
I've been fighting an issue with both my Automatic Updates service and Background Intelligent Transfer Service stopping on client machines. Automatic Updates is failing with Event ID 7023 from Service Control Manager, with the description "The class is configured to run as a security id different from the caller," and BITS is getting an Event ID 7024, also from Service Control Manager, with the description "The Background Intelligent Transfer Service service terminated with service-specific error 2147500053 (0x80004015)."

This could also be related to SMS agents not downloading policy from the associated Management Point.

There are many links out there on the network that discuss these, but I found an interesting one that I hadn't seen before. Basically, we are rolling out SMS agents to client machines, and that part went well. However, once the SMS Agent got to the workstation, it could not pull down any policies.

After a Premier Microsoft call, it was determined that the BITS service on the workstation, which is needed for SMS to pull down policy from a Management Point, was not starting. See that error message up at the top there. It was at that point that we noticed that the Automatic Updates service, which is set to Automatic, was not started. The error for that is above too.

While I did find an article to specifically change the security settings on Automatic Updates, that wasn't the root cause of the problem. We had a Group Policy Object for these services which had specific settings for Administrators, Interactive, and System. What I found out, via this link, was that Network Service needed Read access to these services. I'm still confused on whether this is specifically because of the Active Directory provided by Windows Server 2003 SP1 or not. However, I changed this GPO to also give Network Service read access to the two services. After that modified GPO applied to the desktop computers, the services were able to start as expected, and the SMS Agent was able to download policy as expected.

Pretty weird, huh?

If this was helpful, feel free to drop me a comment to let me know. Also, I have written several other WSUS helps in this journal, available here. This is the first SMS article I've written, but there may be more available later here.
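An added example, not part of the original post: a Python check of a service security descriptor (the SDDL string that sc sdshow prints) for the condition described above, namely whether NETWORK SERVICE ends up with read rights. The set of rights taken to mean "Read" and the trustees treated as covering NETWORK SERVICE are assumptions; the first sample string is the one quoted in the comments below, and the other two are constructed.

```python
import re

# Service-rights mnemonics that "Allow Read" is assumed to cover here:
# query config, query status, enumerate dependents, interrogate, read control.
READ_RIGHTS = {"CC", "LC", "SW", "LO", "RC"}
# Trustees assumed to apply to a NETWORK SERVICE token:
# the account itself, Authenticated Users, Everyone.
NS_TRUSTEES = {"NS", "AU", "WD"}

# From the comment thread on this page (the string passed to "sc sdset wuauserv").
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed: a GPO-style DACL naming only System, Administrators, Interactive.
GPO_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)")
# Constructed: the same DACL after adding NETWORK SERVICE with read.
FIXED_SDDL = GPO_SDDL + "(A;;CCLCSWLOCRRC;;;NS)"


def dacl_aces(sddl):
    """Yield (ace_type, rights, trustee) for each ACE in the DACL part."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[2].lower().startswith("0x"):
            continue  # malformed ACE, or a hex access mask (not decoded here)
        yield fields[0], set(re.findall(r"[A-Z]{2}", fields[2])), fields[5]


def network_service_missing_read(sddl):
    """Return the read rights NETWORK SERVICE is not granted by this DACL."""
    allowed, denied = set(), set()
    for ace_type, rights, trustee in dacl_aces(sddl):
        if trustee not in NS_TRUSTEES:
            continue
        if rights & {"GA", "GR"}:  # generic all / generic read imply read
            rights |= READ_RIGHTS
        if ace_type == "A":
            allowed |= rights
        elif ace_type == "D":
            denied |= rights  # deny wins (simplified evaluation)
    return sorted(READ_RIGHTS - (allowed - denied))


if __name__ == "__main__":
    for name, sddl in [("page", PAGE_SDDL), ("gpo", GPO_SDDL), ("fixed", FIXED_SDDL)]:
        missing = network_service_missing_read(sddl)
        print(name, "OK" if not missing else "missing: " + " ".join(missing))
```

An empty result means the descriptor already grants read, directly or through Authenticated Users or Everyone; a non-empty result lists the rights a service running as NETWORK SERVICE would lack.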



( 18 comments — Leave a comment )
Jun. 20th, 2006 03:36 pm (UTC)
Hi Rialtus,

That was a great article. I am facing the exact problem in my current infrastructure.

Sorry, I'm a bit new to AD... Can I know how you construct your GPO to give Network Service Read Access to BITS & AU?

I hope you can share your expertise. I can be contacted via lcie1979@yahoo.com. Thank you.
Jun. 21st, 2006 04:33 pm (UTC)
x-posted to email...

First, if you don't already have it, get the Group Policy Management Console from Microsoft.


I'm guessing there is probably already a policy in effect that has improperly configured the service permissions. I'd start with finding that policy and/or the person who created it. You are specifically looking for Computer Configuration/Windows Settings/Security Settings/System Services, then both Background Intelligent Transfer Service and Automatic Updates.

To change the setting, edit the appropriate GPO, navigate to that string above, and click the Edit Security button. Add the NETWORK SERVICE and give it Allow Read. There is no save, since this is dynamic, so tread lightly.
May. 31st, 2007 12:46 pm (UTC)
No luck for me.
Ever since I installed WSUS 3.0 my Auto Updates have stopped. I tried your fix with no luck. I usually have to run this: SC sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU).

It fixes my error for a little bit and Auto Updates will start but in a couple of days it gives the error again. I've even removed WSUS in my GPO and no more machines report to the server but it still hasn't resolved my problem.
Nov. 2nd, 2006 06:22 pm (UTC)
sweet solution
thanks for the article! this effectively resolves my problem of bits and auto update not starting on the wsus client machines! thanks a bunch! andrew
Nov. 2nd, 2006 06:52 pm (UTC)
Re: sweet solution
Glad I could help, Andrew.
Oct. 17th, 2007 06:20 pm (UTC)
Helpful Indeed!
Hey rialtus, thanks so much for your note. It was indeed very helpful as we were having the exact same issues and all I was able to find in MS.com was to reset the security descriptor (SD) to the default values which temporarily solved the problem until the Domain GPO was refreshed into the workstations.

Thanks Again!

Mar. 24th, 2008 04:13 pm (UTC)
hey — just wanted to swing by and thank you — this did the trick for me. we leave the service disabled (we use a 3rd party patching system), but my techs can now re-enable the service temporarily and run WU if needed.

cheers! thanks again! :)
Sep. 16th, 2009 11:52 am (UTC)
Let's try it out ... ;)
Nov. 19th, 2009 09:06 pm (UTC)
Fixing BITS Service
Adding NETWORK SERVICE with ALLOW READ permission fixed our issue, which was the same as Rialtus described. Thanks very much!
Nov. 19th, 2009 09:24 pm (UTC)
BITS Service fails to start
Adding the NETWORK SERVICE with ALLOW READ permission to our Group Policy enabled the BITS Service to start successfully. We had exactly the same issue you describe, and it fixed it. Thanks for sharing!
Nov. 20th, 2009 04:30 am (UTC)
Re: BITS Service fails to start
Glad this helped. I'm surprised that this article continues to help people almost four years after I first wrote it!
Feb. 26th, 2010 08:50 pm (UTC)
Re: BITS Service fails to start
Great Article!!!. Time /Life Saver :)
Jan. 5th, 2010 03:59 am (UTC)
Amazing! I had a problem a few months back with Conficker going nuts on our network disabling BITS. I set a GP to force it to Auto startup. For some reason the default permissions window does not include the network service when you enable this. I have been using the SC.exe tool to 'fix' the machines, not even knowing it was my GP that broke it!

Even removing the GP does not set the permissions back to what it should be so googling brought me here to find the permissions needed to apply to the GP and it's all good again.

Many thanks for taking the time to post this!

Jan. 5th, 2010 04:32 am (UTC)
Awesome! Glad this helped!
Mar. 22nd, 2010 06:52 pm (UTC)
Hoping for more detail
This has gotten me halfway there...
BITS must be set to manual, not automatic (ugh).
Automatic Updates set to auto.
Added just Network Service to both with just read, and start\stop\pause permissions.
Now as an administrator I can't do anything on the machine - not ideal.
So I add domain admins group to this list, but then the service will not start.
Can someone go as far as to give me a screen shot of exactly how this should look or something? Windows Update starts, but WSUS is having issues surrounding these permissions now.
This all stems from someone disabling these services as part of an image or something.
Thanks a ton :)
Mar. 30th, 2010 09:33 pm (UTC)
Re: Hoping for more detail
Here are my settings.

SYSTEM - Full control
Nov. 3rd, 2011 04:48 pm (UTC)
Re: Interesting to read
It was an interesting read, and all the fun is written. (Good thing there was no link to spam on this... )