GP/XP-SP2 and Windows Update Problem

Guest
Archived from groups: microsoft.public.windowsxp.security_admin

Greetings:

We recently implemented a Group Policy OU for XP Service Pack 2. Now
computers in this OU can no longer manually access the Windows Update web
site. When clicking on either Express or Custom Install we get an error
page.

I'm thinking that this has something to do with the way the firewall is
configured since all the Windows Update options in the policy are set to Not
Configured.

It appears that updates are still downloaded automatically but we'd like to
have the option of going to the web site and downloading manually.

Any insights greatly appreciated.

Thanks.


Ken B.
 
Guest

Ken Belferman wrote:

> Greetings:
>
> We recently implemented a Group Policy OU for XP Service Pack 2. Now
> computers in this OU can no longer manually access the Windows Update web
> site. When clicking on either Express or Custom Install we get an error
> page.

Any specific error messages or error numbers there?

From Start/Run run this exact command:

notepad %windir%\windowsupdate.log

See if you can find any clues and/or error messages/numbers there and
post e.g. the last 30 lines of that log here.


> I'm thinking that this has something to do with the way the firewall is
> configured since all the Windows Update options in the policy are set to Not
> Configured.

If you are thinking about the firewall that comes with WinXP SP2, it
has nothing to do with this problem. As it does not support blocking
outbound connections, the SP2 firewall is not able to block access to
Windows Update.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
Guest

Torgeir:

Thanks for your response.

Here are the lines from that log file:

2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuauclt.exe is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuauclt.exe:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuauclt1.exe is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuauclt1.exe:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuaucpl.cpl is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuaucpl.cpl:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuaueng.dll is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuaueng.dll:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuaueng1.dll is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuaueng1.dll:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wucltui.dll is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wucltui.dll:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wups.dll is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wups.dll: Target
version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:47-0500 3544 ddc Unable to connect to the service
(hr=80070005)
2005-01-17 10:41:47-0500 3544 ddc Unable to establish connection to the
service. (hr=80070005)
2005-01-17 10:41:47-0500 3544 ddc Unable to initiate asynchronous search,
hr=80070005
2005-01-17 10:41:47-0500 828 f10 Service Main starts
2005-01-17 10:41:47-0500 828 f10 Using BatchFlushAge = 25577.
2005-01-17 10:41:47-0500 828 f10 Using SamplingValue = 6.
2005-01-17 10:41:47-0500 828 f10 Successfully loaded event namespace
dictionary.
2005-01-17 10:41:47-0500 828 f10 Successfully loaded client event namespace
descriptor.
2005-01-17 10:41:47-0500 828 f10 Successfully initialized local event
logger. Events will be logged at
C:\WINNT\SoftwareDistribution\ReportingEvents.log.
2005-01-17 10:41:47-0500 828 f10 Successfully initialized NT event logger.
2005-01-17 10:41:47-0500 828 f10 Successfully initialized event uploader 0.
2005-01-17 10:41:47-0500 828 f10 Reopened existing event cache file at
C:\WINNT\SoftwareDistribution\EventCache\{7AC5F7C4-F232-45F5-AF48-FBACF453C20C}.bin
for writing.
2005-01-17 10:41:47-0500 828 f10 Successfully initialized event uploader 1.
2005-01-17 10:41:47-0500 828 f10 Client call recorder fails to init with
error 0x80004015
2005-01-17 10:41:47-0500 828 f10 WU client with version 5.4.3790.2182
failed to initialize with error 0x80004015 from component agent
2005-01-17 10:41:47-0500 828 f10 Failed to initialize WU client: 0x80004015
2005-01-17 10:41:47-0500 828 f10 WUAUENG ServiceMain exits. Exit code is
0x80004015




 
Guest

Ken Belferman wrote:

> Here are the lines from that log file:
>
[snip]
> 2005-01-17 10:41:47-0500 3544 ddc Unable to connect to the service
> (hr=80070005)
> 2005-01-17 10:41:47-0500 3544 ddc Unable to establish connection to the
> service. (hr=80070005)
> 2005-01-17 10:41:47-0500 3544 ddc Unable to initiate asynchronous search,
> hr=80070005
[snip]
> 2005-01-17 10:41:47-0500 828 f10 Client call recorder fails to init with
> error 0x80004015
> 2005-01-17 10:41:47-0500 828 f10 WU client with version 5.4.3790.2182
> failed to initialize with error 0x80004015 from component agent
> 2005-01-17 10:41:47-0500 828 f10 Failed to initialize WU client: 0x80004015
> 2005-01-17 10:41:47-0500 828 f10 WUAUENG ServiceMain exits. Exit code is
> 0x80004015

Hi

You have error 80070005 and 80004015 in there.


This is what my error list says about error 0x80004015:

Error 0x80004015

CO_E_WRONG_SERVER_IDENTITY
The security descriptor on the BITS service was changed by
a security template such that NetworkService account doesn’t
have READ access to BITS service.


Reset the security settings on the BITS service and see if it helps:

http://groups.google.co.uk/groups?selm=O4yhAYjdEHA.996%40TK2MSFTNGP12.phx.gbl

(the 'sc sdset bits "D:(A;;CC...' part in the link above)


Then, after the above, do the following:

Click Start >> Run >>
Type the following command in the Open box.
"regsvr32.exe qmgr.dll" (w/o quotes)
Press Ok

Repeat the same for the following command:

regsvr32.exe qmgrprxy.dll


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
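
The triage done by eye in the posts above (find the hr= / 0x failure codes in windowsupdate.log and split them into facility and code), as an added example that is not part of the original posts. The sample log is constructed in the layout quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the log quoted in this thread
# (timestamp, PID, TID, message); long entries are wrapped as in the posts.
SAMPLE_LOG = """\
2005-01-17 10:41:47-0500 3544 ddc Unable to connect to the service
(hr=80070005)
2005-01-17 10:41:47-0500 3544 ddc Unable to initiate asynchronous search,
hr=80070005
2005-01-17 10:41:47-0500 828 f10 Service Main starts
2005-01-17 10:41:47-0500 828 f10 Failed to initialize WU client: 0x80004015
"""

ENTRY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d{4} (\d+) ([0-9a-f]+) (.*)$")
HRESULT = re.compile(r"(?:hr=|0x)(8[0-9A-Fa-f]{7})\b")
FACILITIES = {0: "FACILITY_NULL", 4: "FACILITY_ITF", 7: "FACILITY_WIN32"}
# Only the two codes discussed in the thread are given names.
NAMES = {0x80070005: "E_ACCESSDENIED", 0x80004015: "CO_E_WRONG_SERVER_IDENTITY"}

def join_wrapped(text):
    """Re-attach continuation lines to the timestamped entry they belong to."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility and 16-bit code."""
    facility = (value >> 16) & 0x7FF
    return {"failure": bool(value >> 31), "code": value & 0xFFFF,
            "facility": FACILITIES.get(facility, str(facility)),
            "name": NAMES.get(value, "unknown")}

def failing_entries(text):
    """Return (pid, hresult, message) for each entry carrying a failure code."""
    hits = []
    for entry in join_wrapped(text):
        m = ENTRY.match(entry)
        if m:
            hits += [(int(m.group(1)), int(h, 16), m.group(3))
                     for h in HRESULT.findall(m.group(3))]
    return hits

if __name__ == "__main__":
    for pid, code, msg in failing_entries(SAMPLE_LOG):
        print(pid, f"0x{code:08X}", decode_hresult(code)["name"], "|", msg)
```

Grouping the hits by PID separates the caller that was denied access (0x80070005) from the service process that exited with 0x80004015.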
 
Guest

Okay. It worked! Thanks.

Now, my next question is, is there an easier way to do this, i.e., do I have
to do this on every individual machine that is in the OU? Can I change
something in the GP to do this globally?
 
Guest

Ken Belferman wrote:

> Okay. It worked! Thanks.
>
> Now, my next question is, is there an easier way to do this, i.e., do I have
> to do this on every individual machine that is in the OU? Can I change
> something in the GP to do this globally?

Hi

Maybe this one:
Computer Configuration\Windows Settings\Security Settings\System Services


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
Guest

I added the Network Service account and gave it Read, then Full permissions
but it didn't work.

If you have any other suggestions, please pass them along.

If not, thanks again. At least I can do the fix manually and I'm not
dealing with a very large domain so although it will be a bit time-consuming
it won't be back-breaking.


Ken B.

 
Guest

Ken Belferman wrote:

> I added the Network Service account and gave it Read, then Full permissions
> but it didn't work.
>
> If you have any other suggestions, please pass them along.
>
> If not, thanks again. At least I can do the fix manually and I'm not
> dealing with a very large domain so although it will be a bit time-consuming
> it won't be back-breaking.

Hi

I'm afraid I don't have anything more up my sleeve now...


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
