System doesn’t become a member of a WSUS group


Possibly you have some computer systems that don’t show up in any of your WSUS groups, not even in the default “Unassigned Computers” group. Of course you have checked that the Windows Update Agent (WUA) refers to the right WSUS server and yes, the Automatic Updates service is up and running. You have run the following commands:
wuauclt.exe /detectnow
wuauclt.exe /update
and perhaps many, many others.

You started to take a look in WindowsUpdate.log (in %windir%) and you’ve found reporting events, including one telling you the actual report events were uploaded successfully. On the WSUS server you have investigated the IIS log of the WSUS web site and you’ve found this upload attempt by the client. And what did you see? It was directed at the right place (the ReportingWebService vdir) and resulted in HTTP status code 200, which means everything went fine…

I could continue this way, writing about every possible test and check you have performed. The only thing you want is to let your system appear in one of those WSUS groups (preferably the right one, of course)… Perhaps I could advise you to run the WSUS Client Diagnostics Tool, as a last resort, OK?

After running this tool it’s possible we see the following failure:
Checking AU Settings
AU Option is 1 : Disabled……….PASS
AU Settings do not match……….FAIL

This text is misleading IMHO. The thing is the “Configure Automatic Updates” setting seems to be disabled (possibly through a group policy). Well, if you want your system to appear in a WSUS group, you have to enable this setting, no matter what specific value you set the setting to.

Normally there is no reason to disable this setting, except when you don’t want to use automatic updating through WSUS or Microsoft Update. OK, you could disable the Automatic Updates service, but then updating through the Microsoft Update (MU) site or SCCM won’t work anymore (this service should have the Automatic startup type to update through Microsoft Update and the Automatic or Manual startup type to update through SCCM). And if you don’t use WSUS directly for updating a system automatically, then you normally don’t need to let the system appear in a WSUS group, right? Well, there are a few exceptions:
1) It could be that you want to use your WSUS server only as some kind of central reporting mechanism. Crazy? I don’t know: is it crazy to update the manual way (perhaps for some systems), but still have a central reporting place?
2) If you update through SCCM, the WSUS server is only used for a small number of aspects. Reporting can be done through SCCM. So here there is no need for placing the systems in WSUS. Well… it depends… What if you would like to switch very rapidly from SCCM to WSUS in emergency scenarios? The more settings you need to adapt for this, the longer it takes and the more mistakes can be made. So having all those systems “ready” in your WSUS groups does seem like a good thing to me. Secondly, WSUS reporting can show you things in a way you prefer over the way SCCM represents them.

1) Set the Automatic Updates service’s startup type to Automatic if you would like to be able to update through Microsoft Update and/or WSUS.
2) Set the Automatic Updates service’s startup type to Manual or Automatic if you would like to be able to update automatically through SCCM.
3) Set the “Configure Automatic Updates” setting to enabled if you want your system to appear in a WSUS group and to avoid the failure in the WSUS Client Diagnostics Tool.
4) If you don’t want to automatically update through Microsoft Update or WSUS, but still need to leave the Automatic Updates service set to Automatic (because you need to use MU manually and/or you would like to update automatically through SCCM), then you could choose option 2 (“2 – Notify for download and notify for install”) for the “Configure Automatic Updates” setting. This doesn’t download or install anything, but on the other hand it does create notifications…
5) If you don’t want those notifications for your users and you don’t mind that administrators still get them, set the setting “Allow non-administrators to receive update notifications” to disabled.

You see, there is only a problem when you want the system in a WSUS group, no automatic updating through MU/WSUS and no notifications at all. In that case I guess you are forced to choose the smallest “evil”…

Attention: when you disable the “Configure Automatic Updates” setting, a system that is not yet in a WSUS group can’t join one, and a system that is already in a WSUS group can’t move to another group either. Note that reporting itself still works though.
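
The settings from the recommendations above can be read back on a client with a read-only check. The PowerShell below is an added example, not part of the original post: the function name Test-WsusGroupReadiness is hypothetical, and it assumes the settings are delivered by group policy, which stores them as NoAutoUpdate, AUOptions, UseWUServer, WUServer, WUStatusServer and TargetGroup under the Windows Update policy registry key.

```powershell
# Added example (not from the original post): read-only check of the client
# settings discussed above. Assumes the settings are delivered by group policy,
# which stores them under the Policies\...\WindowsUpdate registry key.
function Test-WsusGroupReadiness {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $findings = @()

    # "Configure Automatic Updates" = Disabled is stored as NoAutoUpdate = 1.
    if ($null -eq $au) {
        $state = 'Not configured by policy'
    } elseif ($au.NoAutoUpdate -eq 1) {
        $state = 'Disabled'
        $findings += 'Configure Automatic Updates is disabled: client cannot join or change WSUS group.'
    } else {
        $state = "Enabled (AUOptions = $($au.AUOptions))"
        if ($au.AUOptions -eq 2) {
            $findings += 'AUOptions 2: nothing is downloaded or installed, but notifications appear.'
        }
    }

    # The client must be pointed at the WSUS server to report to it.
    if ($au.UseWUServer -ne 1 -or -not $wu.WUServer) {
        $findings += 'No WSUS server set by policy (UseWUServer / WUServer).'
    }

    # Service: Automatic for MU/WSUS, Manual or Automatic for SCCM.
    switch ($svc.StartMode) {
        'Disabled' { $findings += 'Automatic Updates service is disabled: updating via MU or SCCM will not work.' }
        'Manual'   { $findings += 'Service startup type is Manual: enough for SCCM, not for MU/WSUS.' }
    }

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        ServiceStartMode          = $svc.StartMode
        ConfigureAutomaticUpdates = $state
        WUServer                  = $wu.WUServer
        WUStatusServer            = $wu.WUStatusServer
        TargetGroup               = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { $null }
        Findings                  = $findings
    }
}

Test-WsusGroupReadiness | Format-List
```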


