Troubleshooting Microsoft WSUS connectivity issues

Microsoft Windows Server Update Services may impede your system updates because of IIS and Group Policy settings issues. Find out quick solutions to these WSUS errors in this tip.

Microsoft Windows Server Update Services is one of my favorite Microsoft technologies. It keeps all of my systems...

up to date, and it's free. As much as I rave about WSUS, I have known plenty of people who have had trouble getting it to update the computers on their networks. I have also witnessed situations in which WSUS was performing fine and then suddenly stopped working for an unknown reason.

There are a few common Windows Server Update Services (WSUS) errors you may come across, and once you identify the problems, they're easy to resolve.

Confirm installation of Group Policy settings

Before WSUS can begin functioning properly, you will have to install some Group Policy settings in order to redirect Windows Update to your WSUS server. There are about fifteen Group Policy settings that are related to Windows Update, and you can access them through the Group Policy Object Editor at Computer Configuration\Administrative Templates\Windows Components\Windows Updates.

Of the fifteen Group Policy settings related to Windows Update, only two are critical when using WSUS. The first of these settings is the Automatically Configure Updates setting. This particular Group Policy setting must be enabled. You can use any of the automatic update settings once the policy setting is enabled, but you are generally better off using either option 3: Auto download and notify for install or option 4: Auto download and schedule the install. Keep in mind that if you are automatically downloading the updates and scheduling the installation, then you might get the illusion that WSUS isn't working because the users are never prompted to install any updates.

The Specify Intranet Microsoft Update Service Location setting is the other critical Group Policy setting to be aware of. You must also enable this setting and provide the URL to your WSUS server. This is trickier than it sounds. The server name must be specified as a URL, and if you are using a port number other than 80, the port number must be included along with the URL. For example, if the WSUS server was communicating across port number 8530, then the URL might look like this:


So, how can you tell if your WSUS server is using Port 80? WSUS is really nothing more than a Web application that is being hosted by Internet Information Services (IIS). Therefore, if you want to know which port is being used, you can find out through the IIS Manager, which is accessible through the server's Administrative Tools menu.

When the IIS Manager opens, follow these steps:

  1. Navigate through the console tree to Internet Information Services | <your server> | Web sites | Default Web Site.
  2. Right click on the Default website container.
  3. Select the Properties command from the shortcut menu, (you will see the Default Web site Properties sheet).
  4. Go to the properties sheet's Web site tab.
  5. Verify the port number that the site is using.

I have also seen situations in which an organization has the necessary Group Policy settings in place, but they established the settings in a Group Policy Object that was never applied. I recommend testing to make sure that the Group Policy Object that contains your Windows Update settings is actually being used.

Ensure proper permissions configuration

Another instance of WSUS malfunction may be the result of an NTFS permissions problem. Occasionally, you may find that your Group Policy settings appear to be configured correctly, but that WSUS still isn't working properly. When this occurs, it may be the result of a NTFS permissions problem, and you'll want to confirm that this is the case.

  1. Select the Directory Security tab on the Default Web Site Properties sheet.
  2. Click the Edit button found in the tab's Authentication and Access Control section.
  3. The following screen should confirm that anonymous access is enabled, and it should show you the account that is being used for anonymous access.
    • By default the account is IUSR_<servername>.
  4. Manually log-in using this account to make sure that the account's password hasn't expired.
  5. Verify that the folders used by WSUS do not contain NTFS permissions that would prevent this account from gaining access.

Verify dependency services are functioning

WSUS depends on IIS and on a back-end SQL Server database. If those dependencies are not functioning, then WSUS won't work either. If you are having trouble getting WSUS to function, you must verify that the underlying dependencies are in working order. This can be accomplished by verifying that the various services are started. An easier approach is to simply open the WSUS console. This console is Web-based and it will not work unless IIS and SQL are also working.

WSUS is one of the easier Microsoft products to troubleshoot. If updates are not being applied to clients, then the problem is usually related to IIS or Group Policy settings. Just make sure that you have actually approved the updates you're planning to install.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

Dig Deeper on Patches, alerts and critical updates