
Repairing WSUS clients

WSUS clients refuse to update after the server was changed?
Then we're coming to you. (c)

Everybody has had a situation where something stopped working. This article is about WSUS (more information on WSUS can be found here and here). More precisely, it is about how to make WSUS clients (that is, our workstations) receive updates again after an existing update server has been moved or rebuilt.

So, the situation is as follows.
The WSUS server died. More precisely, its RAID controller, manufactured back in 2000, died, which did not add any joy. After a short struggle (with attempts to recover the RAID array that the dying controller had ruined), it was decided to scrap everything and deploy a new WSUS server.

As a result, we got a working WSUS server to which, for some reason, the clients would not connect.
Details: the WSUS server is reached by FQDN through the internal DNS server, it is configured in group policy and pushed to clients via AD, the server uses default settings, and before any of the steps below WSUS itself was updated and its updates were synchronized.

After analyzing the situation, several key points were identified.

  1. The client (wuauclt) gets stuck when it tries to connect using the SID issued by the old WSUS server.
  2. Updates downloaded from the old WSUS server but never installed cause problems.
  3. Services that wuauclt depends on (wuauserv, bits and cryptsvc) are stopped. They stopped for various reasons that were not analyzed in detail.

In the end, the whole solution came down to a small script that is distributed by group policy via AD or by hand (and foot). The script uses the safest variant of the repair and has not produced a single negative result in six months of use.

Here is what it does (for the particularly curious):

We stop the Windows Update service, reset the service's security descriptor, delete the updates already downloaded from the previous WSUS, remove the references to the previous WSUS from the registry, start the Windows Update service (wuauserv), the Background Intelligent Transfer Service (bits) and the Cryptographic Services (cryptsvc), and finally force the client to contact WSUS with its authorization reset, detect the new WSUS server and send a report to it.

And as always: you perform all the actions described above and below at your own risk. Please make sure all necessary data is saved before running the script.

Script

    net stop wuauserv
    sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
    del /f /s /q %windir%\SoftwareDistribution\download\*.*
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    net start wuauserv && net start bits && net start cryptsvc
    wuauclt /resetauthorization /detectnow /reportnow
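The following is an added example, not the article's script: a PowerShell version of the same repair that adds the checks an administrator usually wants before overwriting anything on a client. It assumes it is run elevated on a domain-joined machine whose WSUS server is set by group policy (the WUServer value under the WindowsUpdate policy key); it checks that the policy exists and that the WSUS FQDN resolves before touching the client, records the old SusClientId and the current service security descriptor (sc sdshow) to a log so the change is auditable, removes the registry values only if they are present, and verifies each service actually reached the Running state before calling wuauclt. The SDDL string is the same one the article's script applies. The log file path is a constructed choice.

```powershell
# Added example (not the article's script): PowerShell version of the WSUS client repair
# with pre-checks and logging. Assumes an elevated session on a domain-joined client whose
# WSUS server is configured by group policy (WUServer). Log path is a constructed choice.
#Requires -RunAsAdministrator

$wuKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$services  = 'wuauserv', 'bits', 'cryptsvc'
$logFile   = Join-Path $env:TEMP 'wsus-client-repair.log'   # constructed log location

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
    Write-Host $line
}

# 1. Pre-check: which WSUS server does policy point to, and does its FQDN resolve?
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy -or -not $policy.WUServer) {
    Write-Log 'No WUServer policy value found; this client is not configured for WSUS. Aborting.'
    return
}
$wsusHost = ([Uri]$policy.WUServer).Host
Write-Log "Policy WUServer = $($policy.WUServer)"
try {
    $null = Resolve-DnsName -Name $wsusHost -ErrorAction Stop
    Write-Log "DNS resolves $wsusHost"
} catch {
    Write-Log "DNS lookup for $wsusHost failed: $($_.Exception.Message). Fix DNS or the GPO before resetting the client."
    return
}

# 2. Record the current state so the change can be audited and compared later.
$before = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
Write-Log "Old SusClientId = $($before.SusClientId)"
Write-Log ('Service SD before: ' + ((sc.exe sdshow wuauserv) | Where-Object { $_ }))

# 3. Stop the Windows Update service.
Stop-Service -Name wuauserv -Force -ErrorAction Stop
Write-Log 'wuauserv stopped'

# 4. Restore the service security descriptor (same SDDL as the article's script).
$sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
$result = sc.exe sdset wuauserv $sddl
Write-Log "sc sdset: $result"

# 5. Remove update files cached from the old server.
$download = Join-Path $env:windir 'SoftwareDistribution\Download'
if (Test-Path $download) {
    Get-ChildItem -Path $download -Recurse -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    Write-Log "Cleared $download"
}

# 6. Drop the client identity issued by the old server, only where the value exists.
foreach ($name in 'AccountDomainSid', 'PingID', 'SusClientId') {
    if ($null -ne (Get-ItemProperty -Path $wuKey -Name $name -ErrorAction SilentlyContinue)) {
        Remove-ItemProperty -Path $wuKey -Name $name -Force
        Write-Log "Removed $wuKey\$name"
    }
}

# 7. Start the three services the update agent depends on and confirm each is running.
foreach ($svc in $services) {
    Start-Service -Name $svc -ErrorAction Stop
    $state = (Get-Service -Name $svc).Status
    Write-Log "$svc is $state"
    if ($state -ne 'Running') { Write-Log "$svc did not start; stopping here."; return }
}

# 8. Re-register with the new server, then detect and report.
wuauclt.exe /resetauthorization /detectnow /reportnow
Write-Log 'wuauclt /resetauthorization /detectnow /reportnow issued'
$after = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
Write-Log "SusClientId after reset (a new one may take a few minutes to appear) = $($after.SusClientId)"
```

The pre-check matters because the article's symptom (clients silently not connecting) looks the same whether the client is stuck on the old server's identity or simply cannot resolve the new FQDN; resetting SusClientId does nothing for the second case. Logging the descriptor from sc sdshow before sc sdset overwrites it lets you see whether a non-default descriptor was the actual cause on a given machine, which the original script cannot tell you.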

Source: https://habr.com/ru/post/445724/
