forums.wsusoffline.net

Hello. New user here.

Been using this product for several years. Never had any problems, until recently.

It will not update. I get the message "No update found. Nothing to do." I am 100% sure the system needs updates; verified with vulnerability scanner.

Some things I have tried:
Reinstalled Windows Update Client
Ran wuauclt /resetauthorization
Logged on with a different admin user
Ran two Microsoft tools that were supposed to fix Windows Update issues
Deleted the Software Distribution contents after stopping Windows Update Service
Re-downloaded the updates and created new ISO files
Checked Event Logs
Tried running a single update (successful)
Research this on the internet and tried all sorts of suggestions.

The system has updated previous, but admittedly I have done a required security lock down hardening. I backtracked the original scans prior to the lockdown and don't see anything that relates to Windows Update.

Any suggestions?
There is no way to hook this thing to the internet; it is strictly a stand alone system.

Please check the system using MBSA ( https://www.microsoft.com/en-us/downloa ... px?id=7558).
Howto: http://blogs.msdn.com/b/ashishme/archiv ... ocess.aspx

Does it report any missing update?

I set everything up as suggested and installed the .cab files. I've never used MBSA before, but under the "Security Update Scan Results" section, it says:

! Security Updates Cannot load security CAB file.

I put the three CAB files on C: root, is that where MBSA expects them?

And just to clarify, this system was last updated in March using Offline WSUS. I ran NESSUS on it and there is a whole WAD of missing Microsoft patches for Windows 7 and Office 2010. So if the purpose of using MBSA is to identify missing patches, well, I can say without no doubt whatsoever, 100% sure, this system is missing patches.

Ran MBSA as suggested.

Under the Security Update Scan Results section, I get Cannot load security CAB file.

Just a note: If what we are trying to prove using MBSA is that patches are truly missing, there is no doubt that the patches are missing. A NESSUS scan reports them as missing and I know it hasn't been updated since March.

I just want to make sure, that there is no code problem in wsusou. As MBSA uses wsusscn2.cab, too (as wsusou does), it is perfect to check the results.
The blog site I posted provided a guide, how to search for updates using the command line tool mbsacli. Example code copied from there and slightly modified:

Code: Select all

mbsacli /catalog ...\wsusscn2.cab /wi /nvc /nd /xmlout ...\report.xml


Please adjust the paths and check, if missing updates are listed.

I've seen this problem happen with five computers (2 Windows 7 64 bit and 2 Server 2008 R2) when I visited one of our customer sites to patch their computers. I was able to determine that if I uninstalled KB2949927, WSUS would then apply patches. After the reboot, however, these WSUS would then respond with "nothing to do" whereas other computers at the site would indicate that the IE11 program is blacklisted (they currently have IE9). If I uninstall KB3033929 and/or KB3004394, WSUS functionality would be restored -- tests show that either patch will knock WSUS back to displaying the "nothing to do" message.

Godzilla, I would like to ask some questions:
1. Does KB3035131 show up on the list of installed updates? The KB3033929 article indicates that if 3035131 is installed before 3033929, it shows up on that list. If 3033929 is installed first, 3035131 won't show up and it won't install saying that it is already installed.
2. If you uninstall KB3033929, does WSUS start working? And does it stop again after you reboot?
3. If KB3035131 does not show up on the list of installed updates, if you uninstall KB3045999 and KB3033929, can you install KB3035131 (testing in my lab indicates that it will install)? Next can you run WSUS to install the additional updates and, after the reboot, does WSUS continue to operate normally or does it revert back to responding "nothing to do" even if there are updates it could install. This last might be impossible to test until next month unless you don't have IE 11 and/or the latest Microsoft's Malicious Code Removal tool installed. Or perhaps if you uninstall a patch and then check if WSUS will install it again.

I would like to try the above myself but I don't have access to the computers at this time.

Thanks.
TLH854

Finally got one of the problem computers back to my lab where I could investigate in more detail than while at the customer site. To shorten the story

1. KB3035131 doesn't help.

2. My investigation included running the listmissingupdateids.vbs script and checking the WindowsUpdate.log for messages. The forum topic at viewtopic.php?f=4&t=4863 from March 2015 shows the same results as what I found -- listmissingupdateids.vbs responding with "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." and WindowsUpdate.log indicating a problem verifying the source.cab file ("WARNING: Digital Signatures on file (:\Windows\SoftwareDistribution\ScanFile\*******\Source.cab are not trusted: Error 0x800b0109").

Capturing the source.cab file, if KB3033929 is uninstalled, the file shows only one digital signature. After it is installed, it shows two digital signatures. One signature has a sha1 digest algorithm and the other sha256.

WindowsUpdate.log has a lines "WARNING: WVT was not able to determine online revocation. Continuing ..." and "Microsoft signed: No". On a working computer, it responds with "Microsoft signed: Yes". What I'm not sure about is why one computer tries a revocation check but the other one doesn't and thus how to turn it off.

One more item: trying a no-reformat reinstall of Windows 7 on the computer restored WSUS functionality. I'm hesitant about doing it on the Server 2008 R2 computers -- testing this with a spare computer showed problems with a program that uses NET Framework and I would prefer a less drastic solution.

Any suggestions would be appreciated.

TLH854