Yesterday, while I was heading to work, I was reading Slashdot Mobile (fantastic WAP site) and noticed the worm concerns. From 9am on Friday until 2am Saturday morning, two other network administrators and I were updating servers and desktop computers.
The servers were straightforward: apply the patch and reboot. The desktop computers forced us to pull the trigger on our WSUS strategy early. I had already created a test group and approved all the updates to a small group of 4 users. We were having problems with I knew we were having speed issues. Frantically, I moved our WSUS server from a WMSDE service to a front-end/back-end SQL Server solution.
Today I was able to force an update on the critical patch KB921883 at a time today. As long as the clients checked in to WSUS before that time, I could change our normal behavior of updating at 9am.
I found out that a group of workstations were not updating. From this event log and the link above, I can determine that I need to "computer's Local Area Network (LAN) settings, the automatically detect settings check box is NOT selected"
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Time: 10:01:56 PM
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Here is the meat-and-potatoes of what I think our problem is. My first tests with 'proxycfg -p proxyserver:80 wsusfrontend' didn't help, but I think this is the right track. I will next check to see if the winhttppxy service is disabled on these workstations.
OK, I solved it!!!! On our ISA 2000 (Proxy) Server, since we use WPAD for Automatic Detection through DNS and DHCP, I had to go into the Client Configuration > Web Browser settings and turn on the Bypass Proxy for Local Servers under the Direct Access tab. I never thought about this because I didn't actually realize those particular settings are what actually "write" the wpad.dat file that Automatic IE clients get.
And, I found this by finally finding an article that states that WinHTTP clients, which Automatic Updates is if you are not actually manually going out to the Windows Update website, do not use IE settings, including the IE exceptions list, to access the Windows Update site. So, if you manually open IE and go to the Windows Update site, you are using all IE settings. BUT, if you use any kind of automatic scheduling for Windows Updates, to where you are not manually going out to the website, it uses WinHTTP (which is the proxycfg tool), which either goes directly out there or through the automatically detect settings, or the wpad.dat or proxy script if you are using that.
After figuring that out and doing some narrowing down, I found (as others had said in the past, just didn't make total sense) that since our client PCs use the Automatically Detect config of the wpad.dat through DNS and/or DHCP, I needed to focus there. After making some changes, and testing, I have all my client PCs now popping up in there. YES!!!!! Case closed.
I am going to award the points to Netman66 because 1) he tried hard to help me and narrow things down and 2) he taught me something else about GPOs that I didn't quite know, in that you should disable the settings first and not "not configure" them in order to reverse the settings. Thanks for everything.
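The effect of the "Bypass Proxy for Local Servers" setting on an auto-detecting client, as an added example that is not part of the original post and is not the wpad.dat that ISA 2000 generates. It assumes the proxy is proxyserver:80 and the WSUS host is wsusfrontend (both taken from the proxycfg command above); the two PAC bodies, the sample URLs and the isPlainHostName stand-in are constructed for illustration.

```javascript
// Stand-in for the PAC helper isPlainHostName(), which the client's PAC
// engine normally supplies; defined here only so the example runs in Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Constructed wpad.dat logic BEFORE the change: every request goes to the proxy.
// (In a real wpad.dat this function must be named FindProxyForURL.)
function findProxyNoBypass(url, host) {
  return "PROXY proxyserver:80";
}

// Constructed wpad.dat logic AFTER enabling "Bypass Proxy for Local Servers":
// single-label (intranet) host names are fetched directly.
function findProxyWithBypass(url, host) {
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  return "PROXY proxyserver:80";
}

// Evaluate a PAC function the way an auto-detecting client would:
// extract the host from the URL and pass both to the function.
function route(pac, url) {
  const host = new URL(url).hostname;
  return pac(url, host);
}

// Constructed sample URLs: the internal WSUS server and an external site.
const SAMPLE_URLS = ["http://wsusfrontend/", "http://update.microsoft.com/"];

// Return the routing decision for each sample URL under both PAC variants.
function compare() {
  return SAMPLE_URLS.map((url) => ({
    url,
    before: route(findProxyNoBypass, url),
    after: route(findProxyWithBypass, url),
  }));
}

console.log(compare());
```

Only single-label names are bypassed here; if clients are pointed at the WSUS server by a fully qualified name, that name is still sent to the proxy unless the PAC file also exempts the internal domain.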