Some Clients won’t Connect to WSUS

I was working for a client and decided to set up WSUS, and noticed that only about a third of the PCs were checking in to the WSUS server even though the GPO was configured to have machines check in at least once a day. I found out that this particular client had cloned machines and had not run the sysprep utility. When you clone a machine without sysprep, all the clones share registry values that should be unique per machine. Because these values were not unique, each machine would check in and then replace the other machines with the same ID in the WSUS console, so only one of each cloned group ever showed up at a time.

Determine Registry Values

Do yourself a favor: before running scripts and working through everything outlined in this article, go through a few machines and look up the following registry values (and take note of them so you can compare across machines):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate SusClientId
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate SusClientIdValidation

If this is during working hours, you can simply use regedit on one machine and remotely connect to the other machines' registries with File > Connect Network Registry (the destination PC needs the Remote Registry service running, and you need local administrator rights on it for this to work). SusClientId is a GUID string; if two machines show the same GUID, they are clones as far as WSUS is concerned.
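Checking machines one at a time in regedit gets old fast. The following PowerShell script is an added example (not from the original post): it reads SusClientId and SusClientIdValidation from a list of computers over the same Remote Registry channel regedit uses and reports any SusClientId shared by more than one machine. The computer names are constructed placeholders; in practice feed it the output of Get-ADComputer. It assumes the Remote Registry service is running on the targets and that you run it with rights to read HKLM on them.

```powershell
# Added example: audit SusClientId across the fleet and flag duplicates (cloned machines).
# Constructed sample list; replace with (Get-ADComputer -Filter *).Name or similar.
$Computers = @('PC-001', 'PC-002', 'PC-003')
$KeyPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

$results = foreach ($c in $Computers) {
    try {
        # Same mechanism as regedit's "Connect Network Registry": needs Remote Registry on the target
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        $key  = $hklm.OpenSubKey($KeyPath)
        # SusClientIdValidation is REG_BINARY, so render it as hex for comparison
        $validation = ($key.GetValue('SusClientIdValidation') | ForEach-Object { '{0:X2}' -f $_ }) -join ''
        [pscustomobject]@{
            Computer              = $c
            SusClientId           = $key.GetValue('SusClientId')
            SusClientIdValidation = $validation
        }
        $key.Close()
        $hklm.Close()
    } catch {
        [pscustomobject]@{
            Computer              = $c
            SusClientId           = "ERROR: $($_.Exception.Message)"
            SusClientIdValidation = $null
        }
    }
}

# Any SusClientId shared by two or more machines means those machines will keep
# overwriting each other in the WSUS console until the ID is regenerated.
$results |
    Where-Object { $_.SusClientId -and $_.SusClientId -notlike 'ERROR*' } |
    Group-Object SusClientId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Warning "SusClientId $($_.Name) is shared by: $($_.Group.Computer -join ', ')"
    }

$results | Format-Table -AutoSize
```

The warning lines give you the list of machines that actually need the reset; machines that come back with a unique GUID can be left alone.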

Values Match- Now what?

You now need a script that you can run across the machines in your environment to delete those duplicated registry values so that new unique IDs are generated when the Windows Update service starts back up. The script must run elevated, since it stops a service and writes to HKLM. Luckily I have a script created for you:

:: Stop the Windows Update agent so it does not rewrite the values while we delete them
net stop wuauserv
:: Remove the cloned client identity; the agent generates a fresh GUID on its next start
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f
net start wuauserv
:: Force an immediate detection cycle so the machine registers with WSUS under its new ID
PowerShell.exe -NoProfile -Command "(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()"

You can also download the Reset Windows Update Agent tool. That is a manual process that requires you to select options on each PC, so it does not scale, but it is a good fallback if my script doesn't work, and you can always copy and paste the parts of its code that actually fix your issue.

Implementing the Reset Script

You can manually run the script with administrator permissions on each PC, but that takes too much work. Let's work smarter, not harder. Follow the steps I took below to get all 280 PCs connected to the WSUS console with minimal effort.

Create a New GPO for Script

Let's open up the Group Policy Management tool on the domain controller. Create a new GPO and navigate to Computer Configuration –> Policies –> Windows Settings –> Scripts (Startup/Shutdown), then double-click Startup.

Click the Show Files button and paste the batch script into that directory (this is the GPO's own script store in SYSVOL, so every machine the GPO applies to can read it). Click Add and select that script (make sure you pick the copy in the GPO script store you just pasted it into). Click OK.

Implementing GPO

Now that the script is in a GPO, link that GPO to the domain or to the OUs that contain the affected machines. Your servers most likely aren't cloned, so I would make an OU to contain all your workstations and link the GPO to that. I would then schedule a reboot via the RMM tool you use, or via GPO, for all the workstations that need to run this registry cleaning script. Once the PCs reboot, the startup script runs as SYSTEM (which is why it can stop the service and write to HKLM) and resets the registry values. The last part of the script is a PowerShell command that forces the Windows Update service to check back in with the configured WSUS server. One caveat: a startup script runs on every boot, so once the machines have shown up in the WSUS console, unlink the GPO. Otherwise every reboot deletes the ID again and each machine re-registers as a brand-new client, which leaves you with a console full of duplicate entries.
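If you would rather not have to remember to unlink the GPO, the startup script can be made to run only once per machine. The following PowerShell version of the reset is an added example, not the script from the post or from Microsoft: it records a marker value after the first successful reset and skips on later boots. The marker name SusClientIdResetDone and the log path are my own choices, not Windows values. It also clears AccountDomainSid and PingID alongside the two values from the post, which is what Microsoft's guidance for cloned WSUS clients removes; if you want to stick strictly to the post's two values, drop them from the list. Use it as a PowerShell startup script (the PowerShell Scripts tab in the same Startup dialog).

```powershell
# Added example: idempotent WSUS client ID reset for use as a GPO startup script.
# Runs as SYSTEM at boot, so no explicit elevation is needed.
$WuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$Marker = 'SusClientIdResetDone'          # hypothetical marker value, my assumption
$Log    = 'C:\Windows\Temp\wsus-reset.log' # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Add-Content -Path $Log
}

# Skip if this machine has already been reset; this is what makes the GPO safe to leave linked
$done = (Get-ItemProperty -Path $WuKey -Name $Marker -ErrorAction SilentlyContinue).$Marker
if ($done -eq 1) {
    Write-Log 'already reset, skipping'
    return
}

# Stop the agent so it cannot rewrite the identity values while we delete them
Stop-Service -Name wuauserv -Force

# The two values from the post, plus the two that Microsoft's cloned-client guidance also clears
foreach ($name in 'SusClientId', 'SusClientIdValidation', 'AccountDomainSid', 'PingID') {
    Remove-ItemProperty -Path $WuKey -Name $name -ErrorAction SilentlyContinue
}

# Restart the agent; it generates a fresh SusClientId on start
Start-Service -Name wuauserv

# Record that the reset happened so later boots do not create yet another new client ID
Set-ItemProperty -Path $WuKey -Name $Marker -Value 1 -Type DWord

# Trigger detection so the machine registers with WSUS under the new ID right away
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
Write-Log 'reset SusClientId and triggered detection'
```

The marker lives under the same WindowsUpdate key so it is easy to find when auditing, and the log lets you confirm from the machine side which boots actually performed the reset. If you ever need to force a second reset on a machine, delete the marker value and reboot it.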

Please comment or leave feedback- especially if you have any questions.
