WSUS updates download stuck

ISSUE

WSUS updates download stuck

BACKGROUND

This issue happened on an offline internal WSUS server, which does not have internet access. Its data was imported from another, internet-accessible external source WSUS server. For how to export and import WSUS data, refer to: Synchronize software updates from a disconnected software update point

BEHAVIOUR

WSUS console shows:

The files for this update have not yet been downloaded. The update can be approved but will not be available to computers until the download is complete.

SoftwareDistribution.log shows the following, and nothing else about the BITS download:

UTC Info WsusService.22 ContentSyncAgent.Download Item: ed4fe8f2-08e3-4533-baf9-824531bcae8b has been submitted to BITS for Download

SOLUTION

When I ran this command in an elevated command prompt

bitsadmin /list /allusers /verbose

to list all the jobs, I observed 10 jobs in a failed state due to being unable to resolve the download address.

GUID: {B179C08E-B3A6-4E53-A67C-2216F753EE78} DISPLAY: 'ed4fe8f2-08e3-4533-baf9-824531bcae8b'
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: NT AUTHORITY\NETWORK SERVICE
PRIORITY: HIGH FILES: 0 / 1 BYTES: 0 / UNKNOWN
CREATION TIME: 25/5/2022 5:28:27 PM MODIFICATION TIME: 26/5/2022 11:02:09 AM
COMPLETION TIME: UNKNOWN ACL FLAGS: 
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 86400 ERROR COUNT: 107
PROXY USAGE: NO_PROXY PROXY LIST: NULL PROXY BYPASS LIST: NULL
ERROR FILE:    http://download.windowsupdate.com/c/msdownload/eula/useterms_t1c_2r_ed_client_volume_1_et-ee-0631e9b6-a6be-4014-a512-db457f7e7bfe.txt -> D:\WSUS\WsusContent\83\E1084A7E5C68A4D0774CDEF8E8D90EDEC36A2C83.txt
ERROR CODE:    0x80072ee7
ERROR CONTEXT: 0x00000005
DESCRIPTION: SUSFile
JOB FILES: 
	0 / UNKNOWN WORKING http://download.windowsupdate.com/c/msdownload/eula/useterms_t1c_2r_ed_client_volume_1_et-ee-0631e9b6-a6be-4014-a512-db457f7e7bfe.txt -> D:\WSUS\WsusContent\83\E1084A7E5C68A4D0774CDEF8E8D90EDEC36A2C83.txt
NOTIFICATION COMMAND LINE: none
owner MIC integrity level: SYSTEM
owner elevated ?           true
This job is read-only to the current CMD window because the job's mandatory 
integrity level of SYSTEM is higher than the window's level of HIGH.
Peercaching flags
	 Enable download from peers      :false
	 Enable serving to peers         :false

CUSTOM HEADERS: NULL
...
Listed 10 job(s).
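
With ten or more such jobs, reading the verbose listing by eye is slow. The following PowerShell is an added example, not part of the original post: it parses the bitsadmin text into one object per failed job and checks whether each target file exists on disk. The function name Get-FailedBitsJob is hypothetical, and the second job in the sample is constructed.

```powershell
# Added example (not from the original post): list failed BITS jobs from
# `bitsadmin /list /allusers /verbose` text and check whether each target file exists.
# On a live server:  $text = bitsadmin /list /allusers /verbose | Out-String
$sample = @'
GUID: {B179C08E-B3A6-4E53-A67C-2216F753EE78} DISPLAY: 'ed4fe8f2-08e3-4533-baf9-824531bcae8b'
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: NT AUTHORITY\NETWORK SERVICE
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 86400 ERROR COUNT: 107
ERROR FILE:    http://download.windowsupdate.com/c/msdownload/eula/useterms_t1c_2r_ed_client_volume_1_et-ee-0631e9b6-a6be-4014-a512-db457f7e7bfe.txt -> D:\WSUS\WsusContent\83\E1084A7E5C68A4D0774CDEF8E8D90EDEC36A2C83.txt
ERROR CODE:    0x80072ee7
GUID: {00000000-0000-0000-0000-000000000001} DISPLAY: 'constructed-healthy-job'
TYPE: DOWNLOAD STATE: TRANSFERRING OWNER: NT AUTHORITY\NETWORK SERVICE
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 86400 ERROR COUNT: 0
'@

function Get-FailedBitsJob {
    param([Parameter(Mandatory)][string]$Text)
    # Every job record starts with a line beginning "GUID:"; split on that boundary.
    $records = [regex]::Split($Text, '(?m)^(?=GUID:\s)') | Where-Object { $_ -match '^GUID:' }
    foreach ($r in $records) {
        $state = if ($r -match '\bSTATE:\s+(\S+)') { $Matches[1] }
        if ($state -notin 'ERROR', 'TRANSIENT_ERROR') { continue }   # skip healthy jobs
        $guid  = if ($r -match '^GUID:\s+(\{[0-9A-Fa-f-]+\})') { $Matches[1] }
        $item  = if ($r -match "DISPLAY:\s+'([^']*)'") { $Matches[1] }
        $code  = if ($r -match '(?m)^ERROR CODE:\s+(0x[0-9A-Fa-f]+)') { $Matches[1] }
        $count = if ($r -match 'ERROR COUNT:\s+(\d+)') { [int]$Matches[1] }
        $url = $null; $local = $null
        if ($r -match '(?m)^ERROR FILE:\s+(\S+)\s+->\s+(.+?)\s*$') { $url = $Matches[1]; $local = $Matches[2] }
        [pscustomobject]@{
            JobId = $guid; WsusItem = $item; State = $state
            ErrorCode = $code; ErrorCount = $count; RemoteUrl = $url; LocalPath = $local
            LocalFileExists = [bool]($local -and (Test-Path -LiteralPath $local))
        }
    }
}

$failed = @(Get-FailedBitsJob -Text $sample)
$failed | Format-List
# 10 is the default number of simultaneous WSUS downloads noted further down in this post.
if ($failed.Count -ge 10) { Write-Warning 'All default WSUS download slots are held by failed BITS jobs.' }
```

WsusItem is the job's DISPLAY value, which matches the item ID logged in SoftwareDistribution.log, so each failed job can be tied back to the update file WSUS submitted.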

It was apparent that some EULA license files were missing. I downloaded those 10 missing files and put them in the correct WsusContent subfolders. Again, the updates download got stuck. Running the bitsadmin command again to list all user jobs, I found another 10 missing EULA license files. Okay, I realized what went wrong: the content copied from the source WSUS server was missing EULA license files. To fix that once and for all, I did the following:

  1. Go to the source WSUS server
  2. Open an elevated command prompt
  3. Navigate into C:\Program Files\Update Services\Tools
  4. Run: .\WsusUtil.exe RESET
  5. Copy all the folders again to the destination WSUS server
  6. Restart the BITS service (PowerShell): Restart-Service BITS
  7. Restart the WSUS service (PowerShell): Restart-Service WsusService

NOTE

By default, WSUS allows 10 simultaneous BITS download jobs. This limit is defined in the table tbConfigurationB.

SELECT MaxSimultaneousFileDownloads FROM [SUSDB].[dbo].[tbConfigurationB]

If the first 10 jobs get stuck, all the remaining update downloads have to wait and show up in the Downloading state, giving the impression that they are stuck. This is exactly what we are discussing in this article.

If you want more simultaneous jobs, you can change the setting in the database, e.g. increase it to 20.

UPDATE [SUSDB].[dbo].[tbConfigurationB] SET MaxSimultaneousFileDownloads = 20

Catalog of Third-Party Software Updates Sync now failed

We followed the official guide to configure third-party software updates for Configuration Manager. After adding a custom catalog, we tried the Sync now menu on the head ribbon. Unfortunately, it does not work.

Logs show the following exceptions:

WSUSCtrl:
Attempting connection to local WSUS server 2720 (0x0AA0)
System.Net.WebException: The request failed with HTTP status 403: Forbidden. at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args) at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) 2720 (0x0AA0)
Failures reported during periodic health check by the WSUS Server CONTOSO.COM. Will retry check in 1 minutes 2720 (0x0AA0)
Waiting for changes for 1 minutes 2720 (0x0AA0)
Timed Out… 2720 (0x0AA0)

SMS_ISVUPDATES_SYNCAGENT.log:
==================== Exception Detail Start ======================= 5184 (0x1440)
Exception type: WebException 5184 (0x1440)
Exception HRESULT: -2146233079 5184 (0x1440)
Exception Message: The request failed with HTTP status 403: Forbidden. 5184 (0x1440)
Exception source Microsoft.UpdateServices.Administration 5184 (0x1440)
Exception TargetSite Microsoft.UpdateServices.Administration.IUpdateServer CreateUpdateServer(System.Object[]) 5184 (0x1440)
Stack at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.ConfigurationManager.ISVUpdatesSyncAgent.WSUS.UpdateServicesWrapper.Connect() 5184 (0x1440)
===================== Exception Detail End ======================== 5184 (0x1440)

WCM.log:
Successfully connected to server: CONTOSO.com, port: 8531, useSSL: True 70592 (0x113C0)
Waiting for changes for 59 minutes 70592 (0x113C0)
Wait timed out after 59 minutes while waiting for at least one trigger event. 70592 (0x113C0)
Timed Out… 70592 (0x113C0)

In addition, SCCM SMS_WSUS_CONTROL_MANAGER kept logging errors 7000 and 7003 repeatedly.

WSUS Control Manager failed to monitor WSUS Server “CONTOSO.COM”. Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted. Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website.

Then we checked the health on the SUP:

  1. Open CMD as admin
  2. Navigate to C:\Program Files\Update Services\Tools
  3. Run: WSUSUtil.exe checkhealth

I found Event IDs 12002, 12052, 12042, 12022, 12032 and 12012 in the Windows Server Update Services event log:

The description for Event ID 12052 from source Windows Server Update Services cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

The DSS Authentication Web Service is not working.

The only step we missed was configuring WSUS for SSL with wsusutil configuressl. So we tried the following steps:

  1. Open CMD as admin and navigate to C:\Program Files\Update Services\Tools
  2. Run (Case sensitive): wsusutil.exe configuressl <FQDN-OF-WSUS-SERVER>
  3. Restart WSUS Service from services and WSUS Administration from IIS Administration control

Wonderful! The issue was gone.

All WSUS clients fail to connect to WSUS server for updates – 0x8024401f

The issue is that all the WSUS clients suddenly fail to connect to the WSUS server for updates, with the Windows Update window showing error 0x8024401f, which means "Same as HTTP status 500 – an error internal to the server prevented fulfilling the request."

Looking into the Windows Update log, the following exceptions caught my eye:

2020-05-28 17:26:02:714 776 1120 WS WARNING: Nws Failure: errorCode=0x803d000f
2020-05-28 17:26:02:714 776 1120 WS WARNING: …………http://x.x.x.x/ClientWebService/client.asmx………………………………………
2020-05-28 17:26:02:714 776 1120 WS WARNING: ……………… HTTP ……………500 (0x1F4)………………System.ServiceModel.ServiceActivationException……
2020-05-28 17:26:02:714 776 1120 WS WARNING: ……………………………

I tried to visit http://x.x.x.x/ClientWebService/client.asmx (you need to enable trace in IIS) from the client and it showed the following in the browser:

Could not find a base address that matches scheme https for the endpoint with binding WebHttpBinding. Registered base address schemes are [http]

With this, I knew that there was something wrong with the IIS configuration. However, I could not find what went wrong after hours of struggling. To save time, I deleted the WSUS Administration application (IIS Admin console > right-click on WSUS Administration and select Remove) from IIS and reinstalled it via the steps below:

  1. Delete the site from IIS Administration
  2. Open CMD as admin
  3. Navigate to C:\Program Files\Update Services\Tools and run: WsusUtil.exe postinstall CONTENT_DIR=C:\WSUS

If you use SQL Server for WSUS, run: WsusUtil.exe postinstall SQL_INSTANCE_NAME="<SQLSVR_SERVER_NAME>" CONTENT_DIR=C:\WSUS

For example:

C:\Program Files\Update Services\Tools>WsusUtil.exe postinstall CONTENT_DIR=C:\WSUS
Log file is located at C:\Users\Administrator\AppData\Local\Temp\tmpFA1D.tmp
Post install is starting
Post install has successfully completed
