Greetings all,
I have been trying to nail down why my Windows updates are failing on my client machines.
We did an AD Rename (rendom) at the end of the year and ever since we've not had the Windows updates work. Everything else appears to be working fine. I have tried a wide variety of things, including this week by building a new server and placing a new WSUS install upon it.
The problem is that the "downloading - 0%" never moves beyond 0%. Eventually, after a long wait, the updates will fail. The client machines have detected the new WSUS server and have correctly identified which updates need to be applied, so this shows that the WSUS server is being responsive and the clients are getting to it.
The client machines are Server 2019 and I have used the Get-WindowsUpdateLog cmdlet to examine the logs on one of the affected machines. I am finding the log fairly impenetrable, however. I can see some "FAILED" but I can't see anything that points to anything specific.
This is happening across all machines since the AD rename and I'm at a loss as to what, exactly, is wrong and thus also stymied trying to find a solution.
I can tell from the log that the client machine is reaching the new server.
One of the sets of messages is this:
"StatusCode for transaction returned from WinHttpQueryHeaders is 401"
"FAILED [800710DD] Send request"
"FAILED [800710DD] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)"
(there is no proxy)
A 401 is Unauthorized, which I suspect is pointing to the root of the problem. I suspect, but cannot find, that the service is attempting to use an invalid credential/identification. In an AD rename, the SIDs don't actually change, but the names (NBT and domain both) do change. So if formerly the login was AAA\Name1, the new name might be BBB\Name1.
I have disjoined and rejoined machines to the AD, no change. I've reset the WSUS parameters I usually reset when I do a clone, no change.
Stuck and looking for advice.
-g
Confirm your permissions for WSUS
https://www.ajtek.ca/wsus/wsus-permissions-wsuscontent-registry-and-iis/
Also, it could be a bad SPN record that needs updating due to the renaming of the domain?
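
One way to pull the HTTP status codes and FAILED HRESULTs out of the merged log described in the question, so the 401 and its companion errors stand out. This is an added example, not part of the original thread; the function name `Get-WuDownloadFailure`, the sample lines' timestamps and component names, and the `C:\Temp\WU.log` path are constructed for illustration.

```powershell
# Added example. Function name and sample lines are constructed; only the
# quoted message texts come from the question above.
function Get-WuDownloadFailure {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin { $hits = [System.Collections.Generic.List[object]]::new() }
    process {
        if ($Line -match 'StatusCode for transaction returned from \w+ is (\d{3})') {
            $code = [int]$Matches[1]
            # The enum name gives the meaning, e.g. 401 -> Unauthorized.
            $hits.Add([pscustomobject]@{
                Kind = 'HttpStatus'; Code = "$code"
                Meaning = "$([System.Net.HttpStatusCode]$code)"; Detail = '' })
        }
        elseif ($Line -match 'FAILED \[([0-9A-F]{8})\]\s*(.*)$') {
            $hex = $Matches[1].ToUpper(); $detail = $Matches[2].Trim()
            $meaning = ''
            # HRESULTs of the form 0x8007xxxx wrap a Win32 error in the low 16 bits.
            if ($hex -match '^8007([0-9A-F]{4})$') {
                $win32 = [Convert]::ToInt32($Matches[1], 16)
                $meaning = "Win32 $win32 : " +
                    [System.ComponentModel.Win32Exception]::new($win32).Message
            }
            $hits.Add([pscustomobject]@{
                Kind = 'HResult'; Code = "0x$hex"; Meaning = $meaning; Detail = $detail })
        }
    }
    end {
        # One row per distinct failure, most frequent first.
        $hits | Group-Object Kind, Code, Detail | Sort-Object Count -Descending |
            ForEach-Object {
                $f = $_.Group[0]
                [pscustomobject]@{ Count = $_.Count; Kind = $f.Kind; Code = $f.Code
                                   Meaning = $f.Meaning; Detail = $f.Detail }
            }
    }
}

# Constructed sample lines (timestamps and component names are made up).
$sample = @(
    '2021/01/12 09:14:02.1 1044 2210 DownloadManager StatusCode for transaction returned from WinHttpQueryHeaders is 401'
    '2021/01/12 09:14:02.2 1044 2210 DownloadManager FAILED [800710DD] Send request'
    '2021/01/12 09:14:02.3 1044 2210 DownloadManager FAILED [800710DD] WinHttp: SendRequestToServerForFileInformation (retrying with default proxy)'
    '2021/01/12 09:14:09.8 1044 2210 DownloadManager FAILED [800710DD] Send request'
)
$sample | Get-WuDownloadFailure | Format-Table -AutoSize
# On a client (example path):
# Get-WindowsUpdateLog -LogPath C:\Temp\WU.log; Get-Content C:\Temp\WU.log | Get-WuDownloadFailure
```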