Folder URL with FDQN

Topics: Configuration Issue, Enhancement Request
Jun 2, 2015 at 1:42 PM
We have a multi domain / DNS environment. Is there a way to configure WSUS Package Publisher to reference the Folder URL via an FDQN?

Currently the Folder references http://servername:8530/Content/ etc.
Jul 1, 2015 at 9:26 PM
I am having the same issue, with no success finding a solution.
Jul 2, 2015 at 4:09 PM
what if you go to Tools -> settings -> server tab and put the FQDN of the wsus server ?
Jul 2, 2015 at 4:33 PM
I do have the FQDN in the server name and it is connected to the local server.

Trying to figure a way to display photos.
Jul 2, 2015 at 4:37 PM
Here you go:

Jul 2, 2015 at 4:44 PM
Edited Jul 2, 2015 at 4:51 PM
Jul 2, 2015 at 7:16 PM
Exactly the same scenario for me. Ultimately I have machines throughout my environment that are experiencing name resolution issues to the hostname only (without FQDN).

Clearly DNS and machine settings have a bearing, but best practice for most applications is to use FQDN - especially around URLs.

Is this addressed in a newer version of the application? Is there a mechanism to formerly request this configuration be added to the next version of the product?

The side question is - is the FQDN here relevant if using a fully functioning FQDN WSUS environment or as we suspect, the machine is downloading this specific update from the URL defined in WSUS Package Publisher or through the WSUS process?
Jul 3, 2015 at 6:35 PM
What is your expectation regarding this modification request ?

Be aware that WPP doesn't break or change the way WSUS work. The URL display in front of "Folder" is here only for your convenience, to easily reach the folder where WsUS store the package. It doesn't take part in the process where clients download the package.
Jul 3, 2015 at 8:14 PM
I feel your latter comment suggests that the FQDN is not relevant with the download issues we are seeing on some machines (through the WPP console). However I'm struggling to understand how those machines are happily downloading Windows Updates from the WSUS server (which is defined by GPO with FQDN), but failing to download the updates defined in WPP e.g. Adobe through SCUP and signed with certificate on all machines concerned. The WPP error itself suggests the inability to download the update.

Our environment is 10,000+ machines and all predominately works well with the exception of ~200 machines that cannot resolve the WSUS / WPP (same server) by hostname only, but can using FQDN.

This is what lead me to believe that the URL defined in WPP needed to be fully qualified. This would be the requested modification request.

Jul 3, 2015 at 8:34 PM
Original Problem - WPP Update Event History
Error Code: -21467262748
Message: Error: Download failed.
Status: DownloadFailed

Various Operating Systems - XP, 7, 8, 8.1 and Server 2008
Successfully deployed / installed on 4000+ machines, with 78 failed (failure message above).
Windows updates are successfully being installed.
Confirmed certificates are applied to all machines including WSUS servers.
Jul 4, 2015 at 7:53 PM
Ok, so only 2% of client computers have this problem.
Can you do these steps on a client :
  • Stop "Windows udpdate" service (Wuauserv)
  • Delete C:\Windows\SoftwareDistribution folder
  • Delete C:\Windows\WindowsUpdate.log file
  • Start "Windows Update" Service (Wuauserv)
  • Wait 1 minute and launch wuauclt /DetectNow
  • Wait 1 minute and look at C:\Windows\WindowsUpdate.log
What error message do you see in this file ?
Jul 6, 2015 at 2:40 PM
I can confirm what Brian is saying.

In my environment the WSUS and all other company wide infrastructure servers are in their own domain in our forest. Each physical site (36 across the country) has it's own domain in the forest as well, with DNS working fine across all domains as long as I use the FQDN which always ends in '.local'

I have tested the System Center Updates Publisher 2011 to deploy the same update, within it's system and the only thing I do different is that I am able to specify the FQDN in the download URL field and it does deploy the updates to the client machines across the various domains with success. But, I do not like the SCUP interface at all, and would much prefer to use WPP, even if I have to go manually make a DB edit in SQL each time.

My site is approx 8000 Windows clients and approx 400 MS servers of various 2008 and 2012 versions.
Jul 9, 2015 at 7:26 PM
I need the error code you can find in the WindowsUpdate.log (it should start with 0x802...)
Jul 9, 2015 at 7:43 PM
Error 0x800B0100
Jul 9, 2015 at 7:49 PM
Edited Jul 9, 2015 at 7:50 PM
Mike_KC wrote:
Error 0x800B0100
This Error looks your WSUS is not up2date.
If the OS from your WSUS W2008R2 or lower, look at the Startpage from WSUS: What Build is your WSUS?

WSUS 3.0 (SP2): Build 3.2.7600.226
WSUS 3.0 (SP2) KB2720211: Build 3.2.7600.251
WSUS 3.0 (SP2) KB2734608: Build 3.2.7600.256
WSUS 3.0 (SP2) KB2828185: Build 3.2.7600.262
WSUS 3.0 (SP2) KB2938066: Build 3.2.7600.274

If it is lower .274 pls update your WSUS to Build .0274. After this, restart WSUS and try again.
Jul 9, 2015 at 8:31 PM
Edited Jul 9, 2015 at 8:34 PM
Yes I am on Server2008R2 ver 3.2.7600.274

If you read above, the issue is not being able to modify the FQDN. I have tested it using SCUP and it does work, I just want to use WPP if at all possible.

That error is from the client side running Win 7
Jul 10, 2015 at 6:54 PM
Mike_KC wrote:
Error 0x800B0100
This error code means : Trust Error, No Signature (No signature was present in the subject)

You have a problem with your certificate.
Jul 10, 2015 at 6:58 PM
I will have to build another install package in WPP and test again. I did get that issue resolved.

I will report back shortly.
Jul 10, 2015 at 6:59 PM
BrianJamesKelly wrote:
Original Problem - WPP Update Event History
Error Code: -21467262748
Message: Error: Download failed.
Status: DownloadFailed
I can't found this error code. Do you have one that start with 0x802 or 0x800 ?
You have to look in WindowsUpdate.log in C:\Windows\
Jul 31, 2015 at 4:41 AM
The error code displayed is Error code 800B0109 when the client machine is not in the same domain as the WSUS server.

Once I join the client to the same domain the update installs with no errors.

Sorry it took so long to get back to this issue.
Jul 31, 2015 at 9:46 AM
The error code displayed is Error code 800B0109
This error code means : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Jul 31, 2015 at 2:07 PM
Please help me here then:
I have a real signed CA certificate and then created a subCA for coding signing. I then deployed the subCA from the root domain via GPO to all the 26 lower domains. That replicated with no issue and both WPP and SCUP2011 allows me to create updates. Once I deploy it from SCUP2011 it keeps the FQDN when I look into the update details and it will install on the clients thru WSUS. When I publish an update thru WPP the download URL doesn't keep the FQDN and the updates fail with the above error code. Even if I can just figure out what table in the DB that field is stored in I will gladly manually edit the database if you can guide me in the correct direction.

Here is the SCUP:

Here is the WPP:
Jul 31, 2015 at 3:45 PM
I'm sure at 99% that your issue are not related with FQDN path. You need to know that WPP is not responsible for the path where Wsus store package. The path you can see on the 'Informations' tab is create by WPP only to be displayed. It is not used for download/installation by Workstations.
Try this :
  • From the screenshot, click on the id (8f8a8ce-...). This will open a new window.
  • Open the folder where you can find the exe or the msi you have publish
  • Copy it on a Workstation that have the problem
  • Right click on the file and choose 'Properties'
  • Open "Signature" tab and see if the certificate is trusted.
Jul 31, 2015 at 3:59 PM
I did check that earlier, but here is a screen grab that shows both the file and that the cert is good as well as the error from WU.

Jul 31, 2015 at 4:06 PM
Can you send me by mail the file C:\Windows\windowsupdate.log
Jul 31, 2015 at 9:54 PM
I FINALLY FIGURED IT OUT!!!!!!!!!!!!! Image

I just kept messing with the errors and Goggling and finally came across a post that mentioned and additional WU security setting:

In Group policy: Computer configuration > Policies > Admin Templates > Windows Components > Windows Update

The setting is: "Allow signed updates from an intranet Microsoft update service location" - This must be set to Enabled otherwise the client will not accept it even if the signed certificate is valid and configured correctly.

This is one piece of info that might be good to put into the document just for users to check.
Hope this helps someone else.
Marked as answer by DCourtel on 7/31/2015 at 10:13 PM
Aug 1, 2015 at 5:13 AM
This is one piece of info that might be good to put into the document just for users to check.
It's write in the "Installation Guide" page 5 !!!