Editing: ConfigMgr (SCCM) – Troubleshooting Tips to Resolve Scan Issues in Software Updates
<html> <body>
<p>I wanted to share an interesting issue that I faced. The scan was not completing successfully. Most of the machines are Windows 2008 Core servers, so without a GUI it was not that easy to troubleshoot (at least for me :) </p>
<blockquote> <p><strong>Issue</strong></p> </blockquote>
<p>The scan agent was not able to complete the scan successfully. Hence Software Update patching was not working on all the Windows 2008 Core servers. </p>
<blockquote> <p><strong>Cause</strong></p> </blockquote>
<p>After troubleshooting and a network capture, we noticed that the proxy server was blocking the communication between the client and the WSUS server. The proxy settings configured on the Core servers prevented the client from reaching the WSUS server. All the communications initiated by the client to reach the WSUS/SCCM server (FQDN) were being terminated at the proxy server. </p>
<p>Ideally, communication with internal FQDNs (the WSUS/SCCM server) should not go to or through the proxy server. In our case all the communications were going to the proxy server and producing unexpected results. </p>
<blockquote> <p><strong>Solution</strong></p> </blockquote>
<p>Reset the proxy settings on the Windows 2008 Core server as shown below. </p>
<p>"netsh winhttp reset proxy" </p>
<p>Ran the "netsh winhttp show proxy" command on the Core server. </p>
<p>Restarted the "Windows Update" service (for Windows 7 and Windows 2008) to reinitiate the scanning and patching processes. </p>
<blockquote> <p><strong>General software update troubleshooting tips</strong></p> <p><strong>A.</strong> Group Policy conflict</p> </blockquote>
<p>Ensure that the following three policies are not configured at the domain level. The SCCM client will apply the policy whenever it is required. </p>
<p>a. Allow signed content from intranet Microsoft update service location </p>
<p>b. Specify intranet Microsoft update service location </p>
<p>c. Automatic Updates Configuration </p>
<p>See the TechNet article for more details: <a href="http://go.microsoft.com/fwlink/?LinkId=94680"> <span style="color:rgb(82,158,129)">http://go.microsoft.com/fwlink/?LinkId=94680</span></a> </p>
<blockquote> <p><strong>B.</strong> Additional information if the above steps do not resolve the issue. The following steps will help to isolate or identify the issue.</p> </blockquote>
<p><strong>1.</strong> On the affected machine, disable the SCCM agent. To do this, you can run the following commands:<br> Disable the service: sc config CcmExec start= disabled<br> Stop the service: net stop CcmExec </p>
<p><strong>2.</strong> Ensure that the following policy is not enforced on the system:<br> User Configuration\Administrative Templates\Windows Components\Windows Update\Remove access to use all Windows Update Features </p>
<p>Check this first in the local system policy (you can open it with gpedit.msc, the Local Group Policy Editor). After that, run RSOP.msc and ensure that the policy is not configured there either. This will give you information from domain policies too. If the policy is enabled, either remove the policy or disable it. </p>
<p><strong>3.</strong> Restart the Automatic Updates service. </p>
<p><strong>4.</strong> Now, from the command line, run the following command:<br> Configure the proxy: proxycfg.exe -p "WSUS SERVER FQDN" </p>
<p>By doing this, we are configuring WinHTTP so that server access in upper case is also bypassed. </p>
<p>At this point, we need to test an update scan. Since the SMS Host Agent service is disabled and stopped, we won't be able to use the agent to run the scan. In this case, we need to run a scan using the command below: </p>
<p>wuauclt /resetauthorization /detectnow </p>
<p>Check WindowsUpdate.log for the outcome of the test. </p>
<p>How to bypass the proxy server for testing purposes using the proxycfg utility: more details at <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms761351(v=vs.85).aspx"> <span style="color:rgb(82,158,129)">http://msdn.microsoft.com/en-us/library/windows/desktop/ms761351(v=vs.85).aspx</span></a>. The registry entries you can check for the bypass list are under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\". </p>
<blockquote> <p><strong>C.</strong> I had a similar problem, explained in the <a href="http://social.technet.microsoft.com/Forums/en-US/configmgrsum/threads"> <span style="color:rgb(82,158,129)">TechNet thread</span></a>. We took network traces and found that internal communication to the WSUS server was also going to the external proxy (even though the proxy applies only to internet communications).</p> </blockquote>
<p>In the end it turned out to be incorrect proxy settings in a WPAD entry in the DHCP scope (the "252 WPAD" entry). As we are using Group Policy for the proxy setting, the WPAD entry in the DHCP scope is not required. We removed the WPAD setting and the problem was resolved. </p>
<p>Hope this helps !!</p>
</body> </html>
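Added example (not part of the original article): a PowerShell check for the condition described under Cause and in sections B and C, namely whether WinHTTP would route the client's WSUS traffic to the proxy instead of bypassing it. Function names, host names and the sample netsh output are constructed; it assumes PowerShell is installed on the client and that netsh prints English output.

```powershell
# Added example, not from the original article. Function names are hypothetical;
# host names and the sample netsh output are constructed.
function Get-WinHttpProxy {
    # Parses the English output of "netsh winhttp show proxy".
    param([string[]]$NetshOutput)
    $text = $NetshOutput -join "`n"
    $proxy = $null; $bypass = @()
    if ($text -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $proxy = $Matches[1] }
    if ($text -match 'Bypass List\s*:\s*(.+)') {
        $bypass = @($Matches[1].Trim() -split ';' |
                    Where-Object { $_ -and $_ -ne '(none)' })
    }
    New-Object PSObject -Property @{ Proxy = $proxy; Bypass = $bypass }
}

function Test-ProxyBypass {
    param([string]$HostName, [string[]]$BypassList)
    foreach ($entry in $BypassList) {
        # "<local>" covers dotless names only. Other entries are compared
        # case-sensitively: a conservative assumption prompted by the
        # article's remark about upper-case server names.
        if ($entry -eq '<local>') {
            if ($HostName -notmatch '\.') { return $true }
        } elseif ($HostName -clike $entry) { return $true }
    }
    return $false
}

function Test-WsusProxyPath {
    param([string]$WsusUrl, [string[]]$NetshOutput = (netsh winhttp show proxy))
    $cfg = Get-WinHttpProxy -NetshOutput $NetshOutput
    $wsusHost = ([uri]$WsusUrl).Host
    if (-not $cfg.Proxy) { return "$wsusHost : direct access, no WinHTTP proxy" }
    if (Test-ProxyBypass $wsusHost $cfg.Bypass) {
        return "$wsusHost : bypasses proxy $($cfg.Proxy)"
    }
    "$wsusHost : SENT TO PROXY $($cfg.Proxy); fix the bypass list or reset the proxy"
}

# Constructed sample: the bypass list covers *.corp.example.test only.
$sample = @('Current WinHTTP proxy settings:', '',
            '    Proxy Server(s) :  proxy.example.test:8080',
            '    Bypass List     :  *.corp.example.test;<local>')
Test-WsusProxyPath 'http://wsus01.dc.example.test:8530' $sample
Test-WsusProxyPath 'http://wsus01.corp.example.test:8530' $sample

# Live check against the WSUS URL that policy wrote to the registry.
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
if ($wu -and $wu.WUServer) { Test-WsusProxyPath $wu.WUServer }
```

A "SENT TO PROXY" result for the internal WSUS name on a client whose scans fail matches the situation in the article; rerun the check after "netsh winhttp reset proxy" or after correcting the WPAD or Group Policy proxy source.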