2

I installed WSUS on Server 2012 R2. Installation went well on the server side. I do not have an Active Directory environment so I have to use registry settings on the clients. I used the following registry settings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] 
"AcceptTrustedPublisherCerts"=dword:00000001 
"ElevateNonAdmins"=dword:00000001 
"TargetGroup"="Servers" 
"TargetGroupEnabled"=dword:00000000 
"WUServer"="http://serveripaddress:8530" 
"WUStatusServer"="http://serveripaddress:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 
"AUOptions"=dword:00000004 
"AUPowerManagement"=dword:00000001 
"AutoInstallMinorUpdates"=dword:00000001 
"DetectionFrequency"=dword:0000000a 
"DetectionFrequencyEnabled"=dword:00000001 
"IncludeRecommendedUpdates"=dword:00000001 
"NoAUAsDefaultShutdownOption"=dword:00000001 
"NoAUShutdownOption"=dword:00000001 
"NoAutoRebootWithLoggedOnUsers"=dword:00000001 
"NoAutoUpdate"=dword:00000000 
"RebootRelaunchTimeout"=dword:0000000a 
"RebootRelaunchTimeoutEnabled"=dword:00000001 
"RescheduleWaitTime"=dword:0000000a 
"RescheduleWaitTimeEnabled"=dword:00000001 
"ScheduledInstallDay"=dword:00000000 
"ScheduledInstallTime"=dword:00000003 
"UseWUServer"=dword:00000001

I run regedit and confirm that the settings are in the registry. After adding the registry settings I ran:

wuauclt /reportnow
wuauclt /detectnow

I waited 2 days to see my test clients report in; I used 4 servers and 4 desktops. Only two have reported in, 1 server and 1 desktop. I manually created the "Servers" group and "Desktops" group on WSUS but the server reported to "Unassigned Computers" and the desktop reported to "All Computers". None of the others checked in. When I looked at the %windir%\WindowsUpdate.log on each machine it appeared that registry settings were being ignored.
On the server (2008 R2) that reported in these lines stood out:

2017-08-12          18:13:12:040       852        f88          Agent      * WSUS server: http://serveripaddress:8530
2017-08-12          18:13:12:040       852        f88          Agent      * WSUS status server: http://serveripaddress:8530
2017-08-12          18:13:12:040       852        f88          Agent      * Target group: (Unassigned Computers)

But the registry says the Target Group is Servers.

On the desktop (Windows 10) I ran Get-WindowsUpdateLog in PowerShell and checked the generated file. These lines stood out:

2017/08/13 00:00:14.5525097 1188  9088  Agent           [0]04A4.2380::08/13/2017-00:00:14.552 [agent]WSUS server: http://serveripaddress:8530
2017/08/13 00:00:14.5525101 1188  9088  Agent           [0]04A4.2380::08/13/2017-00:00:14.552 [agent]WSUS status server: http://serveripaddress:8530
2017/08/13 00:00:14.5525109 1188  9088  Agent           [0]04A4.2380::08/13/2017-00:00:14.552 [agent]Alternate Download Server: NULL
2017/08/13 00:00:14.5525117 1188  9088  Agent           [0]04A4.2380::08/13/2017-00:00:14.552 [agent]Fill Empty Content Urls: No
2017/08/13 00:00:14.5525121 1188  9088  Agent           [0]04A4.2380::08/13/2017-00:00:14.552 [agent]Target group: (Unassigned Computers)

Once again, instead of Target Group being "Desktops" like in the registry, it says Unassigned Computers. In this case it does not appear in Unassigned Computers on the WSUS server, though it is in the All Computers group.
The computers that don't report in to the WSUS server have different registry related issues. Another Server 2008 R2 reports the following:

2017-08-13  00:18:12:188     880    1ba0    PT  WARNING: Cached cookie has expired or new PID is available
2017-08-13  00:18:12:188     880    1ba0    PT  Initializing simple targeting cookie, clientId = f47c77db-1416-44dd-88e7-6130b4f7a123, target group = , DNS name = data-server
2017-08-13  00:18:12:188     880    1ba0    PT    Server URL = http://serveripaddress/SimpleAuthWebService/SimpleAuth.asmx
2017-08-13  00:18:14:207     880    1ba0    Misc    WARNING: Send failed with hr = 80072efd.
2017-08-13  00:18:14:207     880    1ba0    Misc    WARNING: SendRequest failed with hr = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2017-08-13  00:18:14:207     880    1ba0    Misc    FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072efd
2017-08-13  00:18:14:207     880    1ba0    PT    + Last proxy send request failed with hr = 0x80072EFD, HTTP status code = 0
2017-08-13  00:18:14:207     880    1ba0    PT    + Caller provided credentials = No
2017-08-13  00:18:14:207     880    1ba0    PT    + Impersonate flags = 0
2017-08-13  00:18:14:207     880    1ba0    PT    + Possible authorization schemes used = 
2017-08-13  00:18:14:207     880    1ba0    PT  WARNING: GetAuthorizationCookie failure, error = 0x80072EFD, soap client error = 5, soap error code = 0, HTTP status code = 200
2017-08-13  00:18:14:207     880    1ba0    PT  WARNING: Failed to initialize Simple Targeting Cookie: 0x80072efd
2017-08-13  00:18:14:207     880    1ba0    PT  WARNING: PopulateAuthCookies failed: 0x80072efd
2017-08-13  00:18:14:207     880    1ba0    PT  WARNING: RefreshCookie failed: 0x80072efd
2017-08-13  00:18:14:207     880    1ba0    PT  WARNING: RefreshPTState failed: 0x80072efd
2017-08-13  00:18:14:208     880    1ba0    PT  WARNING: PTError: 0x80072efd
2017-08-13  00:18:14:208     880    1ba0    Report  WARNING: Reporter failed to upload events with hr = 80072efd.

In this case the server is ignoring the port at the end of the IP address. When I originally set up WSUS I set the server URL in the registry without the port because I didn't realize the newer version didn't use port 80 anymore. I changed the registry to include the port but it doesn't seem to have taken the setting.
On one of the desktops (Windows 7) that didn't report in, the logs show the system validating signatures but then I see this:

2017-08-12  21:52:05:983    1008    53c PT  +++++++++++  PT: Synchronizing extended update info  +++++++++++
2017-08-12  21:52:05:983    1008    53c PT    + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
2017-08-12  21:52:06:529    1008    53c Agent     * Added update {C2D37DE8-9638-468D-9575-5764F0D086D1}.200 to search result
2017-08-12  21:52:06:529    1008    53c Agent     * Found 1 updates and 89 categories in search; evaluated appl. rules of 3722 out of 5816 deployed entities

It appears that this one is reaching out to the Windows Update URL instead of my WSUS server. Why aren't the registry settings having any effect on the various systems?

Aaron Martin
  • 163
  • 1
  • 5

2 Answers

2

The answer turned out to be extremely basic and embarrassing. The WSUS settings do not require a computer reboot the first time they are set; however, if they are ever changed, apparently the computer must be rebooted. I did not try this initially since the registry settings took effect immediately when I set up the server the first time without the proper port. Once I rebooted, the logs reflected the updated registry settings.

Aaron Martin
  • 163
  • 1
  • 5
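
Added example, not part of the original post or either answer: a small checker that compares the policy values in a `.reg` export with what the Windows Update agent actually logged, which shows which clients are still running on old values and therefore not reporting patch status to WSUS. The function names `parse_reg` and `audit` are illustrative; the sample data is copied from the question, with log lines from three different clients combined into one list.

```python
import re
from urllib.parse import urlsplit
REG_VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
LOG_FIELD = re.compile(r'(WSUS server|Target group|Server URL)\s*[:=]\s*(\S.*?)\s*$')
# Subset of the .reg export from the question (values of both keys share one dict).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"TargetGroup"="Servers"
"TargetGroupEnabled"=dword:00000000
"WUServer"="http://serveripaddress:8530"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"DetectionFrequency"=dword:0000000a
"UseWUServer"=dword:00000001
'''
# Lines from the question's three client logs, combined here for illustration.
SAMPLE_LOG = [
    "2017-08-12 18:13:12:040 852 f88 Agent * WSUS server: http://serveripaddress:8530",
    "2017-08-12 18:13:12:040 852 f88 Agent * Target group: (Unassigned Computers)",
    "2017-08-13 00:18:12:188 880 1ba0 PT Server URL = http://serveripaddress/SimpleAuthWebService/SimpleAuth.asmx",
    "2017-08-12 21:52:05:983 1008 53c PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx",
]

def parse_reg(text):
    """Return {value name: int or str} for every value line in a .reg export."""
    policy = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            policy[m[1]] = int(m[2], 16) if m[2] else m[3]
    return policy

def audit(policy, log_lines):
    """List the places where the agent's log disagrees with the registry policy."""
    findings = []
    want = urlsplit(policy.get("WUServer", "")).netloc  # host:port the registry asks for
    if policy.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1, so WUServer is ignored")
    if policy.get("TargetGroup") and policy.get("TargetGroupEnabled") != 1:
        findings.append("TargetGroup is set but TargetGroupEnabled is not 1")
    for m in filter(None, map(LOG_FIELD.search, log_lines)):
        field, value = m.groups()
        if field == "Target group":
            if value.strip("()") != policy.get("TargetGroup"):
                findings.append(f"log target group {value} != registry {policy.get('TargetGroup')!r}")
        elif urlsplit(value).netloc != want:
            findings.append(f"log {field} uses {urlsplit(value).netloc}, registry says {want}")
    return findings

FINDINGS = audit(parse_reg(SAMPLE_REG), SAMPLE_LOG)  # mismatches for the sample data
```

A mismatch on the server URL or port means the agent is still using values it read before the registry was changed. The `TargetGroupEnabled` finding is a separate configuration issue: with that value at 0, client-side targeting is off and the `TargetGroup` name is not used.
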
1

You can try this command to force the clients to check in with the WSUS server:

wuauclt /resetauthorization /detectnow /ReportNow

I would also suggest using the local group policy editor on the clients and other servers; this doesn't require Active Directory.

To do this run gpedit.msc on each client.

You will then find the settings you need under Computer Configuration/Administrative Templates/Windows Components/Windows Update/

martin81
  • 197
  • 7