Hello System Center,
In this post I'd like to share information gleaned from recent support incidents regarding the Configuration Manager 2007 Software Updates Client Agent. The goal for this post is to help by providing details on common problems driving calls to support.
To lay some groundwork, the Software Updates Client Agent is heavily dependent upon the default software update components on the client system. As a result, the Software Updates Client Agent often faces the same challenges seen in Windows Server Update Services (WSUS) deployments.
The online TechNet library for Configuration Manager has a cornucopia of data covering Software Update Client Agents and their configurations, so please explore the relevant links as needed.
Before beginning, ensure you’re familiar with the topic: About the Software Updates Client Agent http://technet.microsoft.com/en-us/library/bb694104.aspx
Some of the common problems related to the Software Update Client Agent:
Windows Update Agent is Misdirected
This is an all too common scenario with a consistent trigger: the settings on the client that identify its active SUP end up incorrect.
The Symptom: With regard to patching, your client goes AWOL. In other words, yesterday your client was reporting for duty and downloading updates just fine, but today, while it may still report inventory and execute software deployments, it's no longer taking software update related actions. At least not from your Site.
Note: This is observed both when clients attempt the scan action as well as after a successful scan when trying to pull down updates.
The Trigger: If this sounds like your situation then take a look at the client's effective Policy. The one common driver we've seen is application of a Group Policy which overwrites the client's current policy, such as its assigned and active SUP. We also see incorrect ports, server names, and related settings passed to Configuration Manager clients by policy. Where do these come from? Good question! They're not from the Group Policy fairy. Investigate any domain or related policies that may have been configured or orphaned and are being applied to the clients. It's also possible that the client has local Group Policy disabled, or that an error was fat fingered into the expected Policy when it was configured. Find more here: Troubleshooting Group Policy Configuration for Software Updates
Windows Update Agent connection to the SUP blocked on the network
Another common scenario is a configuration that blocks the client from communicating across the network. This problem is seen elsewhere in Configuration Manager but receives significant attention here as the goal of keeping clients patched is very visible.
Note: Like the first issue of policy-delivered settings, network connectivity blocks are observed both when clients attempt the scan action as well as after a successful scan when trying to pull down updates.
Two key flavors are noted:
1. Proxy Servers - Blocking traffic in a variety of ways.
2. Ports blocked - On client firewalls, on the SUP server, and at points in-between on the network.
Also keep in mind the traffic involved in Patch Management can quickly run afoul of settings intended to mitigate floods. The following link is a Forums post regarding SUP to MU syncs but the issue is also relevant for this topic:
Find more here: Ports Used in Software Updates
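A quick client-side check for the two scenarios above (a misdirected Windows Update Agent and a blocked path to the SUP). This is an added example, not a Microsoft-supplied script. It reads the Windows Update policy values documented in the WSUS client-side configuration references and tests a direct TCP connection to the server those values name. The expected SUP URL is a placeholder you must replace.

```powershell
# Added example: compare the WUA policy values on a client with the SUP you
# expect, then test TCP reachability of the server the policy actually names.
param(
    # Assumption: placeholder URL; replace with your site's active SUP and port.
    [string]$ExpectedSup = 'http://sup01.example.local:8530'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (no policy applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$report = New-Object PSObject -Property @{
    WUServer       = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer    = Get-PolicyValue $auKey 'UseWUServer'
    AUOptions      = Get-PolicyValue $auKey 'AUOptions'
    NoAutoUpdate   = Get-PolicyValue $auKey 'NoAutoUpdate'
}
$report | Format-List

if (-not $report.WUServer) {
    Write-Warning 'No WUServer policy value present; no intranet update server is configured.'
    return
}
if ($report.WUServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
    Write-Warning "WUServer is '$($report.WUServer)' but expected '$ExpectedSup' (check domain GPOs)."
}
if ($report.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1, so the agent does not honor the WUServer value.'
}

# Direct TCP connect only: this does not exercise proxy settings.
$uri = [Uri]$report.WUServer
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $async = $tcp.BeginConnect($uri.Host, $uri.Port, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(5000) -and $tcp.Connected) {
        "TCP $($uri.Host):$($uri.Port) reachable"
    } else {
        Write-Warning "TCP $($uri.Host):$($uri.Port) not reachable (firewall or wrong port?)"
    }
} finally { $tcp.Close() }
```

Run it in an elevated PowerShell session on an affected client. A mismatch that returns after you correct it locally points to a domain Group Policy reapplying the value.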
Assorted Functional Problems on the Client
1. Registry Settings related to WUA Options. Commonly known as AUOptions, these are often delivered via a Group Policy, or set on clients by other means. These are worth noting as they could drive unexpected client behaviors. These are usually set when WSUS has been directly managing a client and not usually found when managed by Configuration Manager.
Find more here: WSUS Client-side Configuration Options: http://technet.microsoft.com/en-us/library/cc526860.aspx
2. Anti-Virus Software. As in other areas of the product, we can see operational collisions with legitimate patching actions. This can block or slow down the process.
3. BITS on the client. Often impacted by our friend Group Policy, these may not be directly associated with patch configurations. And sometimes BITS just isn't functional.
Assorted Patch Installation Experience Issues
Many support issues are opened which are not due to direct failures but due to unanticipated behavior or experiences on the client - usually related to a configurable option. These include:
1. Failed Patch Installations - Sometimes a client doesn't have software that qualifies to be patched despite Administrative expectations. This can happen when a vulnerable file is no longer present or has been updated by another process. This has also been seen where there is confusion over the vulnerable product or product version involved. This can be complex to puzzle out and is further muddled by competing scan solutions which can evaluate compliance using different criteria with different results.
2. Unexpected Patch Installations - It happens: A deployment targets the wrong collection full of systems not intended to be patched or patched with the configured settings. When a patch installs on a system you didn't expect, check the targeted collections and related details. Let’s avoid the uncomfortable silence on the support phone when the incorrectly targeted collection action is identified. Awkward!
3. Pop-ups and Notifications - Finally, several issues are opened which are tied to the pop-up behaviors seen on clients:
a) Requests to enable Software Updates on clients - triggered by the Windows Security Center. This is external to Configuration Manager but if your users are reporting this you may wish to ensure policy is not disabling Automatic Updates.
b) Enforcement of Mandatory Deployments (Deadlines). Patch installation times, and what behavior can be expected, are a matter of configuration. Enforced deadlines along with the problem noted below make for very unhappy end users.
c) Deployments Hidden from end users. Misconfigurations of deployments, tied with the deadlines mentioned above, often result in the 'patched and rebooted without warning' situation. Good times.
Find more here:
The following are links you may find useful when approaching Software Update Client Configuration issues and strategies regarding WSUS specific details for the Update Agent:
Configure Automatic Updates in a Non–Active Directory Environment: http://technet.microsoft.com/en-us/library/cc708449.aspx
Product Quality Program Manager
System Center Configuration Manager 2007