WSUS SQL Service Manager shows Not Connected

You might have noticed that the WMSDE SQL Service Manager shows Not Connected in the system tray, and wondered why.

This is because WSUS is running on WMSDE, where there is no default instance, so SQL Service Manager cannot see it. This is normal behaviour.


Why does my SQL Server Service Manager say the database is stopped?

WSUS: Automatic Update Client call recorder fails to init with Error 0x80004015


You see the following errors in WindowsUpdate.log, and the Automatic Update Client fails to update from Windows Server Update Services (WSUS):

2005-09-26 08:10:27 1724 ac4 Agent FATAL: Client call recorder fails to init with error 0x80004015
2005-09-26 08:10:27 1724 ac4 Agent * FATAL: Failed to initialize with error 0x80004015 from component Agent
2005-09-26 08:10:27 1724 ac4 Service FATAL: Failed to initialize WU client: 0x80004015
2005-09-26 08:10:27 1724 ac4 Service *********
2005-09-26 08:10:27 1724 ac4 Service ** END ** Service: Service exit [Exit code = 0x80004015]


Error 0x80004015 translates to CO_E_WRONG_SERVER_IDENTITY which means, “The class is configured to run as a security id different from the caller.”
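To spot this failure across many client logs, the FATAL lines can be grouped by HRESULT and the code split into its fields. The following is an added example, not part of the original post; the names LINE_RE, KNOWN, decode_hresult and triage are hypothetical, and the sample input is the log excerpt quoted above.

```python
import re

# The WindowsUpdate.log excerpt quoted above, embedded so the example runs offline.
SAMPLE_LOG = """\
2005-09-26 08:10:27 1724 ac4 Agent FATAL: Client call recorder fails to init with error 0x80004015
2005-09-26 08:10:27 1724 ac4 Agent * FATAL: Failed to initialize with error 0x80004015 from component Agent
2005-09-26 08:10:27 1724 ac4 Service FATAL: Failed to initialize WU client: 0x80004015
2005-09-26 08:10:27 1724 ac4 Service *********
2005-09-26 08:10:27 1724 ac4 Service ** END ** Service: Service exit [Exit code = 0x80004015]
"""

# date, time, PID, TID (hex), component, message; separators may be spaces or tabs.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\S*\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+(?P<component>\w+)\s+(?P<msg>.*)$")
HRESULT_RE = re.compile(r"0x[0-9a-fA-F]{8}\b")

# Only the code this section explains; extend the table for other errors.
KNOWN = {0x80004015: ("CO_E_WRONG_SERVER_IDENTITY",
                      "compare the wuauserv and BITS service ACLs with the defaults")}

def decode_hresult(value):
    """Split a 32-bit HRESULT into its failure bit, facility and code fields."""
    return {"failure": bool(value & 0x80000000),
            "facility": (value >> 16) & 0x7FF,
            "code": value & 0xFFFF}

def triage(log_text):
    """Group FATAL lines by HRESULT and attach the symbolic name and a hint."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "FATAL" not in m["msg"]:
            continue  # skip unparsable lines and non-fatal entries
        for text in HRESULT_RE.findall(m["msg"]):
            value = int(text, 16)
            name, hint = KNOWN.get(value, ("unknown", "not covered here"))
            entry = findings.setdefault(value, {
                "name": name, "hint": hint, "count": 0, "components": set(),
                "first_seen": f"{m['date']} {m['time']}", **decode_hresult(value)})
            entry["count"] += 1
            entry["components"].add(m["component"])
    return findings

if __name__ == "__main__":
    for value, entry in triage(SAMPLE_LOG).items():
        print(f"0x{value:08X}", entry)
```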


This is caused by missing permissions on the Automatic Updates service. It happens when the properties of the Automatic Updates service were changed through Group Policy (Computer Configuration, Windows Settings, Security Settings, System Services) to set it to Disabled, or when the access control list (ACL) on the Automatic Updates (WUAUSERV) service was edited.

Because the ACL (permissions) on the Automatic Updates service (WUAUSERV) has been changed, the security settings on the Automatic Updates service (WUAUSERV) and the BITS service have to be reset to their defaults.

To reset the ACL on the BITS and WUAUSERV services to default, run the following commands (each on one line) as Domain Administrator or under the Local System account on the machine. Only these accounts can modify the ACL on these services on your machine.

sc sdset bits

sc sdset wuauserv  

Note: Each command needs to be entered on one line at a command prompt (disable word wrap). See the batch file below, which automates the process.

To run the commands automatically, save the following code in Notepad as SetServiceObjectSecurity.cmd and double-click the batch file to run it.

@echo off
Echo This batch file will Set Service Object Security for WUAUSERV ^& BITS.
REM Result will be written to %temp%\SetServiceObjectSecurity.log and then launched in Notepad.
Echo Please wait…
@echo on
@echo off

notepad %temp%\SetServiceObjectSecurity.log
Echo Open %temp%\SetServiceObjectSecurity.log for SUCCESS entry.
Echo Open the Services applet from control panel to see if the services are started.
Echo For any errors; report on
@echo off
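Before and after resetting the descriptors, the SDDL string printed by sc sdshow wuauserv (or sc sdshow bits) can be decoded to see which accounts hold which service rights. This is an added example, not part of the original post; the two SDDL strings are constructed samples rather than the Windows defaults, and parse_dacl and sensitive_grants are hypothetical helper names.

```python
import re

# SDDL two-letter right codes and what they mean on a service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# SID aliases; "WD" means Everyone here but WRITE_DAC in the rights field.
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "AU": "Authenticated Users", "IU": "Interactive",
            "SU": "Service logon", "PU": "Power Users", "WD": "Everyone"}
# Rights that let the holder reconfigure, re-ACL or delete the service.
SENSITIVE = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE"}

# Constructed samples for illustration (not the Windows default descriptors).
SAMPLE_OK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)")
SAMPLE_WEAK = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [rights])] for the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inherit, sid = body.split(";")[:6]
        if rights.startswith("0x"):        # raw hex mask: keep it undecoded
            names = [rights]
        else:
            names = [SERVICE_RIGHTS.get(c, c) for c in re.findall(r"[A-Z]{2}", rights)]
        aces.append((ace_type, TRUSTEES.get(sid, sid), names))
    return aces

def sensitive_grants(sddl, trusted=("Local System", "Builtin Administrators")):
    """Allow ACEs that give SENSITIVE rights to a trustee outside `trusted`."""
    return [(who, sorted(SENSITIVE & set(rights)))
            for kind, who, rights in parse_dacl(sddl)
            if kind == "A" and who not in trusted and SENSITIVE & set(rights)]

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_WEAK):
        print(ace)
    print("over-broad:", sensitive_grants(SAMPLE_WEAK))
```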



The Automatic Updates Service starts and then stops automatically

WSUS: SelfUpdate Tree is not working


You see the following error on the WSUSAdmin page:

Check your server configuration
One or more Update Service components could not be contacted. Check your server status and ensure that the Windows Server Update Service is running.

Non-running services: SelfUpdate

And the following event is logged:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Update Services Service
Event ID: 506
User: N/A
The SelfUpdate Tree is not working. Clients may not be able to update to the latest WUA client software and communicate with the Windows Server Update Services (WSUS) Server.


· The SelfUpdate tree MUST be installed into port 80 regardless of whether you are running WSUS on port 80 or 8530.

· The SelfUpdate tree does not work if you have the website bound to a specific IP address in your IIS configuration.


Procedure to enable the SelfUpdate tree:

1. Open IIS Manager from Administrative Tools.

2. In the website running on port 80, create a virtual directory called ‘Selfupdate’.

3. Point the physical path to ‘C:\Program Files\Update Services\Selfupdate’.

4. Make sure you allow anonymous users to connect to it under the ‘Directory Security’ tab – Enable Anonymous Access.

5. Change the security of the ‘Selfupdate’ virtual directory (right click, properties) and tick the ‘Directory Browsing’ check box.


The workaround is either to set your IIS Configuration to respond to “All unassigned” addresses or add to the list of IP addresses used for Selfupdate.

WSUS: Automatic Update Client Logged in users are popped to accept Office EULA


You notice that Office updates approved on the Windows Server Update Services (WSUS) server, once installed by the Automatic Update Client, force the logged-in user to accept the End User License Agreement (EULA) every time they open an Office application.


This behavior occurs if your user account does not have permissions to modify the Microsoft Windows Registry.





Right-click the HKEY_LOCAL_MACHINE\Software\Microsoft\Office\11.0 subkey or the HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0 subkey, and then click Permissions.


Click Users (Computer_name\Users), and then click to select the Allow check box for the Full Control permission.

Accidentally deleted WSUS Computer/Computer Group from WSUSAdmin Console


Computer group accidentally deleted from the WSUSAdmin console?


Don’t panic, this is at least not a disaster recovery (DR) situation! All you have to do is re-create the computer group in the WSUSAdmin console with the same name. Be patient until WUA completes the next detection cycle; the computers will then re-populate in the newly created group through Client Side Targeting (CST). If you are not using CST, you have to manually move the computers from “Unassigned Computers” to the newly created group.


Computer/PC accidentally deleted from its computer group in the WSUSAdmin console?


The same logic applies here. It will re-register at the time of next detection cycle.


WSUS Clients Showing Unknown in Reports Status of Computers

Quick Automatic Update Client Detection & Installation with Windows Server Updates Services:

WSUS: Script to Force the Update Detection from Automatic Update Client for updates on WSUS Server:

Where can I find the wuau.adm file that includes all the new WSUS options?

There are several places to find this file:

  1. It’s available on every XP SP2 machine in the WINDOWS\INF folder.

  2. Additionally, you can find this file on the Windows Server Update Services (WSUS) server itself. Browse to the %ProgramFiles%\Update Services\Selfupdate\au\x86 folder and locate the file under your language folder (en=English). Open the cabinet file to find the updated wuau.adm file.

  3. You can also download All Group Policy ADM Files directly from

WSUS Mandatory Updates

Windows Server Update Services Updates are needed to ensure computers can be updated correctly. If Windows Server Update Services (WSUS) updates are not approved, some updates may not be correctly detected by computers. Currently, this includes Windows Installer 3.1 and Background Intelligent Transfer 2.0 (MSI 3.1 & BITS 2.0).


So, this means Windows Server Update Services Updates are needed to ensure computers can be updated correctly. These updates (MSI 3.1 & BITS 2.0) are mandatory critical updates and they will be automatically downloaded by AU Client.


Where is the option to ‘Automatically approve WSUS updates?’


Open the WSUSAdmin console and click Options, then Automatic Approval Options. Scroll down to the bottom of the page, and you will find the “Automatically approve WSUS updates” option in the Windows Server Update Services Updates section.


How do I turn off this option?


It is not recommended to turn off this option, since these updates are needed to ensure computers can be updated correctly. Even if you uncheck this option (WSUSAdmin console, Options, Automatic Approval Options, uncheck “Automatically approve WSUS updates”), this will not work, as these updates are mandatory and will be downloaded by the clients.


The only way is to manually un-approve these updates, which is again not recommended.

Review Synchronization Settings in TO DO LIST incorrectly displays new product classifications

This post applies to the September 2005 synchronization.


On the WSUSAdmin page, in the To Do List, you might see “1 new product and 0 new classifications were added in the last 30 days.”


What is the new product, and how do you find it?


Normally, you can see whether a new product or classification was added by looking under Options, Synchronization Options, Products & Classifications in the UI. But in this case, it does not show up in the UI. This is strange!


According to Windows Server Update Services (WSUS) Team, “This is because a revision to the Office product family was published on or around 9/1.  I’m not sure why it was revised, or what the revision was and it is certainly a bug that revisions to Products/Categories would trigger the “new products” notification on the WSUS home page.”

WSUS: Encryption Key Cannot be Retrieved


You may see an error when trying to make changes to the synchronization options such as trying to set a proxy server password or changing the time for synchronization. The error looks like:

System.Security.Cryptography.CryptographicException: The encryption key cannot be retrieved. --->

System.Security.Cryptography.CryptographicException: An error occurred in the DPAPI. HRESULT: 0x800F0005 at Microsoft.UpdateServices.Internal.DataProtectionApi.Decrypt(Byte[] toDecrypt, Byte[] entropy, EncryptionLevel level) at

This is what you get when you click on the show details button:

--- End of inner exception stack trace ---

at Microsoft.UpdateServices.Internal.EncryptionUtilities.GetEncryptionKey()
at Microsoft.UpdateServices.Internal.EncryptionUtilities.EncryptString(String stringToEncrypt)
at Microsoft.UpdateServices.Internal.BaseApi.UpdateServerConfiguration.set_ProxyPassword(String value)
<SNIP>.Manage.Subscriptions.SubscriptionProxy.SaveSynchronizationValues(XPostHandler& xPostHandler)
at Administration.Manage.Subscriptions.SubscriptionProxy.ValidateSynchronizationValues(String xPostXml)
at Administration.Manage.Subscriptions.SubscriptionXPost.Page_Load(Object sender, EventArgs e)


On Windows Server 2003, a possible cause is that the NetworkService user account does not have read access to the root of %systemdrive%. Make sure the NetworkService account has read access to the system drive. You can use the CACLS command to adjust the ACLs.