winupdate troubleshooting sccm

  1. #Troubleshoot Win Updates
  2. # ISE tip -- F8 = run highlighted text
  3. #Other CM Powershell Scripts
  4. # https://gitlab.engr.illinois.edu/engrit-epm/sccm-ts-scripts
  5.  
  6. # changelog:
  7. # 20231023 - added capi2 eventvwr enable and pshell script to view iis logs.
  8. # 20231026 - added more filtering options to iis log script and support to output to csv.
  9. # 20231110 - added script to read through capi2 event logs with a searchstring.
  10. # 20240118 - added utc->localTime to IIS results
  11. # 20240321 - added Microsoft.Update.ServiceManager call to see who is responsible for win update
  12. # 20240628 - check client settings concerning sw updates - #14
  13.  
  14. #region ccmVerbose
  15.  
  16. # 1\ enable ccm verbose
  17. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogLevel" -Value "0" -ErrorAction SilentlyContinue
  18. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogMaxSize" -Value "10485760" -ErrorAction SilentlyContinue
  19. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogMaxHistory" -Value "10" -ErrorAction SilentlyContinue
  20. New-Item -Path "HKLM:\Software\Microsoft\CCM\Logging\DebugLogging" -ErrorAction SilentlyContinue
  21. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\DebugLogging' -Name "Enabled" -Value "True" -ErrorAction SilentlyContinue
  22. Stop-Service -Name CcmExec
  23. Start-Service -Name CcmExec
  24.  
  25. #endregion ccmVerbose
  26.  
  27. # see who is in charge for win update, wsus or microsoft
  28. $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
  29. $MUSM.Services | ft name,IsDefaultAUService
  30.  
  31. # gather more info - must be run from ISE
  32. gwmi -ns root\ccm\softwareupdates\updatesstore -class ccm_updatestatus |
  33.     ? status -eq 'Missing' |
  34.     select Title, UniqueId, UpdateClassification, ScanTime, Sources |
  35.     ogv
  36.  
  37. # pull updates from avail from deployments
  38. Get-WmiObject -namespace "root\ccm\clientsdk" -class CCM_SoftwareUpdate
  39.  
  40.  
  41. # 2\ perform verbose win update scan
  42. # equiv to
  43. #  reg add %_TRACEREGKEY% /v %_TRACEREGVALUE% /d 1 /t REG_DWORD /f
  44. #  set _TRACEREGKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
  45. #  set _TRACEREGVALUE=WPPLogDisabled
  46. # TODO
  47. #  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
  48. #  Add a new DWORD key named Flags with a value of 7
  49. #  Add a new DWORD key named Level with a value of 4
  50. #  Then perform a NET STOP and NET START wuauserv
  51. Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace' -Name "WPPLogDisabled" -Value "1" -ErrorAction SilentlyContinue
  52.  
  53. # stop some services
  54. Stop-Service CcmExec, usosvc, wuauserv -Force
  55. # make sure they are stopped
  56. Get-Service CcmExec, usosvc, wuauserv
  57.  
  58. # start winupdate verbose trace
  59. saps 'logman' 'start WindowsUpdateLOGPS1 -o c:\windows\temp\winupdate.etl -ets -ft 00:00:05 -nb 2 24 -bs 128 -p {0b7a6f19-47c4-454e-8c5c-e868d637e4d8} 8380415 5' -NoNewWindow
  60. # confirm its running
  61. logman query WindowsUpdateLOGPS1 -ets
  62.  
  63. # restart services
  64. Start-Service CcmExec, usosvc, wuauserv
  65.  
  66. # kick off scan via ccmexec action
  67. Invoke-WMIMethod -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule "{00000000-0000-0000-0000-000000000113}"
  68. Get-Content C:\windows\ccm\logs\WUAHandler.log -Tail 10
  69.  
  70. # stop the trace after scan is complete.. check wuahandler
  71. logman stop WindowsUpdateLOGPS1 -ets
  72. explorer c:\windows\temp
  73.  
  74. # 3\ check for successful scans in wuahandler
  75. $ret = Get-Content 'C:\Windows\CCM\Logs\WUAHandler.log' | `
  76. ? { $_ -match 'Successfully completed scan.' } | `
  77. #select -Last 1 | `
  78. ogv
  79.  
  80. # 4\ check lgpo reg values
  81. Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  82. Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  83.  
  84. # 5\ tnc against wsus server port
  85. $wsusAddress = ( ( (Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).WUServer -split '//')[1] -split ':' )[0]
  86. $wsusPort = ( ( (Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).WUServer -split '//')[1] -split ':' )[1]
  87. tnc $wsusAddress -port $wsusPort -InformationLevel Detailed
  88.  
  89. # 6\ list cert info\
  90. # certlm.msc
  91. # gpresult /h c:\windows\temp\gpresult.html /scope computer
  92. # in pers store (along with templ names)
  93. Get-ChildItem "Cert:\LocalMachine\My" | `
  94. select Name, FriendlyName, Thumbprint, Issuer, EnhancedKeyUsageList, NotAfter | `
  95. ogv
  96.  
  97. # 7\ check ccm client update settings in wmi
  98. # looking for this in Reserved2
  99. # <property name="O365Management" ><value>1</value></property>
  100. gwmi -ns root\ccm\policy\machine\actualconfig -class CCM_SoftwareUpdatesClientConfig
  101.  
  102. # in trusted root
  103. Get-ChildItem "Cert:\LocalMachine\Root" | `
  104. select Name, FriendlyName, Thumbprint, Issuer, EnhancedKeyUsageList, NotAfter | `
  105. ogv
  106.  
  107. # 8\ open wsus test web pages
  108. Invoke-WebRequest "http://$($wsusAddress):8530/ClientWebService/Client.asmx" -UseBasicParsing
  109. Invoke-WebRequest "http://$($wsusAddress):8530/SelfUpdate/iuident.cab" -UseBasicParsing
  110. Invoke-WebRequest "http://$($wsusAddress):8530/SelfUpdate/wuident.cab" -UseBasicParsing
  111.  
  112. # now here are the https tests (will need proper thumbprint from previous step)
  113. $ThumbPrint = "849b978fbcd91730015efbe31c397241ee3ba1cf"
  114. $Cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Thumbprint -like $ThumbPrint}
  115. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  116. Invoke-WebRequest "http://$($wsusAddress):8531/ClientWebService/Client.asmx" -UseBasicParsing -Certificate $Cert
  117. Invoke-WebRequest "http://$($wsusAddress):8531/SelfUpdate/iuident.cab" -UseBasicParsing -Certificate $Cert
  118. Invoke-WebRequest "http://$($wsusAddress):8531/SelfUpdate/wuident.cab" -UseBasicParsing -Certificate $Cert
  119.  
  120. # 9\ check for 500 statemsgs (need unique updateid)
  121. #i.e. Microsoft 365 Apps Update - Monthly Enterprise Channel Extended Quality Update for x64 based Edition Version 2212 (Build 15928.20298) 3104046 0   0   0   Yes Yes 0e7916d2-eecf-4346-a6af-9d8b038bbc93
  122. gwmi -ns ROOT\ccm\StateMsg -query 'select * from CCM_StateMsg where topicid like "%b5c69c07-71bd-4c95-9323-edd74bdd0bec%"' | `
  123. select topictype, stateid, topicid, messagetime, messagesent
  124.  
  125. <#
  126. 500 STATE_TOPTCTYPE_SUM_UPDATE_DETECTION
  127. 1   STATE_STATEID_UPDATE_NOT_REQUIRED
  128. 2   STATE_STATEID_UPDATE_MISSING
  129. 3   STATE_STATEID_UPDATE_INSTALLED
  130. #>
  131.  
  132. # next is deployment statemsg
  133. # i.e Microsoft Software Updates - 2023-07-07 05:29:12 PM   Individual  All Systems Yes 7/7/2023 5:31:00 PM {9A129251-9A5E-448E-80CE-83F3A8C02EE4} 
  134. gwmi -ns ROOT\ccm\StateMsg -query 'select * from CCM_StateMsg where topicid like "%9A129251-9A5E-448E-80CE-83F3A8C02EE4%"' |`
  135. select topictype, stateid, topicid, messagetime, messagesent
  136.  
  137. <#
  138. 300 STATE_TOPICTYPE_SUM_ASSIGNMENT_COMPLIANCE
  139.  
  140.     1   STATE_STATEID_ASSIGNMENT_COMPLIANT
  141.     2   STATE_STATEID_ASSIGNMENT_NONCOMPLIANT
  142.  
  143. 301 STATE_TOPICTYPE_SUM_ASSIGNMENT_ENFORCEMENT
  144.  
  145.     1   STATE_STATEID_ASSIGNMENT_ENFORCE_INSTALLING
  146.     2   STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_REBOOT
  147.     3   STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_INSTALL
  148.     4   STATE_STATEID_ASSIGNMENT_ENFORCE_SUCCESS
  149.     5   STATE_STATEID_ASSIGNMENT_ENFORCE_PENDING_REBOOT
  150.     6   STATE_STATEID_ASSIGNMENT_ENFORCE_FAILED
  151.     7   STATE_STATEID_ASSIGNMENT_ENFORCE_ADVANCE_DOWNLOAD_STARTED
  152.     8   STATE_STATEID_ASSIGNMENT_ENFORCE_ADVANCE_DOWNLOAD_SUCCESS
  153.     9   STATE_STATEID_ASSIGNMENT_ENFORCE_ADVANCE_DOWNLOAD_FAILED
  154.     10  STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_SERVICE_WND
  155.     11  STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_ORCHESTRATION
  156.     12  STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_SUPERSEDING
  157.  
  158. 302 STATE_TOPICTYPE_SUM_ASSIGNMENT_EVALUATION
  159.  
  160.     1   STATE_STATEID_ASSIGNMENT_EVALUATE_ACTIVATED
  161.     2   STATE_STATEID_ASSIGNMENT_EVALUATE_SUCCESS
  162.     3   STATE_STATEID_ASSIGNMENT_EVALUATE_FAILED
  163. #>
  164.  
  165. # 10\ clean up local softwaredist
  166. Stop-Service -Name wuauserv, cryptSvc, bits, msiserver
  167. Rename-Item -Path 'C:\WINDOWS\SoftwareDistribution' -NewName 'SoftwareDistribution.bak'
  168. Rename-Item -Path 'C:\Windows\System32\catroot2' -NewName 'Catroot2.old'
  169. Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -Name 'PingID' -Force
  170. Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -Name 'AccountDomainSid' -Force
  171. Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -Name 'SusClientId' -Force
  172. Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -Name 'SusClientIDValidation' -Force
  173. Start-Service -Name wuauserv, cryptSvc, bits, msiserver
  174.  
  175. # 11\ enable verbose logging on wsus - softwaredistribution
  176. Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' -Name LogLevel -Value 5 -Force
  177. # Restart-Service WsusService -Force
  178. # Restart-Service W3SVC -force
  179. notepad "$env:programfiles\update services\logfiles\softwaredistribution.log"
  180. Get-Content "$env:programfiles\update services\logfiles\softwaredistribution.log" -Tail 30
  181. Get-Content "C:\Program Files\update services\logfiles\Change.log" -tail 30
  182. # check change.log for updateid to make sure it wasnt declined
  183. Get-Content "C:\Program Files\update services\logfiles\Change*" | Select-String "dfa9b735-1248-4f4d-bbff-e5d9920976b2"
  184. Get-Content "C:\Program Files\update services\logfiles\Change*" | Select-String "KB5002456"
  185.  
  186. # 12\ view iis logs using pshell ogv - filtering
  187. $iisLog = "C:\InetPub\Logs\LogFiles\W3SVC1\u_ex$(Get-Date -F 'yyMMdd').log"
  188. $numOfRecords = $iisLog.Length
  189. # $numOfRecords = 10000
  190. $headers = @((Get-Content -Path $iisLog -ReadCount 4 -TotalCount 4)[3].split(' ') | `
  191. Where-Object { $_ -ne '#Fields:' })
  192. Get-Content $iisLog -Tail $numOfRecords | Where-Object { $_.date -notlike '#*' } | `
  193. Out-File "$env:temp\iisLogResults.csv" -Force
  194.  
  195.  
  196. Import-Csv -Delimiter ' ' -Header $headers -Path "$env:temp\iisLogResults.csv" | `
  197. % {
  198. $oldDate = (Get-Date "$($_.date) $($_.time)")
  199. $tzone = Get-TimeZone -Id "Eastern Standard Time"
  200. $newDate = $oldDate.AddHours($tzone.BaseUtcOffset.totalhours)
  201. $newDate = $newDate.ToString("yyyy-MM-dd HH:mm:ss")
  202. $_ | Add-Member -type NoteProperty -name localTime -value $newDate -PassThru
  203. } | `
  204. #? { $_."sc-status" -ne 404 } |
  205. #? { $_."cs-uri-query" -eq "MPLIST" } |
  206. #? { $_."c-ip" -like "192.168.4.20" } |
  207. sort localTime -Descending | `
  208. #Export-Csv "$env:temp\iisLogResultsFiltered.csv" -Force
  209. Out-GridView -Title "IIS log: $iisLog"
  210. #. "$env:temp\iisLogResultsFiltered.csv"
  211.  
  212. # 13\ view capi2 logs using pshell ogv - filtering
  213. function Format-XML {
  214.     [CmdletBinding()]
  215.     Param (
  216.         [Parameter(ValueFromPipeline=$true,Mandatory=$true)][string]$xmlcontent
  217.     )
  218.  
  219.     $xmldoc = New-Object -TypeName System.Xml.XmlDocument
  220.     $xmldoc.LoadXml($xmlcontent)
  221.     $sw = New-Object System.IO.StringWriter
  222.     $writer = New-Object System.Xml.XmlTextWriter($sw)
  223.     $writer.Formatting = [System.XML.Formatting]::Indented
  224.     $xmldoc.WriteContentTo($writer)
  225.     $sw.ToString()
  226. }
  227.  
  228. # 14\ check client settings concerning sw updates
  229. gwmi -ns ROOT\ccm\Policy\Machine\ActualConfig -class CCM_SourceUpdateClientConfig
  230.  
  231. # Filter to get events with error level from CAPI
  232. $filterHashtable = @{
  233.     LogName = 'Microsoft-Windows-CAPI2/Operational'
  234. }
  235.  
  236. # Retrieve CAPI events with error level
  237. $errorCapiEvents = Get-WinEvent -FilterHashtable $filterHashtable -MaxEvents 100
  238.  
  239.  
  240. # Get-ChildItem -Path Cert:\LocalMachine\My
  241. $searchString = '8B3C5B9B867D4BE46D1CB5A01D45D67DC8E94082'
  242.  
  243. $filteredEvents = $capiEvents.ToXML() | select-string $searchString
  244. $filteredEvents |  Format-XML
  245.  
  246. #
  247. Remove-Item $env:USERPROFILE\Desktop\WindowsUpdate.log -Force
  248. Stop-Service wuauserv, bits -force
  249. Move-Item C:\windows\SoftwareDistribution C:\windows\SoftwareDistribution.old -Force
  250. #Move-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.old -Force
  251. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name UseWUServer -Value 0
  252. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name SetPolicyDrivenUpdateSourceForDriverUpdates -Value 0
  253. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name SetPolicyDrivenUpdateSourceForFeatureUpdates -Value 0
  254. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name SetPolicyDrivenUpdateSourceForOtherUpdates -Value 0
  255. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name SetPolicyDrivenUpdateSourceForQualityUpdates -Value 0
  256. Start-Service wuauserv
  257. <# Open Settings and click on link to check for updates ONLINE
  258. Get-WindowsUpdateLog
  259. notepad.exe $env:USERPROFILE\Desktop\WindowsUpdate.log
  260. #>
  261.  
  262. # revert\ disable ccm verbose
  263. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogLevel" -Value "1" -ErrorAction SilentlyContinue
  264. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogMaxSize" -Value "10485760" -ErrorAction SilentlyContinue
  265. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogMaxHistory" -Value "10" -ErrorAction SilentlyContinue
  266. New-Item -Path "HKLM:\Software\Microsoft\CCM\Logging\DebugLogging" -ErrorAction SilentlyContinue
  267. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\DebugLogging' -Name "Enabled" -Value "False" -ErrorAction SilentlyContinue
  268. Stop-Service -Name CcmExec
  269. Start-Service -Name CcmExec
  270.  
  271. # enable CAPI2/Operational logging
  272. $logsource = Get-LogProperties 'Microsoft-Windows-CAPI2/Operational'
  273. $logsource.Enabled = $true
  274. Set-LogProperties -LogDetails $logsource
  275. # certutil.exe -verify -urlfetch c:\temp\CertName.cer > c:\temp\CertOut.txt