WSUS 3.0 SP2 - Update Cloned Virtual Machines

Introduction

After some point we had too many virtual machines to keep track of updates locally. So we decided to try Microsoft’s solution called WSUS. It took some time to install, the whole process could have been easier, cause I had to google every part of it. When we finally had it working, there was a problem with detection of our virtual machines.

Technical

So we had 3 virtual machines, all with different IPs and MACs, being detected as one. Literally, only of them was randomly selected and shown for audit in WSUS console. Once you reopen the console, you see another one. After some googling I found some sysprep routine to get my VHDs prepared for cloning, which needed to be done prior to that. Unfortunately, I already had those machines working in test environment and we could not afford to start all over again.

There was a script on some website, which recreated registry IDs. It worked perfectly for us, so I decided to publish a working part of it here:

net stop wuauserv
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
net start wuauserv
wuauclt /resetauthorization /detectnow

According to the output, only the last REG DELETE line actually solved the problem, so I believe you can shrink it down to the following and still have the same effect:

net stop wuauserv
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
net start wuauserv
wuauclt /resetauthorization /detectnow

If you have PowerShell, you do not even need to create a .BAT file for this, just copy/paste the lines into PS command prompt and press ENTER. If you are interested about behavior of PS paste, it does so on the character level, same as CMD, with end of line being is treated as ENTER. That’s why if you copy the contents from here, it will execute the whole script line by line, until it encounters the last line, waiting for user input, because it does not have a trailing line break. Powershell will not give you a chance to review the whole thing before you execute it. Be sure you know what you are doing.

Conclusion

A need to reset virtual machine’s update ID was the only problem we had so far with WSUS. Overall, it’s a decent piece of software with powerful audit capabilities and not very sophisticated, but still pretty good filter. Anyway we don’t have many PCs and rules to manage, so it works perfectly for our environment.