Fix Duplicate WSUS ClientIDs Using PowerShell

A common issue when using a ‘template’ or an OS image that hasn’t been sysprepped is that each client that has the same clientID will appear and disappear from the WSUS console (only 1 client will appear at a time).

A solution to this involves stopping the Windows Update service (wuauserv) and then removing some Windows Update registry values such as the following:


  • SusClientId
  • SusClientIdValidation
  • PingID
  • AccountDomainSid


  • LastWaitTimeout
  • DetectionStartTimeout
  • NextDetectionTime
  • AUState

Following that, you can remove the SoftwareDistribution folder on the system and then restart the Windows Update service.

Once that has been completed, you need to run the following command to force a check-in to the WSUS server and receive a new clientID and download required updates.

wuauclt /resetauthorization /detectnow
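The steps above as a single local-machine function, added here as an example and not the author's Invoke-WSUSClientIDFix. The name Reset-LocalWsusClientId is hypothetical, and because the page does not say which key holds which value, every name is tried under both the WindowsUpdate and Auto Update keys. Run it from an elevated session; -WhatIf previews every change.

```powershell
function Reset-LocalWsusClientId {   # hypothetical name, not the author's function
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    $auKey = Join-Path $wuKey 'Auto Update'
    # Value names from the list above. Assumption: which key holds which value
    # is not stated, so each name is checked under both keys and skipped if absent.
    $names = 'SusClientId', 'SusClientIdValidation', 'PingID', 'AccountDomainSid',
             'LastWaitTimeout', 'DetectionStartTimeout', 'NextDetectionTime', 'AUState'

    # Stop-Service honors -WhatIf/-Confirm passed to this function
    Stop-Service -Name wuauserv -Force

    foreach ($key in $wuKey, $auKey) {
        if (-not (Test-Path $key)) { continue }
        $present = (Get-Item $key).Property   # value names that exist under this key
        foreach ($name in $names) {
            if ($present -contains $name -and
                $PSCmdlet.ShouldProcess("$key\$name", 'Delete Registry Value')) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }

    # Clear the local update cache so the client rebuilds it on next detection
    $sd = Join-Path $env:SystemRoot 'SoftwareDistribution'
    if ((Test-Path $sd) -and $PSCmdlet.ShouldProcess($sd, 'Remove folder')) {
        Remove-Item -Path $sd -Recurse -Force
    }

    Start-Service -Name wuauserv

    # Request a new client ID from the WSUS server and start detection
    if ($PSCmdlet.ShouldProcess('wuauclt', 'Reset authorization and detect')) {
        & wuauclt.exe /resetauthorization /detectnow
    }
}
```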

In reviewing some of my old scripts and functions, I found this function that I have been wanting to put out to the community and always forgot to do so.

Invoke-WSUSClientIDFix allows you to run all of these fix actions against any system, local or remote.  This function will first use Stop-Service to stop the Windows Update service on the local or remote system.

Because Remoting may not be enabled in a given environment yet, the registry modifications (local or remote) are done via the [Microsoft.Win32.RegistryKey] type, whose OpenRemoteBaseKey() method makes the connection; the function then removes the WSUS client registry values.

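# Connect to the HKLM hive on the target computer
$reghive = [microsoft.win32.registryhive]::LocalMachine
Write-Verbose ("{0}: Making remote registry connection to {1} hive" -f $Computer, $reghive)
$remotereg = [microsoft.win32.registrykey]::OpenRemoteBaseKey($reghive, $Computer)
Write-Verbose ("{0}: Connection to WSUS Client registry keys" -f $Computer)
# Open both keys writable ($True) so values can be deleted
$wsusreg1 = $remotereg.OpenSubKey('Software\Microsoft\Windows\CurrentVersion\WindowsUpdate',$True)
$wsusreg2 = $remotereg.OpenSubKey('Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update',$True)

# Remove the value only if it exists; ShouldProcess honors -WhatIf/-Confirm
If (-Not [string]::IsNullOrEmpty($wsusreg1.GetValue('SusClientId'))) {
    If ($PScmdlet.ShouldProcess("SusClientId","Delete Registry Value")) {
        $wsusreg1.DeleteValue('SusClientId')
    }
}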


Following that, I use Remove-Item to clean out the SoftwareDistribution folder. I use Start-Service to start up the Windows Update service prior to the last command. I then make use of the Win32_Process WMI class and its Create() method to spawn a remote process to run the wuauclt /detectnow /resetauthorization command to check back into the WSUS server.

After dot sourcing the function, I can run it against one or more systems to perform the client ID fix so that each client will communicate properly with the WSUS server.

Invoke-WSUSClientIDFix -Verbose


Download Invoke-WSUSClientIDFix

Give it a run and let me know what you think!


6 Responses to Fix Duplicate WSUS ClientIDs Using PowerShell

  1. Steve says:

    Hello, so I am testing this out; however, during my test I am noticing that it is NOT deleting the reg keys. I commented out the section of the starting of the service & the WSUS re-auth (lines 106-115), then re-imported it & ran it, assuming that the keys were being recreated when the service was started & the reauth. However, still no go; the keys are still there.

    Could you assist? It does appear that everything else is working, just the deletion of the reg keys is not.

    • Boe Prox says:

      I will have to take a look and see what might be happening. Are you seeing any sort of error message?

      • Steve says:

        OK, I figured it out to an extent. I was running it via ISE and RemoteSigned, then running -confirm, but it would only prompt on the service stop.

        I then tried to run it via the console RemoteSigned, still no reg work being done.

        I then ran it Unrestricted & it worked as expected.

        The only issue I have at the moment is it seems to hang deleting the distribution folder.
        It sat for about 20 mins, then I killed it. I then went to a cloned server of the one I ran the script against, which has the same size folder/items, & manually deleted it, but got prompted to confirm the delete since some files were too large for the bin.

        So I went back to the script & noticed it is running -force, which SHOULD basically say yes to the prompt that I got by manually deleting it, but not sure.

        My next test is to add -confirm:$false to it to see if it goes…

  2. _Emin_ says:

    Hi Boe,
    Great work and congrats for your MVP award 🙂
    Your link to the technet doesn’t work for me.
    Here’s the one that is working for me:
