Turning 'How to Melt a SUP' into 'How to Melt a DC'

I recently discovered an issue with the CM client which can lead to the client (2012 R2 SP1 CU1 on Win 7 x64 in my case) repeatedly triggering a Group Policy update. Seems like a House of Cards type of scenario which can quickly turn into the House of Horrors, so I figured best to share. Essentially this can lead to the How to Melt a SUP scenario turning into How to Melt a DC.

This situation can occur if you are using Group Policy to set the WSUS/SUP server location for the Windows Update Agent and your SUP is unavailable. As it turns out, the WSUS server URLs you use in Group Policy are case sensitive. You will want to ensure the URLs in your Group Policy settings match exactly what ConfigMgr is using. In this case the GPO was configured with HTTP://SERVER.CONTOSO.COM:8530 and the client was using http://server.contoso.com:8530 from the ConfigMgr configuration. When the Software Updates Assignment Evaluation cycle is triggered ({00000000-0000-0000-0000-000000000108}), the client attempts to evaluate whether the correct WSUS server is in use. This is not an issue so long as your SUP is available; however, the client will begin throwing 'Scan failed with error = 0x80072ee2' when it is unable to access the SUP.
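One way to check a client for this mismatch, as an added example that is not part of the original post: it compares the WUServer and WUStatusServer values under the Windows Update policy registry key with the URL ConfigMgr uses, using a case-sensitive comparison. The function name and its -ExpectedUrl and -PolicyValues parameters are assumptions made for illustration, and the sample values are constructed from the URLs quoted above.

```powershell
# Added example: flag WSUS policy URLs that differ from the ConfigMgr URL only by case.
# $ExpectedUrl is an assumption: pass the SUP URL exactly as ConfigMgr hands it to clients.
function Test-WsusPolicyUrlCase {
    param(
        [Parameter(Mandatory)][string]$ExpectedUrl,
        # Values to compare; when omitted they are read from the Windows Update policy key.
        [hashtable]$PolicyValues
    )

    if (-not $PolicyValues) {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $PolicyValues = @{}
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'WUServer', 'WUStatusServer') {
            if ($props -and $null -ne $props.$name) { $PolicyValues[$name] = $props.$name }
        }
    }

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $PolicyValues[$name]
        $result = if ($null -eq $value)             { 'NotConfigured' }
                  elseif ($value -ceq $ExpectedUrl) { 'Match' }         # exact, case-sensitive
                  elseif ($value -ieq $ExpectedUrl) { 'CaseMismatch' }  # same URL, different case
                  else                              { 'DifferentUrl' }
        [pscustomobject]@{
            Setting = $name; PolicyValue = $value; Expected = $ExpectedUrl; Result = $result
        }
    }
}

# Constructed sample using the URLs from the post (does not touch the registry).
$sample = @{
    WUServer       = 'HTTP://SERVER.CONTOSO.COM:8530'
    WUStatusServer = 'http://server.contoso.com:8530'
}
Test-WsusPolicyUrlCase -ExpectedUrl 'http://server.contoso.com:8530' -PolicyValues $sample |
    Format-Table -AutoSize

# On a client, omit -PolicyValues to check the live policy values:
# Test-WsusPolicyUrlCase -ExpectedUrl 'http://server.contoso.com:8530'
```

With the sample values, WUServer is reported as CaseMismatch and WUStatusServer as Match.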


If you would not currently find out when your SUP goes down, make sure that you will. You should be using SCOM, or another monitoring system, to receive alerts. The PowerShell script below provides a quick way to ensure that you receive an alert, and it automatically tries to restart the WSUS App Pool. It can be run as a Scheduled Task on your WSUS server to ensure the House of Cards is in fact still standing.

################## Check WSUS AppPool PS Script ######################

#
# Check the state of the WSUS Web Pool and restart it if it is not running
#

# Load the IIS cmdlets and the IIS: drive used below
Import-Module WebAdministration

# Script variables
$strLog = "c:\temp\WSUSAppPoolCheck.log"
# The SMTP server and recipient were obscured on the original page; replace these placeholders
$smtpServer = "<smtp-server>"
$smtpTo = "<alert-recipient-address>"
# SmtpClient.Send(from, to, subject, body) needs a sender address (placeholder)
$smtpFrom = "<alert-sender-address>"

# Write a timestamped line to the console and to the log file
Function Write-Log {
    Param ([string]$strToLog)
    $now = Get-Date -Format "dd-MMM-yyyy HH:mm:ss"
    Write-Host "$now $strToLog"
    Add-Content -Path $strLog -Value "$now $strToLog"
}

# Send an alert e-mail through the configured SMTP server
Function Send-Alert([string]$MsgBody) {
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($smtpFrom, $smtpTo, "WSUS AppPool Alert", $MsgBody)
}

Write-Log "Starting WSUS AppPool check."

# Get the AppPool state
$APStatus = (Get-WebItemState 'IIS:\AppPools\WsusPool').Value

If ($APStatus -ne 'Started') {
    # Log state detection
    Write-Log "The AppPool is stopped, attempting start."
    # Start the AppPool
    Start-WebAppPool -Name "WsusPool"
    # Wait a tick or 2
    Start-Sleep -Seconds 5
    # Validate successful start
    $APStatusVerify = (Get-WebItemState 'IIS:\AppPools\WsusPool').Value
    If ($APStatusVerify -ne "Started") {
        # The AppPool is still not running!
        Write-Log "AppPool still does not appear to be running, calling for help"
        Send-Alert "The WSUS AppPool could not be restarted, please connect and investigate the issue."
    } Else {
        Write-Log "Successfully restarted the AppPool."
        Send-Alert "The WSUS AppPool was not running and has been restarted."
    }
} Else {
    # Log current state
    Write-Log "The AppPool is currently $APStatus"
}

############################### End Script #################################

Still testing if this issue exists in the latest CM build, but in the meantime, you have been warned.

https://connect.microsoft.com/ConfigurationManagervnext/feedback/details/2260694/wsus-server-urls-used-in-group-policy-are-case-sensitive-in-some-cases 

Copyright © 2018 - The Minnesota System Center User Group