When you count your computers in Active Directory and compare it to computers in Windows Server Update Services, you probably see a difference. In my case I saw several computers missing in WSUS. After investigating, I realized that those computers were cloned.
In administrative PowerShell window on WSUS server computer I checked, that the computer really doesn’t exist:
Get-WsusComputer –NameIncludes PartOfYourComputerName | ft -a
Actually you don’t need to sysprep those working systems. All you need is following four lines (in web browser they will wrap to a little more lines) running in administrative command prompt on WSUS client computer:
net stop wuauserv
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
wuauclt /resetauthorization /detectnow
wuauclt /reportnow
And almost instantly you can see this computer appear on WSUS management:
The above script needs a couple of extra tweeks.
ReplyDeleteFirst, it's not necessary to stop or start the service to remove values from the ~\CurrentVersion tree.
Second, in addition to the *SusClientID* value, you also need to delete the *SusClientIDValidation* value.
Third, in the context used above the last command does absolutely nothing. I discuss in dozens of other places the significance (and lack thereof) of the /reportnow parameter.
Thus, a functional version of this script might look like this:
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f
wuauclt /resetauthorization /detectnow
/reportnow switch works as intended. After running "wuauclt /reportnow" the computer appears almost instantly in WSUS management. If you don't run this command, the report will be done according to the WSUS client schedule. But I will not argue on this topic. Maybe I'm wrong.
ReplyDeleteThe removal of SusClientIDValidation is not necessary according to tests I have done.
Nice to hear, that stopping the service is also not needed. For your information wuauclt command will start the wuauclt service.
This is also good instruction to actually forcing the talk with WSUS server https://pleasework.robbievance.net/howto-force-really-wsus-clients-to-check-in-on-demand/
ReplyDeleteIf the above link is down, then this is the command:
$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates