I have recently installed WSUS (v3.2.7600.226) on a Windows 2008 Std server, and configured 4 test PCs to connect to it through group policy. They are detected by WSUS, and the PCs are downloading some updates from the WSUS server, but not all.
The updates which WSUS Console says are missing from the PC have been approved.
If I run wuauclt.exe /detectnow, nothing changes, even after a reboot. If I perform the following, nothing changes:
- Stop the Automatic Updates service.
- Rename C:\Windows\SoftwareDistribution folder.
- Restart the Automatic Updates service.
- Go into Internet Explorer and delete the history, cookies, and temp internet files.
- Reboot then from a command prompt run wuauclt.exe /detectnow.
I have also set a deadline on a package to be in the past, and then run wuauclt.exe /detectnow on the PC, but checking Windows Update after that shows there are still no updates available.
If I remove the PC from the computer group with the WSUS policy, and run gpupdate /forcenow, the PC is able to see updates are available from Microsoft Internet Updates.
I have tried running this script to force the PC to retrieve updates, but that says there are no updates available also.
Update: In the WSUS Console, if I right-click on the update & choose File Information, I see that it exists in the WSUS data directory and is 2.8 MB in file size. If I force an update check on the Win7 PC which WSUS says needs this update, it detects no new updates. The update has been approved for all computer groups, including the one the problem PC is a member of.
Update: The Windows Update log (C:\windows\windowsupdate.log) only displays a couple of errors:
- WARNING: Cached cookie has expired or new PID is available
- WARNING: Failed to evaluate Installed rule, updateId = {189A8F50-0C3A-4FDF-8BC2-BC23A3EB11FB}.101, hr = 80242013
- 0 updates detected
I deleted cookies from Internet Explorer, and I receive similar:
- WARNING: Failed to evaluate Installed rule, updateId = {189A8F50-0C3A-4FDF-8BC2-BC23A3EB11FB}.101, hr = 80242013
- 0 updates detected
Update: The IIS7 logs display only '200 okay'. There are no 404s etc, but the last log entry is from around 8:20am, while I have been checking for updates from the PC client in the afternoon. The time & timezone on the WSUS server is correct, as for the client.
Update: Apparently 0x80242013 means WU_E_UH_BADCBSPACKAGEID: The update metadata contains an invalid CBS package identifier. There is a MS KB article on this. Checking against the listed possible causes:
- The folder c:\windows\system32\CatRoot2 does not exist
- Only catroot and CatRoot2_2011915163738 exist.
- I've scheduled a disk check to occur on next reboot in case system files are corrupt.
- Windows and the 1st level of subfolders are not hidden.
- I doubt it is a security or permissions issue as other updates install on the problem machine without any problem.
- I have renamed c:\windows\SoftwareDistribution and the same error is generated in c:\windows\windowsupdate.log (WARNING: Failed to evaluate Installed rule, updateId = {189A8F50-0C3A-4FDF-8BC2-BC23A3EB11FB}.101, hr = 80242013)
- I tried using the Microsoft Fixit tool, and rebooted but the same issue occurs.
Go onto your WSUS server and in the command prompt run WSUSutil.exe /reset. This checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again.
Try the steps given below:
Are you sure WSUS is downloading all updates correctly? Find the update and make sure it's not pending a download or reporting a failed download.
I ran across a similar problem a while back when certain updates weren't downloading and certain updates were. It ended up being a problem with the security policy on a Fortinet firewall. Once we excluded the WSUS server from that policy, everything started working.
Check the windowsupdate.log on one of the client machines to see if the clients are seeing a problem (How to read the Windowsupdate.log). There's a tonne of info and it may point you to what the problem is.
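The log check suggested above, as an added example that is not part of the original answer: a small Python parser that groups repeated rule-evaluation failures by update ID and lists the detection counts. The sample lines are constructed (timestamps, PIDs, TIDs and component names are assumptions); only the message texts, update ID and hr value come from the question.

```python
import re
from collections import Counter

# hr value -> symbolic name; the single entry is the one identified in the question.
HR_NAMES = {"80242013": "WU_E_UH_BADCBSPACKAGEID"}
RULE_FAIL = re.compile(r"Failed to evaluate (\w+) rule, "
                       r"updateId = (\{[0-9A-Fa-f-]{36}\}\.\d+), hr = ([0-9A-Fa-f]{8})")
DETECTED = re.compile(r"(\d+) updates detected")
UID = "{189A8F50-0C3A-4FDF-8BC2-BC23A3EB11FB}.101"
FAIL = "WARNING: Failed to evaluate Installed rule, updateId = " + UID + ", hr = 80242013"

# Constructed sample: tab-separated date, time, PID, TID, component, message.
SAMPLE_LOG = "\n".join([
    "2011-09-15\t14:02:11:101\t 912\t1a4\tPT\t"
    "WARNING: Cached cookie has expired or new PID is available",
    "2011-09-15\t14:02:19:530\t 912\t1a4\tAgent\t" + FAIL,
    "2011-09-15\t14:02:20:007\t 912\t7c0\tAU\t  # 0 updates detected",
    "2011-09-15\t15:40:03:218\t 912\t1a4\tAgent\t" + FAIL,
    "2011-09-15\t15:40:03:900\t 912\t7c0\tAU\t  # 0 updates detected",
    "truncated line without tabs",
])

def parse_line(line):
    """Split one log line into its six tab-separated fields; None if malformed."""
    parts = line.rstrip("\r\n").split("\t", 5)
    if len(parts) != 6:
        return None
    date, time, pid, tid, component, message = parts
    return {"when": date + " " + time, "pid": pid.strip(), "tid": tid.strip(),
            "component": component.strip(), "message": message.strip()}

def summarize(log_text):
    """Count repeated rule-evaluation failures and collect detection results."""
    failures, other_warnings, detected, skipped = Counter(), [], [], 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            skipped += 1          # keep a count instead of silently dropping lines
            continue
        msg = entry["message"]
        m = RULE_FAIL.search(msg)
        if m:
            rule, update_id, hr = m.groups()
            failures[(update_id, rule, HR_NAMES.get(hr.upper(), "0x" + hr))] += 1
        elif msg.startswith("WARNING:"):
            other_warnings.append((entry["component"], msg[len("WARNING:"):].strip()))
        d = DETECTED.search(msg)
        if d:
            detected.append(int(d.group(1)))
    return {"failures": dict(failures), "other_warnings": other_warnings,
            "detected": detected, "skipped": skipped}
```

Run `summarize()` over the text of a client's C:\windows\windowsupdate.log; the same update ID failing in every detection cycle while `detected` stays at 0 points at that one update's metadata rather than at connectivity to the WSUS server.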
That you approved an update does not mean it will be automatically available for the client PCs. It will need to be downloaded first. So maybe this is your problem. You approve the update and you want to have it and your clients instantly and it does not work this way.
You need to wait until the update has completely downloaded on your WSUS server.
Are those machines in a WSUS Group?
Are updates approved to that group?
IIRC, groups created after an update approval won't inherit that setting. If that is the case, you have to approve install again for the new group.