Windows update error?!?

Hi guys,

Uptill reacently we start getting messages in our client system logs stating something like;
The Automatic Updates service terminated with the following error: The class is configured to run as a security id different from the caller. 

To be honost, we tried different aproaches and researched different angles on this issue. Found articles about BITS and other security stuff, but none realy helped. The following is true in our envirnoment.

1. We dont use WSUS.
2. We have a Native 2003 Domain
3. We use Windows XP servicepack 2
4. We do use network policies but for some illusive buisness requirements we dont enforce updates (developers…. )

Here are some things that where true on the issue.
1. We couldnt start or stop the windows update service (wuauserv.dll / wuaueng.dll) and got an access denied message.
2. We couldnt register the various dlls into windows.
3. We couldnt rewrite the BITS entries also getting an access denied message.
4. We couldnt enable “interactive” mode in the security>logon tab of the service getting… Yea an access denied message.

“Update on this Issue”

The problem was somewhat illusive to us, but we found the problem!🙂

 The behaviour as described above is caused when a network policy is used to enforce the service configuration (Windows Update Service) itself.

In the Machine portion of a GPO you can browse down to : Computer Configuration >Windows Settings > Security > System Services. Here you can configure various aspects of the winows services, like force the messanger service to be disabled. In our case the Windows Update Service was forced to be Automatic and with thus (check the permisssions button) the rights on that service…

Just remove the policy from the Windows Update service service and control the update service using the aprop. policies found under : Computer Configuration > Administrative templates > Windows Components > Windows Update instead.

This should fix the Id is other then caller issue ;-)

Just use the “gpupdate /force” command on the clients that realy need some updates, and or wait till the next logon, or 90 Minutes (default gpo refresh time)…

Gl & Rgrds, Chris

About Chris Gralike

Momenteel ben ik manager van de afdeling business continuity bij de zakelijke IT dienstverlener AMIS Services BV. Sinds 2003 ben ik actief in de ICT branche. Tussen 2003 en nu heb ik verschillende rollen vervuld. In de rollen: systeem- en netwerkbeheer, system engineer, servicemanager en nu practice manager ben ik in contact gekomen met uiteenlopende technologieën, methodologieën, ideeën, oplossingen en innovaties. Een rijke ervaring waarmee ik de klanten van Conclusion en AMIS elke dag probeer te ondersteunen. Mijn credo: 'Altijd opzoek een win-win tussen business en technologie.'

Posted on March 19, 2009, in Windows Command Line, Windows Compontents, Windows XP SP2 and tagged , , , , , , , , , , , , , , , . Bookmark the permalink. Leave a comment.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: