WSUS clients install updates properly but don't send any status reports back to the server

Here's a cool tip and a cool tool that was sent to me by Joe Tindale, one of the top Support Escalation Engineers in our WSUS group.  If you find that your WSUS clients are not sending status updates back to the server then this is something you'll want to check out:

=================

Issue: You may notice that your clients will check into WSUS and install updates properly but don't send any status reports back to the server even though you can see that events were being generated locally.  If you review the IIS logs you may also see that the client IP addresses never attempt to post to the WSUS servers "reportingwebservice".

We saw the following in the windowsupdate.log so we know it was generating local reporting events:

2008-02-21 05:22:58:989 668 1408 Report REPORT EVENT: {91CFE792-1064-473B-8AA0-C9E392F2E76C} 2008-02-21 05:22:53:989-0500 1 162 101 {671ACCFF-0C42-4DDF-AF69-50DA8004EC29} 100 0 AutomaticUpdates Success Content Download Download succeeded.
2008-02-21 05:22:58:989 668 1408 Report REPORT EVENT: {1060A038-6F4D-49BB-9CA6-E02FADD13DE9} 2008-02-21 05:22:54:001-0500 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ?Friday, ?February ?22, ?2008 at 3:00 AM: - Definition Update for Microsoft Forefront Client Security (Antimalware 1.27.6904.0)

What we didn't see was something like the following which would tell us that the client was uploading those reporting events to the WSUS server:

2008-02-16 00:39:00:494 668 8d0 Report Uploading 2 events using cached cookie, reporting URL = https://some_WSUS_server/ReportingWebService/ReportingWebService.asmx
2008-02-16 00:39:00:932 668 8d0 Report Reporter successfully uploaded 2 events.

Even if you try forcing a report and taking a network trace you'll never see any traffic to the reportingwebservice. 

Note: You can force a report from the command line with the following: wuauclt /reportnow

Cause: This can occur if ConfigMgr 2007 had been previously installed on the server as a Software Update Point (SUP) and Automatic Update reporting events was set to "Do not create WSUS reporting events":

Note: These settings were added specifically for ConfigMgr 2007 to reduce the number of reporting events sent back to the WSUS server. This configuration sets a value within WSUS and then WSUS tells the Automatic Update agent on each client to configure reporting accordingly.

Resolution: In my case ConfigMgr 2007 had already been uninstalled so we could not revert the setting back to "Create all WSUS reporting events" unless ConfigMgr 2007 was reinstalled, however the above settings are exposed via a "clientreportinglevel" property of "IUpdateServerConfiguration" so  I wrote a tool to configure the various members of this property:

All = Clients should send all reporting information to the server
None = Clients should not report update status or activity reports to the server
StatusOnly = Clients should send update status reports to the server, but not activity reports.

For more information on these properties see:

• https://msdn2.microsoft.com/en-us/library/microsoft.updateservices.administration.clientreportinglevel(VS.85).aspx
• https://msdn2.microsoft.com/en-us/library/microsoft.updateservices.administration.iupdateserverconfiguration.clientreportinglevel(VS.85).aspx

The tool I wrote has a "/?" option which will display the help menu.  It first displays the current reporting level and then gives you the options to change the reporting level:

C:\Users\Administrator\Desktop>WSUS_Reporting_Level.exe /?

Current Reporting Level: All

Please enter a numeric option:
Press '1' to set the client reporting level to 'ALL'.
Press '2' to set the client reporting level to 'NONE'.
Press '3' to set the client reporting level to 'STATUS ONLY'.
Press '4' to exit.

Once you set the clientreportinglevel to "All" the clients should start to send status reports within a short period of time.

To download my WSUS_Reporting_Level tool visit https://www.codeplex.com/WSUS/Release/ProjectReleases.aspx?ReleaseId=19272.

========

Keep in mind that the standard disclaimers apply (e.g. Microsoft has not fully tested this tool, use at your own risk, we make no warranties or guarantees as to the suitability of this tool, etc. etc.).

Thanks Joe!

J.C. Hornbeck | Manageability Knowledge Engineer

Comments

• Anonymous
  March 30, 2012
  I have this problem on a freshly installed WSUS 3 SP2 server.  I ran the tool thought and it said I am set to "all".  Any other ideas on this?  Right now when I find one of these machines, I run a script on it that stops the server, creates a new WSUS SID (not A.D.) SID and it reconnects to the server.  This works 90% of the time.  But I would like to fix this on the server end if possible.
• Anonymous
  May 10, 2012
  Amazing - this has been baffling me for 2 months - could not get my clients to report in any more.Thanks!
• Anonymous
  November 05, 2012
  The comment has been removed
• Anonymous
  December 10, 2013
  Thanks so much.  The WSUS_Reporting_Level executable, works as described, on the x64 bit WSUS::Server 2008 R2, transitively instructing the WSUS client machines to once again, begin sending the ReportingWebService update results back upstream.
• Anonymous
  February 18, 2014
  Anyone able to run this on WSUS for Server 2012? gives me an error, even running as Administrator
• Anonymous
  March 12, 2014
  Thank you for this article!
  I've had similar issues after SUP role removed on SCCM 2012 and WSUS Clients went "The computer has not reported status yet".
  You saved me from setting a test virtual machine with second wsus server.
• Anonymous
  May 23, 2014
  doesn't work on Server 2012R2 either
• Anonymous
  May 23, 2014
  I have a problem: installed WSUS role and Update Point on the SCCM 2012R2 server, not liked it and removed it. Clients now not reporting to WSUS. Uninstalled the WSUS role, installed the WSUS role on another server. Clients still not reporting to WSUS (not even trying according to the windowsupdate.log).
  
  Found the solution 9for SCCM2007/WSUS3): http://blogs.technet.com/b/sus/archive/2008/11/12/wsus-clients-install-updates-properly-but-don-t-send-any-status-reports-back-to-the-server.aspx. the tool is not working on 2012R2....
  
  BUT how does this work for me? However the Update Point is uninstalled fromm SCCM I can still configure it (also the reporting settings). But will this have any effect to the clients?? How 'reads' the client this setting?
  
• Anonymous
  May 25, 2014
  This works:
  UPDATE dbo.tbConfiguration SET Value='2' where Name='ClientReportingLevel'
  on the database server