Monday, November 10, 2008

Solution for Slow Cisco NAC WSUS Requirement Check

Slow NAC posture validation can be one of the biggest stumbling blocks for a successful NAC deployment, and one of the biggest reasons for slow posture validation is the time it takes for the WSUS Requirement check. I've come up with a list of troubleshooting steps to try to reduce the time the WSUS Requirement check takes.

Troubleshooting Option 1: Use the Latest version of Windows Update Agent
The latest version of Windows Update Agent includes new features that speed up the WSUS check process. First, make sure that the Windows Update Agent 3.0 release is being used on the client. Also, the KB927891 patch must be installed if you are running XP SP2. You can verify the version by looking at the version of the c:\WINDOWS\System32\wuaueng.dll file. The version should be 7.2.6001.784, as shown in the picture.


Based on the links listed below, this Windows Update Agent release is backwards compatible with WSUS release 2.0.

Because of the major changes that have been made in the new Windows Update Agent, this troubleshooting step should be done before any other troubleshooting. In addition to the faster checks, this latest version includes a number of fixes that control CPU utilization. Below are two links explaining the changes:
  • http://blogs.technet.com/wsus/archive/2007/04/28/update-on.aspx
  • http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx
The first link actually starts off with the following statement:
In addition to the next week’s WSUS 3.0 release, we are making the new client portion available via the following plan to our customers who continue to experience performance issues like UI hang and long scan times.
In one instance, I saw a 90 second scan time go down to 5 seconds. I used the PT (Protocol Tracker) lines of the c:\windows\WindowsUpdate.log file to verify this. Below are screenshots showing the long scan time with Windows Update Agent 2.0, followed by the short time after the upgrade to Windows Update Agent 3.0.


This first screen shows the version, start time and end time in bold. You'll notice that updates take 98 seconds to complete.


This second screen also shows the version, start time and end time in bold. You'll notice that updates take 2 seconds to complete.

Troubleshooting Option 2: Defragment datastore.edb
The c:\windows\SoftwareDistribution\DataStore\DataStore.edb file is a database that stores the local information about Microsoft updates. When the Windows Update Agent downloads the WSUS data store, it compares it with the local data store in the DataStore.edb database. I found the instructions for defragmenting the database on a Microsoft forum link; I've posted the relevant information below.
The detection scan hits DataStore.edb causing a buffer overflow.
One can run esentutl from a Command Prompt to defragment DataStore.edb
instead of deleting it in hopes that will resolve the issue -

esentutl /d %windir%\SoftwareDistribution\Datastore\datastore.edb

If that doesn't resolve the issue, attempt to Recover the file -

esentutl /r %windir%\SoftwareDistribution\Datastore\datastore.edb

[This command performs recovery, bringing all databases to a
consistent state]

The next to last resort is to attempt to Repair it -

esentutl /p %windir%\SoftwareDistribution\Datastore\datastore.edb

NOTE: MS recommends that if the system is imaged regularly that a new
system image be done after running ANY of the above operations

* On XP Home Edition, one must stop the Automatic Updates service PRIOR
to running the above. This wasn't the case when doing so on XP Pro *

Troubleshooting Option 3: Remove Corrupted Database
This troubleshooting step removes the database directory entirely. The downside of this solution is that you will lose any history of updates. I found this procedure on the following website: http://myitkb.net/category/windows-updates. I've posted the relevant information below.
  1. Type net stop wuauserv and hit Enter.
  2. Type cd /d %windir%\SoftwareDistribution and hit Enter.
  3. Type rd /s DataStore and hit Enter.
  4. Click Yes at the prompt.
  5. Type net start wuauserv and hit Enter.

**Note: On one machine I was testing with, I corrupted something that was required for Windows Update Agent to start. I used the following commands, found on a web forum, to fix the problem:
sc sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"

sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
Use at your own risk.

Friday, November 7, 2008

Microsoft WSUS Guide for Cisco NAC deployments

Microsoft Windows Server Update Services (WSUS) provides a method for managing Microsoft updates for company computers. Within a company, there are one or more WSUS servers that get updates from Microsoft. Computers within the company network check in with a WSUS server to get their Microsoft updates. There are a number of benefits to using a WSUS server. Some of the benefits are:

  • Control when updates are installed - This allows companies to test updates before deploying them to the user community.
  • Lower internet bandwidth usage - Keep the bandwidth used for downloading Microsoft updates within the internal network. This keeps the internet connection from becoming overloaded by users downloading updates directly from Microsoft.

From a security perspective, keeping current with the latest Microsoft updates is very important. Computers are vulnerable to attack if they do not have the latest security updates installed. Cisco NAC can make sure computers have approved Microsoft updates by using a WSUS Requirement. This requirement uses the WSUS API on the end computer to poll the WSUS server for an index of all approved Microsoft updates. The end computer then uses the local Windows Update Agent to compare the local index, called a data store, with the index received from the WSUS server. Any differences cause the Cisco NAC remediation dialog box to appear and guide the end user through downloading and installing the Microsoft updates.

In theory this should be a seamless process that occurs quickly. In practice, there are a number of problems that can occur. Common problems include being unable to connect to the WSUS server and errors returned when connecting to it. Below are some common tools to use for troubleshooting WSUS problems.

Common Troubleshooting Tools
  1. wuauclt.exe /detectnow - This is a great command for initiating detection against the WSUS server manually. Without this command you need to wait for the Automatic Updates process to kick off on its own.
  2. c:\WINDOWS\WindowsUpdate.log - This file provides invaluable logging about the status of Windows Update activity.
  3. esentutl.exe - This database utility can recover and repair the update database used on the end computer. The database is stored in c:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb.
  4. WSUS Client Diagnostics Tool - This tool checks the basic settings required for WSUS to work. The Microsoft website provides more information about the tool along with a download link.
Here's an example of how the first two tools would be used.

A user is having problems getting Microsoft updates from the WSUS server. You go to the user's computer and check out the c:\WINDOWS\windowsupdate.log file. In the file, you notice the following error message:
WARNING: WU client failed Searching for update with error 0x8024400e
You run "wuauclt.exe /detectnow" and check the windowsupdate.log file again to make sure the problem is still occurring. After verifying that it is still occurring, you do a Google search on "error 0x8024400e" and find a link to a website describing a similar problem and offering a solution. You contact the WSUS team and have them implement the change to fix the problem.
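As an added example, not code from the original post, here is a small Python parser that automates the three things this post reads off WindowsUpdate.log by eye: the WU client version checked in Troubleshooting Option 1, the PT (Protocol Tracker) scan duration shown in the Option 1 screenshots, and the WARNING error code from the scenario just above. The log lines are constructed samples that copy the column layout of the real file (date, time, PID, TID, component, message); the WSUS server URL and ServiceId GUID are placeholders, and the scan-duration rule (first PT synchronisation marker to the last PT line after it) is my own assumption about how to read the PT lines, not a documented Microsoft definition.

```python
"""Read WU client version, PT scan duration and search-failure codes from WindowsUpdate.log lines."""
import re
from collections import namedtuple
from datetime import datetime

# wuaueng.dll / WU client version the post asks for (Windows Update Agent 3.0 with KB927891).
REQUIRED_AGENT_VERSION = (7, 2, 6001, 784)

LogRecord = namedtuple("LogRecord", "when pid tid component message")

# Constructed sample: an older agent, a 98 second PT sync and one failed search.
# Server URL and ServiceId GUID are placeholders.
SLOW_LOG = """\
2008-11-10 09:15:00:000  964 5a8 Agent  * WU client version 5.8.0.2469
2008-11-10 09:15:02:123  964 5a8 PT +++++++++++  PT: Synchronizing server updates  +++++++++++
2008-11-10 09:15:02:123  964 5a8 PT   + ServiceId = {00000000-0000-0000-0000-000000000000}, Server URL = http://wsus.example.local/ClientWebService/client.asmx
2008-11-10 09:16:40:123  964 5a8 PT   + SyncUpdates round trips: 5
2008-11-10 09:16:40:200  964 5a8 Agent  * WARNING: WU client failed Searching for update with error 0x8024400e
2008-11-10 09:16:40:200  964 5a8 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
"""

# Constructed sample: the required agent version and a 2 second PT sync, no errors.
FAST_LOG = """\
2008-11-10 10:00:00:000 1180 3c4 Agent  * WU client version 7.2.6001.784
2008-11-10 10:00:00:500 1180 3c4 PT +++++++++++  PT: Synchronizing server updates  +++++++++++
2008-11-10 10:00:00:500 1180 3c4 PT   + ServiceId = {00000000-0000-0000-0000-000000000000}, Server URL = http://wsus.example.local/ClientWebService/client.asmx
2008-11-10 10:00:02:500 1180 3c4 PT   + SyncUpdates round trips: 1
2008-11-10 10:00:02:600 1180 3c4 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
"""

VERSION_RE = re.compile(r"WU client version (\d+(?:\.\d+)+)")
ERROR_RE = re.compile(r"WARNING:.*?\berror (0x[0-9A-Fa-f]{8})")


def parse_log(text):
    """Split each line into its columns; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        parts = re.split(r"\s+", line.strip(), maxsplit=5)
        if len(parts) < 6:
            continue
        date, clock, pid, tid, component, message = parts
        # The time column is HH:MM:SS:mmm; %f accepts the three-digit millisecond field.
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S:%f")
        records.append(LogRecord(when, pid, tid, component, message))
    return records


def client_version(records):
    """Agent version as an int tuple from the '* WU client version' line, or None."""
    for rec in records:
        match = VERSION_RE.search(rec.message)
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def agent_is_current(version, required=REQUIRED_AGENT_VERSION):
    """True when the logged agent version is at least the version the post asks for."""
    return version is not None and version >= required


def pt_scan_seconds(records):
    """Seconds from the PT 'Synchronizing server updates' marker to the last PT line after it.

    Assumed reading of the PT lines (the post reads them by eye); None if no sync is logged.
    """
    start = end = None
    for rec in records:
        if rec.component != "PT":
            continue
        if start is None:
            if "Synchronizing server updates" in rec.message:
                start = rec.when
        else:
            end = rec.when
    if start is None or end is None:
        return None
    return (end - start).total_seconds()


def search_errors(records):
    """Hex error codes from WARNING lines, lower-cased so they can be searched for consistently."""
    codes = []
    for rec in records:
        match = ERROR_RE.search(rec.message)
        if match:
            codes.append(match.group(1).lower())
    return codes


def summarize(text):
    """What a technician would check on the client before escalating to the WSUS team."""
    records = parse_log(text)
    version = client_version(records)
    return {
        "agent_version": version,
        "agent_current": agent_is_current(version),
        "pt_scan_seconds": pt_scan_seconds(records),
        "errors": search_errors(records),
    }


if __name__ == "__main__":
    for name, log in (("slow", SLOW_LOG), ("fast", FAST_LOG)):
        print(name, summarize(log))
```

On a real client you would read the file with `open(r"C:\WINDOWS\WindowsUpdate.log", encoding="utf-8", errors="replace")` and pass its contents to `summarize`; a result with `agent_current` False points straight at Troubleshooting Option 1, and a non-empty `errors` list gives you the code to research before involving the WSUS team.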

While Google searches are an excellent way of obtaining information about WSUS, I've found a number of links to start your troubleshooting efforts with. Below are the best links I've found to start your research:
  1. Main Microsoft WSUS Site including Configuration Guides
  2. Free Microsoft Support
  3. WSUS Wiki Site
  4. How to read the WindowsUpdate.log File
  5. Microsoft Blog about WSUS
  6. WSUS Forum
  7. WindowsUpdate Posts on Eggheadcafe.com
  8. Microsoft WSUS Discussion Group