A few weeks after deploying SCCM to our client machines using WSUS integration, no machines were checking in with update requirements. This looked suspiciously like something might be broken somewhere along the line, but where? I had double-checked all the URLs and everything looked correct…
Identifying the error
The first port of call was one of the built-in SCCM reports: Scan2 – Last scan states by site. From here I selected our primary site and our WSUS server. The report showed that all the clients were currently failing. After clicking through to look at the specific status messages for “Scan failed” I got the following error codes:
- Error status ID: 11423
- LastErrorCode: -2147219822
So off to Technet to look up the error:
FFFFFFFF80040692 (-2147219822) – Group Policy conflict
So it looks like it’s something to do with my Group Policy settings after all, but what?
Finding the cause
Ok, so that’s the error, but what’s wrong with the policy settings? Check the WUAHandler.log file for any more information (found in C:\Windows\System32\CCM\Logs):
<![LOG[Its a WSUS Update Source type ({xxxxx}), adding it.]LOG]!><time="17:07:41.600+-60" date="07-13-2009" component="WUAHandler" context="" type="1" thread="6412" file="sourcemanager.cpp:1339">
<![LOG[Enabling WUA Managed server policy to use server: https://SERVER.TEST.COM:8531]LOG]!><time="17:07:41.601+-60" date="07-13-2009" component="WUAHandler" context="" type="1" thread="6412" file="sourcemanager.cpp:1045">
<![LOG[Waiting for 2 mins for Group Policy to notify of WUA policy change...]LOG]!><time="17:07:42.084+-60" date="07-13-2009" component="WUAHandler" context="" type="1" thread="6412" file="sourcemanager.cpp:1051">
<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://server.test.com:8531/ and Policy ENABLED]LOG]!><time="17:07:43.909+-60" date="07-13-2009" component="WUAHandler" context="" type="3" thread="6412" file="sourcemanager.cpp:1107">
<![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({xxxxx}). Error = 0x80040692.]LOG]!><time="17:07:43.910+-60" date="07-13-2009" component="WUAHandler" context="" type="3" thread="6412" file="cwuahandler.cpp:2358">
The key lines here being:
- Enabling WUA Managed server policy to use server: https://SERVER.TEST.COM:8531
- Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://server.test.com:8531/ and Policy ENABLED
So SCCM seems to be setting the URL, then letting Group Policy have the chance to overwrite it. In this case it was being overwritten, so SCCM then gave up; however, the only difference between the URLs is that the SCCM URL is in capitals with no / on the end!
Solution
After updating my URL in Group Policy to match exactly the URL that SCCM was trying to use, the clients could then successfully inventory for updates. So it was an issue with my Group Policy settings after all, but only because I had a trailing “/” on the end!
Case closed.
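The comparison made by eye above can be scripted. The following is an added example, not part of the original post: it pulls the two URLs out of WUAHandler.log lines and reports whether they differ by case, by trailing slash, or by something else. The function name Compare-WsusUrl is hypothetical, and the registry key in the final comments is the standard Windows Update policy location, which the post itself does not mention.

```powershell
# Added example (not from the original post): compare the WSUS URL SCCM tries to set
# with the URL Group Policy enforces, and report how the two strings differ.
function Compare-WsusUrl {
    param(
        [Parameter(Mandatory = $true)] [string[]] $LogLines,  # lines from WUAHandler.log
        [string] $GpoUrl                                      # optional: URL configured in Group Policy
    )
    $sccmUrl = $null
    $loggedGpoUrl = $null
    foreach ($line in $LogLines) {
        if ($line -match 'Enabling WUA Managed server policy to use server: (\S+?)\]LOG\]') {
            $sccmUrl = $Matches[1]          # URL SCCM asked the Windows Update Agent to use
        }
        elseif ($line -match 'overwritten by a higher authority .* to: Server (\S+) and Policy') {
            $loggedGpoUrl = $Matches[1]     # URL that domain Group Policy put back
        }
    }
    if (-not $GpoUrl) { $GpoUrl = $loggedGpoUrl }
    if (-not $sccmUrl -or -not $GpoUrl) {
        throw 'Could not find both the SCCM URL and the Group Policy URL.'
    }
    # Compare with trailing slashes removed so each kind of difference is reported separately.
    $a = $sccmUrl.TrimEnd('/')
    $b = $GpoUrl.TrimEnd('/')
    [pscustomobject]@{
        SccmUrl              = $sccmUrl
        GroupPolicyUrl       = $GpoUrl
        ExactMatch           = ($sccmUrl -ceq $GpoUrl)
        TrailingSlashDiffers = ($sccmUrl.EndsWith('/') -ne $GpoUrl.EndsWith('/'))
        CaseDiffers          = ($a -cne $b) -and ($a -ieq $b)
        OtherDifference      = ($a -ine $b)
    }
}

# Constructed sample: the two key lines from the log excerpt above, attributes shortened.
$sample = @(
    '<![LOG[Enabling WUA Managed server policy to use server: https://SERVER.TEST.COM:8531]LOG]!><time="17:07:41.601+-60">'
    '<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://server.test.com:8531/ and Policy ENABLED]LOG]!><time="17:07:43.909+-60">'
)
Compare-WsusUrl -LogLines $sample | Format-List

# On a real client, feed it the live data instead (log directory as given in the post;
# the registry path is the standard Windows Update policy key, not something the post names):
# $log = Get-Content 'C:\Windows\System32\CCM\Logs\WUAHandler.log'
# $gpo = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate').WUServer
# Compare-WsusUrl -LogLines $log -GpoUrl $gpo
```

For the sample lines this reports ExactMatch False with both TrailingSlashDiffers and CaseDiffers True, which are the two differences noted above.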