During attempt to temporarily free drive space for Disk Defragmenter to run, I had stopped the IIS web service and moved the Update Services folder, which is WSUS, to another disk drive. After running the defragmenter, I moved the folder back and started the service up again. Later that week, I noticed that clients had not been reporting in to WSUS.
After server reboot, the event log reported that a service failed to start. The only automatic service that was not running was “Update Services”. Starting the service manually allowed me to access the WSUS management console, but another event log message was written each time I restarted the service that stated:
“Event ID: 506 - The SelfUpdate Tree is not working. Clients may not be able to update to the latest WUA client software and communicate with the WSUS Server.” [more]
On every server, including the WSUS server, MBSA kept failing to check security updates from the WSUS server. WSUS client check-in is served through IIS as a site called “Selfupdate”. It is important to allow anonymous access to the directory using an IUSR account managed by IIS. I went back to the “Update Services” folder on the disk drive and manually added the Internet Guest Account (the IUSR account that was listed as the anonymous IIS account) and gave it “Read & Execute” permissions. Moving that folder to another drive had likely removed the IUSR permissions for the folder.
I restarted the “Update Services” service and no longer got the Event ID: 506 message. I ran registry commands to get Windows Updates to check for updates again on one of the servers and it reported to WSUS. A little later, other machines began to report in as well.