Resolving the duplicate SUSClientID issue, or “Why don’t all my clients show up in the WSUS console?”


A common issue we get calls on again and again is where a customer has WSUS configured, but when he or she goes to the admin console some clients appear and others do not. You may even notice that it seems to change on a random basis: today some clients appear and others don’t, and then tomorrow the ones that were there yesterday are gone and the ones that were missing have appeared.

So what’s going on? 99% of the time this happens because the clients in question have duplicate SUSClientID values. This can happen for a couple of different reasons (see KB903262 for one example), but either way, duplicate SUSClientID values are likely the problem.
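To confirm the diagnosis before deploying the fix, the following added example (not part of the original article) groups an inventory of SusClientId values and reports any ID shared by more than one machine. The function names, hostnames and GUIDs are constructed for illustration; the registry path and value name are the ones the batch script below deletes.

```powershell
# Added example: report SusClientId values shared by more than one machine.
$WuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

# Hypothetical helper: read this machine's SusClientId ($null if the value is absent).
function Get-LocalSusClientId {
    $p = Get-ItemProperty -Path $WuKey -Name SusClientId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SusClientId  = if ($p) { $p.SusClientId } else { $null }
    }
}

# Hypothetical helper: group inventory rows by ID (trimmed, lower-cased) and keep
# only the IDs that appear on more than one computer.
function Find-DuplicateSusClientId {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory |
        Where-Object { $_.SusClientId } |
        Group-Object -Property { ([string]$_.SusClientId).Trim().ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Count       = $_.Count
                Computers   = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

# Constructed sample inventory (hostnames and GUIDs are made up). In practice each
# row would come from Get-LocalSusClientId run on a client and collected centrally.
$sample = @(
    [pscustomobject]@{ ComputerName = 'PC-001'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-002'; SusClientId = '11111111-AAAA-4BBB-8CCC-000000000001' }
    [pscustomobject]@{ ComputerName = 'PC-003'; SusClientId = '22222222-aaaa-4bbb-8ccc-000000000002' }
    [pscustomobject]@{ ComputerName = 'PC-004'; SusClientId = $null }
)

# With the sample above this lists one shared ID, held by PC-001 and PC-002.
Find-DuplicateSusClientId -Inventory $sample | Format-Table -AutoSize
```

Machines listed together under one ID are the ones that overwrite each other's record in the WSUS console, and are the candidates for the reset script.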

Fortunately the fix is pretty painless:

1. Create a batch file named ResetSUSClientID.bat using the text below:

@Echo off
Rem - Batch script to delete duplicate SusClientIDs
Rem - Implement this script as a "Startup" or "Logon" script
Rem - Script creates an output file called %Systemdrive%\SUSClientID.log
Rem - If the %Systemdrive%\SUSClientID.log is already present, then the script simply exits

if exist %systemdrive%\SUSClientID.log goto end
Rem - Stop the Windows Update and BITS services before touching the registry
net stop wuauserv
net stop bits
Rem - Delete the three client identity values; reg output is written to the log file
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f > %systemdrive%\SUSClientID.log 2>&1
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f >> %systemdrive%\SUSClientID.log 2>&1
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f >> %systemdrive%\SUSClientID.log 2>&1
Rem - Restart Windows Update, then reset authorization and trigger a detection cycle
net start wuauserv
wuauclt.exe /resetauthorization /detectnow
:end
exit

2. Run this script directly on the problem client, or copy the batch file to a domain share and create a Domain/OU level GPO to launch it as a Startup or Logon script on the affected clients.

That’s it. 

Note that several days after doing this, some WSUS client computers may show up in the WSUS console as not having checked in for xx days. This is because the old SUSClientIDs are no longer in use, so those records are no longer checking in. If you start seeing this, run the Server Cleanup Wizard to clean out the old records, but remember that it may take up to 90 days to clean all records completely.

J.C. Hornbeck | Manageability Knowledge Engineer

Special thanks to Joao Madureira and Greg Cottingham for contributing to this article.