Troubleshooting WSUS

From Client End

1. Check whether the WSUS service in running status or not. Then Stop and restart WSUS service on WSUS client
PC.

2. Check whether the relevant group policy settings are applied or not.
Open cmd and run:

i. gpresult /r

1
Udara Kaushalya http://www.uktech.space/
 ii. rsop.msc

iii. Check availability of registry entries.

HKLM->Software->Policies->Microsoft->Window->WindowsUpdate

2
Udara Kaushalya http://www.uktech.space/
 3. Make sure he WSUS client can see the WSUS website by navigating to :
http://(Name Of WSUS Server):8530/Selfupdate/iuident.cab
and make sure open/download the file

4. Check Connectivity to WSUS Server(Telnet to WSUS Server)

telnet wsus.example.com 8530

5. View Proxy configuration on WSUS client

Open cmd and run :
i. netsh winhttp show proxy
ii. netsh winhttp import proxy source=ie

6. Open cmd and Run ‘wuauclt / detectnow’ command

7. Check WSUS log file in below path for errors

c:\windows\WindowsUpdate.log

8. Sometimes image a machine (or a clone a VM) keeps it’s unique update ID.
If this happens then the first machine with this ID to register gets listed, and all the rest do not. To find out if
this is the problem,
i. locate and stop the WSUS service on the affected client.
ii. Open Registry Editor and navigate to:
HKLM->Software->Microsoft->Windows->Current Version->WinowsUpdate
iii. Delete SusClientID entry.
iv. Restart WSUS service and run below commands.
Wuauclt /resetauthorization /detectnow
Wuauclt /reportnow

3
Udara Kaushalya http://www.uktech.space/
 From Server End

9. Troubleshoot from WSUS Server end

i. Check WSUS Service.

In this instance the WSUS service is reporting as running. If it’s not you can run the ‘Restart-Service -
name WsusService’ to attempt to restart it. This service runs as the Network Service user by default.

ii. Check IIS Service

Additionally, we need to ensure that the W3SVC service is running which is IIS, as this is the service that
listens for incoming connections on TCP ports 8530 for HTTP and 8531 for HTTPS. This service runs as
the local system account by default.

iii. Check WSUS port listening

Use netstat command to confirm that the WSUS server is correctly listening for incoming traffic.

WSUS server is listening for connections on the correct ports does not mean that your client machines
are able to connect in. By default, Windows firewall will be running on the WSUS server, however when
you installed WSUS it would have automatically configured two inbound rules called “WSUS” that allow
both TCP 8530 and 8531 through, as shown below.
Check that these allowed inbound rules are still in place.

4
Udara Kaushalya http://www.uktech.space/
 iv. Check log file
C:\Program Files\Update Services\LogFiles\ – This file contains information about things that have
changed in WSUS, it may be useful for seeing any recent changes that have taken place and caused the
problem you’re having.

Tools
1. Tool for reset Windows Update Agent is most useful tool to troubleshoot most of client end issues.
It can be downloaded from TechNet Gallery.
https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc

2. WSUS Client Diagnostic Tool

https://www.microsoft.com/en-us/download/confirmation.aspx?id=30827

5
Udara Kaushalya http://www.uktech.space/