Fix for Self-Update is Not Working in WSUS 3.0

Wednesday, June 25, 2008

I've noticed a number of WSUS 3.0 servers are coming up with the following error in the Application event log:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 13042
User: N/A
Computer: WSUS01
Description: Self-update is not working.


To fix the issue, follow these steps:
  • Open IIS Manager and ensure there is a Selfupdate virtual directory in the Default Web Site. If not, create it with the Local Path pointing to C:\Program Files\Update Services\Selfupdate

  • Click the Directory Security tab and ensure that Anonymous Access is allowed

  • Restart IIS

Verify that the problem is fixed by running the following command at the command prompt:

C:\Program Files\Update Services\Tools\wsusutil.exe checkhealth

Then examine the Application event log for the following event:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 10000
User: N/A
Computer: WSUS01
Description: WSUS is working correctly.

As background, WSUS clients must connect to the SelfUpdate virtual directory to check for a new version of the WSUS client before checking for new updates. This always happens anonymously over port 80, even if WSUS is configured to use a custom port, such as port 8530.

32 comments:

  1. Fixed my issue no problem. Just added the Selfupdate VD within whatever site you have running on Port 80.

    ReplyDelete
  2. Implemented the fix...works like a charm!

    ReplyDelete
  3. Finally a WSUS Server that works!

    ReplyDelete
  4. I had this issue and found that Require SSL was selected when I'm not using it for wsus

    ReplyDelete
  5. This work for me too

    ReplyDelete
  6. Thanks Jeff, great find!

    Note: I had to restart IIS for the changes to take effect ***

    ReplyDelete
  7. MANY THANKS for this one, my friend :-)

    ReplyDelete
  8. This got me pointed in the right direction. I had to add a VD to the default web site for selfupdate and point it to the same directory. But also, my default website was running something else which required SSL, so I had to turn off SSL for that VD.

    ReplyDelete
  9. I have IIS running on port 80 in the lab (in fact, there's no other site running on the server) and I still get the 'Self-update is not working' error in the Application log.

    Anonymous access was enabled when I checked it, also. Very strange. Would appreciate it if anyone has any suggestions from this point.

    ReplyDelete
  10. I had the same problem but I didn't have IIS running in port 80 but another httpd. I resolved this with linkd.exe available in the windows 2003 server resource kit.

    So simply made a link e.g C:\htdocs\selfupdate -> C:\Program Files\Update Services\Selfupdate

    And the error is gone. Thanks.

    // Tony

    ReplyDelete
  11. Great article, the last paragraph pointed me to the fact that the Default Website must be running. Everything was set properly but the default website was not running which was causing this one event. So even if you set up wsus on different port default website still must be running. Thanks for the info.

    lawson23

    ReplyDelete
  12. How do I access the Directory Security tab?

    ReplyDelete
  13. Hi, i had the same problem. I found out that under directory security/Secure communications the option "Require SSL" was enabled. That forces the clients to communicate over SSL.
    I disabled that option, ran C:\Program Files\Update Services\Tools\wsusutil.exe checkhealth and got a working Selfupdate.

    Regards,

    Johan Nieuwhoff

    ReplyDelete
    Replies
    1. This post worked perfectly with my SBS 2011 and IIS 7 environment. Thank you, Johan!

      Delete
  14. That didn't do it for me... anything else I can check?

    ReplyDelete
  15. Didn't work for me either. I'm running IIS7 with WSUS running on 8053. I dont have these options for for VD:
    •Click the Directory Security tab and ensure that Anonymous Access is allowed

    I do have: "Authentication" and it has "Anonymous Authentication" set to "Enabled"

    If I hit the URL via browser
    http://server:8530/Selfupdate/
    I get 403 access denied, so I do think access is the issue as I should get a 403.13 forbidden, directory not configured to list contents.

    ReplyDelete
  16. I had this error and it turned out to be directory browsing being disabled as the last guy suspected may be the case. I don't know why directory browsing is required, but WSUS doesn't enable it for the SelfUpdate VD by default and it appears to be an utter requirement. Enable it if everything else appears to be in order with permissions and whatnot and see what happens.

    It's also important to note that SelfUpdate doesn't have to be on *:80. Just edit the WSUS site in IIS. You may or may not be running on port 80.

    ReplyDelete
  17. Thanks Particle, I enabled Directory Browsing for http (port 8530 for me) and for HTTPS (port 8531 for me). Looks like it did the trick!

    HTTPS/SSL on IIS7 - I had to "Edit Bindings" for the WSUS Administrative site by assigning a "WMSvc-*servername*" SSL Certificate before directory browsing would work (and I assume before any other HTTPS access would function). This was one amongst several steps that I don't recall being in the WSUS install instructions when not using standard ports 80 & 443.

    Once completed I have have not receieved a single 13042 error in over 24hrs. Fingers crossed!

    ReplyDelete
  18. I was receiving the same error on an SBS 2008 system with IIS7. I checked the above recommendations and all of those were set correctly but I was still getting the error. I went through and did a line-by-line comparison of this site with another one of our sites also running SBS 2008 and found that the site with the problem had a redirect set to a non-existent page which resulted in returning the same error.

    ReplyDelete
  19. This is an awesome resource.Thanks so much for putting it together in such a well
    organized and complete manner.thanks alot for yor help.

    Nicely done.

    ReplyDelete
  20. As Particle said, just enable Directory Browsing in Selfupdate VirtualDir, no need to mess with DefaultWebSite. That worked for me!

    Thanks

    ReplyDelete
  21. Thank you! WSUS site on :8530. The site running on :80 required SSL. Disabled SSL on Selfupdate VD in default site. Ran checkhealth and then found a beautiful EventID 10000 in event viewer! "WSUS is working correctly."!

    Win Svr 2008r2, WSUS3.0 on non-default site:8530

    =jabadm

    ReplyDelete
  22. 3 years later and you're still getting comments, nice work! This works wonderfully for me, as I have it hosted on 80 and turn off SSL and all is good. Except when I restart IIS SSL is always turned back on. I've tried disabling it at the Default Web Site level and at the Selfupdate level. I'm not so smart with IIS, so why does it turn on Require SSL every time it restarts?

    ReplyDelete
  23. I must be dense, I cannot figure out what you are referring to:
    •Click the Directory Security tab and ensure that Anonymous Access is allowed

    ReplyDelete
  24. Right click the folder in Windows Explorer and click the security tab.

    ReplyDelete
  25. I had this problem (even thou everything was working) and I checked the logs in C:\Windows\System32\LogFiles\HTTPERR on 2008 R2 and found this...

    2011-10-07 19:39:24 ::1%0 60906 ::1%0 80 HTTP/1.1 GET /selfupdate/iuident.cab 404 - NotFound -

    I addedd a new binding for http using ::1 for IP. My errors went away but best practices still shows selfupdate not being correct. Not sure why it is looking for IPv6 since it isn't enable in network settings.

    ReplyDelete
  26. IPv6 is not disabled if you simply uncheck the box in network properties. You must disable it in the registry, too. See my article about this:

    http://www.expta.com/2009/02/how-to-configure-ipv6-using-group.html

    ReplyDelete
  27. OK, still not working for me in SBS 2011. Followed everyone's steps and still no working self update. Cannot remove bindings for SSL from the default web site due to MS Exchange OWA.

    Any further?

    ReplyDelete
  28. An Update to the last post.
    I have the following error when testing the connection to the SelfUpdate Directory:
    The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.
    Even after adding the Network Service and the IUSR accounts witrh read access on the physical directory, the issue persists.

    ReplyDelete
  29. I had this error report and could not find the "•Click the Directory Security tab and ensure that Anonymous Access is allowed" said tab! I ran the check and found one error saying "Self-Update NOT running" but a later one saying it was. Perhaps this is a transient condition in some cases?

    ReplyDelete
  30. WSUS SERVER ERRORS:
    Self update is not working
    The last catalog sync attemtp was unsuccessful
    The reporting web service i not working
    the API remoting web service is not working
    client web service is not working
    The DSS authentication web service is not working
    Can any one help as my wsus server is keep failing to synchronization

    ReplyDelete
  31. I had a similar problem which I fixed by following the instructions provided by Robbin Meng (MSFT). She addresses both the anonymous access and SSL settings on BOTH the SelfUpdate and ClientWebService virtual directories. I do not have browsing enabled on either and WSUS is working and not generating errors.

    (SBS2003SP2 and WSUS3.0)

    From Robbin:
    >Generally, this error message may occur if the WSUS related virtual directories are not >correctly configured. Please refer to the following steps to have a try:
    >
    > Cause
    > =============================
    > In the directory security tab of SelfUpdate and ClientWebService virtual directories. Following properties are selected.
    >
    > SSL required.
    > SSL 128 required.
    >
    >
    > Suggestion
    > ===========================
    > 1. Deselect the check box for:
    >
    > SSL required.
    > SSL 128 required.
    >
    > from Directory Security tab of SelfUpdate and Client WebService virtual directories.
    >
    > 2. Make sure the Selfupdate and ClientWebService vdir has Anonymous authentication enabled.
    >
    > 3. Stop and start the Default Web site or IIS service to take effect.
    >

    ReplyDelete

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.