Monday, May 12, 2008

WSUS Gotchas

Firstly, use this tool for extended troubleshooting: the Client Diagnostic Tool is invaluable for seeing what is going wrong.

Gotcha 1. - updates failing with error: Windows Update is disabled by policy for user

Make sure Windows Update access is not being disabled by this setting:
“Turn off access to all Windows Update features”
found under Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings

I find that, although this is stated as OK and recommended in the MS documentation here, it's actually not OK and breaks all my users.

Gotcha 2. - Assign one pc to multiple WSUS groups

The big gotcha can come if you assign a computer to more than one group in your WSUS organisation and, like me, have more than one WSUS server.
Scenario: you are using site-based OUs to assign people to their respective WSUS server. This does wonders when people move sites, as they are assigned to their local WSUS server based on IP address, which means they don't pull updates across your WAN links and you don't have to be as on top of employees moving offices.

If, like me, you want a different set of rules for your employees' machines from those for your servers, you will create a servers group, move all your servers into an OU so they are assigned that group exclusively, and apply your server patches only to that group.

Problem: my servers are all assigned the root server as their location for updates. Because of the site-based OUs, group policy is pushing them their local site's server and assigning them to their site-based WSUS location, where they are fed the rules the clients get. This causes some sort of conflict which means WSUS just gives up: it sees them assigned the “Server” group as well as a “Site based OU” group, which are different and assigned to different servers, and as such WSUS will never update this server until you get it out of one of those groups.

Solution: at this stage my only advice is to make sure your normal (site-based OU) WSUS update isn't forcibly rebooting systems, then take your servers out of their “SERVER” group and let the site-based OUs take over. This required assigning all server updates to that group as well, so don't forget that if you were like me and trying to be neat.
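As an added example (not from the original post), the following PowerShell reads the Windows Update policy values that Group Policy writes on a client and reports the setting behind Gotcha 1 together with the server and target-group values that matter for Gotcha 2. The registry path and value names are the ones the Windows Update administrative template uses; the function name and the checks themselves are my own.

```powershell
# Added example, not from the original post. Reads the Windows Update policy
# values a GPO writes on a client and flags the situations the post describes.
# Registry path and value names are those of the Windows Update administrative
# template; the function and the checks are my own.
function Test-WsusClientPolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = "$policyKey\AU"

    # Returns $null when the key or value is absent (policy not configured)
    function Get-PolicyValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $p = [ordered]@{
        # Gotcha 1: "Turn off access to all Windows Update features" = Enabled writes this as 1
        DisableWindowsUpdateAccess    = Get-PolicyValue $policyKey 'DisableWindowsUpdateAccess'
        # Gotcha 2: which server and which client-side target group(s) this machine is pointed at
        WUServer                      = Get-PolicyValue $policyKey 'WUServer'
        WUStatusServer                = Get-PolicyValue $policyKey 'WUStatusServer'
        TargetGroupEnabled            = Get-PolicyValue $policyKey 'TargetGroupEnabled'
        TargetGroup                   = Get-PolicyValue $policyKey 'TargetGroup'
        UseWUServer                   = Get-PolicyValue $auKey 'UseWUServer'
        # Relevant to the post's solution: may the site GPO reboot a server with a logged-on user?
        NoAutoRebootWithLoggedOnUsers = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
    }

    $findings = @()
    if ($p.DisableWindowsUpdateAccess -eq 1) {
        $findings += 'DisableWindowsUpdateAccess=1: clients will report "Windows Update is disabled by policy" (Gotcha 1).'
    }
    if ($p.UseWUServer -eq 1 -and -not $p.WUServer) {
        $findings += 'UseWUServer=1 but no WUServer: the client is told to use an intranet server that is not specified.'
    }
    if ($p.WUServer -and $p.WUStatusServer -and $p.WUServer -ne $p.WUStatusServer) {
        $findings += "WUServer ($($p.WUServer)) and WUStatusServer ($($p.WUStatusServer)) differ: downloads and status reports go to different servers."
    }
    if ($p.TargetGroupEnabled -eq 1 -and $p.TargetGroup) {
        # Client-side targeting allows several group names separated by semicolons
        $groups = @($p.TargetGroup -split ';' | Where-Object { $_ })
        if ($groups.Count -gt 1) {
            $findings += "Client-side targeting names $($groups.Count) groups ($($groups -join ', ')): each must exist on $($p.WUServer), and their approvals must not conflict (Gotcha 2)."
        }
    }
    if ($p.NoAutoRebootWithLoggedOnUsers -ne 1) {
        $findings += 'NoAutoRebootWithLoggedOnUsers is not set: scheduled installs may reboot this machine while someone is logged on.'
    }

    [pscustomobject]@{
        Policy   = [pscustomobject]$p
        Findings = $findings
    }
}

$result = Test-WsusClientPolicy
$result.Policy | Format-List
if ($result.Findings.Count -eq 0) { 'No obvious WSUS policy problems on this machine.' } else { $result.Findings }
```

Run it on the affected machine after `gpupdate /force`. The registry only ever holds the values of the GPO that won, so if the server or group shown is not the one you expected, `gpresult /scope computer /r` lists which GPOs applied and lets you see whether the servers OU policy or the site OU policy took precedence.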

This site here is a great resource for client deployment and for explaining all the various fields in the Group Policy that you may need to use.
