So finally we have solved the issue with the help of Microsoft. Below are the steps taken to solve the issue.
Steps to identify the root cause -
- We initiated the WSUS post installation using the PowerShell command line postinstall SQL_INSTANCE_NAME="HOSTNAME" CONTENT_DIR=Drive:\WSUS and used the Procmon tool to trace down the issue
01:31:23.4171205 WsusUtil.exe 9920 RegOpenKey HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup ACCESS DENIED Desired Access: Query Value, Enumerate Sub Keys, Read Control, Access System Security
01:31:23.4171843 WsusUtil.exe 9920 RegOpenKey HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup ACCESS DENIED Desired Access: Read Control, Access System Security
- We enabled verbose logging to get more information about the access permission issue by changing registry settings through PowerShell
C:\windows\system32> reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v GPSvcDebugLevel /t Reg_Dword /d 0x30002 /f
Based on the above steps we were able to identify that the installation account did not have the correct permissions on the registry key (HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup); because of this, the error below was seen in the WSUSPostinstallation.log file (found in C:\Users\<loggedinuser>\AppData\Local\Temp).
2021-09-17 07:33:51 Granting registry permissions...
2021-09-17 07:33:51 System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Security.AccessControl.Win32.GetSecurityInfo(ResourceType resourceType, String name, SafeHandle handle, AccessControlSections accessControlSections, RawSecurityDescriptor& resultSd)
at System.Security.AccessControl.NativeObjectSecurity.CreateInternal(ResourceType resourceType, Boolean isContainer, String name, SafeHandle handle, AccessControlSections includeSections, Boolean createByName, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.NativeObjectSecurity..ctor(Boolean isContainer, ResourceType resourceType, SafeHandle handle, AccessControlSections includeSections, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.RegistrySecurity..ctor(SafeRegistryHandle hKey, String name, AccessControlSections includeSections)
To solve this access issue we gave full permissions and changed the ownership to the installation account, but it didn't work. Then we checked the group policy on the local system and found that "Manage Auditing and Security Log" under "Computer Configuration\Windows Settings\Security Settings\Local Policies\" was configured only for two specific users and managed through the Default Domain Policy; however, the default configuration should be the Local Administrators group.
To solve this issue we changed the group policy from the specific users to the Local Administrators group. After that it worked and we were able to complete the WSUS post installation and configuration by following the steps below, and now it is working fine.
1) Open a PowerShell session as Administrator and uninstall WSUS completely with the following command:
Remove-WindowsFeature -Name UpdateServices,UpdateServices-DB,UpdateServices-RSAT,UpdateServices-API,UpdateServices-UI -IncludeManagementTools
2) Delete the registry key HKLM\SOFTWARE\Microsoft\Update Services
3) Delete the WSUS mmc file from %appdata%\Microsoft\MMC
4) Delete the folder "%ProgramFiles%\Update Services" along with all of its subfolders and files. In case some files or subfolders are left, delete them after rebooting the server
5) Reboot the server
6) Run the System File Checker to find and repair any inconsistencies by typing the command below into the PowerShell prompt: SFC /scannow
7) Reboot the server
8) Verify IIS is installed and working without errors
9) Open the Server Manager MMC and select Add Roles & Features to install WSUS
10) Once the WSUS installation has completed, run PowerShell with admin rights, change the current working directory to %programfiles%\Update Services\Tools and run the following post-installation commands. In our case we used a SQL DB and ran the first command.
To use a SQL DB:
.\wsusutil.exe postinstall SQL_INSTANCE_NAME="SERVER\Instance" CONTENT_DIR="<drive>:\WSUS"
To use WID:
.\wsusutil.exe postinstall CONTENT_DIR="<drive>:\WSUS"
11) Wait for the command to complete successfully.
12) Open the WSUS console from the Server Manager console => Tools => Windows Server Update Services, configure it as per your requirement and wait for the initial sync to happen.
The steps below are only required if you are using SCCM/MECM to manage software update deployment; however, these steps were required for us as we are using SCCM/MECM.
13) Open the SCCM Console and install the Software Update point role and wait for Sync to happen.
14) If the sync doesn't happen and you see the error message below in wsyncmgr.log:
Found active SUP SRV.abc.com from SCF File. SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:35 8376 (0x20B8)
STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SRV.abc.com SITE=TTP PID=8324 TID=8376 GMTDATE=Wed Sep 22 09:17:35.568 2021
ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X0 SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:35 8376 (0x20B8)
Sync failed: Class not registered SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SRV.abc.com SITE=TTP PID=8324 TID=8376 GMTDATE=Wed Sep 22 09:17:36.579 2021 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X80040154 SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
Setting sync alert to active state on site CTP SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
Sync time: 0d00h00m01s SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
Skipping Delete Expired Update relations since this is not a scheduled sync. SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
then run the command below to register the wsyncact.dll file, which helps ensure that the sync starts.
A) Open a command prompt with admin rights
B) C:\windows\Microsoft.NET\Framework64\v4.0.30319>regasm.exe "<<SCCM\MECM installation directory>>:\Microsoft Configuration Manager\bin\X64\wsyncact.dll"
C) Restart the SMS_EXECUTIVE service
D) Now create a file called "FULL.SYN" in <<SCCM\MECM installation directory>>:\Microsoft Configuration Manager\inboxes\wsyncmgr.box
Hope this helps all who are having a similar issue with WSUS and SCCM/MECM.
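A PowerShell pre-flight check for the root cause described in the post, added here as an example and not part of the original post or of WSUS itself. It verifies that the installing account holds SeSecurityPrivilege (the privilege behind the "Manage auditing and security log" user right and behind the "Access System Security" access the Procmon trace shows WsusUtil requesting), reads the effective policy assignment, and reproduces the failing read of the Setup key's security descriptor. It assumes an elevated session on a Windows Server where whoami.exe and secedit.exe are available; the function name is my own.

```powershell
# Added example, not from the original post. Run before "wsusutil.exe postinstall" to confirm the
# installing account can read the Setup key's audit (SACL) information, which needs SeSecurityPrivilege.
# Assumes an elevated PowerShell session; whoami.exe and secedit.exe ship with Windows Server.
function Test-WsusPostinstallPrereq {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    )
    $adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    # 1. Does the current token carry SeSecurityPrivilege at all? A user right that policy does not
    #    grant never shows up here, whatever permissions the registry ACL grants.
    $priv = whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Privilege Name' -eq 'SeSecurityPrivilege' }
    $tokenHasPrivilege = [bool]$priv

    # 2. Which principals does the effective security policy assign the right to? secedit exports the
    #    [Privilege Rights] section as lines like "SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...".
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^\s*SeSecurityPrivilege\s*=' | Select-Object -First 1
    $grantees = @()
    if ($line) {
        $grantees = ($line.Line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # 3. Reproduce the failing read: asking for the audit section (-Audit) requires the privilege,
    #    so this fails in exactly the situation the WSUSPostinstallation.log stack trace shows.
    $saclReadable = $false
    $saclError = $null
    if (Test-Path $KeyPath) {
        try   { $null = Get-Acl -Path $KeyPath -Audit -ErrorAction Stop; $saclReadable = $true }
        catch { $saclError = $_.Exception.Message }
    }

    [pscustomobject]@{
        TokenHasSeSecurityPrivilege  = $tokenHasPrivilege
        PolicyGrantsToAdministrators = ($grantees -contains $adminsSid)
        PolicyGrantees               = ($grantees -join ', ')
        SetupKeySaclReadable         = $saclReadable
        SetupKeyError                = $saclError
    }
}

Test-WsusPostinstallPrereq | Format-List
```

If PolicyGrantsToAdministrators is False and SetupKeySaclReadable is False, the account is in the state the post describes, and fixing the user right in policy (then gpupdate and a new logon) is the remedy rather than changing the key's ACL or ownership.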