Tip: Troubleshoot Problems with the Windows Update Client
Occasionally, you might discover a client that isn’t automatically installing updates correctly. Such clients are typically identified during software update audits. To identify the source of the problem, follow these steps:
1. Determine the last time the client was updated. This can be done in two different ways—by checking the client’s registry (the most reliable technique) or, if you use Windows Server Update Services (WSUS), by checking the Reports page on the WSUS Web site.
- To check the client’s registry, open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results registry key. In each of the Detect, Download, and Install subkeys, examine the LastSuccessTime entry to determine when updates were last detected, downloaded, and installed.
- To check the WSUS server, open the Update Services console on the WSUS server. Click the Reports icon and then click Computer Detailed Status. Browse the com¬puters to find the problematic computer and examine the updates that have been successfully installed, as well as those that have not yet been installed.
2. Examine any error messages returned by the Windows Update client by viewing the client’s %SystemRoot%\WindowsUpdate.log file. This text file contains detailed output from the Windows Update client, including notifications for each attempt to find, download, and install updates. You can also use the WindowsUpdate.log file to verify that the client is attempting to access the correct update server. Search for any error messages in the Microsoft Knowledge Base for more troubleshooting information.
3. If you are using WSUS, verify that the client can connect to the WSUS server. Open a Web browser on the client and go to http://<WSUSServerName>/iuident.cab. If you are prompted to download the file, this means that the client can reach the WSUS server and it is not a connectivity issue. Click Cancel. If you are not prompted to download the file, you might have a name resolution or connectivity issue, or WSUS is not config¬ured correctly. Troubleshoot the problem further by identifying why the client cannot communicate with the WSUS server using HTTP.
4. If you can reach the WSUS server, verify that the client is configured correctly. If you are using Group Policy settings to configure Windows Update, use the Resultant Set of Policy (RSOP) tool (Rsop.msc) to check the computer’s effective configuration. Within RSOP, browse to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node and verify the configuration settings.
5. If you think WSUS is not configured correctly, verify the IIS configuration. WSUS uses IIS to update most client computers automatically to the WSUS-compatible Automatic Updates. To accomplish this, WSUS Setup creates a virtual directory named /Selfupdate under the Web site running on port 80 of the computer on which you install WSUS. This virtual directory, called the self-update tree, holds the latest WSUS client. For this reason, a Web site must be running on port 80, even if you put the WSUS Web site on a custom port. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS uses the site on port 80 only to host the self-update tree. To ensure that the self-update tree is working properly, first make sure a Web site is set up on port 80 of the WSUS server. Next, type the following at the command prompt of the WSUS server:
cscript <WSUSInstallationDrive>:\program files\microsoft windows server update services\setup\InstallSelfupdateOnPort80.vbs
If you identify a problem and make a configuration change that you hope will resolve it, restart the Windows Update service on the client computer to make the change take effect and begin another update cycle. You can do this using the Services console or by running the following two commands:
net stop wuauserv
net start wuauserv
Within 6 to 10 minutes, Windows Update will attempt to contact your update server.