Articles in this section

Troubleshooting Windows Client Reporting Issues: Not Yet Reported or Not Reported in Over 24 Hours (Red X WUA Communication)

 If a windows endpoint is not reporting to WSUS/Windows Update or hasn’t updated its status in over 24 hours (default Red X WUA Communication in Endpoint Readiness), follow these steps to diagnose and resolve the issue:

Step 0: Verify Prerequisites

Before troubleshooting, ensure the endpoint meets the prerequisites for WSUS. Use JetPatch Endpoint Readiness to analyze and pinpoint missing configurations.

Step 1: Run Prerequisite Checks with JetPatch Endpoint Readiness

  1. Open Endpoint Readiness in JetPatch (Endpoints > Readiness)

    • Filter on Endpoint Readiness > Not Ready and Unknown
    • If prerequisites are met, then the affected devices should only have a red X or yellow ? on WUA Communication column.  If other columns are red X or yellow ?, then prerequisites are not met.  Stop this process and ensure the endpoints meet the prerequisites for WSUS

  2. Manually Run Readiness Test:

    • Filter on Unmet Criteria > WUA Communication
    • Select all rows and go to Actions > Run Readiness Test
    • Wait a couple of minutes for the results to refresh
    • If there is still a red X or yellow ?, then move to Step 2
        •  

Step 2: Check Windows Update Service

  1. Open services.msc on the endpoint.
  2. Locate Windows Update Service (wuauserv).
  3. Ensure it is Running and set to Automatic

Step 3: PowerShell WUA Test

This direct test determines if the client can successfully query windows update source and returns an HRESULT code if it fails.

  1. On the endpoint, open PowerShell as Administrator and run: 
    $updateSession = New-Object -ComObject Microsoft.Update.Session
    $searcher = $updateSession.CreateUpdateSearcher()
    $result = $searcher.Search("IsInstalled=0")
  2. Success
    • $result.Updates.Count shows the number of available updates (or zero if none). This means the endpoint successfully connected to WSUS.
  3. Failure
    • The command throws an HRESULT error (e.g., 0x8024402C). Look up the error code at Microsoft’s Windows Update Error Reference. Common causes include DNS issues, proxy misconfiguration, or firewall blocking.

Step 4: Confirm Network and Proxy Communication to WSUS

  • Browser Check: Open a browser and attempt to access WSUS directly:
    • HTTPS (port 8531): https://<WSUS_Server_FQDN_or_IP>:8531
    • HTTP (port 8530) (if WSUS configured without SSL): http://<WSUS_Server_FQDN_or_IP>:8530
    • Success: Browser loads without certificate or connection errors.
    • Failure: Proceed to next step.
  • Port Connectivity Test: Open PowerShell as Administrator
    • Verify network-level connectivity: Test-NetConnection <WSUS_Server_FQDN_or_IP> -Port 8531
    • TcpTestSucceeded: True → Network port is reachable.
    • TcpTestSucceeded: False → Network issue (firewall, routing, etc.). Investigate connectivity.
  • SSL Certificate Validation (HTTPS only) (Required if WSUS uses HTTPS/8531)
    • In PowerShell (as Admin), run:
Invoke-WebRequest -Uri https://<WSUS_Server_FQDN_or_IP>:8531 -UseBasicParsing
    • Success (200 OK): Endpoint trusts SSL certificate.
    • Failure (SSL errors): Endpoint does not trust WSUS certificate; investigate certificate issues.
  • Proxy Configuration Check Open Command Prompt as Admin)
    • Verify proxy settings:
netsh winhttp show proxy
  • If proxy settings exist, temporarily bypass proxy or SSL inspection to test direct communication.

Step 5: Analyze Windows Update Logs

Manually Check for Updates

Generate and Review Windows Update Logs

  1. Open PowerShell as Administrator on the endpoint, then run:
    Get-WindowsUpdateLog
  2. The log file is created on your desktop. Look for error codes (e.g., 0x80244010 or 0x80072EE2). Use the Windows Update Error Reference to interpret any codes you see.

Related articles

Comments

0 comments

Please sign in to leave a comment.