I developed a tool to collect SCCM information. This tool is not perfect, but it can save you a lot of time and effort in daily troubleshooting of SCCM / MECM issues.
Used to collect from the following endpoints:
general computer information
enable/disable sccm verbose
information of computers which have SCCM/MECM installed
information of computers which have Software Update Point role installed
information of computers which have Distribution Point role installed
information of computers which have Management Point role installed
We followed the official guide to configure third-party software updates for Configuration Manager. After adding a custom catalog, we tried the Sync now menu on the top ribbon. Unfortunately, it did not work.
Logs show the following exceptions:
WSUSCtrl:
Attempting connection to local WSUS server 2720 (0x0AA0)
System.Net.WebException: The request failed with HTTP status 403: Forbidden. at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args) at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) 2720 (0x0AA0)
Failures reported during periodic health check by the WSUS Server CONTOSO.COM. Will retry check in 1 minutes 2720 (0x0AA0)
Waiting for changes for 1 minutes 2720 (0x0AA0)
Timed Out… 2720 (0x0AA0)
SMS_ISVUPDATES_SYNCAGENT.log:
==================== Exception Detail Start ======================= 5184 (0x1440)
Exception type: WebException 5184 (0x1440)
Exception HRESULT: -2146233079 5184 (0x1440)
Exception Message: The request failed with HTTP status 403: Forbidden. 5184 (0x1440)
Exception source Microsoft.UpdateServices.Administration 5184 (0x1440)
Exception TargetSite Microsoft.UpdateServices.Administration.IUpdateServer CreateUpdateServer(System.Object[]) 5184 (0x1440)
Stack at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.ConfigurationManager.ISVUpdatesSyncAgent.WSUS.UpdateServicesWrapper.Connect() 5184 (0x1440)
===================== Exception Detail End ======================== 5184 (0x1440)
WCM.log:
Successfully connected to server: CONTOSO.com, port: 8531, useSSL: True 70592 (0x113C0)
Waiting for changes for 59 minutes 70592 (0x113C0)
Wait timed out after 59 minutes while waiting for at least one trigger event. 70592 (0x113C0)
Timed Out… 70592 (0x113C0)
In addition, SCCM SMS_WSUS_CONTROL_MANAGER kept printing repeated Error 7000 and 7003.
WSUS Control Manager failed to monitor WSUS Server “CONTOSO.COM”. Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted. Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website.
Then we checked the health on SUP:
Open CMD as admin
Navigate to C:\Program Files\Update Services\Tools
Run: WSUSUtil.exe checkhealth
I found Event IDs 12002, 12052, 12042, 12022, 12032 and 12012 in the Windows Server Update Services event log:
The description for Event ID 12052 from source Windows Server Update Services cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
The DSS Authentication Web Service is not working.
The only step we missed was configuring WSUS for SSL with wsusutil configuressl. So we tried the following steps:
Open CMD as admin and navigate to C:\Program Files\Update Services\Tools
Run (Case sensitive): wsusutil.exe configuressl <FQDN-OF-WSUS-SERVER>
Restart WSUS Service from services and WSUS Administration from IIS Administration control
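A quick way to confirm the fix took effect, as an added example that is not part of the original post: it checks that the SSL port answers, that the WSUS administration API accepts an SSL connection (the call that returned 403 above), and whether the tail of WSUSCtrl.log still records the 403. The parameter names are assumptions, and Get-WsusServer needs the UpdateServices module on the machine where the script runs.

```powershell
# Added example (not from the original post): verify WSUS over SSL after
# running wsusutil.exe configuressl and restarting the services.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$WsusFqdn,      # same FQDN that was passed to configuressl
    [int]$SslPort = 8531,                         # SSL port shown in WCM.log above
    [Parameter(Mandatory)][string]$WsusCtrlLog    # assumption: full path to the site server's WSUSCtrl.log
)

$result = [ordered]@{
    PortOpen        = $false
    AdminApiOverSsl = $false
    WsusVersion     = $null
    Recent403Count  = $null
}

# 1. Is anything listening on the SSL port?
$tcp = Test-NetConnection -ComputerName $WsusFqdn -Port $SslPort -WarningAction SilentlyContinue
$result.PortOpen = $tcp.TcpTestSucceeded

# 2. Can the administration API connect over SSL? This is the code path that
#    logged "HTTP status 403: Forbidden" in WSUSCtrl.log.
try {
    $wsus = Get-WsusServer -Name $WsusFqdn -PortNumber $SslPort -UseSsl -ErrorAction Stop
    $result.AdminApiOverSsl = $true
    $result.WsusVersion     = $wsus.Version.ToString()
}
catch {
    Write-Warning "Admin API connection over SSL failed: $($_.Exception.Message)"
}

# 3. Does the log still record the 403? Only the last lines are read,
#    because older entries predate the fix.
if (Test-Path -LiteralPath $WsusCtrlLog) {
    $hits = Get-Content -LiteralPath $WsusCtrlLog -Tail 200 |
        Select-String -Pattern 'HTTP status 403' -SimpleMatch
    $result.Recent403Count = @($hits).Count
}

[pscustomobject]$result
```

A healthy result has PortOpen and AdminApiOverSsl both True and Recent403Count at 0 once WSUS Control Manager has completed a new health check.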
There are several ways to install the SCCM client on end-user computers. Manual installation is one of the most commonly used, especially when you are deploying the SCCM client to UNIX/Linux or Mac OS X.
Here is an example to show you how to do manual client installation.
Open PowerShell(Admin): Set-ExecutionPolicy Unrestricted
Run the script: .\inst-sccm-client.ps1
This script first creates a directory named Client on the client computer, then copies the content of \Client (the shared location is \\<site server name>\SMS_<site code>\Client\, e.g. \\Shps1\sms_ps1\Client) into that directory. Make sure you have read permission on \Client. It then sets the current location to the Client directory and runs the installation command.
“specifies a source management point for computers to connect to”.
“Computers use this management point to find the nearest distribution point for the installation files”.
CCMDEBUGLOGGING, SMSSITECODE and CCMLOGLEVEL are Client.msi switches:
CCMDEBUGLOGGING – Enables logging if this property is set to TRUE. By default, logging is enabled.
CCMLOGLEVEL – Specify an integer ranging from 0 to 3, where 0 is the most verbose logging and 3 logs only errors. The default is 1.
SMSSITECODE – Specifies the Configuration Manager site to assign the Configuration Manager client to. This can either be a three-character site code or the word AUTO.
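The copy-then-install flow described above, as an added example; it is not the author's inst-sccm-client.ps1. Parameter names and the local directory are assumptions, /mp: is the ccmsetup.exe switch for the source management point, and the log path is the default ccmsetup location.

```powershell
# Added example, not the author's inst-sccm-client.ps1: copy the Client share
# locally, then start ccmsetup.exe with the Client.msi properties listed above.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$SiteServer,        # <site server name> in the share path
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3}$')]
    [string]$SiteCode,                                # three-character <site code>
    [Parameter(Mandatory)][string]$ManagementPoint,   # passed to ccmsetup.exe /mp:
    [ValidateRange(0, 3)][int]$LogLevel = 1,          # CCMLOGLEVEL: 0 most verbose, 3 errors only
    [string]$LocalDir = (Join-Path $env:SystemDrive 'Client')   # assumption: local copy target
)

$ErrorActionPreference = 'Stop'
$share = "\\$SiteServer\SMS_$SiteCode\Client"

# Fail early with a clear message if the share cannot be read.
if (-not (Test-Path -LiteralPath (Join-Path $share 'ccmsetup.exe'))) {
    throw "Cannot read ccmsetup.exe under $share; check the share path and read permission."
}

New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
Copy-Item -Path (Join-Path $share '*') -Destination $LocalDir -Recurse -Force
Set-Location -LiteralPath $LocalDir

$ccmArgs = @(
    "/mp:$ManagementPoint"
    "SMSSITECODE=$SiteCode"
    'CCMDEBUGLOGGING=TRUE'       # value as described in the text above
    "CCMLOGLEVEL=$LogLevel"
)
$proc = Start-Process -FilePath (Join-Path $LocalDir 'ccmsetup.exe') `
    -ArgumentList $ccmArgs -Wait -PassThru

# ccmsetup.exe hands the installation to a service and returns, so this exit
# code only reflects the bootstrap. The outcome is written to ccmsetup.log.
$log = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
Write-Host "ccmsetup.exe returned $($proc.ExitCode). Follow $log for the result."
Write-Host "A line containing 'installation failed. Error text: ExitCode:' marks a failed client.msi run."
```

Set-ExecutionPolicy without a scope changes the machine-wide policy; adding -Scope Process to that command limits the change to the PowerShell session that runs the script.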
Issue
During SCCM 1810 client installation process, installation failed with ccmsetup.log showing the following exceptions:
File C:\Windows\ccmsetup{7E31AE3A-2706-4A34-9970-73A5526B5346}\client.msi installation failed. Error text: ExitCode: 1603
Action: CcmRegisterWmiMofFile.
ErrorMessages:
Setup was unable to compile the file DiscoveryStatus.mof
The error code is 80041002
As you can see, the direct reason was that DiscoveryStatus.mof compilation failed.
Solution
Open command prompt as administrator
Navigate into C:\Program Files\Microsoft Policy Platform
Run: mofcomp ExtendedStatus.mof
Retry SCCM client installation
Note that my case happened in SCCM 1810. However, this solution also applies to SCCM 2012. If you come across the issue in other versions of SCCM, just give it a try.
A local Group Policy setting will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.
In order to check the WSUS server that the clients are contacting and also check for any GPOs affecting those clients, you will need to check the following aspects.
RSoP.msc on the client
Check the Computer Configuration > Administrative Templates > Windows Components > Windows Update – Does it show the correct WSUS server?
Registry settings
Compare the following registry keys on the “problematic” machine with the same registry keys from a “working” machine:
When an Active Directory Group Policy setting overrides the local Group Policy setting, you will see the following:
Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://newwsussvr.sccmpeek.com:8530 and Policy ENABLED WUAHandler
I believe some of you must have noticed that WUAUClt no longer works on Windows 10 or Windows Server 2016 / 2019. There is a replacement for WUAUClt named USOClient located in C:\WINDOWS\SYSTEM32\ directory.
WUAUclt Utility
Before Windows 10 and Windows Server 2016 / 2019, you could use WUAUClt to search for, download and install new updates.
WUAUClt.exe /detectnow - forces an update detection. If there are updates approved for install that the client needs, it will download them when the command runs.
WUAUClt.exe /updatenow - installs the downloaded updates
Note that WUAUClt.exe /detectnow works only when Automatic Update is enabled and that WUAUClt.exe /updatenow works only when 4 – Auto download and schedule the install is selected for Configure Automatic Updates. You can enable Automatic Updates via Group Policy.
Other command line switches for WUAuclt utility
Option – Description
/a /ResetAuthorization – Initiates an asynchronous background search for applicable updates. If Automatic Updates is disabled, this option has no effect.
/r /ReportNow – Sends all queued reporting events to the server asynchronously.
Sometimes you may need to re-register a client with the WSUS server. In that case you can run the following commands.
gpupdate /force
WUAUclt.exe /detectnow
Note that for Windows 10 and Windows Server 2016 / 2019 +, you need to run USOClient.exe StartScan instead of WUAUclt.exe /detectnow. Read further for USOClient utility.
USOClient Utility
USO stands for Update Session Orchestrator, and it replaces the Windows Update Agent. The Windows Update service command, USOClient.exe, is basically used to scan for updates, or to install or resume them.
USOClient utility works on Windows 10 and Windows 2016 / 2019 + as a replacement of WUAUclt.
USOClient utility switches
Option – Description
StartScan – Used to start a scan
StartDownload – Used to start the download of patches
StartInstall – Used to install downloaded patches
RefreshSettings – Refreshes settings if any changes were made
StartInteractiveScan – May ask for user input and/or open dialogues to show progress or report errors