Windows Client(s) not ‘appearing’ in WSUS

KB ID 0000591 

Problem

Before you start troubleshooting clients, how long have you waited? I usually setup and configure WSUS up at the start of a job, then leave it alone for a few DAYS, before I start worrying.

Here are the steps I usually follow to get the machines listed in the WSUS management console.

Solution

Before doing anything further, simply try running the following two PowerShell commands, (on the problem client,) and then waiting for a few hours;

[box]

$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates

wuauclt /reportnow

[/box]

 

 

1. Assuming you are deploying your WSUS settings by GPO, make sure the machine in question is actually trying to apply the policy, you can do this by running rsop.msc like so:

Or by running gpresult /R from command line

Note: If you cannot see Computer Policy / Computer Settings, i.e. you can only see user settings, then you are probably not running the command window as ‘Administrator’ (Locate cmd.exe > right click > Run as Administrator).

2. If you are enforcing by GPO, or directly via registry edit, your next step is to check that the registry entries exist. Start > In the Search/Run box type regedit {Enter}. Navigate to:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > WindowsUpdate[/box]

3. Start > In the Search/Run box type services.msc {enter} Locate the Windows Update service and ensure it is running.

4. Then locate the Background Intelligent Transfer Service and make sure that’s also running.

5. To make sure the client can see the WSUS website, open a browser window, and navigate to http://{name-of-the-wsus-server}/iuident.cab and make sure you can open/download the file.

6. If all the above is OK, you can try forcing a registration with the following command;

[box]wuauclt /detectnow[/box]

7. All update events are being logged, you can find the log at c:windowsWindowsUpdate open the file with notepad.

8. Scroll all the way to the end, then work upwards looking for errors.

9. Sometimes if you image a machine (Or clone a VM) it keeps it’s unique update ID, if this happens then the first machine with this ID to register gets listed, and all the rest do not. To find out if this is your problem, locate and stop the Windows update service on an affected client.

10. Open the registry Editor and navigate to:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > WindowsUpdate[/box]

Locate and delete the SusClientId entry.

11. Restart the Windows Update service and run the following two commands:

[box]wuauclt /resetauthorization /detectnow<br /> wuauclt /reportnow [/box]

Update 16/06/15

Received via Email from Patrick Mauger:

You can add an incorrect binding in IIS to the site WSUS Administration.

You need to add a binding for port 80, because the only ports configured are 8530 and 8531.

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure (2008 R2)

WSUS Install Error – ‘The update could not be found. There may be a network connection issue.

Message ID 6600: sms wsus configuration manager failed to configure upstream server

WSUS Install Error on Windows Server 2008 R2

Windows Certificate Services ‘certsrv’ Website displays 403.14

KB ID 0001342 

Problem

I seem to get all the PKI/Certificate services problems! Yesterday I was trying to use the web enrolment portal on a certificate services server, and could not get in locally, (or remotely) via http, (or https) it simply showed me a 403.14 error.

HTTP Error 403.14 Forbidden

Solution

This was an odd one, in IIS Manager select the ‘Certsrv’ virtual directory > Advanced Options > And look at the ‘Path’.

Mine was missing the ‘en-us‘ folder from the end of the path!

Note: You will need to open an administrative command window, and then execute an iisreset command, before the change will take effect.

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – Install and Configure a CSC Module

KB ID 0000731 

Problem

The Cisco CSC module provides ‘in line’ scanning of POP3, SMTP, HTTP and FTP traffic, to protect against viruses but also for anti spam and anti phish (with the correct licensing).

If you are familiar with Trend products, you will like it, (because that’s what it runs), and the interface is much the same as Trend IWSS.

It is a hardware device that plugs into the back of the ASA, and comes in two flavours.

1. CSC-SSM-10 (50 to 500 users, depending on licenses) for ASA 5510 and 5520.

2. CSC-SSM-20 (500 to 100 users, depending on licenses) for ASA 5510, 5520, and 5540.

In addition to licensing the amount of users, you can also buy a Plus License, this enables anti-spam, anti-phish, URL filtering, and blocking control. Note: This license expires and must be renewed annually).

Solution

Some licenses on the CSC are time specific, I would consider setting the ASA’s internal clock before you start.

Set the ASA to get time from an External NTP Server

Step 1: License the Cisco CSC Module

1. Connect to the ASA via command line, go to enable mode and issue the following command;


From the output you should be able to get the serial number of the CSC module (write it down).

2. In the box with the CSC/ASA should be an envelope containing the PAK for the CSC module, write that number down as well.

3. Go to the Cisco license portal here, Note: If you do not have a Cisco CCO account you may need to create one. Enter your PAK code > Fulfill Single PAK.

Note: If you have multiple PAK codes, you can do them at once with the ‘Load more PAK’s’ button, this may be the case if you also have a ‘plus’ license to add.

4. Enter the serial number of your CSC module and the person/company from whom you bought it > Next.

5. It should display your valid email address (from your CCO account). Tick the box to accept the terms and conditions > Get License.

6. Scroll down and accept, then select DOWNLOAD, (that way you wont have to wait for it to be emailed to you).

7. Open the license file (will have a .lic extension) with notepad and you should see two keys.

Step 2: Setup the CSC Module

Note: Here I’m going to simply set up inspection of everything on all interfaces, this might not be what you want, i.e. if theres no mail server in the DMZ why would you want to inspect all DMZ traffic for SMTP.

1. Connect to the firewall’s ASDM console > Trend Micro Content Security > It should point you straight to the setup wizard.

9. Enter the base and plus license codes. Note: The plus license code that comes with the CSC is just an evaluation one, if you have purchased a plus license separately, then paste THAT code in instead.

10. Enter the network settings you require for the CSC (it requires its own network connection). it has a single RJ45 network socket on the CSC modules back plane, connect that to your LAN > Next.

11. Supply a name for the CSC module and details of your email server (if you require email notification) > Next > enter the IP addresses that will be allowed access to the CSC web console > Next > Change the password Note: The original password will be cisco > Next.

12. Select what traffic you want to inspect, here I’ve selected all traffic all interfaces > Ive set the CSC to fail open (if theres a problem it simply passes traffic, if you have it on fail close and the CSC encounters a problem all http, smtp, ftp, and pop traffic will be blocked until the problem is resolved) > OK > Next.

13. Review the settings > Finish.

Note: You may get a warning if you set ‘fail open’ above that’s OK.

Connecting to and Managing the Cisco CSC Module

Although you can access the CSC settings via the ASDM, the easiest way is via its web interface, you set the IP address in step 2 number 10 above, navigate to
https://{ip-address}:8443

Note: You should now set the CSC module so that is DOES NOT scan its own update traffic, see the following article.

Cisco CSC Module – Stop it scanning its own update traffic

Adding a ‘PLUS’ License to a Cisco CSC

If you add the plus license later, you will obtain the code in the same manner as you did above (put the PAK and the CSC Serial number into the licensing portal and have it sent to you.

1. Once you have the code, open a web session to the CSC management interface https://{ip-address}:8443 > Administration > Licensing > Enter a new code.

2. Paste in the new code > Activate.

3. It may look like it has hung, wait a minuter or so, and check the licensing tab again.

Related Articles, References, Credits, or External Links

Cisco CSC Module Error – Activation Warning

Apple Devices will not Update Though Cisco ASA and CSC Module

Outlook Error 0x800CCC0F – Using POP3 To Exchange – Behind a Cisco CSC (Trend InterScan) Module