In my case, we had a SonicWALL device and one of the IDS signatures on the SonicWALL was blocking Windows Update traffic.
On a 3.0 RC box, we were having a problem getting the large updates (SP2 for Windows Server 2003, SP2 for Windows XP, etc.), though everything else worked OK. We had seen this problem with WSUS 2.0 as well. Here is what to do:
1. Go to the “Windows Server Update Services Downloads” page.
2. Download the Server Diagnostic Tool.
3. Extract it somewhere on the machine (e.g. I created C:\Tools and extracted the file there).
4. Open a command prompt, go to C:\Tools and run the following command:
“WsusDebugTool.exe /Tool:SetForegroundDownload”. More information on this tool can be found in the readme.txt file (see the Windows Server Update Services Downloads page).
This solved our problem.
This problem was coming up on a WSUS server environment for one workstation out of 200. I installed MS Hotfix ME927891 for Windows XP, rebooted, and it started working.
I tried many of the things that were suggested here. In my case, on a Windows 2000 SP4 server, there was no ISA firewall and no proxy settings (set to automatically detect settings). To resolve the problem I copied proxycfg.exe from an XP workstation, opened a command prompt, and ran the following:
net stop wuauserv
net start wuauserv.
for more details on the proxycfg.exe configuration tool.
WSUS was not downloading updates (WSUSAdmin page reported that the server had 10GB worth of updates to download, and had downloaded 0.00MB). I also found this error in the system log. I deleted the files in the WSUSContent folder, ran "wsusutil reset", restarted the Automatic Updates service and WSUS began downloading.
Automatic Updates with WSUS doesn’t work if the workstation is installed via Disk Imaging or Disk Cloning. See ME555452.
This can occur if you have specified your WSUS client to use HTTPS for communicating with the WSUS server, and the WSUS server is using a certificate that is not installed on the client computer (e.g., if you are using a certificate generated by your company’s CA and not using one of the well-known ones such as Verisign, etc.).
As per Microsoft: "This behavior may occur if both of the following conditions are true:
1) In your computer's Local Area Network (LAN) settings, the Automatically detect settings check box is selected.
2) You cannot ping the Web Proxy Auto-Discovery (WPAD) server by its Domain Name System (DNS) name". See ME824208 for more information.
See "Troubleshooting Windows Update v.5 Authentication Issue" for information on troubleshooting authentication issues.
Also, check ME328010 to find out how to configure Automatic Updates by using Group Policy or registry settings.
As per Microsoft: "This behavior occurs because the Automatic Update service runs under the Local System account. The Local System account is not a member of the BackOffice Internet Users group and does not have permissions to use the Internet through ISA Server". See ME838177 for a workaround.
if the event description cannot be found.
In our case, the cause had to do with imaged client systems with the same SID. Microsoft PSS suggested the following steps to be run on the problem workstation:
1. Stop the Automatic Update service: “net stop wuauserv”.
2. Open Regedit and browse to the following Registry Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate.
3. Save a copy of this WindowsUpdate key (File / Export or Right-click / Export).
4. Delete the following registry values: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PingID.
5. Close Regedit.
6. Start the Automatic Update service: “net start wuauserv”.
7. On this client, force synchronization with the WSUS Server: “wuauclt /detectnow”.
Within 30 minutes, the client in question showed up in the WSUS Console on the server and error 16 was no more.
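The seven steps above as a single script, added here as an example (it is not part of the original comment and is not Microsoft's own script). It assumes PowerShell 2.0 or later, an elevated prompt on the affected client, and C:\Tools as the backup folder; it refuses to delete anything unless the registry export succeeded.

```powershell
# Added example: automates the manual PingID reset described above.
# Assumptions: PowerShell 2.0+, elevated prompt, backup folder C:\Tools.
$ErrorActionPreference = 'Stop'

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'  # provider path
$RegKey    = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'   # reg.exe path
$ValueName = 'PingID'
$BackupDir = 'C:\Tools'   # assumed location, change as needed
$Backup    = Join-Path $BackupDir ("WindowsUpdate-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# Step 1: stop the Automatic Updates service.
Stop-Service -Name wuauserv

try {
    # Step 3: export the WindowsUpdate key before touching it.
    # The timestamped file name avoids an overwrite prompt from reg.exe.
    & reg.exe export $RegKey $Backup | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) {
        throw "Export of $RegKey failed; nothing was deleted."
    }

    # Step 4: delete PingID, but only if the value is actually present.
    if (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
        Write-Host "Removed $ValueName (backup saved to $Backup)"
    }
    else {
        Write-Host "$ValueName not present under $RegKey; nothing to delete."
    }
}
finally {
    # Step 6: restart the service even if the export or delete failed,
    # so the client is never left with Automatic Updates stopped.
    Start-Service -Name wuauserv
}

# Step 7: force detection against the WSUS server.
& wuauclt.exe /detectnow
```

To roll back, import the saved .reg file while the wuauserv service is stopped.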
We have Oracle Management Console installed and there was no interaction possible between WSUS and the server. After shutting down the service from Oracle, everything works fine.
The cause is the inability of the Automatic Updates service to get out through HTTPS (port 443) to the MS Update server. Enable the port and all automatic updates will start working.
See also ME241783 for errors using Windows Update through a proxy server or firewall.