January 16, 2010

ITMU Fixes

Troubleshooting ITMU
There are 5 main reasons why ITMU doesn’t work.

• Microsoft Updates issues
• McAfee EPO issues
• WMI issues
• System drive and registry security
• Trusted Sites

Microsoft Updates issues
ITMU uses the same tools as MicrosoftUpdate.com, so we can treat the problem as if we were fixing the website. Open Internet Explorer and go to:


This website will update the system that you are troubleshooting to the new Windows Update version 6.0. Follow the on-screen prompts. When it asks you to set up automatic updates, set them to disabled. If the website works properly, then ITMU should be functioning properly. If you receive an error, review the log below. Most of the errors can be fixed by running the bat file that is listed below. In some situations you may need to search the internet for the error code that is listed in the log.

You can troubleshoot ITMU/Microsoft Update by reviewing the following log.

Microsoft Update/ITMU log:

Note: You can view this log in real time by making the Log viewer in the SMS toolkit v2 your default log viewer.

System Security
One of the main reasons that ITMU fails is that someone removed the System\Everyone security group from the C: drive and didn’t set up the new security properly. The resulting error code is 0x80070005.
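
The error code above is a Windows HRESULT: 0x80070005 decodes to facility 7 (Win32) and code 5, access denied, which is why it points at permissions. The Python sketch below is an added example, not part of the original post; it pulls failure HRESULTs out of Windows Update log text and flags the access-denied case. The sample log lines and their tab-separated layout are constructed for illustration.

```python
import re

# Win32 error codes carried in FACILITY_WIN32 HRESULTs; only the one this
# page names is mapped, extend the table as needed.
WIN32_CODES = {5: "ERROR_ACCESS_DENIED"}
FACILITY_WIN32 = 7
HRESULT_RE = re.compile(r"\b0x([0-9A-Fa-f]{8})\b")

# Constructed sample lines (not from a real machine); the tab-separated
# layout is an assumption about the log format.
SAMPLE_LOG = (
    "2010-01-16\t09:14:02:331\t 912\ta4c\tAgent\t* Online = Yes; Ignore download priority = No\n"
    "2010-01-16\t09:14:05:870\t 912\ta4c\tSetup\tWARNING: SelfUpdate check failed, error = 0x80070005\n"
    "2010-01-16\t09:14:05:901\t 912\ta4c\tAgent\tWARNING: Exit code = 0x80070005\n"
    "2010-01-16\t09:20:11:004\t 912\tb10\tDnldMgr\tFATAL: download failed, error = 0x80072EE2\n"
    "2010-01-16\t09:21:00:000\t 912\tb10\tAgent\tExit code = 0x00000000\n"
)

def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    return {
        "failed": bool(value & 0x80000000),
        "facility": (value >> 16) & 0x7FF,  # 11-bit facility field
        "code": value & 0xFFFF,
    }

def triage(log_text):
    """Return {hresult: details} for every failure HRESULT in the log text."""
    findings = {}
    for line in log_text.splitlines():
        for hexval in HRESULT_RE.findall(line):
            value = int(hexval, 16)
            info = decode_hresult(value)
            if not info["failed"]:
                continue  # success codes such as 0x00000000 are noise
            key = "0x%08X" % value
            entry = findings.setdefault(key, dict(info, count=0))
            entry["count"] += 1
            win32 = info["facility"] == FACILITY_WIN32
            entry["name"] = WIN32_CODES.get(info["code"], "unknown") if win32 else "unknown"
            # Access denied is the case this page ties to drive/registry ACLs.
            entry["permissions"] = win32 and info["code"] == 5
    return findings

if __name__ == "__main__":
    for code, e in sorted(triage(SAMPLE_LOG).items()):
        hint = "check SYSTEM ACLs first" if e["permissions"] else "look up this code"
        print("%s x%d facility=%d code=%d %s -> %s" % (
            code, e["count"], e["facility"], e["code"], e["name"], hint))
```

Codes that are not flagged as permission problems still need the manual lookup the post describes.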

ITMU uses the following account:

This account is used to install updates. If this account is missing, ITMU/Microsoft Update will not work properly. This account must have full control of the C: drive and all folders to work properly. It will also need control of certain registry keys.

Reset Permissions
This step will reset the permission settings on this system.

Step 1:
1. Download SubInACL (SubInACL.exe).
2. Install it on the system that needs to be fixed.
3. Select C:\Windows\System32 as the Destination Folder during the installation. Later we will use this tool to reset the permission settings on the current machine.
Step 2:
1. Create a bat file with the following text:
@echo off
REM Grant Administrators full control of the registry hives and the system drive.
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
REM Grant SYSTEM full control of the same hives and the system drive.
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
@Echo =========================
@Echo Finished.
@Echo =========================

2. Execute the bat file on the system with issues, then run Windows Update again.

McAfee EPO Exemptions
In order to get ITMU working correctly you will need to add the following exemptions to McAfee EPO:

Some of the exemptions are listed in this KB article:


ITMU System Setup
You will need to make sure that the Automatic Updates service is enabled. You will also need to make sure that the Automatic Updates schedule settings are disabled. It should look like this:

You can disable this setting through a group policy. For ITMU to work properly we do not need automatic updates running. If it is set up to run, it will cause false proxy errors in the log. This can cause some confusion, so just disable it. Disabling it will not harm the system because ITMU will be doing the patching.

ITMU Common Fix

The most common issue with ITMU is an improperly registered WU or XML DLL.

Running the following bat file fixes most systems. Copy the lines of text between the **** into a text file called ITMU_fix.bat. After you manually test this script on a few machines you can delete the “pause”; this will make the script silent if pushed through SMS.

****
@echo on
REM Stop the Windows Update and BITS services before touching their files.
net stop wuauserv /Y
net stop bits /Y
CD /D %SystemRoot%\System32
REM Re-register the MSXML and Windows Update DLLs.
regsvr32 /S Msxml3.dll
regsvr32 /S Wuaueng.dll
regsvr32 /s wuaueng1.dll
regsvr32 /S Wuapi.dll
regsvr32 /S Atl.dll
regsvr32 /S Wucltui.dll
regsvr32 /S Wups.dll
regsvr32 /s wups2.dll
regsvr32 /s wuweb.dll
REM Remove the update cache; it is rebuilt when the service starts.
rd /s /Q "%SystemRoot%\SoftwareDistribution"
net start bits
net start wuauserv
Rem Delete or Rem the Pause to make script run silent with SMS.
pause
****

Trusted Sites

You may also need to add the following to a GPO for trusted sites:

This doesn’t usually fix ITMU, but it is needed in some cases to get MicrosoftUpdate.com working.


Known issue with ITMU

Microsoft has reports of systems that are running at 100% when running ITMU, but in most cases this has been resolved. As far as is understood, machines that are still experiencing this problem are usually very old, slow machines to begin with.

