I have the same error as below. The solution worked on a single client; I have 1200 clients. How can I do this for all of them?
I have tried adding my SCCM server FQDN to WPAD for bypass, with no luck.
Regards,
Ankith
SCCM WSUS Scan agent is not functioning (Scan failed with error = 0x8024400a - WUAHandler.log)
I have seen a couple of scan agent errors in the environment, especially with Windows 2008 R2 Core servers (and I found it difficult to find Windows 2008 Core server-related details on this topic).
The scan error was due to incorrect proxy settings in the environment. The system-context proxy settings should be blank (that means the internal FQDN should have direct access). In our case the system-context proxy setting was also pointing to the proxy server, hence all the internal FQDN communications were going through the proxy server, and because of that the SCCM clients were not able to reach the WSUS server.
Windows 2008 R2 Core server patching issue
Issue
The scan agent is failing, hence SCCM patching is also failing for all the Windows 2008 R2 servers.
Cause
The proxy settings configured on the Core servers block the client from reaching the WSUS server. All the communications initiated by the client to reach the WSUS/SCCM server (FQDN) are stopped at the proxy server.
Ideally, internal FQDN (WSUS/SCCM server) communication should not go to or through the proxy server. In our case all the communications were going to the proxy server and producing unexpected results.
Solution
Reset the proxy settings on the Windows 2008 Core server as described below.
- Run "netsh winhttp reset proxy".
- Run "netsh winhttp show proxy" on the Core server.
- Restart the "Windows Update" service (for Windows 7 and Windows 2008) to reinitiate the scanning and patching processes.
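An added example (not from the original post) for checking the system-context proxy state described above: it parses the output of "netsh winhttp show proxy" and reports whether requests to the WSUS/SCCM FQDN would be sent to the proxy. The function name, the host names and the sample output are constructed, and English-language netsh output is assumed.

```powershell
# Added example: decide from "netsh winhttp show proxy" output whether traffic to the
# WSUS/SCCM server goes to the proxy. Written to run on PowerShell 2.0 (Windows 2008 R2).
function Test-WinHttpProxyForWsus {
    param(
        [string[]] $NetshOutput,   # lines printed by "netsh winhttp show proxy"
        [string]   $WsusFqdn       # FQDN of the WSUS/SCCM server (hypothetical name below)
    )
    $text = $NetshOutput -join "`n"

    # "Direct access (no proxy server)." is the state left by "netsh winhttp reset proxy".
    if ($text -match 'Direct access') {
        return New-Object psobject -Property @{
            Proxy = $null; MatchedBypass = $null; GoesViaProxy = $false
        }
    }

    $proxy = $null
    if ($text -match 'Proxy Server\(s\)[ \t]*:[ \t]*(\S+)') { $proxy = $Matches[1] }

    $bypass = @()
    if ($text -match 'Bypass List[ \t]*:[ \t]*(.+)') {
        $bypass = $Matches[1].Trim() -split ';' | Where-Object { $_ -and $_ -ne '(none)' }
    }

    # Bypass entries may be wildcards such as *.corp.example. "<local>" only covers
    # names without a dot, so it never covers an FQDN.
    $hit = $bypass |
        Where-Object { $_ -ne '<local>' -and $WsusFqdn -like $_ } |
        Select-Object -First 1

    New-Object psobject -Property @{
        Proxy         = $proxy
        MatchedBypass = $hit
        GoesViaProxy  = ($null -ne $proxy -and $null -eq $hit)
    }
}

# Constructed sample output (hypothetical host names), not captured from a real server:
# a proxy is set and the bypass list does not cover the WSUS FQDN.
$sample = @(
    'Current WinHTTP proxy settings:',
    '',
    '    Proxy Server(s) :  proxy.corp.example:8080',
    '    Bypass List     :  *.lab.example;<local>'
)
Test-WinHttpProxyForWsus -NetshOutput $sample -WsusFqdn 'wsus01.corp.example'
```

On a live server, pass `(netsh winhttp show proxy)` as `-NetshOutput`; the reset and Windows Update service restart described above apply when `GoesViaProxy` is true.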
General patching issue - Group Policy conflict
Ensure that the following three policies are not configured at the domain level. The SCCM client will apply the policy whenever it is required.
a. Allow signed content from intranet Microsoft update service location.
b. Specify intranet Microsoft update service location
c. Automatic Updates Configuration
Group Policy Settings
The following Group Policy settings are required for the Windows Update Agent (WUA) on client computers to connect to WSUS on the active software updates point and successfully scan for software update compliance.
Note
If users running the Windows Vista® operating system on Configuration Manager 2007 clients use Windows Update to check for new updates, they will see only updates that have been approved in WSUS instead of all applicable updates. To prevent confusion, you should consider preventing users from checking for updates using Group Policy. For more information about using Group Policy to control the Windows Update experience, see http://go.microsoft.com/fwlink/?LinkId=94680.
Specify intranet Microsoft update service location
When the active software update point is created for a site, client computers receive a machine policy that provides the active software update point server name and configures the Specify intranet Microsoft update service location local policy on the computer.
The WUA retrieves the server name specified in the Set the intranet update service for detecting updates setting, and then connects to this server when it scans for software updates compliance. When a domain policy has been created for the Specify intranet Microsoft update service location setting, it overrides the local policy, and the WUA might connect to a server other than the active software update point. If this happens, the client computer might scan for software update compliance based on different products, classifications, and languages. It is recommended that this domain policy not be configured for Configuration Manager 2007 client computers.
Allow signed content from intranet Microsoft update service location
Before the WUA 3.0 on computers will scan for updates that were created and published with the System Center Updates Publisher, the Allow signed content from intranet Microsoft update service location Group Policy setting must be enabled. When the policy setting is enabled, WUA 3.0 will accept updates received through an intranet location if the updates are signed in the Trusted Publishers certificate store on the local computer. For more information about the Group Policy settings required for Updates Publisher, see the Updates Publisher help file. For more information about Updates Publisher, see About System Center Updates Publisher.
Automatic Updates Configuration
Automatic Updates allows security updates and other important downloads to be received on client computers. Automatic Updates is configured through the Configure Automatic Updates Group Policy setting or the Control Panel on the local computer. When Automatic Updates is enabled, client computers will receive update notifications and, depending on the configured settings, download and install required updates. When Automatic Updates coexists with software updates, each might display notification icons and popup display notification.
Additional information if the above steps do not resolve the issue. The following steps will help to isolate or identify the issue.
This can't be treated as a solution for the issue.
1. On the affected machine, disable the SCCM Agent. To do this, you can run the following commands:
Disable the service: sc config CcmExec start= disabled
Stop the service: net stop CcmExec
2. Ensure that the following policy is not enforced on the system:
User Configuration\Administrative Templates\Windows Components\Windows Update\Remove access to use all Windows Update Features
Check this first in the local system policy (you can pull this up using gpedit.msc, the Local Group Policy Editor). After that, please run RSOP.msc and ensure that the policy is not configured there either. This will give you information from domain policies too. If the policy is enabled, please either remove the policy or disable it.
3. Restart the Automatic Updates service.
4. Now, from the command line, run the following command:
Configure proxy: proxycfg.exe -p <8080> "WSUS SERVER FQDN"
By doing this, we are configuring WinHTTP so that server access in upper case is also bypassed.
At this point, we need to test an update scan. Since the SMS Host Agent service is disabled and stopped, we won’t be able to use the agent to run the scan. In this case, we would need to run a scan using the command below: