The creation of the Windows Update web site a few years ago revolutionized the way people with Microsoft products kept those products updated with the latest patches. Windows Update made it possible for a "mere mortal" to determine exactly which updates they needed to install and install them automatically. Windows Update greatly improved the overall security of millions of Windows desktops worldwide.
Windows Server Update Services (WSUS) is a free product from Microsoft that enables you to deploy your own Windows Update site within your own network and control which updates are installed on your equipment. With WSUS, an administrator can authorize updates for deployment after they are tested and also get detailed reports of which updates each computer needs. Another big benefit of WSUS is that it enables updates to be deployed to computers while no one is logged in. The most common scenario is to have users log out each night and install patches during the off hours so the computers can be rebooted if necessary. Although WSUS can deploy patches for most Microsoft applications, it is not a complete solution when it comes to maintaining a consistent configuration on all desktops and servers. For large environments, SMS should be considered because it gives you the ability to deploy applications and operating systems. In addition, SMS will provide detailed inventory information on the hardware and software you have in your environment.
I have been helping a customer bring their WSUS server back on line so they can get updates deployed until the SMS infrastructure they are designing has been completed. The information below is related to troubleshooting the deployment of WSUS and the Windows Update client.
Windows Update Client
WSUS requires the latest version of the Windows Update client software to be installed. Windows Server 2003 and Windows XP Service Pack 1 computers will have the client by default. For all others, you should go to Microsoft.com/downloads to get the latest WSUS client.
Links
Download Windows Server Update Services (software & documentation): http://www.microsoft.com/windowsserversystem/updateservices/downloads/WSUS.mspx
Client Diagnostic Tool: http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
Server Diagnostic Tool: http://download.microsoft.com/download/7/7/4/7745a34e-f563-443b-b4f8-3a289e995255/WSUS%20Server%20Debug%20Tool.EXE
WSUS w/ SP1: http://www.microsoft.com/windowsserversystem/updateservices/downloads/WSUSSP1.mspx
Troubleshooting
Most of the troubleshooting that needs to be performed with WSUS is related to the clients installing updates and/or reporting that they have installed updates. Keep one thing in mind when troubleshooting: nothing happens instantly with WSUS. The product is designed to be low maintenance and to have minimal impact on the operation of the computers that are clients. Don't expect updates to be applied instantly. If you need that kind of response, use SMS.
The WSUS client on each computer can be configured manually for small environments, but Group Policy is the preferred way. The Group Policies are located at Computer Configuration > Administrative Templates > Windows Components > Windows Update. Confirm the GPO is configured with the correct server name and the GPO is linked to the correct OUs. At the client side, open a command prompt and run "GPUDATE /FORCE" (XP/2003 only) to apply the GPOs to the computer. Now type "GPRESULT" to see which GPOs are being applied to the computer. Confirm the GPO containing the WSUS settings was applied under Computer Settings.
Client Registry
There are two sets of keys on the client that indicate that the computer is getting the WSUS settings from the GPO. The first contains the actual policy settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU
The second set of registry keys contains information specific to the computer such as the "SusClientId", "NextDetectionTime", "ScheduledInstallDate" etc.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Client Log Files
There are two locations on the local computer where information is logged for the WSUS client. The first is the WindowsUpdate.log file located in the C:\Windows folder. This file contains a running log of all the activity the WSUS client performs.
The second log is named ReportingEvents.log and is located in the C:\Windows\SoftwareDistribution folder. Open this log file and go to the last few lines to see which updates are available for installation.
The easiest way to see what is happening is to compare the log files from a working computer to the logs on the computer you are troubleshooting.
Another area to look at is the C:\Windows\SoftwareDistribution\Download folder. This folder should contain temporary folders for recently downloaded updates pending installation.
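The client-side checks described above (policy keys, client state values, the two log files and the Download folder) can be collected in one PowerShell pass. This is an added example, not part of the original article: `$ExpectedServer` and its URL are placeholders, and the value names WUServer, WUStatusServer and UseWUServer are the standard WSUS policy values rather than names given on this page. It assumes the plain-text logs in the locations the article describes.

```powershell
# Added example: gather the client-side WSUS evidence in one pass.
# $ExpectedServer is a placeholder; use the server URL configured in your GPO.
param(
    [string]$ExpectedServer = 'http://wsus.example.local',
    [int]$TailLines = 10
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$stateKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-RegValues([string]$Path, [string[]]$Names) {
    # Emit one row per value; '<missing>' when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        $v = if ($item -and $null -ne $item.$n) { $item.$n } else { '<missing>' }
        New-Object PSObject -Property @{ Key = $Path; Name = $n; Value = $v }
    }
}

# Policy settings delivered by the GPO, then the computer-specific client state.
$report  = @(Get-RegValues $policyKey 'WUServer', 'WUStatusServer')
$report += Get-RegValues "$policyKey\AU" 'UseWUServer'
$report += Get-RegValues $stateKey 'SusClientId'
$report += Get-RegValues "$stateKey\Auto Update" 'NextDetectionTime', 'ScheduledInstallDate'
$report | Format-Table Name, Value, Key -AutoSize

$wuServer = ($report | Where-Object { $_.Name -eq 'WUServer' }).Value
$useWu    = ($report | Where-Object { $_.Name -eq 'UseWUServer' }).Value
if ($wuServer -eq '<missing>') {
    Write-Warning 'No WSUS policy values found: the GPO has not reached this computer.'
} elseif ($wuServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
    Write-Warning "WUServer is '$wuServer' but '$ExpectedServer' was expected."
} elseif ($useWu -ne 1) {
    Write-Warning 'WUServer is set but UseWUServer is not 1, so the client will not use it.'
}

# Last lines of both client logs, for comparison with a working computer.
foreach ($log in 'WindowsUpdate.log', 'SoftwareDistribution\ReportingEvents.log') {
    $path = Join-Path $env:windir $log
    "--- $path"
    if (Test-Path $path) { Get-Content $path | Select-Object -Last $TailLines }
    else { Write-Warning 'Log not found.' }
}

# Updates that have been downloaded and are pending installation.
$dl = Join-Path $env:windir 'SoftwareDistribution\Download'
$pending = @(Get-ChildItem $dl -ErrorAction SilentlyContinue)
"Items in the Download folder: $($pending.Count)"
```

Run it on the problem computer and on a working one, then compare the two outputs line by line.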
Troubleshooting Steps