS console, right click on the computer and delete it.
      • On the client computer:
      • Stop the Windows Update Service
      • Delete the contents of the C:\Windows\SoftwareDistribution folder
      • Open the registry and remove the contents of the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key
      • Open an Administrator CMD or PowerShell prompt and type: gpupdate /force
      • Start the Windows Update Service
      • In the Administrator CMD or PowerShell prompt type: wuauclt /detectnow
      • Run windows update