I have recently set up two new servers on our domain, labelled CADCS001 and CADCS001. These servers are intended to be almost identical aside from the hostname and have been set up to be as similar as possible. One of these servers is successfully downloading updates from our WSUS server and the other is not.

Both servers are VMware ESXi VMs running Microsoft Windows Server 2008 R2 Standard x64 SP1. Each server was set up from scratch and Windows was installed manually on each of them (i.e. they were not cloned from each other or from any other VM). SP1 was slipstreamed into the installation files, it was not installed separately.

Our WSUS server has been in place for over a year and appears to be functioning as expected. We have around 30 servers and 150 client PCs and as far as I can tell all of them seem to be downloading and installing approved updates. Both servers are in the same OU in Active Directory, have the same applied GPOs (and are successfully applying those GPOs), and both are in the same container on the WSUS console.

Both servers are successfully reporting to the WSUS server. Updates are set to automatically download but wait for manual intervention before installing. Both initially reported 131 pending updates. CADCS002 showed the Windows Updates system tray icon and these updates were then installed - this left 1 pending update which has not yet been approved. CADCS001 did not show the Windows Updates system tray icon at all, but WSUS continued to show that it had 131 pending updates.

Running "wuauclt /detectnow" or selecting "Check for updates" from the Windows Update section in Control Panel creates the following entry in the WindowsUpdates.log file:

2013-07-09  16:57:13:353     772    820 AU  #############
2013-07-09  16:57:13:353     772    820 AU  ## START ##  AU: Search for updates
2013-07-09  16:57:13:353     772    820 AU  #########
2013-07-09  16:57:13:353     772    820 AU  <<## SUBMITTED ## AU: Search for updates [CallId = {0A1B8894-16B0-4ACC-8CBA-59D074B91FA3}]
2013-07-09  16:57:13:353     772    138 Agent   *************
2013-07-09  16:57:13:353     772    138 Agent   ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
2013-07-09  16:57:13:353     772    138 Agent   *********
2013-07-09  16:57:13:353     772    138 Agent     * Online = Yes; Ignore download priority = No
2013-07-09  16:57:13:353     772    138 Agent     * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2013-07-09  16:57:13:353     772    138 Agent     * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2013-07-09  16:57:13:353     772    138 Agent     * Search Scope = {Machine}
2013-07-09  16:57:13:369     772    138 Setup   Checking for agent SelfUpdate
2013-07-09  16:57:13:369     772    138 Setup   Client version: Core: 7.6.7600.256  Aux: 7.6.7600.256
2013-07-09  16:57:13:369     772    138 Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2013-07-09  16:57:13:369     772    138 Misc     Microsoft signed: Yes
2013-07-09  16:57:13:369     772    138 Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2013-07-09  16:57:13:369     772    138 Misc     Microsoft signed: Yes
2013-07-09  16:57:13:369     772    138 Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2013-07-09  16:57:13:384     772    138 Misc     Microsoft signed: Yes
2013-07-09  16:57:13:384     772    138 Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2013-07-09  16:57:13:384     772    138 Misc     Microsoft signed: Yes
2013-07-09  16:57:13:400     772    138 Setup   Determining whether a new setup handler needs to be downloaded
2013-07-09  16:57:13:400     772    138 Setup   SelfUpdate handler is not found.  It will be downloaded
2013-07-09  16:57:13:400     772    138 Setup   Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
2013-07-09  16:57:13:400     772    138 Setup   Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2013-07-09  16:57:13:400     772    138 Setup   Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2013-07-09  16:57:13:431     772    138 Setup   Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2013-07-09  16:57:13:431     772    138 Setup   Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2013-07-09  16:57:13:478     772    138 Setup   Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2013-07-09  16:57:13:478     772    138 Setup   SelfUpdate check completed.  SelfUpdate is NOT required.
2013-07-09  16:57:13:790     772    138 PT  +++++++++++  PT: Synchronizing server updates  +++++++++++
2013-07-09  16:57:13:790     772    138 PT    + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://al_s0006/ClientWebService/client.asmx
2013-07-09  16:57:16:052     772    138 PT  +++++++++++  PT: Synchronizing extended update info  +++++++++++
2013-07-09  16:57:16:052     772    138 PT    + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://al_s0006/ClientWebService/client.asmx
2013-07-09  16:57:16:286     772    138 Agent     * Found 0 updates and 65 categories in search; evaluated appl. rules of 557 out of 847 deployed entities
2013-07-09  16:57:16:286     772    138 Agent   *********
2013-07-09  16:57:16:286     772    138 Agent   **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2013-07-09  16:57:16:286     772    138 Agent   *************
2013-07-09  16:57:16:286     772    6d8 AU  >>##  RESUMED  ## AU: Search for updates [CallId = {0A1B8894-16B0-4ACC-8CBA-59D074B91FA3}]
2013-07-09  16:57:16:286     772    6d8 AU    # 0 updates detected
2013-07-09  16:57:16:286     772    6d8 AU  #########
2013-07-09  16:57:16:286     772    6d8 AU  ##  END  ##  AU: Search for updates [CallId = {0A1B8894-16B0-4ACC-8CBA-59D074B91FA3}]
2013-07-09  16:57:16:286     772    6d8 AU  #############
2013-07-09  16:57:16:286     772    6d8 AU  Successfully wrote event for AU health state:0
2013-07-09  16:57:16:286     772    6d8 AU  Featured notifications is disabled.
2013-07-09  16:57:16:286     772    6d8 AU  AU setting next detection timeout to 2013-07-10 13:10:52
2013-07-09  16:57:16:286     772    6d8 AU  Successfully wrote event for AU health state:0
2013-07-09  16:57:16:286     772    6d8 AU  Successfully wrote event for AU health state:0
2013-07-09  16:57:21:294     772    138 Report  REPORT EVENT: {DFDBAD4C-18AC-4483-91BA-112B6A866228}    2013-07-09 16:57:16:286+0100    1   147 101 {00000000-0000-0000-0000-000000000000}  0   0   AutomaticUpdates    Success Software Synchronization    Windows Update Client successfully detected 0 updates.
2013-07-09  16:57:21:294     772    138 Report  REPORT EVENT: {17AD4928-509E-47E6-856E-BE1F42AEE74D}    2013-07-09 16:57:16:286+0100    1   156 101 {00000000-0000-0000-0000-000000000000}  0   0   AutomaticUpdates    Success Pre-Deployment Check    Reporting client status.
2013-07-09  16:57:21:294     772    138 Report  CWERReporter finishing event handling. (00000000)

This log file appears to indicate that no updates are pending, but WSUS clearly shows that there are and that CADCS002 has successfully installed them.

Choosing "Check online for updates from Microsoft Update" works fine. It shows all the pending updates (including those we have not approved for installation) and allows them to be installed. Doing so with all Important updates has reduced the number reported as pending in WSUS from 131 to 12, so the server is definitely reporting successfully. Unfortunately there is still no sign of a Windows Updates system tray icon to install the remaining 12 updates, and clicking "Check for updates" from the Windows Update section in Control Panel still displays a "Windows is up to date" message.

I've tried installing the "System Update Readiness Tool for Windows Server 2008 R2 x64 Edition (KB947821)", which installs correctly but then reports no errors:

Checking System Update Readiness.
Binary Version 6.1.7601.21645
Package Version 19.0
2013-07-09 16:16

Checking Windows Servicing Packages

Checking Package Manifests and Catalogs

Checking Package Watchlist

Checking Component Watchlist

Checking Packages

Checking Component Store

Seconds executed: 333
 No errors detected
(w) Unable to get system disk properties    0x0000045D  IOCTL_STORAGE_QUERY_PROPERTY    Disk Cache

The "Unable to get system disk properties" message seems to be normal from what I can tell.

I cannot run the "WSUS Client Diagnostic Tool" as this is a 64-bit Windows 2008 installation.

I have tried deleting the computer from the WSUS console and running "wuauclt /resetauthorization /detectnow", which successfully readds it to the Unassigned Computers container. I then move it into the correct container and wait for it to report, and it goes back to saying there are 12 pending updates, but the server itself still refuses to acknowledge them.

I have tried deleting the SusClientId and SusClientIdValidation registry keys from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate and repeating the above process with exactly the same result.

I have compared the output from the WindowsUpdate.log file on CADCS001 with that from CADCS002 and the only differences aside from the timestamps and the CallID and clientId strings are the following lines:


Agent * Found 0 updates and 65 categories in search; evaluated appl. rules of 557 out of 847 deployed entities


Agent * Found 0 updates and 65 categories in search; evaluated appl. rules of 557 out of 895 deployed entities

The servers have been rebooted multiple times and have had "wuauclt /detectnow" run multiple times. Each time the WindowsUpdate.log file is checked on CADCS001 it shows "0 updates detected".

  • Both servers should be the same.
  • Both are reporting correctly to WSUS and WSUS is correctly stating which updates need to be applied to each server.
  • Neither of the new servers nor the WSUS server are reporting any errors either in Event Viewer, in the WindowsUpdate.log file or via the System Update Readiness Tool.
  • Both new servers are capable of detecting and installing Windows updates directly from Microsoft Update.

But for some reason one of the servers is insisting that there are no updates available from WSUS.

Has anyone else experienced this?

Update - Fixed

The problem seems to have been due to a corruption in the \Windows\SoftwareDistribution folder. The following steps resolved the issue:

  1. Stop the "Windows Updates" service
  2. Rename the \Windows\SoftwareDistribution folder
  3. Restart the "Windows Updates" service
  4. Open a Command Prompt and enter wuauclt /resetauthorization followed by wuauclt /detectnow

After a few minutes the Windows Updates system tray icon appeared and pending updates could be installed. The renamed (old) folder can then be safely deleted.

This could be several things. I've seen updates unpredictably break WSUS clients, for example. I don't think I've seen a client incorrectly report no updates, however, except when there was a prerequisite update missing.

It looks like you already checked the registry keys, so I'll skip past that.

So I'm going to recommend:

  • Check for any "prerequisite" update.
  • The \Windows\SoftwareDistribution directory can get corrupted. Renaming or deleting the folder and running wuauclt /detectnow should help, if so.
  • Microsoft has a list of dlls you can try reregistering, etc., here:

I hope that helps. Good luck!

  I second deleting the \Windows\SoftwareDistribution directory, restarting the wuauserv service, and running wuauclt /detectnow.
  • 1
    Stopping the Windows Updates service, renaming the \Windows\SoftwareDistribution folder, restarting the Windows Updates service and running `wuauclt /detectnow` seems to have done the trick! Thanks very much, Katherine and Jeremy.

2013-07-09 16:57:16:286 772 138 Agent * Found 0 updates and 65 categories in search;

This is the key piece of information. What this log entry means is that there are no updates available for this client at this time.

Availability of updates in a WSUS environment requires two conditions: - The update is approved for a target group of which the client is an assigned member. - The installation file for the update is downloaded to the WSUS server.

In the majority of cases, this condition occurs because the file(s) for the approved update(s) are not yet downloaded to the WSUS server. Sometimes this is a function of having approved too many updates and clogging up the download queue with hundreds of files involving tens of gigabytes of downloads. Sometimes it's a function of downloads actually failing, usually because a web filter or proxy server is interfering.

Check the "Download Status" on the main page of the WSUS console, and inspect the Application Event Log for EventID 364s.

  your tip was way more helpful to me, that is, looking into the failure to download updates. I also found your help on other MS forums about Network Service not having proper ACLs. I changed the user to Local System just to see, and it worked. Changed it back, but will have to wait for updates to not download again before I can try anything else. Another user suggested that %systemdrive%\temp didn't have write permissions from Network Service. I'll try that next time.