Update Services not going to local server

I have defined a gpo to set the following two attributes:

Computer Configuration \ Policies \ Administrative Templates \ Windows
Components \ Windows Update

Configure Automatic Updates = Enabled
Automatic Updating = 5 - Allow local admin to choose setting

Specify intranet microsoft update service location
update service = wsus.x.y
statistics server = wsus.x.y


I have gone into the registry and verified that:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUServer
= wsus.x.y
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUStatusServer
= wsus.x.y

To verify that the system is hitting the internal server, I ran WireShark
and noticed that WU never hits my internal wsus server. Instead it appears
to be going externally.

Does anything appear incorrect in how I have the system configured? Am I
missing a policy setting? Any other things to sniff to try and track down
what is going on?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

I statred to think about this, maybe what I am expecting is incorrect. If I
open a browser and point it to http://update.microsoft.com/windowsupdate, is
this the same as allowing WU to run? This doesn't seem logical, since I
don't see it redirect so it shouldn't be hitting the internal server.

I'm now thinking this is working correctly I am just testing incorrectly.

Feedback?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Paul Bergson [MVP-DS]" wrote in message
...
I have defined a gpo to set the following two attributes:

Computer Configuration \ Policies \ Administrative Templates \ Windows
Components \ Windows Update

Configure Automatic Updates = Enabled
Automatic Updating = 5 - Allow local admin to choose setting

Specify intranet microsoft update service location
update service = wsus.x.y
statistics server = wsus.x.y


I have gone into the registry and verified that:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUServer
= wsus.x.y
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUStatusServer
= wsus.x.y

To verify that the system is hitting the internal server, I ran WireShark
and noticed that WU never hits my internal wsus server. Instead it
appears to be going externally.

Does anything appear incorrect in how I have the system configured? Am I
missing a policy setting? Any other things to sniff to try and track down
what is going on?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Since I don't know which NG you'll see this from Paul, I've x-posted it
to the WSUS NG and left the other x-posts:
news://msnews.microsoft.com/microsof...pdate_services

MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"


Paul Bergson [MVP-DS] wrote:

I have defined a gpo to set the following two attributes:

Computer Configuration \ Policies \ Administrative Templates \ Windows
Components \ Windows Update

Configure Automatic Updates = Enabled
Automatic Updating = 5 - Allow local admin to choose setting

Specify intranet microsoft update service location
update service = wsus.x.y
statistics server = wsus.x.y


I have gone into the registry and verified that:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUServer
= wsus.x.y
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUStatusServer
= wsus.x.y

To verify that the system is hitting the internal server, I ran WireShark
and noticed that WU never hits my internal wsus server. Instead it appears
to be going externally.

Does anything appear incorrect in how I have the system configured? Am I
missing a policy setting? Any other things to sniff to try and track down
what is going on?

Paul Bergson [MVP-DS] wrote:

Hi Paul!

I have defined a gpo to set the following two attributes:

Computer Configuration \ Policies \ Administrative Templates \ Windows
Components \ Windows Update

Configure Automatic Updates = Enabled
Automatic Updating = 5 - Allow local admin to choose setting

Specify intranet microsoft update service location
update service = wsus.x.y
statistics server = wsus.x.y


I have gone into the registry and verified that:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUServer
= wsus.x.y
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUStatusServer
= wsus.x.y

To verify that the system is hitting the internal server, I ran WireShark
and noticed that WU never hits my internal wsus server. Instead it
appears to be going externally.

The most likely cause for this is either UseWUServer is set to false
(dword:0x0) in the registry, or there are conflicting values configured in
the registry (and not overridden by your GPO) causing the WUAgent to ignore
the configured values in the registry and use its internal defaults (which
is to use AU).

Incidentally, verifying that the client system is hitting the internal
server can be done without packet sniffing, and truly, a more authoritative
source is that:
1. A client which successfully connects with a WSUS server will be listed in
the All Computers node of the WSUS console with a Last Contact Date
representative of the actual contact.
2. The WindowsUpdate.log records all WUAgent activity, in extensive detail,
including every contact with every webservice available on the WSUS server.

While I've not tested this, it's also possible that the AUOptions=5 policy
setting is not causing the WUAgent to reread its configuration on the policy
refresh and is still operating under the locally configured AU settings.
Restarting the AU service will force the WUAgent to re-read the current
registry settings and respond to the configured WSUS preferences.

In general, to verify the configuration of the client:
a. Use GPRESULT or RSOP to verify that the configured WSUS GPO is actually
being applied.
b. Validate all registry values in the ~\WindowsUpdate policy keys, as
matching the configured or desired policy settings, particularly as relates
to values corresponding to "Not Configured" policy settings.
c. Restart the AU service and inspect the configuration values being
recorded in the WindowsUpdate.log at service startup.





--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

My question now is, if I pull up WU in a browser where does the client
connect to? Microsoft or my internal server? I think Microsoft is there a
way to point internally?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Lawrence Garvin [MVP]" wrote in message
...
Paul Bergson [MVP-DS] wrote:

Hi Paul!

I have defined a gpo to set the following two attributes:

Computer Configuration \ Policies \ Administrative Templates \ Windows
Components \ Windows Update

Configure Automatic Updates = Enabled
Automatic Updating = 5 - Allow local admin to choose setting

Specify intranet microsoft update service location
update service = wsus.x.y
statistics server = wsus.x.y


I have gone into the registry and verified that:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUServer
= wsus.x.y
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\WUStatusServer
= wsus.x.y

To verify that the system is hitting the internal server, I ran
WireShark and noticed that WU never hits my internal wsus server.
Instead it appears to be going externally.

The most likely cause for this is either UseWUServer is set to false
(dword:0x0) in the registry, or there are conflicting values configured in
the registry (and not overridden by your GPO) causing the WUAgent to
ignore the configured values in the registry and use its internal defaults
(which is to use AU).

Incidentally, verifying that the client system is hitting the internal
server can be done without packet sniffing, and truly, a more
authoritative source is that:
1. A client which successfully connects with a WSUS server will be listed
in the All Computers node of the WSUS console with a Last Contact Date
representative of the actual contact.
2. The WindowsUpdate.log records all WUAgent activity, in extensive
detail, including every contact with every webservice available on the
WSUS server.

While I've not tested this, it's also possible that the AUOptions=5 policy
setting is not causing the WUAgent to reread its configuration on the
policy refresh and is still operating under the locally configured AU
settings. Restarting the AU service will force the WUAgent to re-read the
current registry settings and respond to the configured WSUS preferences.

In general, to verify the configuration of the client:
a. Use GPRESULT or RSOP to verify that the configured WSUS GPO is actually
being applied.
b. Validate all registry values in the ~\WindowsUpdate policy keys, as
matching the configured or desired policy settings, particularly as
relates to values corresponding to "Not Configured" policy settings.
c. Restart the AU service and inspect the configuration values being
recorded in the WindowsUpdate.log at service startup.





--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

"Paul Bergson [MVP-DS]" wrote in message
...

My question now is, if I pull up WU in a browser where does the client
connect to?

When you pull up MU/WU in a brower, that connection is *always* to
Microsoft.com.

I think Microsoft is there a way to point internally?

WSUS does not provide a web-based client-side UI. It's strictly a
corporate-level implementation of "Automatic Updates", albeit with a larger
catalog of products.

To initiate a client-side detection against the WSUS Server, run the
command: wuauclt /detectnow.
In addition, on Vista and later systems, you can target the scan against the
WSUS server using the WUApp in Control Panel. If you click on "Check for
updates" in the task pane, the scan will be executed against the WSUS server
on a WSUS-enabled client, or against MU otherwise; you can force the scan to
be run against MU on a WSUS-enabled client by clicking on the link in the
main pane that says "Check online for updates from Microsoft Update"


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

This is exactly what I was looking for.

Thank-You!

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Lawrence Garvin [MVP]" wrote in message
...
"Paul Bergson [MVP-DS]" wrote in message
...

My question now is, if I pull up WU in a browser where does the client
connect to?

When you pull up MU/WU in a brower, that connection is *always* to
Microsoft.com.

I think Microsoft is there a way to point internally?

WSUS does not provide a web-based client-side UI. It's strictly a
corporate-level implementation of "Automatic Updates", albeit with a
larger catalog of products.

To initiate a client-side detection against the WSUS Server, run the
command: wuauclt /detectnow.
In addition, on Vista and later systems, you can target the scan against
the WSUS server using the WUApp in Control Panel. If you click on "Check
for updates" in the task pane, the scan will be executed against the WSUS
server on a WSUS-enabled client, or against MU otherwise; you can force
the scan to be run against MU on a WSUS-enabled client by clicking on the
link in the main pane that says "Check online for updates from Microsoft
Update"


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

The browser will load update.microsoft.com but the actual binding of the WUA
agent will be to which ever service it is registered for.

In this case, WSUS managed means updates will come from WSUS ... so the
browser experience will be a falsetto of what is truly going on under the
covers since the activeX is trolling over WUA.

--
thanks
..paul

/*++

Paul Russell

--*/

"Lawrence Garvin [MVP]" wrote in message
...
"Paul Bergson [MVP-DS]" wrote in message
...

My question now is, if I pull up WU in a browser where does the client
connect to?

When you pull up MU/WU in a brower, that connection is *always* to
Microsoft.com.

I think Microsoft is there a way to point internally?

WSUS does not provide a web-based client-side UI. It's strictly a
corporate-level implementation of "Automatic Updates", albeit with a
larger catalog of products.

To initiate a client-side detection against the WSUS Server, run the
command: wuauclt /detectnow.
In addition, on Vista and later systems, you can target the scan against
the WSUS server using the WUApp in Control Panel. If you click on "Check
for updates" in the task pane, the scan will be executed against the WSUS
server on a WSUS-enabled client, or against MU otherwise; you can force
the scan to be run against MU on a WSUS-enabled client by clicking on the
link in the main pane that says "Check online for updates from Microsoft
Update"


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

"Paul Russell" wrote in message
...
The browser will load update.microsoft.com but the actual binding of the
WUA agent will be to which ever service it is registered for.

In this case, WSUS managed means updates will come from WSUS ... so the
browser experience will be a falsetto of what is truly going on under the
covers since the activeX is trolling over WUA.

I'm sorry, Paul, but this is not a true statement, and the proof is logged
in the WindowsUpdate.log when such an event occurs.

If you want unequivocal proof, however, just pull the plug on the WSUS
Server and watch the WUA trip happily along downloading from WU -- oblivious
to the fact that the WSUS server has gone away. Only when the WUA executes
the next regularly scheduled "WSUS" detection will it log errors that it
cannot connect.

Furthermore, if what you say were true, it would be *impossible* to install
updates from Microsoft Update in a WSUS environment unless the *content*
were actually physically present on the WSUS Server -- where would the WUA
get the content from? Since I have routinely used MU to download and install
service packs (because I don't generally keep SP content on my WSUS server),
I can empirically attest to the fact that the WUA will happly detect and
acquire content from =WU/MU=, irrespective of the setting of the UseWUServer
registry value, and regardless of whether the content is even synchronized
to that WSUS server.

For the sake of convenience,though, here's a scan against WU/MU just
performed on my WSUS-configured Windows 7 system by clicking on "Check for
updates from Microsoft Update", and then immediately after reran a detection
against my WSUS server. (Note: I have declined any "RC" updates on my WSUS
server, and currently I have =zero= updates on the WSUS Server reported as
"Needed" by this system.)

Results from WU:
2009-10-30 00:43:08:318 1116 11c4 PT + ServiceId =
{7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL =
https://www.update.microsoft.com/v6/...ce/client.asmx
2009-10-30 00:43:31:361 1116 11c4 Agent * Found 50 updates and 63
categories in search; evaluated appl. rules of 1090 out of 1520 deployed
entities

Results from WSUS:
2009-10-30 00:43:41:312 1116 11c4 PT + ServiceId =
{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
http://sbs2003r2:8530/ClientWebService/client.asmx
2009-10-30 00:43:50:749 1116 11c4 Agent * Found 0 updates and 61
categories in search; evaluated appl. rules of 574 out of 794 deployed
entities

Note also that the number of categories (WU: 63; WSUS: 61), the total number
of updates in the catalog (WU: 1520; WSUS: 794), and the number of updates
actaully evaluated (WU: 1090; WSUS: 574) is different in every case, and
scanning against WU identified =50= applicable updates.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin