GP/XP-SP2 and Windows Update Problem

Ken Belferman

Greetings:

We recently implemented a Group Policy OU for XP Service Pack 2. Now
computers in this OU can no longer manually access the Windows Update web
site. When clicking on either Express or Custom Install we get an error
page.

I'm thinking that this has something to do with the way the firewall is
configured since all the Windows Update options in the policy are set to Not
Configured.

It appears that updates are still downloaded automatically but we'd like to
have the option of going to the web site and downloading manually.

Any insights greatly appreciated.

Thanks.


Ken B.
 
Torgeir Bakken (MVP)

Ken said:
Greetings:

We recently implemented a Group Policy OU for XP Service Pack 2. Now
computers in this OU can no longer manually access the Windows Update web
site. When clicking on either Express or Custom Install we get an error
page.

Any specific error messages or error numbers there?

From Start/Run run this exact command:

notepad %windir%\windowsupdate.log

See if you can find any clues and/or error messages/numbers there and
post e.g. the last 30 lines of that log here.

I'm thinking that this has something to do with the way the firewall is
configured since all the Windows Update options in the policy are set to Not
Configured.

If you are thinking about the firewall that comes with WinXP SP2, it
has nothing to do with this problem. As it does not support blocking
outbound connections, the SP2 firewall is not able to block access to
Windows Update.
 
Ken Belferman

Torgeir:

Thanks for your response.

Here are the lines from that log file:

2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuauclt.exe is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuauclt.exe:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuauclt1.exe is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuauclt1.exe:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuaucpl.cpl is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuaucpl.cpl:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuaueng.dll is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuaueng.dll:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wuaueng1.dll is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wuaueng1.dll:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wucltui.dll is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wucltui.dll:
Target version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:41-0500 3544 ddc Required Version for binary
C:\WINNT\system32\wups.dll is: 5,4,3790,2182
2005-01-17 10:41:41-0500 3544 ddc Binary: C:\WINNT\system32\wups.dll: Target
version: 5.4.3790.2182 Required: 5.4.3790.2182
2005-01-17 10:41:47-0500 3544 ddc Unable to connect to the service
(hr=80070005)
2005-01-17 10:41:47-0500 3544 ddc Unable to establish connection to the
service. (hr=80070005)
2005-01-17 10:41:47-0500 3544 ddc Unable to initiate asynchronous search,
hr=80070005
2005-01-17 10:41:47-0500 828 f10 Service Main starts
2005-01-17 10:41:47-0500 828 f10 Using BatchFlushAge = 25577.
2005-01-17 10:41:47-0500 828 f10 Using SamplingValue = 6.
2005-01-17 10:41:47-0500 828 f10 Successfully loaded event namespace
dictionary.
2005-01-17 10:41:47-0500 828 f10 Successfully loaded client event namespace
descriptor.
2005-01-17 10:41:47-0500 828 f10 Successfully initialized local event
logger. Events will be logged at
C:\WINNT\SoftwareDistribution\ReportingEvents.log.
2005-01-17 10:41:47-0500 828 f10 Successfully initialized NT event logger.
2005-01-17 10:41:47-0500 828 f10 Successfully initialized event uploader 0.
2005-01-17 10:41:47-0500 828 f10 Reopened existing event cache file at
C:\WINNT\SoftwareDistribution\EventCache\{7AC5F7C4-F232-45F5-AF48-FBACF453C20C}.bin
for writing.
2005-01-17 10:41:47-0500 828 f10 Successfully initialized event uploader 1.
2005-01-17 10:41:47-0500 828 f10 Client call recorder fails to init with
error 0x80004015
2005-01-17 10:41:47-0500 828 f10 WU client with version 5.4.3790.2182
failed to initialize with error 0x80004015 from component agent
2005-01-17 10:41:47-0500 828 f10 Failed to initialize WU client: 0x80004015
2005-01-17 10:41:47-0500 828 f10 WUAUENG ServiceMain exits. Exit code is
0x80004015
 
Torgeir Bakken (MVP)

Ken said:
Here are the lines from that log file:
[snip]
2005-01-17 10:41:47-0500 3544 ddc Unable to connect to the service
(hr=80070005)
2005-01-17 10:41:47-0500 3544 ddc Unable to establish connection to the
service. (hr=80070005)
2005-01-17 10:41:47-0500 3544 ddc Unable to initiate asynchronous search,
hr=80070005 [snip]
2005-01-17 10:41:47-0500 828 f10 Client call recorder fails to init with
error 0x80004015
2005-01-17 10:41:47-0500 828 f10 WU client with version 5.4.3790.2182
failed to initialize with error 0x80004015 from component agent
2005-01-17 10:41:47-0500 828 f10 Failed to initialize WU client: 0x80004015
2005-01-17 10:41:47-0500 828 f10 WUAUENG ServiceMain exits. Exit code is
0x80004015

Hi

You have error 80070005 and 80004015 in there.


This is what my error list says about error 0x80004015:

Error 0x80004015

CO_E_WRONG_SERVER_IDENTITY
The security descriptor on the BITS service was changed by
a security template such that NetworkService account doesn’t
have READ access to BITS service.


Reset the security settings on the BITS service and see if it helps:

http://groups.google.co.uk/[email protected]

(the 'sc sdset bits "D:(A;;CC...' part in the link above)


Then, after the above, do the following:

Click Start >> Run >>
Type the following command in the Open box.
"regsvr32.exe qmgr.dll" (w/o quotes)
Press Ok

Repeat the same for the following command:

regsvr32.exe qmgrprxy.dll
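
The triage done by eye on the posted log, as an added example that is not part of the original thread: it rejoins the hard-wrapped entries, collects the failing HRESULTs per process, and splits each into facility and code. The sample lines are copied from the excerpt above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the log excerpt in this thread,
# hard-wrapped the same way the forum post wrapped them.
SAMPLE = """\
2005-01-17 10:41:47-0500 3544 ddc Unable to connect to the service
(hr=80070005)
2005-01-17 10:41:47-0500 3544 ddc Unable to initiate asynchronous search,
hr=80070005
2005-01-17 10:41:47-0500 828 f10 Service Main starts
2005-01-17 10:41:47-0500 828 f10 Client call recorder fails to init with
error 0x80004015
2005-01-17 10:41:47-0500 828 f10 WUAUENG ServiceMain exits. Exit code is
0x80004015
"""

# timestamp, PID, thread id (hex), message
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d{4})\s+(\d+)\s+([0-9a-f]+)\s+(.*)$")
# The log writes failures both as "hr=80070005" and as "0x80004015".
HRESULT = re.compile(r"(?:hr=|0x)(8[0-9A-Fa-f]{7})\b")
NAMES = {0x80070005: "E_ACCESSDENIED", 0x80004015: "CO_E_WRONG_SERVER_IDENTITY"}

def unwrap(text):
    """Rejoin wrapped entries: a line without a timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def decode(hr):
    """Split an HRESULT into failure bit, facility (bits 16-26) and code (bits 0-15)."""
    # Facility 7 is FACILITY_WIN32, so 0x80070005 wraps Win32 error 5 (access denied).
    return {"failed": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF,
            "code": hr & 0xFFFF, "name": NAMES.get(hr, "unknown")}

def failures_by_process(text):
    """Map PID -> ordered list of distinct failing HRESULTs logged by that process."""
    seen = defaultdict(list)
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        for hexval in (HRESULT.findall(m.group(4)) if m else []):
            pid, hr = int(m.group(2)), int(hexval, 16)
            if hr not in seen[pid]:
                seen[pid].append(hr)
    return dict(seen)
```

On the sample, PID 3544 (the caller) only ever sees access denied, while PID 828 (the service) exits with 0x80004015, which is why the service-side code is the one to chase.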
 
Ken Belferman

Okay. It worked! Thanks.

Now, my next question is, is there an easier way to do this, i.e., do I have
to do this on every individual machine that is in the OU? Can I change
something in the GP to do this globally?

 
Torgeir Bakken (MVP)

Ken said:
Okay. It worked! Thanks.

Now, my next question is, is there an easier way to do this, i.e., do I have
to do this on every individual machine that is in the OU? Can I change
something in the GP to do this globally?

Hi

Maybe this one:
Computer Configuration\Windows Settings\Security Settings\System Services
 
Ken Belferman

I added the Network Service account and gave it Read, then Full permissions
but it didn't work.

If you have any other suggestions, please pass them along.

If not, thanks again. At least I can do the fix manually and I'm not
dealing with a very large domain so although it will be a bit time-consuming
it won't be back-breaking.


Ken B.
 
Torgeir Bakken (MVP)

Ken said:
I added the Network Service account and gave it Read, then Full permissions
but it didn't work.

If you have any other suggestions, please pass them along.

If not, thanks again. At least I can do the fix manually and I'm not
dealing with a very large domain so although it will be a bit time-consuming
it won't be back-breaking.

Hi

I'm afraid I don't have anything more up my sleeve now...
 
