Friday, February 17, 2012

WSUS 3.0 issue with virtual machine templates

I came across an interesting issue at work where I was building a WSUS server in the hopes of better control over update application through GPO. What changed in how WSUS seeks client computers is significant if you run a highly virtualized environment.

In WSUS 3.0, it stopped looking for machine names and IP as unique identifier, no; the server looks at a GUID generated when a Window's machine contacts Update Services via Automatic Updates. Apparently MS felt that a combination of computer name and IP just wasn't unique enough. This GUID that is generated also does not change from Sysprep either, which means if you like myself launch VMs from templates, this GUID will not longer be unique and the strange signs will occur where VMs made from the same template, only one will be able to report to the WSUS server at any time. Signs of this behavior is simple, force add one client machine from the target computer via command line, wuauclt /detectnow and then another VM that was created from the same template....highlander rules suddenly apply and there can be only one as the GUID is not unique.

To verify the same GUID issue, check the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate and look at two values, SusClientId and SusClientValidation. If those are the same, you have this issue.

To fix; delete the registry entries, than restart the Automatic Updates service than force report via command line, which will force the registry to create a new fresh GUID from the WSUS server as none exist. If you have a bunch of computers to deal with as I do, I would recommend scripting the fix.

Here is a simple batch file that can resolve the issue for you (copy below, paste in notepad and save as .bat);

net stop wuauserv /y
net stop bits /y

Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f

Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f

net start wuauserv /y
net start bits /y

echo Initiating Windows Updates detection cycle...

wuauclt.exe /resetauthorization
wuauclt.exe /detectnow
wuauclt.exe /reportnow


  1. God bless you Ken, saved me a world of pain and thanks for publishing!

    1. I am glad that it was helpful to you!