4 Replies Latest reply on Jan 26, 2015 2:01 PM by rgtheitman

    Ongoing Patch Manager issues

    rgtheitman

      We have the following in our environment:

      • WSUS Server on 2012 R2, WSUS version 6.3.9600.16384 using port 8530
      • Patch Manager Server on 2012 R2, running Version 2.0.2207.2
      • Around 70 Servers all on either 2008 or 2008 R2 being patched
      • GPO being applied to server OU
        • Specifying http://wsusserver.domain.local:8530 as intranet update service & statistics server
        • Automatic updates set to option 3 – Auto download and notify for install Every day at 22:00

      My issue is that I have to run a gpupdate /force, then manually search for updates from each server for it to “check-in” to patch manager. Once this is complete, the server shows in PM that it has reported and everything seems happy. I have a list of about 30 of my servers that I would like to fully automate the update install. Currently I have to force a GP update, check for updates from the server, then force a ‘Report Now’ from the Patch Manager console to automate the patching process. This is required each time I want to install the correct patches.

      Could this issue have anything to do with the fact that both my WSUS server & Patch manager server are in the same OU that my “WSUS GPO” is being applied?

      Is it recommended to Disable intranet Microsoft update service location on my WSUS server?

      Sorry for the elementary questions/write-up.

      Thanks in advance!
      LGarvin

        • Re: Ongoing Patch Manager issues
          Lawrence Garvin
          My issue is that I have to run a gpupdate /force, then manually search for updates from each server for it to “check-in” to patch manager.


          Hmmm..... so, systems do not "check in" with Patch Manager. The systems check in with the WSUS server.

          Patch Manager is functionally just another WSUS console, although it does need to be manually refreshed to update information.

          I have a list of about 30 of my servers that I would like to fully automate the update install.

          There are two ways to achieve this.

          • Edit the GPO to set AUOptions='4' and define a scheduled installation day/time.
          • Use the Update Management Wizard to create a recurring task to perform the installations on the desired machines.

          Currently I have to force a GP update, check for updates from the server, then force a ‘Report Now’ from the Patch Manager console to automate the patching process.

          This really is not necessary if you have configured the clients in the way you say. All of this process is automatic. The only thing that's not automated from the configuration you describe is the actual update installation.

          Could this issue have anything to do with the fact that both my WSUS server & Patch manager server are in the same OU that my “WSUS GPO” is being applied?

          Absolutely not.

          Is it recommended to Disable intranet Microsoft update service location on my WSUS server?

          Absolutely not. The WSUS Server is a Windows Server, just like every other Windows Server and it needs to get updates too!

            • Re: Ongoing Patch Manager issues
              rgtheitman

              Thanks Lawrence!

              What's odd is that if I log into a server needing updates and "Check for updates" from Control Panel, I receive error code 80070057. If I do a simple GP update then restart the Windows Update service, I will be able to successfully run the "Check for updates".

              Does this allude to an issue with my GPO or either my WSUS or Patch Manager setup?

              I receive the following from the Diagnostic Tool for WSUS

              # Solarwinds® Diagnostic Tool for the WSUS Agent
              # 1/26/2015

              Machine state
                User rights:                                       User has administrator rights
                Update service status:                             Running
                Background Intelligent Transfer service status:    Running
                OS Version:                                        Windows Server 2012 R2 Datacenter
                Windows update agent version:                      7.9.9600.17489 (WU Agent is OK)

              Windows Update Agent configuration settings
                Automatic Update:                                  Enabled
                Options:                                           Automatically download and notify of installation
                Use WSUS Server:                                   Not found (There is no such key)
                Windows Update Server:                             Not found (There is no such key)
                Windows Update Status Server:                      Not found (There is no such key)
                WSUS URLs are identical:                           Values are empty

              WSUS Server Connectivity -- Connectivity check is impossible
                Error description:                                 Connectivity check is impossible because of invalid Windows Update Agent configuration

              Last question, on my WSUS server do I need to have it look at "itself" for intranet update location? From what I understood, if I leave that GP option to Not Configured or Disabled the WSUS server will go to the Microsoft site to download updates instead of looking to itself.

              Once again, thanks for all you have contributed to this and other topics!

                • Re: Ongoing Patch Manager issues
                  Lawrence Garvin
                  What's odd is that if I log into a server needing updates and "Check for updates" from Control Panel, I receive error code 80070057

                  0x80070057

                  ERROR_INVALID_PARAMETER - E_INVALIDARG

                  One or more arguments are not valid error - Invalid proxy server name was specified in the user’s IE settings and hence WinhttpSetProxySettings call fails with E_INVALIDARG error. BITS puts the job in TRANSIENT_ERROR with the same error code. For ex, if the proxy server is set to http://foo/bar/proxy.pac, this error will be seen. This error is also seen when credentials are supplied such that scheme is not NTLM/Negotiate, but username/password is NULL, since that is not valid (WinhttpSetCredentials fails with E_INVALIDARG). BITS 1.5 puts the job into ERROR state with BG_E_INVALID_RESPONSE in the above 2 cases, because of error code mapping E_INVALIDARG is always mapped to (BG_E_INVALID_SERVER_RESPONSE).


                  If I do a simple GP update then restart the Windows Update service, I will be able to successfully run the "Check for updates".

                  Does this allude to an issue with my GPO or either my WSUS or Patch Manager setup?

                  The fact that a GPUpdate promptly fixes this suggests to me that something that's naturally set by GPO is being changed by some other source (a human or a script). The first step is to find out what the cause of the error actually is; then you can track down where it's being changed.

                  Last question, on my WSUS server do I need to have it look at "itself" for intranet update location?

                  That is the conventional practice. In fact, in my article Configuring Your First WSUS Client I describe this as being the first client that should be configured.


                  From what I understood, if I leave that GP option to Not Configured or Disabled the WSUS server will go to the Microsoft site to download updates instead of looking to itself.

                  That is correct. One caveat, though. If the setting has ever previously been enabled, setting it to Not Configured will not change anything. All the GPO setting does is trigger a value change in a RegValue. To trigger an inverse registry change would require explicitly disabling the policy after it has been enabled.
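The diagnostic output above reports "Not found (There is no such key)" for the WSUS server values, and Lawrence's last point is that the GPO only writes registry values under the WindowsUpdate policy key. The script below is an added example (not from this thread or from SolarWinds) that reads those same policy values on a client and compares them with the GPO described in the first post; the registry paths are the standard Windows Update policy locations, while the expected URL, AUOptions and install hour are taken from the thread and passed in as parameters, and the `Get-PolicyValue` helper is this example's own.

```powershell
# Added example: audit the WSUS client policy values the Windows Update Agent actually reads.
# Expected values come from the GPO described in this thread; adjust the parameters for your own.
param(
    [string]$ExpectedWsusUrl   = 'http://wsusserver.domain.local:8530',
    [int]   $ExpectedAUOptions = 4,    # 4 = auto download and schedule the install
    [int]   $ExpectedInstallHour = 22  # 22:00, the time quoted in the GPO above
)

$wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPath = Join-Path $wuPath 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent (the "There is no such key"
    # case in the diagnostic output) instead of throwing.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# WUServer/WUStatusServer are the two intranet URLs the GPO sets; UseWUServer=1
# tells the agent to use them; AUOptions and ScheduledInstallTime drive the install.
$checks = @(
    @{ Name = 'WUServer';             Path = $wuPath; Expected = $ExpectedWsusUrl }
    @{ Name = 'WUStatusServer';       Path = $wuPath; Expected = $ExpectedWsusUrl }
    @{ Name = 'UseWUServer';          Path = $auPath; Expected = 1 }
    @{ Name = 'AUOptions';            Path = $auPath; Expected = $ExpectedAUOptions }
    @{ Name = 'ScheduledInstallTime'; Path = $auPath; Expected = $ExpectedInstallHour }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        Status   = if ($null -eq $actual) { 'MISSING' }
                   elseif ("$actual" -eq "$($c.Expected)") { 'OK' }
                   else { 'MISMATCH' }
    }
}

$results | Format-Table -AutoSize

# A MISSING WUServer/UseWUServer pair is what produces "Use WSUS Server: Not found";
# a value that changes between gpupdate runs points to another writer of this key.
if ($results.Status -contains 'MISSING' -or $results.Status -contains 'MISMATCH') { exit 1 }
```

Run it once right after `gpupdate /force` and again later; if the values are present the first time and gone the second, something other than Group Policy is rewriting the key, which is the cause Lawrence suggests tracking down.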