In a virtual environment (VMware, Citrix, Hyper-V ….) it’s easy to clone VM’s back and forth, and sometimes it has some unexpected results which aren’t noticed right away. One of these issues that I noticed was with WSUS and VM’s (clients) replaced each other as soon as they talked with the WSUS server. The client machine name, ip and applied updates changed according to the client in question, but the old one was nowhere to be found.
A Microsoft Knowledge Base article (link below) described this issue for pre-Windows Server 2008 / 2008 R2 / 2012 servers, but this does apply to them as well. In example when you clone a VM and remove it from the domain and re-join it, it will generate a new SID for the OS but not the Windows Update ID. In this case, the client OS will work just fine and you won’t notice this if you use an external (the normal) windows update method. If you use a internal WSUS server, then this becomes a problem :)
To solve this issue, you need to do some editing in Regedit to generate a new ID for Windows Update. This method does not require a reboot and you can verify that the client has registered properly with the WSUS server right after restarting the Windows Update service. I would recommend taking a snapshot of the VM or backing up your registry before continuing, even though I haven’t had any problems with this method.
- Stop the Windows Update/Automatic Updates service in elevated command prompt (net stop wuauserv)
- Open regedit and locate the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
- Delete the following entries (all might not apply)
- PingID
- AccountDomainSid
- SusClientId
- SusClientIDValidation
- Close regedit
- Start the Windows Update/Automatic Updates service in elevated command prompt (net start wuauserv)
- Run the following command to register the client with the wsus server again ” wuauclt.exe /resetauthorization /detectnow“
Once these steps have been completed on a client machine, you can verify that the client has registered properly in the WSUS server. It might take some time for the client to show up, in my experience up to 60 seconds. It might take a while longer, though shouldn’t be that long.
Source: Microsoft KB article 903262
Windows Server NTP Sync from external source
Excellent solution; thank you.
Thats brilliant , i wrote a script in a batch file that automates this process for please see below
@ECHO OFF
:choice
set /P c=Are you sure wish to continue with WSUS fix? (Y/N)
if /I “%c%” EQU “Y” goto :continue
if /I “%c%” EQU “N” goto :exit
goto :choice
:continue
echo “We are proceeding to resolve WSUS Update ID”
pause
net stop wuauserv
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /V PingID
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /V AccountDomainSid
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /V SusClientId
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /V SusClientIDValidation
net start wuauserv
wuauclt.exe /resetauthorization /detectnow
exit
:exit
echo “You selected NO, exiting …”
pause
exit
thank you so much with useful information