Level 9

Ongoing Patch Manager issues


We have the following in our environment:

  • WSUS Server on 2012 R2, WSUS version 6.3.9600.16384 using port 8530
  • Patch Manager Server on 2012 R2, running Version 2.0.2207.2
  • Around 70 Servers all on either 2008 or 2008 R2 being patched
  • GPO being applied to server OU
    • Specifying http://wsusserver.domain.local:8530 as intranet update service & statistics server
    • Automatic updates set to option 3 – Auto download and notify for install Every day at 22:00

My issue is that I have to run a gpupdate /force, then manually search for updates from each server for it to “check-in” to patch manager. Once this is complete, the server shows in PM that it has reported and everything seems happy. I have a list of about 30 of my servers that I would like to fully automate the update install. Currently I have to force a GP update, check for updates from the server, then force a ‘Report Now’ from the Patch Manager console to automate the patching process. This is required each time I want to install the correct patches.

Could this issue have anything to do with the fact that both my WSUS server & Patch manager server are in the same OU that my “WSUS GPO” is being applied?

Is it recommended to Disable intranet Microsoft update service location on my WSUS server?

Sorry for the elementary questions/write-up.

Thanks in advance! Lawrence Garvin

0 Kudos
4 Replies
Level 17
My issue is that I have to run a gpupdate /force, then manually search for updates from each server for it to “check-in” to patch manager.


Hmmm..... so, systems do not "check in" with Patch Manager. The systems check in with the WSUS server.

Patch Manager is functionally just another WSUS console, although it does need to be manually refreshed to update information.

I have a list of about 30 of my servers that I would like to fully automate the update install.

There are two ways to achieve this.

  • Edit the GPO to set AUOptions='4' and define a scheduled installation day/time.
  • Use the Update Management Wizard to create a recurring task to perform the installations on the desired machines.


Currently I have to force a GP update, check for updates from the server, then force a ‘Report Now’ from the Patch Manager console to automate the patching process.

This really is not necessary if you have configured the clients in the way you say. All of this process is automatic. The only thing that's not automated from the configuration you describe is the actual update installation.


Could this issue have anything to do with the fact that both my WSUS server & Patch manager server are in the same OU that my “WSUS GPO” is being applied?

Absolutely not.


Is it recommended to Disable intranet Microsoft update service location on my WSUS server?

Absolutely not. The WSUS Server is a Windows Server, just like every other Windows Server and it needs to get updates too!





Level 9

Thanks Lawrence!

What's odd is that if I log into a server needing updates and "Check for updates" from Control Panel, I receive error code 80070057. If I do a simple GP update then restart the Windows Update service, I will be able to successfully run the "Check for updates".

Does this allude to an issue with my GPO or either my WSUS or Patch Manager setup?

I receive the following from the Diagnostic Tool for WSUS

# Solarwinds® Diagnostic Tool for the WSUS Agent
# 1/26/2015

Machine state
  User rights:                                       User has administrator rights
  Update service status:                             Running
  Background Intelligent Transfer service status:    Running
  OS Version:                                        Windows Server 2012 R2 Datacenter
  Windows update agent version:                      7.9.9600.17489 (WU Agent is OK)

Windows Update Agent configuration settings
  Automatic Update:                                  Enabled
  Options:                                           Automatically download and notify of installation
  Use WSUS Server:                                   Not found (There is no such key)
  Windows Update Server:                             Not found (There is no such key)
  Windows Update Status Server:                      Not found (There is no such key)
  WSUS URLs are identical:                           Values are empty

WSUS Server Connectivity -- Connectivity check is impossible
  Error description:                                 Connectivity check is impossible because of invalid Windows Update Agent configuration

Last question, on my WSUS server do I need to have it look at "itself" for intranet update location? From what I understood, if I leave that GP option to Not Configured or Disabled the WSUS server will go to the Microsoft site to download updates instead of looking to itself.

Once again, thanks for all you have contributed to this and other topics!

0 Kudos
Level 17
What's odd is that if I log into a server needing updates and "Check for updates" from Control Panel, I receive error code 80070057

0x80070057

ERROR_INVALID_PARAMETER - E_INVALIDARG

One or more arguments are not valid error - Invalid proxy server name was specified in the user’s IE settings and hence WinhttpSetProxySettings call fails with E_INVALIDARG error. BITS puts the job in TRANSIENT_ERROR with the same error code. For ex, if the proxy server is set to http://foo/bar/proxy.pac, this error will be seen. This error is also seen when credentials are supplied such that scheme is not NTLM/Negotiate, but username/password is NULL, since that is not valid (WinhttpSetCredentials fails with E_INVALIDARG). BITS 1.5 puts the job into ERROR state with BG_E_INVALID_RESPONSE in the above 2 cases, because of error code mapping E_INVALIDARG is always mapped to (BG_E_INVALID_SERVER_RESPONSE).


If I do a simple GP update then restart the Windows Update service, I will be able to successfully run the "Check for updates".

Does this allude to an issue with my GPO or either my WSUS or Patch Manager setup?

The fact that a GPUpdate promptly fixes this suggests to me that something that's naturally set by GPO is being changed by some other source (a human or a script). The first step is to find out what the cause of the error actually is; then you can track down where it's being changed.

Last question, on my WSUS server do I need to have it look at "itself" for intranet update location?

That is the conventional practice. In fact, in my article Configuring Your First WSUS Client I describe this as being the first client that should be configured.


From what I understood, if I leave that GP option to Not Configured or Disabled the WSUS server will go to the Microsoft site to download updates instead of looking to itself.

That is correct. One caveat, though. If the setting has ever previously been enabled, setting it to Not Configured will not change anything. All the GPO setting does is trigger a value change in a RegValue. To trigger an inverse registry change would require explicitly disabling the policy after it has been enabled.


0 Kudos
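
The diagnostic output earlier in the thread reports the WSUS policy values as "Not found", and the answer above notes that the GPO setting only writes registry values. As an added example (not part of the thread, and not SolarWinds or Microsoft code), this PowerShell check reads the standard Windows Update policy values and flags any that are missing or differ from what the GPO should set; the URL and AUOptions defaults are taken from the original post and are assumptions for any other environment.

```powershell
# Added example: compare the WSUS client policy values in the registry with the GPO's intended values.
# $ExpectedUrl and $ExpectedAUOptions are assumptions copied from the original post; adjust as needed
# (for example AUOptions 4 if the GPO is changed to scheduled installation).
param(
    [string]$ExpectedUrl = 'http://wsusserver.domain.local:8530',
    [int]$ExpectedAUOptions = 3
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value is absent (the "Not found" case in the diagnostic output).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$checks = @(
    @{ Key = $wuKey; Name = 'WUServer';       Expected = $ExpectedUrl },
    @{ Key = $wuKey; Name = 'WUStatusServer'; Expected = $ExpectedUrl },
    @{ Key = $auKey; Name = 'UseWUServer';    Expected = 1 },
    @{ Key = $auKey; Name = 'AUOptions';      Expected = $ExpectedAUOptions }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Key $c.Name
    if ($null -eq $actual) { $state = 'MISSING' }
    elseif ("$actual" -eq "$($c.Expected)") { $state = 'OK' }
    else { $state = 'MISMATCH' }
    New-Object PSObject -Property @{
        Setting = $c.Name; Expected = $c.Expected; Actual = $actual; State = $state
    }
}
$results | Select-Object Setting, Expected, Actual, State | Format-Table -AutoSize

# 0x80070057 is described above as a proxy-related failure, so record the machine-wide WinHTTP proxy too.
netsh winhttp show proxy

# A non-zero exit code lets a scheduled task or monitoring job flag drift between GPO refreshes.
if ($results | Where-Object { $_.State -ne 'OK' }) { exit 1 } else { exit 0 }
```

Running it right after a failed "Check for updates" and again after gpupdate shows which value is being changed between policy refreshes.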
Level 9

That gives me something to look into.

Thanks! Lawrence Garvin

0 Kudos