WSUS 3.0 – Client machines replace previous clients in WSUS

Posted on 13/08/2013 · Posted in Microsoft, Miscellaneous

In a virtual environment (VMware, Citrix, Hyper-V ….) it’s easy to clone VM’s back and forth, and sometimes it has some unexpected results which aren’t noticed right away. One of these issues that I noticed was with WSUS and VM’s (clients) replaced each other as soon as they talked with the WSUS server. The client machine name, ip and applied updates changed according to the client in question, but the old one was nowhere to be found.

A Microsoft Knowledge Base article (link below) described this issue for pre-Windows Server 2008 / 2008 R2 / 2012 servers, but this does apply to them as well. In example when you clone a VM and remove it from the domain and re-join it, it will generate a new SID for the OS but not the Windows Update ID. In this case, the client OS will work just fine and you won’t notice this if you use an external (the normal) windows update method. If you use a internal WSUS server, then this becomes a problem :)

To solve this issue, you need to do some editing in Regedit to generate a new ID for Windows Update. This method does not require a reboot and you can verify that the client has registered properly with the WSUS server right after restarting the Windows Update service. I would recommend taking a snapshot of the VM or backing up your registry before continuing, even though I haven’t had any problems with this method.

  1. Stop the Windows Update/Automatic Updates service in elevated command prompt (net stop wuauserv)
  2. Open regedit and locate the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
  3. Delete the following entries (all might not apply)
    • PingID
    • AccountDomainSid
    • SusClientId
    • SusClientIDValidation
  4. Close regedit
  5. Start the Windows Update/Automatic Updates service in elevated command prompt (net start wuauserv)
  6. Run the following command to register the client with the wsus server again ” wuauclt.exe /resetauthorization /detectnow

Once these steps have been completed on a client machine, you can verify that the client has registered properly in the WSUS server. It might take some time for the client to show up, in my experience up to 60 seconds. It might take a while longer, though shouldn’t be that long.

Source: Microsoft KB article 903262