Troubleshoot issues with WSUS client agents

This article helps you diagnose and resolve issues with the Windows Server Update Services (WSUS) client agents.

Original product version:   Windows Server Update Services
Original KB number:   10132

When you experience issues with the WSUS client agents, they can manifest themselves in many ways. Some common problems are listed here:

  • It could be an issue with the client settings for Group Policy.
  • It could be an issue with BITS.
  • It could be an issue with the WSUS agent service.
  • It could be related to a network issue that prevents the client from reaching the server.
  • It could be an issue with the Automatic Update Agent Store.
  • It could be an issue in which clients have duplicate WSUS client IDs caused by disk cloning.

Verify that the client is configured correctly

When you troubleshoot issues with a WSUS client agent, the first thing is to make sure the client is properly configured. Make sure that the proper Active Directory Group Policy is being received by the client and that the details of the WSUS server are present. You can do this by running the following command from a Command Prompt:

GPRESULT /V > GPRESULT.TXT

Open the text file in Notepad and find the name of your WSUS policy. For example, if your WSUS policy is named WSUS, it will be visible in the GPRESULT.TXT file within the Computer Settings section under the Applied Group Policy Objects heading as shown in the example below:

Applied Group Policy Objects
-----------------------------
Default Domain Policy
WSUS
Local Group Policy

If the WSUS settings aren't present, possible causes include:

  • The system doesn't have the Group Policy from the domain.
  • The Group Policy isn't targeted to the client system.

To fix this issue, ensure that the Group Policy is successfully updated on each client and that the WSUS setting is properly configured.

To update the Group Policy on the client, run GPUpdate /force from a Command Prompt.

For more information about configuring Group Policy for WSUS clients, see Configure Automatic Updates by Using Group Policy.

Check for issues relating to BITS

Background Intelligent Transfer Service (BITS) is the service used by WSUS to download updates from Microsoft Update to the main WSUS server, as well as from WSUS servers to their clients. Some download issues may be caused by problems with BITS on the server or client computers. When you troubleshoot download problems, you should ensure that BITS is running properly on all affected computers.

The BITS service must run under the LocalSystem account by default. To configure the service to run under the correct account, follow these steps:

  1. Open a Command Prompt and run the following command:

    sc config bits obj= LocalSystem
    

    A space must occur between obj= and LocalSystem. If successful, you should receive the following output:

    [SC] ChangeServiceConfig SUCCESS

  2. Stop and restart BITS.

To view the BITS service status, open a Command Prompt and run the following command:

sc query bits

If BITS is running, you should see the following output:

SERVICE_NAME: bits
TYPE: 20 WIN32_SHARE_PROCESS
STATE: 4 RUNNING

If BITS isn't running, you will see the following output:

SERVICE_NAME: bits
TYPE: 20 WIN32_SHARE_PROCESS
STATE: 1 STOPPED

Usually it's possible to resolve BITS issues by stopping the service and restarting it. To stop and restart the BITS service, run the following commands from a Command Prompt:

sc stop bits
sc start bits

Note

You must be logged on as a local administrator to stop and restart BITS.

BITS fails to start

If the BITS service fails to start, look in the event log for any BITS-related error. You can use the following table to diagnose the cause of these errors.

Error name Error code Description
ERROR_SERVICE_DOES_NOT_EXIST 0x80070424 See the section on repairing the BITS configuration below.
ERROR_SERVICE_NOT_IN_EXE 0x8007043B BITS is not listed as one of the services in the netsvcs svchost group
ERROR_SERVICE_DISABLED 0x80070422 BITS has been disabled. Enable the BITS service.
ERROR_SERVICE_DEPENDENCY_DELETED ERROR_SERVICE_DEPENDENCY_FAIL 0x80070433, 0x8007042c A service appearing in the BITS service dependency list cannot be started. Make sure the dependency list for the BITS service is correct:
Windows Vista: RpcSs, EventSystem (also http.sys and LanManWorkstation when peercaching is enabled)
Windows Server 2003: Rpcss, EventSystem
Windows XP: Rpcss
Windows 2000: Rpcss, SENS, Wmi
ERROR_PATH_NOT_FOUND  0x80070003 Pre-Windows Vista: %ALLUSERSPROFILE%\Microsoft\Network doesn't exist
ERROR_FILE_NOT_FOUND  0x80070002 The Parameters key is missing. Ensure that the following keys and values exist:
HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ServiceDll= %SystemRoot%\System32\qmgr.dll

REGDB_E_CLASSNOTREG, EVENT_E_INTERNALERROR 0x80040154, 0x80040206 BITS for Windows 2000 is dependent on SENS and EventSystem services. If the COM+ catalog is corrupted, BITS may fail with this error code.

BITS jobs are failing

If the client is properly configured to receive updates, BITS is configured correctly, and BITS appears to start and run properly, you may be experiencing an issue where BITS jobs themselves are failing. To verify this, look in the event log for any BITS-related errors. You can use the following table to diagnose the cause of these errors.

Error name Error code Description
 E_INVALIDARG 0x80070057 An incorrect proxy server name was specified in the user's Internet Explorer proxy settings. This error is also seen when credentials are supplied for authentication schemes that are not NTLM/Negotiate, but the user name or password is null. Change the user's Internet Explorer proxy settings to be a valid proxy server. Or change the credentials not to be NULL user name/password for schemes other than NTLM/Negotiate. 
 ERROR_WINHTTP_NAME_NOT_RESOLVED  0x80072ee7 The server/proxy could not be resolved by BITS. Internet Explorer on the same machine in the context of the job owner would see the same problem. Try downloading the same file via the web browser using the context of the job owner.
 ERROR_HTTP_INVALID_SERVER_RESPONSE  0x80072f78 This is a transient error and the job will continue downloading.
 BG_E_INSUFFICIENT_RANGE_SUPPORT  0x80200013 BITS uses range headers in HTTP requests to request parts of a file. If the server or proxy server doesn't understand range requests and returns the full file instead of the requested range, BITS puts the job into the ERROR state with this error. Capture the network traffic during the error and examine if HTTP GET requests with Range header are getting valid responses. Check proxy servers to ensure that they are configured correctly to support Range requests. 
 BG_E_MISSING_FILE_SIZE  0x80200011 When BITS sends a HEAD request and the server/proxy doesn't return Content-Length header in the response, BITS puts the job in ERROR state with this error. Check the proxy server and WSUS server to ensure that they are configured correctly. Some versions of the Apache 2.0 proxy server are known to exhibit this behavior.
 BG_E_HTTP_ERROR_403  0x80190193 When the server returns HTTP 403 response in any of the requests, BITS puts the job in ERROR state with this error code. HTTP 403 corresponds to Forbidden: Access is denied. Check access permissions for the account running the job.
 ERROR_NOT_LOGGED_ON  0x800704dd The SENS service is not receiving user logon notifications. BITS (version 2.0 and later) depends on logon notifications from Service Control Manager, which in turn depends on the SENS service. Ensure that the SENS service is started and running correctly.

Repair a corrupted BITS configuration

To repair corrupted BITS service configuration, you can enter the BITS service configuration manually.

Note

This action should only be taken in circumstances where all other troubleshooting attempts have failed. You must be an administrator to modify the BITS configuration.

To repair a corrupted BITS configuration, follow these steps:

  1. Open a Command Prompt.

  2. Enter the following commands, press ENTER after you type each command:

    sc config bits binpath= "%systemroot%\system32\svchost.exe –k netsvcs"
    sc config bits depend= RpcSs EventSystem
    sc config bits start= delayed-auto
    sc config bits type= interact
    sc config bits error= normal
    sc config bits obj= LocalSystem
    sc privs bits privileges= SeCreateGlobalPrivilege/SeImpersonatePrivilege/SeTcbPrivilege/SeAssignPrimaryTokenPrivilege/SeIncreateQuotaPrivilege
    sc sidtype bits type= unrestricted
    sc failure bits reset= 86400 actions=restart/60000/restart/120000
    
  3. Stop and restart BITS.

Issues with the WSUS agent service

Make sure that the Windows Update service is able to start successfully.

To view the current status of the Windows Update service, open a Command Prompt and run the following command:

sc query wuauserv

If WUAUSERV is running, you should see the following output:

SERVICE_NAME: wuauserv
TYPE: 20 WIN32_SHARE_PROCESS
STATE: 4 RUNNING

If WUAUSERV isn't running, you will see the following output:

SERVICE_NAME: wuauserv
TYPE: 20 WIN32_SHARE_PROCESS
STATE: 1 STOPPED

Verify that you can start the WUAUSERV service successfully. You must be logged on as a local administrator to stop and restart WUAUSERV.

To start the WUAUSERV service, run the following commands from a Command Prompt:

sc start wuauserv

If the client agent fails to start and run properly, check the Windows Update Agent version. If the agent is not up to date, update the Windows Update Agent to the latest version. For more information, see How to Install the Windows Update Agent on Client Computers.

You can also reset Windows Update components.

After you run the fix or update the agent, run wuauclt /detectnow from a Command Prompt and check windowsupdate.log to make sure there is no issues.

Make sure the WSUS server is reachable from the client

Make sure that you can access the URL http://<WSUSSERVER:port>/iuident.cab and download the file without errors.

If the WSUS server is unreachable from the client, the most likely causes include:

  • There is a name resolution issue on the client.
  • There is network-related issue, such as a proxy configuration issue.

Use standard troubleshooting procedures to verify name resolution is working on the network. If name resolution is working, the next step is to check for proxy issues. Check windowsupdate.log (C:\windows) to see if there are any proxy related errors. If yes then you can run the proxycfg command to check the WinHTTP proxy settings.

If there are proxy errors, go to Internet Explorer > Tools > Connections > LAN Settings, configure the correct proxy, and then make sure you can access the WSUS URL specified.

Once done, you can copy these user proxy settings to the WinHTTP proxy settings by using the proxycfg -u command. After the proxy settings are specified, run wuauclt /detectnow from a Command Prompt and check windowsupdate.log for errors.

Rebuild the Automatic Update Agent Store

When there are issues downloading updates and there are errors relating to the software distribution store, complete the following steps on the client:

  • Stop the Automatic Updates service by running sc stop wuauserv from a Command Prompt.
  • Rename the software distribution folder (for example, C:\Windows\SoftwareDistribution).
  • Restart the Automatic Update service by running sc start wuauserv from a Command Prompt.
  • From a Command Prompt, run wuauclt /resetauthorization /detectnow.
  • From a Command Prompt, run wuauclt /reportnow.

Check for clients with the same SUSclient ID

You may experience an issue where only one WSUS client appears in the console. Or you may notice that out of a group of clients, only one appears in the console at a time but the exact one that does appear may change over time. This issue can happen when systems are imaged and the clients end up having the same SUSclientID.

For those clients that are not working properly due to having the same SUSclientID, complete the following steps:

  • Stop the Automatic Updates service by running sc stop wuauserv from a Command Prompt.

  • Delete the SUSclientID registry key from the following location:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

  • Restart the Automatic Update service by running sc start wuauserv from a Command Prompt.

  • From a Command Prompt, run wuauclt /resetauthorization /detectnow.

  • From a Command Prompt, run wuauclt /reportnow.