A few weeks after deploying SCCM to our client machines using WSUS integration no machines were checking in with update requirements. This looked suspiciously like something might be broken somewhere along the line but where as I had double checked all the URLs and everything looked correct…

Identifying the error

The first port of call was one of the built in SCCM reports: Scan2 – Last scan states by site. From here I selected our primary site and our WSUS server. The report showed that all the clients were currently failing. After clicking through to look at the specific status messages for “Scan failed” I got the following error codes:

  • Error status ID: 11423
  • LastErrorCode: –2147219822

So off to Technet to lookup the error:

FFFFFFFF80040692-2147219822 – Group Policy conflict

So looks like its something to do with my Group Policy settings after all but what?

Finding the cause

Ok so that’s the error but what’s wrong with the policy settings? Check the WUAHander.log file for any more information (found C:\Windows\System32\CCM\Logs)

<![LOG[Its a WSUS Update Source type ({xxxxx}), adding it.]LOG]!><time=”17:07:41.600+-60″ date=”07-13-2009″ component=”WUAHandler” context=”” type=”1″ thread=”6412″ file=”sourcemanager.cpp:1339″>
<![LOG[Enabling WUA Managed server policy to use server: https://SERVER.TEST.COM:8531]LOG]!><time=”17:07:41.601+-60″ date=”07-13-2009″ component=”WUAHandler” context=”” type=”1″ thread=”6412″ file=”sourcemanager.cpp:1045″>
<![LOG[Waiting for 2 mins for Group Policy to notify of WUA policy change…]LOG]!><time=”17:07:42.084+-60″ date=”07-13-2009″ component=”WUAHandler” context=”” type=”1″ thread=”6412″ file=”sourcemanager.cpp:1051″>
<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://server.test.com:8531/ and Policy ENABLED]LOG]!><time=”17:07:43.909+-60″ date=”07-13-2009″ component=”WUAHandler” context=”” type=”3″ thread=”6412″ file=”sourcemanager.cpp:1107″>
<![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({xxxxx}). Error = 0x80040692.]LOG]!><time=”17:07:43.910+-60″ date=”07-13-2009″ component=”WUAHandler” context=”” type=”3″ thread=”6412″ file=”cwuahandler.cpp:2358″>

The key lines here being:

  • Enabling WUA Managed server policy to use server: https://SERVER.TEST.COM:8531]
  • Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://server.test.com:8531/ and Policy ENABLED

So SCCM seems to be setting the URL then letting group policy have the chance to overwrite it, in this case it was being overwritten so SCCM then gave up however the only difference between the URLs is that the SCCM URL is in capitals with no / on the end!

Solution

After updating my URL in Group Policy to match exactly the URL that SCCM was trying to use the clients could then successfully inventory for updates. So it was an issue with my Group Policy settings after all but only because I had a trailing “/” on the end!

Case closed.