This post was most recently updated on December 11th, 2018
OVERVIEW
So you have WSUS set up and running, great, you're using Group Policy and it's being pushed out to the client machines without a hitch, but wait, there is something wrong. For some reason, your client machines keep disappearing from the WSUS admin console. Your previous night's drinking escapades are not impairing your vision and making you hallucinate, well maybe some of you! I hope you're ready for some magic, because I am going to pull out my bag of tricks and show you how to keep those darn clients in WSUS.
IMAGED COMPUTERS = PROBLEM
More often than not this kind of behavior is caused by companies using a standard image for their clients. The problem with this is that the SID associated with that machine is the same for every client. Let's say you have 100 clients all using the same image, and all of the clients have the same SID. WSUS only allows computers to connect that have a unique SID. So in theory only 1 of the 100 computers that you imaged will show up in WSUS at any one given time. When a client syncs with WSUS it will remove the previous one that had the same SID. Now you might be thinking, crap! Now I have to re-image all these computers or figure out a way to give them a unique SID.
SIDs
The SID value is nothing more than a few simple registry values on the client computer. Open up regedit and browse to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate. You will see 2-3 registry values there:
- SUSClientID
- PingID (might not be present)
- AccountDomainSID
WSUS uses the SUSClientID to determine a unique client machine. If you browse to the above registry key on all of your imaged computers you will notice that they are all using the same SUSClientID. Alright, this isn't too tough now, is it? So now you're thinking to yourself, I gotta make that value unique; you, my good sir, deserve a cookie! I have made the work easy for you and created a VBS script that you should add to your WSUS GPO. Make sure you add the script under Computer Configuration/Windows Settings/Scripts/Startup.
Set oShell = CreateObject("WScript.Shell")
sRegKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"
' Keep going if a value is already missing (PingID is not always present)
On Error Resume Next
' Delete the registry values that identify this client to WSUS
oShell.RegDelete sRegKey & "\AccountDomainSid"
oShell.RegDelete sRegKey & "\PingID"
oShell.RegDelete sRegKey & "\SusClientId"
' Stop and start the Automatic Updates service so it generates a new SusClientId
oShell.Run "%SystemRoot%\system32\net.exe stop wuauserv", 0, True
oShell.Run "%SystemRoot%\system32\net.exe start wuauserv", 0, True
' Run wuauclt.exe with /resetauthorization to re-register with WSUS and /detectnow to start a detection cycle
sCmd = "%SystemRoot%\system32\wuauclt.exe /resetauthorization /detectnow"
oShell.Run sCmd, 0, True
' Useful when testing by hand; a message box blocks a non-interactive GPO startup script, so remove it before deploying
MsgBox "Finished!", vbSystemModal+vbInformation
SCRIPT BREAKDOWN
- First the script checks to see if there is a marker file created (I will get back to this)
- If the marker file does not exist, then 3 registry values will be deleted: AccountDomainSID, PingID, SusClientID
- Then the script restarts the Automatic Updates service
- Finally the script runs the command wuauclt.exe /resetauthorization /detectnow. This command pushes a new unique SID down to the client. Within a day all of your computers that have had Group Policy updated should now be showing up in the admin console of WSUS.
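An added example, not the post's own script, that performs the same reset in PowerShell and includes the marker-file check the breakdown describes, so the IDs are regenerated only once per machine instead of on every boot (resetting on each boot would keep churning the client list). The marker file path C:\ProgramData\WsusClientIdReset\done.txt is an assumption; the registry key, value names and wuauclt switches are the ones from the post.

```powershell
# Added example: reset the WSUS client identity once per machine.
$RegKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$Marker = 'C:\ProgramData\WsusClientIdReset\done.txt'   # assumed path, pick your own

# Marker check: a second reset on every boot would churn the WSUS console again.
if (Test-Path $Marker) {
    Write-Host "Marker found at $Marker; client ID already reset, nothing to do."
    exit 0
}

# Remove the three values the post identifies. SilentlyContinue covers PingID,
# which is not always present.
foreach ($value in 'AccountDomainSid', 'PingID', 'SusClientId') {
    Remove-ItemProperty -Path $RegKey -Name $value -ErrorAction SilentlyContinue
}

# Restart the Windows Update agent so it generates a fresh SusClientId.
Restart-Service -Name wuauserv -Force

# Re-register with WSUS and start a detection cycle (same switches as the VBS).
& "$env:SystemRoot\system32\wuauclt.exe" /resetauthorization /detectnow

# Record that the reset ran, with the new ID if the agent has already written it,
# so you can audit which machines were fixed and when.
New-Item -ItemType Directory -Path (Split-Path $Marker) -Force | Out-Null
$newId = (Get-ItemProperty -Path $RegKey -Name SusClientId -ErrorAction SilentlyContinue).SusClientId
if (-not $newId) { $newId = '(not yet generated; check after the next sync)' }
"Reset on $(Get-Date -Format o); new SusClientId: $newId" | Set-Content -Path $Marker
```

Deploy it as a startup script under the same GPO so it runs as SYSTEM, which is needed to write under HKLM and restart wuauserv. On Windows 10 and later wuauclt.exe no longer honours /detectnow, so trigger the scan by another means (for example the Windows Update scheduled task) on those clients.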
CONCLUSION
So now that your clients are staying in the WSUS admin console, let's think about how we can prevent this from happening in the future. Mark Russinovich created a small tool called NewSID which will scan the registry and create unique SIDs for your imaged computers on boot-up. To read more about how you can deploy this tool with your Ghost image go here: http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx.