The following steps describe operations and checks you can do on the endpoint itself in case the endpoint didn't report any status to WSUS (Not Yet Reported) or it has been more than 24 hours.
Verify Prerequisites
Endpoint Configuration for WSUS
From Endpoint
1. Check Automatic Update Service
First, make sure the Automatic Update service is running:
- Open services.msc
- Right click on Windows Update Service
- Make sure the Startup type is set to Automatic and start the service now if it is disabled
If it was disabled, enable it and wait a few minutes before running the following commands. If it was already enabled, run the following commands immediately.
For a computer running on Windows version 10/2016 or later:
USOClient.exe RefreshSettings
USOClient.exe StartScan
For a computer running on Windows version less than 10/2016:
wuauclt /detectnow
wuauclt.exe /resetauthorization /detectnow
If the endpoint is still not reporting to WSUS, run the following PowerShell command:
$updateSession = new-object -com "Microsoft.Update.Session";$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
2. Check Firewall
Try to access the WSUS server via the browser over port 8530. If there is an issue, check firewall rules locally and centrally.
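The checks from steps 1 and 2 can be collected in one pass with a script like the following. This is an added example, not part of the original article and not one of JetPatch's scripts. The parameter names are hypothetical, and it assumes the WSUS URL is delivered by Group Policy (the WUServer policy value) unless -WsusServer is passed.

```powershell
# Added example (not from the article): read-only checks for steps 1 and 2.
# -WsusServer, -Port and -TriggerScan are hypothetical parameter names.
param(
    [string]$WsusServer,      # WSUS host; taken from policy when omitted
    [int]$Port = 8530,        # port used in step 2
    [switch]$TriggerScan      # also run the detection commands from step 1
)

# Step 1: state and startup type of the Windows Update service (wuauserv).
$svc = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"

# WSUS URL the endpoint is configured with, as written by Group Policy.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $WsusServer -and $policy.WUServer) {
    $uri = [uri]$policy.WUServer
    $WsusServer = $uri.Host
    $Port = $uri.Port         # port from the policy URL wins over the default
}

# Step 2: can the endpoint open a TCP connection to the WSUS server?
$reachable = $null            # stays $null when no server is known
if ($WsusServer) {
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $reachable = $client.ConnectAsync($WsusServer, $Port).Wait(3000) }
    catch { $reachable = $false }   # refused, unresolved name, or filtered
    finally { $client.Close() }
}

# Optional: the detection commands from step 1, chosen by OS version.
$os = [version](Get-CimInstance Win32_OperatingSystem).Version
if ($TriggerScan -and $svc.State -eq 'Running') {
    if ($os.Major -ge 10) {
        USOClient.exe RefreshSettings
        USOClient.exe StartScan
    } else {
        wuauclt.exe /resetauthorization /detectnow
    }
}

[pscustomobject]@{
    Service        = $svc.State
    StartupType    = $svc.StartMode
    PolicyWUServer = $policy.WUServer
    Target         = if ($WsusServer) { "${WsusServer}:$Port" } else { $null }
    TcpReachable   = $reachable
    OsVersion      = $os
}
```

An empty PolicyWUServer means the endpoint has no WSUS policy applied, which points back to the prerequisites rather than to the service or the firewall.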
3. Check Windows Update Agent
Verify that there are no problems with the Windows Update agent by checking for updates. If you get error code 0x80244010, check for this error in the Windows Update Log, and if you see it, read this Microsoft article for more information. You have two options: (a) wait a few days for the natural 22 hour cycles to complete, or (b) increase the Automatic Update detection frequency from 22 hours to 1 hour and wait a few hours to verify that status is being reported before setting it back to the default.
Note: you can also use the built-in Check for potential Windows Update Agent issues task to check the status across multiple endpoints:
- Go to Endpoints > Management
- Filter on the Windows Endpoint Group(s) you are looking to patch
- Select all rows and select Action > Run Task
- Search for Check for potential Windows Update Agent issues
- Click on Run Task
- Wait a minute
- Go to Endpoints > Activities
- Filter Task: Check for potential Windows Update Agent issues
4. Check Windows Update Log
Generate logs for Windows 10 / Server 2016 or above:
Open an elevated PowerShell and run the following command:
Get-WindowsUpdateLog
This will generate a log that is saved on the endpoint's desktop.
For other Windows versions:
The "WindowsUpdate.log" file is located in %systemroot% - %systemroot%\WindowsUpdate.log
For more information about the Windows Update log, see the Microsoft article Windows Update Logs.
5. Other Ideas
- https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-issues-with-wsus-client-agents
- https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127648
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/re-register-windows-clientserver-in-wsus
From JetPatch
Use JetPatch Scripts
JetPatch provides a few scripts for difficult tasks such as regenerating the Windows Update Agent authorization properties for WSUS.
This script is available as both a Windows Batch file and a PowerShell script. Which one to use depends on how the endpoint is set up:
- Reset WUA Authorization for WSUS (PowerShell) - If the connector is deployed and a policy is in place, the PowerShell script can be used.
- Reset WUA Authorization for WSUS (Windows Batch) - If only the connector is installed, the Batch file should be used.
Totally reset WindowsUpdate on the client:
- Advanced WUA RESET - Deletes WindowsUpdateCatalog and a few registry parameters. Be careful: this script resets all Windows Update elements on the machine.
How to Monitor after Reset?
Use Endpoint Readiness, and look specifically at the WUA communication column (default 24 hours, which is configurable in the Endpoint Readiness settings).