Troubleshooting WSUS: Fixing Issues That Not All Computers Report

Windows Server Update Services (WSUS) is a powerful tool for managing updates across multiple computers in a network. It allows administrators to control the distribution of updates, ensuring that all systems are up-to-date and secure. However, sometimes you might encounter issues where not all computers are being managed by WSUS as expected. In this blog post, we'll explore common reasons why this happens and how to fix them.


TL;DR

Potential Causes:

  • Group Policy Objects (GPO) are not configured correctly.
  • Duplicated SusClientId values on different computers.

Steps to Troubleshoot:

  1. Verify GPO settings to ensure they point to the correct WSUS server.
  2. Check if the intended GPO is applied to the target computers.
  3. Investigate if SusClientId duplication is causing the issue.
  4. Resolve SusClientId duplication by regenerating the ID.

Verify GPO Configuration

The first step is to ensure that the GPO settings are correctly configured to point to the right WSUS server. A GPO defines which server the computers in your network contact to fetch Windows updates.

Check Windows Update Source

To check the GPO configuration, first confirm that your AD server actually has a GPO that directs computers to your intended WSUS server. The WSUS server for your network is defined by the policy setting "Set the intranet update service for detecting updates", and you need to check that it correctly points to your WSUS server.

Key Points to Verify:

  • Ensure there is a GPO that sets the intranet update server.
  • Confirm that this GPO is linked to the group containing the target computers.
  • Check if any filters are applied to the GPO and review their settings.

If everything seems correct, proceed to verify if the GPO is actually applied to the target computers.

Verify GPO Application on Target Computers

A GPO configured on the AD server has no effect until it is properly applied to the computers. The GPRESULT command lists all GPOs applied to a target computer. Run the command below on a computer that is missing from the WSUS console to see whether the GPO is applied to it. Note that administrator privileges are required to run this command.

GPRESULT /R /SCOPE COMPUTER

If the intended GPO is listed, then the target computer is expected to report to the WSUS server. In this case the issue might be related to SusClientId duplication. If not, further troubleshooting is needed, and you might want to try forcing a GPO update:

GPUPDATE /FORCE

Investigate SusClientId Duplication

If the GPO settings are correct, your computers are expected to report to the intended WSUS server. If the WSUS console still does not display all computers, the cause may be duplicated SusClientId values.

SusClientId is a value stored in a computer's registry, which WSUS uses to tell computers apart. If a single SusClientId is shared among different computers, the WSUS console cannot display them properly even if they all correctly report to the WSUS server. Consider this possibility especially if you've used cloning to set up computers.

Check Common Symptoms of SusClientId Duplication

The WSUS server treats computers with the same SusClientId as one entry and overwrites the older computer with the newer one in the console. You can observe this overwriting to confirm that the issue comes from SusClientId duplication by following the steps below:

  1. Take note of the computers listed in the WSUS console.
  2. On computers that are not on the list, manually run "Check for Updates".
  3. The computers where you ran "Check for Updates" may appear in the WSUS console, replacing some of the computers listed before.

If another computer disappears from the WSUS console and the one you checked appears instead, it indicates that both computers share the same SusClientId. In such a case, you can fix the issue by regenerating SusClientId to resolve the duplication.

Optional: Check SusClientId Value

If different computers replace each other on the WSUS console, you can conclude SusClientId is duplicated. Alternatively, you can directly observe SusClientId to confirm its duplication.

The following command displays SusClientId of a computer. This may require administrator privileges.

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId
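
To compare the value across several machines at once, the same registry read can be run remotely and grouped by ID. This is an added example, not part of the original post; it assumes PowerShell remoting (WinRM) is enabled on the targets, and the computer names are constructed placeholders.

```powershell
# Added example: inventory SusClientId across machines and report shared IDs.
# Assumption: PowerShell remoting (WinRM) is enabled; run from an admin console.
$Computers = 'PC-001', 'PC-002', 'PC-003'   # constructed sample names, replace with your own
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

$inventory = foreach ($name in $Computers) {
    try {
        # Read the same value that the reg query command above displays.
        $id = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty -Path $using:KeyPath -Name SusClientId -ErrorAction Stop).SusClientId
        }
        [pscustomobject]@{ Computer = $name; SusClientId = $id; Error = $null }
    }
    catch {
        # Unreachable machine, or the value does not exist yet.
        [pscustomobject]@{ Computer = $name; SusClientId = $null; Error = $_.Exception.Message }
    }
}

# Any ID held by more than one machine is a duplicate.
$duplicates = $inventory |
    Where-Object SusClientId |
    Group-Object SusClientId |
    Where-Object Count -gt 1

foreach ($group in $duplicates) {
    '{0} is shared by: {1}' -f $group.Name, ($group.Group.Computer -join ', ')
}

# Machines that could not be checked, so they are not silently counted as unique.
$inventory | Where-Object Error | Format-Table Computer, Error -AutoSize
```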

Resolve SusClientId Duplication

To fix SusClientId duplication, you can regenerate the ID by following these steps:

  1. Stop the Windows Update Service:
net stop wuauserv

Although the sc stop command provides a similar function to net stop, sc stop cannot replace net stop here. This fix requires a restart of the Windows Update Medic Service, and sc stop wuauserv does not stop it.

  2. Delete the SusClientId and SusClientIDValidation registry entries, along with PingID and AccountDomainSid:
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f

PingID and AccountDomainSid are sometimes not found in the registry. In that case, they do not need to be deleted.

  3. Restart the Windows Update Service:
net start wuauserv

When the service restarts, a new SusClientId is issued automatically. As with the stop step, this net command cannot be replaced with the sc command.

  4. Reset Authorization and Detect Updates:
wuauclt.exe /resetauthorization /detectnow

If a large number of computers need a new SusClientId, you may consider using the startup script function of the AD server. In this case, the IT administrator needs to encourage users to restart their computers after the GPO containing the startup script is applied.
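
A startup script for this purpose should run the reset only once per machine, otherwise every boot would issue a fresh ID. The following is an added example, not code from the original post; the marker key HKLM\SOFTWARE\ExampleOrg\WsusFix and its value name are hypothetical and exist only to record that the reset has already run.

```powershell
# Added example: one-time SusClientId reset for use as a GPO startup script.
# Startup scripts run as SYSTEM, which has the rights the manual steps need.
$WuKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$MarkerKey = 'HKLM:\SOFTWARE\ExampleOrg\WsusFix'   # hypothetical marker location
$MarkerVal = 'SusClientIdReset'                    # hypothetical marker name

# Skip machines that were already reset on an earlier boot.
$done = Get-ItemProperty -Path $MarkerKey -Name $MarkerVal -ErrorAction SilentlyContinue
if ($done) { return }

# Step 1: stop the service with net stop, as the steps above require.
net stop wuauserv | Out-Null

# Step 2: delete the four values. PingID and AccountDomainSid may be absent,
# so each value is removed only if it exists.
foreach ($value in 'SusClientId', 'SusClientIDValidation', 'PingID', 'AccountDomainSid') {
    if (Get-ItemProperty -Path $WuKey -Name $value -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $WuKey -Name $value -Force
    }
}

# Step 3: restart the service so a new SusClientId is issued.
net start wuauserv | Out-Null

# Step 4: re-authorize against WSUS and trigger detection.
wuauclt.exe /resetauthorization /detectnow

# Record completion so later boots leave the new ID alone.
New-Item -Path $MarkerKey -Force | Out-Null
New-ItemProperty -Path $MarkerKey -Name $MarkerVal -Value (Get-Date -Format o) `
    -PropertyType String -Force | Out-Null
```

Once the affected machines have reported in, unlink the startup script GPO; the marker only guards against repeat runs while the GPO is still applied.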

Conclusion

Managing all computers with WSUS can sometimes be tricky. By carefully verifying GPO settings and ensuring unique SusClientId values, you can probably resolve these issues and ensure that all computers are properly managed by WSUS.

Happy updating!