Repairing WSUS Clients

WSUS clients refuse to pick up updates after a server change?
Then we are coming to you. (C)


Everyone has run into a situation where something stopped working. This article is about WSUS (more information about WSUS can be found here and here). More specifically, it is about how to make WSUS clients (that is, our computers) pick up updates again after an existing update server has been migrated or rebuilt.

So, the situation is as follows: the WSUS server is dead. More precisely, its RAID controller died; it was already a 2000-era unit. That fact did not make anyone happier. After a short struggle (with attempts to restore the RAID array ruined by the dying controller), it was decided to write everything off and deploy a new WSUS server.

As a result, we got a working WSUS that, for some reason, clients would not connect to.
Details: WSUS is addressed by FQDN through the internal DNS server, the WSUS server is set in group policy and pushed to clients through AD, the server settings are the defaults, and WSUS itself was updated and its updates synchronized before any of the actions below were taken.

After analyzing the situation, several key problems were identified:

  1. The client (wuauclt) gets stuck when it tries to connect using the identity (SID) it was assigned by the old WSUS server.
  2. Updates that were downloaded from the old WSUS server but never installed cause problems.
  3. Services that wuauclt depends on (wuauserv, bits and cryptsvc) were stopped. They stopped for various reasons, which were not analyzed in detail.

In the end, the whole solution boiled down to a small script that is distributed by group policy through AD or by hand (and foot). The script uses the safest repair option and has not produced a single negative result in the six months it has been in use.

I will describe what it does (for the especially curious):

We stop the Windows Update service, reset the security descriptor of the service that talks to WSUS, delete the updates already downloaded from the previous WSUS, clean the registry of references to the previous WSUS, start the automatic update service (wuauserv), the background intelligent transfer service (bits) and the cryptographic service (cryptsvc), and at the very end force the client to contact WSUS: reset its authorization, detect the new WSUS and send a report to the server.

And as always: you carry out all the actions described above and below at your own risk. Please make sure that all necessary data is saved before the script is executed.

Script

REM Stop the Windows Update service so its files and registry values can be changed
net stop wuauserv
REM Reset the service's security descriptor to the Windows default
sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
REM Remove update content downloaded from the previous WSUS server
del /f /s /q %windir%\SoftwareDistribution\download\*.*
REM Remove the client identity issued by the previous WSUS server
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REM Start each service on its own line: a service that is already running makes
REM "net start" return an error, which would abort an && chain before cryptsvc
net start wuauserv
net start bits
net start cryptsvc
REM Force re-authorization, detection of the new WSUS and a report to it
wuauclt /resetauthorization /detectnow /reportnow
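The same repair as a PowerShell script, added here as an example and not the author's script: it saves the old client identity before deleting it (the author asks you to save data first), starts each service independently, and afterwards checks that the client policy points at the intended server and that a fresh SusClientId was issued. The $ExpectedWsus value is a placeholder you must replace with the URL your GPO sets.

```powershell
# Added example, not the author's script. Run elevated.
# Assumption: $ExpectedWsus is the WSUS URL your GPO sets (placeholder, adjust).
$ExpectedWsus = 'http://wsus.example.local:8530'
$wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ids    = 'AccountDomainSid', 'PingID', 'SusClientId'
$backup = Join-Path $env:TEMP ('wsus-ids-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))

# 1. Record the old client identity values before touching them.
$old = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$ids | ForEach-Object { "$_=$($old.$_)" } | Set-Content -Path $backup
Write-Host "Old WSUS client identity saved to $backup"

# 2. Stop the update service and reset its security descriptor to the default.
Stop-Service wuauserv -Force -ErrorAction SilentlyContinue
& sc.exe sdset wuauserv 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)' | Out-Null

# 3. Drop content downloaded from the old server and the identity it issued.
Remove-Item -Path "$env:windir\SoftwareDistribution\Download\*" -Recurse -Force -ErrorAction SilentlyContinue
foreach ($name in $ids) {
    Remove-ItemProperty -Path $wuKey -Name $name -ErrorAction SilentlyContinue
}

# 4. Start each service on its own so an already-running one does not abort the rest.
foreach ($svc in 'wuauserv', 'bits', 'cryptsvc') {
    Start-Service $svc -ErrorAction SilentlyContinue
}

# 5. Force re-authorization, detection and a report to the new server.
& wuauclt.exe /resetauthorization /detectnow /reportnow

# 6. Verify: the policy must name the intended server, and a new SusClientId
#    should appear once detection has run (this can take a few minutes).
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol.WUServer -ne $ExpectedWsus) {
    Write-Warning "WUServer policy is '$($pol.WUServer)', expected '$ExpectedWsus' (check GPO and DNS)"
}
Start-Sleep -Seconds 120
$new = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
if ($new.SusClientId -and $new.SusClientId -ne $old.SusClientId) {
    Write-Host "Client re-registered with new SusClientId $($new.SusClientId)"
} else {
    Write-Warning "SusClientId not regenerated yet; re-run detection or check WindowsUpdate.log"
}
```

On Windows 10 and later wuauclt no longer honours /detectnow, so the final check there relies on the next scheduled scan instead.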
