
I've been fighting an issue with both my Automatic Updates service and Background Intelligent Transfer Service stopping on client machines. Automatic Updates is failing with Event ID 7023 from Service Control Manager, with the description "The class is configured to run as a security id different from the caller", and BITS is getting an Event ID 7024, also from Service Control Manager, with the description "The Background Intelligent Transfer Service service terminated with service-specific error 2147500053 (0x80004015)."

This could also be related to SMS agents not downloading policy from the associated Management Point.

There are many links out there on the network that discuss these, but I found an interesting one that I hadn't seen before. Basically, we are rolling out SMS agents to client machines, and that part went well. However, once the SMS Agent got to the workstation, it could not pull down any policies.

After a Premier Microsoft call, it was determined that the BITS service on the workstation, which is needed for SMS to pull down policy from a Management Point, was not starting. See that error message up at the top there. It was at that point that we noticed that the Automatic Updates service, which is set to Automatic, was not started. The error for that is above too.

While I did find an article to specifically change the security settings on Automatic Updates, that wasn't the root cause of the problem. We had a Group Policy Object for these services which had specific settings for Administrators, Interactive, and System. What I found out, via this link, was that Network Service needed Read access to these services. I'm still confused about whether this is specifically because of the Active Directory provided by Windows Server 2003 SP1 or not. However, I changed this GPO to also give Network Service Read access to the two services. After that modified GPO applied to the desktop computers, the services were able to start as expected, and the SMS Agent was able to download policy as expected.

Pretty weird, huh?

If this was helpful, feel free to drop me a comment to let me know. Also, I have written several other WSUS helps in this journal, available here. This is the first SMS article I've written, but there may be more available later here.

Comments

rialtus
Jun. 21st, 2006 04:33 pm (UTC)
x-posted to email...

First, if you don't already have it, get the Group Policy Management Console from Microsoft.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

I'm guessing there is probably already a policy in effect that has improperly configured the service permissions. I'd start with finding that policy and/or the person who created it. You are specifically looking for Computer Configuration/Windows Settings/Security Settings/System Services, then both Background Intelligent Transfer Service and Automatic Updates.

To change the setting, edit the appropriate GPO, navigate to that string above, and click the Edit Security button. Add the NETWORK SERVICE and give it Allow Read. There is no save, since this is dynamic, so tread lightly.

(Anonymous)
May. 31st, 2007 12:46 pm (UTC)
No luck for me.
Ever since I installed WSUS 3.0 my Auto Updates have stopped. I tried your fix with no luck. I usually have to run this: SC sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU).

It fixes my error for a little bit and Auto Updates will start but in a couple of days it gives the error again. I've even removed WSUS in my GPO and no more machines report to the server but it still hasn't resolved my problem.
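
Both the GPO fix in the post and the `sc sdset` string in the comment above come down to which trustees have ACEs in a service's security descriptor. The following Python is an added example, not code from the post or its commenters: it decodes a service DACL in SDDL form and checks whether a trustee such as NETWORK SERVICE (`NS`) holds read rights. The names `parse_dacl`, `grants` and `READ`, the definition of "Read" as a rights set, and the two `GPO_*` strings are assumptions constructed for illustration.

```python
import re

# SDDL two-letter rights codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Assumption: "Read" means the rights held by AU in the comment's string.
READ = frozenset(SERVICE_RIGHTS[c] for c in ("CC", "LC", "SW", "LO", "CR", "RC"))

# The string quoted in the comment above (trustees SY, BA, AU, PU).
COMMENT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed samples: a DACL naming only Administrators, Interactive and
# System, as the post describes, and the same DACL with a NETWORK SERVICE ACE.
GPO_BEFORE = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)")
GPO_AFTER = GPO_BEFORE + "(A;;CCLCSWLOCRRC;;;NS)"

def parse_dacl(sddl):
    """Return {trustee: {"A": allowed rights, "D": denied rights}}."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found in SDDL string")
    acl = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type not in ("A", "D"):
            continue  # audit and object ACE types are ignored here
        codes = re.findall("..", rights)
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"unsupported rights string: {rights}")
        entry = acl.setdefault(trustee, {"A": set(), "D": set()})
        entry[ace_type].update(SERVICE_RIGHTS[c] for c in codes)
    return acl

def grants(sddl, trustee, required=READ):
    """True if explicit ACEs for `trustee` allow, and none deny, `required`.
    Grants inherited through group membership are not resolved."""
    entry = parse_dacl(sddl).get(trustee, {"A": set(), "D": set()})
    return required <= entry["A"] and not (required & entry["D"])
```

On a client, the string to check is the output of `sc sdshow wuauserv` or `sc sdshow bits`.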