I've noticed a number of WSUS 3.0 servers are coming up with the following error in the Application event log:
To fix the issue, follow these steps:
Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 13042
User: N/A
Computer: WSUS01
Description: Self-update is not working.
To fix the issue, follow these steps:
- Open IIS Manager and ensure there is a Selfupdate virtual directory in the Default Web Site. If not, create it with the Local Path pointing to C:\Program Files\Update Services\Selfupdate
- Click the Directory Security tab and ensure that Anonymous Access is allowed
- Restart IIS
Verify that the problem is fixed by running the following command at the command prompt:
C:\Program Files\Update Services\Tools\wsusutil.exe checkhealthThen examine the Application event log for the following event:
Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 10000
User: N/A
Computer: WSUS01
Description: WSUS is working correctly.
As background, WSUS clients must connect to the SelfUpdate virtual directory to check for a new version of the WSUS client before checking for new updates. This always happens anonymously over port 80, even if WSUS is configured to use a custom port, such as port 8530.
Fixed my issue no problem. Just added the Selfupdate VD within whatever site you have running on Port 80.
ReplyDeleteImplemented the fix...works like a charm!
ReplyDeleteFinally a WSUS Server that works!
ReplyDeleteI had this issue and found that Require SSL was selected when I'm not using it for wsus
ReplyDeleteThis work for me too
ReplyDeleteThanks Jeff, great find!
ReplyDeleteNote: I had to restart IIS for the changes to take effect ***
MANY THANKS for this one, my friend :-)
ReplyDeleteThis got me pointed in the right direction. I had to add a VD to the default web site for selfupdate and point it to the same directory. But also, my default website was running something else which required SSL, so I had to turn off SSL for that VD.
ReplyDeleteI have IIS running on port 80 in the lab (in fact, there's no other site running on the server) and I still get the 'Self-update is not working' error in the Application log.
ReplyDeleteAnonymous access was enabled when I checked it, also. Very strange. Would appreciate it if anyone has any suggestions from this point.
I had the same problem but I didn't have IIS running in port 80 but another httpd. I resolved this with linkd.exe available in the windows 2003 server resource kit.
ReplyDeleteSo simply made a link e.g C:\htdocs\selfupdate -> C:\Program Files\Update Services\Selfupdate
And the error is gone. Thanks.
// Tony
Great article, the last paragraph pointed me to the fact that the Default Website must be running. Everything was set properly but the default website was not running which was causing this one event. So even if you set up wsus on different port default website still must be running. Thanks for the info.
ReplyDeletelawson23
How do I access the Directory Security tab?
ReplyDeleteHi, i had the same problem. I found out that under directory security/Secure communications the option "Require SSL" was enabled. That forces the clients to communicate over SSL.
ReplyDeleteI disabled that option, ran C:\Program Files\Update Services\Tools\wsusutil.exe checkhealth and got a working Selfupdate.
Regards,
Johan Nieuwhoff
This post worked perfectly with my SBS 2011 and IIS 7 environment. Thank you, Johan!
DeleteThat didn't do it for me... anything else I can check?
ReplyDeleteDidn't work for me either. I'm running IIS7 with WSUS running on 8053. I dont have these options for for VD:
ReplyDelete•Click the Directory Security tab and ensure that Anonymous Access is allowed
I do have: "Authentication" and it has "Anonymous Authentication" set to "Enabled"
If I hit the URL via browser
http://server:8530/Selfupdate/
I get 403 access denied, so I do think access is the issue as I should get a 403.13 forbidden, directory not configured to list contents.
I had this error and it turned out to be directory browsing being disabled as the last guy suspected may be the case. I don't know why directory browsing is required, but WSUS doesn't enable it for the SelfUpdate VD by default and it appears to be an utter requirement. Enable it if everything else appears to be in order with permissions and whatnot and see what happens.
ReplyDeleteIt's also important to note that SelfUpdate doesn't have to be on *:80. Just edit the WSUS site in IIS. You may or may not be running on port 80.
Thanks Particle, I enabled Directory Browsing for http (port 8530 for me) and for HTTPS (port 8531 for me). Looks like it did the trick!
ReplyDeleteHTTPS/SSL on IIS7 - I had to "Edit Bindings" for the WSUS Administrative site by assigning a "WMSvc-*servername*" SSL Certificate before directory browsing would work (and I assume before any other HTTPS access would function). This was one amongst several steps that I don't recall being in the WSUS install instructions when not using standard ports 80 & 443.
Once completed I have have not receieved a single 13042 error in over 24hrs. Fingers crossed!
I was receiving the same error on an SBS 2008 system with IIS7. I checked the above recommendations and all of those were set correctly but I was still getting the error. I went through and did a line-by-line comparison of this site with another one of our sites also running SBS 2008 and found that the site with the problem had a redirect set to a non-existent page which resulted in returning the same error.
ReplyDeleteThis is an awesome resource.Thanks so much for putting it together in such a well
ReplyDeleteorganized and complete manner.thanks alot for yor help.
Nicely done.
As Particle said, just enable Directory Browsing in Selfupdate VirtualDir, no need to mess with DefaultWebSite. That worked for me!
ReplyDeleteThanks
Thank you! WSUS site on :8530. The site running on :80 required SSL. Disabled SSL on Selfupdate VD in default site. Ran checkhealth and then found a beautiful EventID 10000 in event viewer! "WSUS is working correctly."!
ReplyDeleteWin Svr 2008r2, WSUS3.0 on non-default site:8530
=jabadm
3 years later and you're still getting comments, nice work! This works wonderfully for me, as I have it hosted on 80 and turn off SSL and all is good. Except when I restart IIS SSL is always turned back on. I've tried disabling it at the Default Web Site level and at the Selfupdate level. I'm not so smart with IIS, so why does it turn on Require SSL every time it restarts?
ReplyDeleteI must be dense, I cannot figure out what you are referring to:
ReplyDelete•Click the Directory Security tab and ensure that Anonymous Access is allowed
Right click the folder in Windows Explorer and click the security tab.
ReplyDeleteI had this problem (even thou everything was working) and I checked the logs in C:\Windows\System32\LogFiles\HTTPERR on 2008 R2 and found this...
ReplyDelete2011-10-07 19:39:24 ::1%0 60906 ::1%0 80 HTTP/1.1 GET /selfupdate/iuident.cab 404 - NotFound -
I addedd a new binding for http using ::1 for IP. My errors went away but best practices still shows selfupdate not being correct. Not sure why it is looking for IPv6 since it isn't enable in network settings.
IPv6 is not disabled if you simply uncheck the box in network properties. You must disable it in the registry, too. See my article about this:
ReplyDeletehttp://www.expta.com/2009/02/how-to-configure-ipv6-using-group.html
OK, still not working for me in SBS 2011. Followed everyone's steps and still no working self update. Cannot remove bindings for SSL from the default web site due to MS Exchange OWA.
ReplyDeleteAny further?
An Update to the last post.
ReplyDeleteI have the following error when testing the connection to the SelfUpdate Directory:
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.
Even after adding the Network Service and the IUSR accounts witrh read access on the physical directory, the issue persists.
I had this error report and could not find the "•Click the Directory Security tab and ensure that Anonymous Access is allowed" said tab! I ran the check and found one error saying "Self-Update NOT running" but a later one saying it was. Perhaps this is a transient condition in some cases?
ReplyDeleteWSUS SERVER ERRORS:
ReplyDeleteSelf update is not working
The last catalog sync attemtp was unsuccessful
The reporting web service i not working
the API remoting web service is not working
client web service is not working
The DSS authentication web service is not working
Can any one help as my wsus server is keep failing to synchronization
I had a similar problem which I fixed by following the instructions provided by Robbin Meng (MSFT). She addresses both the anonymous access and SSL settings on BOTH the SelfUpdate and ClientWebService virtual directories. I do not have browsing enabled on either and WSUS is working and not generating errors.
ReplyDelete(SBS2003SP2 and WSUS3.0)
From Robbin:
>Generally, this error message may occur if the WSUS related virtual directories are not >correctly configured. Please refer to the following steps to have a try:
>
> Cause
> =============================
> In the directory security tab of SelfUpdate and ClientWebService virtual directories. Following properties are selected.
>
> SSL required.
> SSL 128 required.
>
>
> Suggestion
> ===========================
> 1. Deselect the check box for:
>
> SSL required.
> SSL 128 required.
>
> from Directory Security tab of SelfUpdate and Client WebService virtual directories.
>
> 2. Make sure the Selfupdate and ClientWebService vdir has Anonymous authentication enabled.
>
> 3. Stop and start the Default Web site or IIS service to take effect.
>