Troubleshooting Windows Updates
Because Microsoft has moved to a continuous update cycle known as Windows as a Service, Workspace ONE UEM can now manage the update life cycle. It is important to keep devices secure and up-to-date—this helps to protect your devices from security risks and viruses.
This exercise helps you to explore some of the high-level troubleshooting tasks to get updates working and validate they are set correctly.
1. Windows As a Service with Workspace ONE UEM
To understand how Windows Update management works with Workspace ONE UEM, see the following high-level workflow:
- Devices connect to Microsoft Update Servers for latest patches.
- Devices report patches (GUIDs) to Workspace ONE UEM.
- Workspace ONE UEM calls Microsoft API to obtain information about the patches to display in the console.
- Based on configured policies and admin actions, Workspace ONE UEM grants or declines the patch to be installed.
- Devices connect to Microsoft Update Servers to download and apply the patches.
- If Delivery Optimization is enabled, devices can also obtain patches from other devices and not directly from Microsoft.
Note: Workspace ONE UEM never handles the patches. Workspace ONE UEM is a management and reporting utility for the updates, unlike Windows Server Update Services (WSUS), which downloads the patches from Microsoft and then transfers them directly to the devices when they are on the corporate network. Therefore, with the modern approach, updates happen in real time, in the cloud, backed by Delivery Optimization.
2. Run Windows Update Troubleshooter
The fastest way to troubleshoot Windows Update issues on your Windows 10 device is to run the Windows Update Troubleshooter. This tool stops the Windows Update Service (wuauserv), clears out the download cache (C:\Windows\SoftwareDistribution), then restarts the Windows Update Service. Therefore, you do not have to manually check whether the service is running or whether there are any issues with the cache.
3. Confirm Updates on Device
The next steps help you to validate that the device is receiving the correct updates information from Workspace ONE UEM.
3.1. Validate the Device Received the Profile
First, check that the device installed the profile successfully. If not, see the troubleshooting steps in the Troubleshooting Profiles section.
3.2. Validate Windows Update UI Shows Correct Values
If you recently pushed out a profile and do not see the Windows Update settings UI update (left screenshot), then perform the next steps:
- Restart the Windows Update Service (wuauserv).
- Click Check for Updates.
- Close and re-open settings and the settings should be updated (right screenshot).
Note: You can now View configured update policies (this setting does not show values). This displays all the settings that Workspace ONE UEM is controlling. These configured settings will also be grayed out for the end-user.
3.3. Validate Settings Using Registry
If you cannot update the Windows Update settings menu UI, then check the registry to view all the configured update values. For more details on using the registry to troubleshoot profiles, see the Troubleshooting Profiles section. This registry location shows only what was sent through MDM. If the domain is pushing out settings using GPO, these settings could be overridden on the device.
3.4. Delivery Optimization Activity Monitor
Organizations want to confirm if Delivery Optimization is reducing network traffic across the WAN. You can validate each device's delivery optimization activity by navigating to Settings > Update & Security > Windows Update > Advanced Options > Delivery Optimization > Activity Monitor. The activity monitor displays the download and upload statistics for this target machine.
4. Use Event Viewer
If you have verified the Workspace ONE UEM configuration but the device still cannot apply or obtain updates, you need to seek further assistance. You can use Event Viewer to gather detailed error and status messages to search for on Google or report back to Microsoft.
5. Use PowerShell Cmdlets
The following PowerShell cmdlets are helpful:
- The Get-HotFix cmdlet retrieves hotfixes (also called updates) that have been installed on the local computer or on specified remote computers by Windows Update, Microsoft Update, or Windows Server Update Services. The cmdlet also retrieves hotfixes or updates that have been installed manually by users.
- The Get-WindowsUpdateLog cmdlet merges and converts Windows Update event trace log (ETL) files into a single, readable WindowsUpdate.log file. Windows Update Agent uses Event Tracing for Windows (ETW) to generate diagnostic logs. Windows Update no longer directly produces a WindowsUpdate.log file. Instead, it produces ETL files that are not immediately readable as written.
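
The following script is an added example, not part of the original Workspace ONE documentation. It combines the two cmdlets above with the service and cache checks from section 2 into one read-only health snapshot. The 30-day patch-age threshold, the output path, and the failure-code search pattern are assumptions chosen for illustration.

```powershell
# Added example: read-only Windows Update health snapshot for one device.
# Run from an elevated PowerShell prompt on the device being checked.
param(
    [int]$MaxPatchAgeDays = 30,                        # assumed threshold
    [string]$LogPath = "$env:TEMP\WindowsUpdate.log"   # assumed output path
)

# Windows Update Service (wuauserv): it should exist and not be disabled.
$svc = Get-Service -Name wuauserv

# Size of the cache that the Windows Update Troubleshooter clears.
$cacheDir = Join-Path $env:SystemRoot 'SoftwareDistribution'
$cacheBytes = (Get-ChildItem -Path $cacheDir -Recurse -File -Force -ErrorAction SilentlyContinue |
    Measure-Object -Property Length -Sum).Sum

# Most recent installed update; some entries carry no InstalledOn date.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }

# Convert the ETL traces into a readable log, then pull lines that carry a
# failure HRESULT (0x8xxxxxxx). The pattern is a heuristic, not a full parser.
Get-WindowsUpdateLog -LogPath $LogPath | Out-Null
$failures = @(Select-String -Path $LogPath -Pattern '0x8[0-9A-Fa-f]{7}')

[pscustomobject]@{
    ServiceStatus     = $svc.Status
    ServiceStartType  = $svc.StartType
    CacheSizeMB       = [math]::Round(([double]$cacheBytes) / 1MB, 1)
    LatestHotFix      = $latest.HotFixID
    LatestInstalledOn = $latest.InstalledOn
    PatchAgeDays      = $ageDays
    PatchStale        = ($null -eq $ageDays) -or ($ageDays -gt $MaxPatchAgeDays)
    FailureLineCount  = $failures.Count
}

# Last few failure lines, ready to search on or hand to support.
$failures | Select-Object -Last 10 | ForEach-Object { $_.Line }
```

A device that reports `PatchStale` as true while the console shows its patches as approved is a candidate for the Event Viewer review in section 4.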