Advertisement
brianfgonzalez

winupdate troubleshooting sccm

Sep 20th, 2024 (edited)
264
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PowerShell 13.31 KB | Source Code | 0 0
  1. #Troubleshoot Win Updates
  2. # ISE tip -- F8 = run highlighted text
  3. #Other CM Powershell Scripts
  4. # https://gitlab.engr.illinois.edu/engrit-epm/sccm-ts-scripts
  5.  
  6. # changelog:
  7. # 20231023 - added capi2 eventvwr enable and pshell script to view iis logs.
  8. # 20231026 - added more filtering options to iis log script and support to output to csv.
  9. # 20231110 - added script to read through capi2 event logs with a searchstring.
  10. # 20240118 - added utc->localTime to IIS results
  11. # 20240321 - added Microsoft.Update.ServiceManager call to see responsible for win update
  12. # 20240628 - check client settings concerning sw updates - #14
  13.  
  14. #region ccmVerbose
  15.  
  16. # 1\ enable ccm verbose
  17. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogLevel" -Value "0" -ErrorAction SilentlyContinue
  18. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogMaxSize" -Value "10485760" -ErrorAction SilentlyContinue
  19. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogMaxHistory" -Value "10" -ErrorAction SilentlyContinue
  20. New-Item -Path "HKLM:\Software\Microsoft\CCM\Logging\DebugLogging" -ErrorAction SilentlyContinue
  21. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\DebugLogging' -Name "Enabled" -Value "True" -ErrorAction SilentlyContinue
  22. Stop-Service -Name CcmExec
  23. Start-Service -Name CcmExec
  24.  
  25. #endregion ccmVerbose
  26.  
  27. # see who is in charge for win update, wsus or microsoft
  28. $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
  29. $MUSM.Services | ft name,IsDefaultAUService
  30.  
  31. # gather more info - must be run from ISE
  32. gwmi -ns root\ccm\softwareupdates\updatesstore -class ccm_updatestatus |
  33.     ? status -eq 'Missing' |
  34.     select Title, UniqueId, UpdateClassification, ScanTime, Sources |
  35.     ogv
  36.  
  37. # pull updates from avail from deployments
  38. Get-WmiObject -namespace "root\ccm\clientsdk" -class CCM_SoftwareUpdate
  39.  
  40.  
  41. # 2\ perform verbose win update scan
  42. # equiv to
  43. #  reg add %_TRACEREGKEY% /v %_TRACEREGVALUE% /d 1 /t REG_DWORD /f
  44. #  set _TRACEREGKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
  45. #  set _TRACEREGVALUE=WPPLogDisabled
  46. # TODO
  47. #  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
  48. #  Add a new DWORD key named Flags with a value of 7
  49. #  Add a new DWORD key named Level with a value of 4
  50. #  Then perform a NET STOP and NET START wuauserv
  51. Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace' -Name "WPPLogDisabled" -Value "1" -ErrorAction SilentlyContinue
  52.  
  53. # stop some services
  54. Stop-Service CcmExec, usosvc, wuauserv -Force
  55. # make sure they are stopped
  56. Get-Service CcmExec, usosvc, wuauserv
  57.  
  58. # start winupdate verbose trace
  59. saps 'logman' 'start WindowsUpdateLOGPS1 -o c:\windows\temp\winupdate.etl -ets -ft 00:00:05 -nb 2 24 -bs 128 -p {0b7a6f19-47c4-454e-8c5c-e868d637e4d8} 8380415 5' -NoNewWindow
  60. # confirm its running
  61. logman query WindowsUpdateLOGPS1 -ets
  62.  
  63. # restart services
  64. Start-Service CcmExec, usosvc, wuauserv
  65.  
  66. # kick off scan via ccmexec action
  67. Invoke-WMIMethod -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule "{00000000-0000-0000-0000-000000000113}"
  68. Get-Content C:\windows\ccm\logs\WUAHandler.log -Tail 10
  69.  
  70. # stop the trace after scan is complete.. check wuahandler
  71. logman stop WindowsUpdateLOGPS1 -ets
  72. explorer c:\windows\temp
  73.  
  74. # 3\ check for successful scans in wuahandler
  75. $ret = Get-Content 'C:\Windows\CCM\Logs\WUAHandler.log' | `
  76. ? { $_ -match 'Successfully completed scan.' } | `
  77. #select -Last 1 | `
  78. ogv
  79.  
  80. # 4\ check lgpo reg values
  81. Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  82. Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  83.  
  84. # 5\ tnc against wsus server port
  85. $wsusAddress = ( ( (Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).WUServer -split '//')[1] -split ':' )[0]
  86. $wsusPort = ( ( (Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).WUServer -split '//')[1] -split ':' )[1]
  87. tnc $wsusAddress -port $wsusPort -InformationLevel Detailed
  88.  
  89. # 6\ list cert info\
  90. # certlm.msc
  91. # gpresult /h c:\windows\temp\gpresult.html /scope computer
  92. # in pers store (along with templ names)
  93. Get-ChildItem "Cert:\LocalMachine\My" | `
  94. select Name, FriendlyName, Thumbprint, Issuer, EnhancedKeyUsageList, NotAfter | `
  95. ogv
  96.  
  97. # 7\ check ccm client update settings in wmi
  98. # looking for this in Reserved2
  99. # <property name="O365Management" ><value>1</value></property>
  100. gwmi -ns root\ccm\policy\machine\actualconfig -class CCM_SoftwareUpdatesClientConfig
  101.  
  102. # in trusted root
  103. Get-ChildItem "Cert:\LocalMachine\Root" | `
  104. select Name, FriendlyName, Thumbprint, Issuer, EnhancedKeyUsageList, NotAfter | `
  105. ogv
  106.  
  107. # 8\ open wsus test web pages
  108. Invoke-WebRequest "http://$($wsusAddress):8530/ClientWebService/Client.asmx" -UseBasicParsing
  109. Invoke-WebRequest "http://$($wsusAddress):8530/SelfUpdate/iuident.cab" -UseBasicParsing
  110. Invoke-WebRequest "http://$($wsusAddress):8530/SelfUpdate/wuident.cab" -UseBasicParsing
  111.  
  112. # now here are the https tests (will need proper thumbprint from previous step)
  113. $ThumbPrint = "849b978fbcd91730015efbe31c397241ee3ba1cf"
  114. $Cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Thumbprint -like $ThumbPrint}
  115. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  116. Invoke-WebRequest "http://$($wsusAddress):8531/ClientWebService/Client.asmx" -UseBasicParsing -Certificate $Cert
  117. Invoke-WebRequest "http://$($wsusAddress):8531/SelfUpdate/iuident.cab" -UseBasicParsing -Certificate $Cert
  118. Invoke-WebRequest "http://$($wsusAddress):8531/SelfUpdate/wuident.cab" -UseBasicParsing -Certificate $Cert
  119.  
  120. # 9\ check for 500 statemsgs (need unique updateid)
  121. #i.e. Microsoft 365 Apps Update - Monthly Enterprise Channel Extended Quality Update for x64 based Edition Version 2212 (Build 15928.20298) 3104046 0   0   0   Yes Yes 0e7916d2-eecf-4346-a6af-9d8b038bbc93
  122. gwmi -ns ROOT\ccm\StateMsg -query 'select * from CCM_StateMsg where topicid like "%b5c69c07-71bd-4c95-9323-edd74bdd0bec%"' | `
  123. select topictype, stateid, topicid, messagetime, messagesent
  124.  
  125. <#
  126. 500 STATE_TOPTCTYPE_SUM_UPDATE_DETECTION
  127. 1   STATE_STATEID_UPDATE_NOT_REQUIRED
  128. 2   STATE_STATEID_UPDATE_MISSING
  129. 3   STATE_STATEID_UPDATE_INSTALLED
  130. #>
  131.  
  132. # next is deployment statemsg
  133. # i.e Microsoft Software Updates - 2023-07-07 05:29:12 PM   Individual  All Systems Yes 7/7/2023 5:31:00 PM {9A129251-9A5E-448E-80CE-83F3A8C02EE4} 
  134. gwmi -ns ROOT\ccm\StateMsg -query 'select * from CCM_StateMsg where topicid like "%9A129251-9A5E-448E-80CE-83F3A8C02EE4%"' |`
  135. select topictype, stateid, topicid, messagetime, messagesent
  136.  
  137. <#
  138. 300 STATE_TOPICTYPE_SUM_ASSIGNMENT_COMPLIANCE
  139.  
  140.     1   STATE_STATEID_ASSIGNMENT_COMPLIANT
  141.     2   STATE_STATEID_ASSIGNMENT_NONCOMPLIANT
  142.  
  143. 301 STATE_TOPICTYPE_SUM_ASSIGNMENT_ENFORCEMENT
  144.  
  145.     1   STATE_STATEID_ASSIGNMENT_ENFORCE_INSTALLING
  146.     2   STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_REBOOT
  147.     3   STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_INSTALL
  148.     4   STATE_STATEID_ASSIGNMENT_ENFORCE_SUCCESS
  149.     5   STATE_STATEID_ASSIGNMENT_ENFORCE_PENDING_REBOOT
  150.     6   STATE_STATEID_ASSIGNMENT_ENFORCE_FAILED
  151.     7   STATE_STATEID_ASSIGNMENT_ENFORCE_ADVANCE_DOWNLOAD_STARTED
  152.     8   STATE_STATEID_ASSIGNMENT_ENFORCE_ADVANCE_DOWNLOAD_SUCCESS
  153.     9   STATE_STATEID_ASSIGNMENT_ENFORCE_ADVANCE_DOWNLOAD_FAILED
  154.     10  STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_SERVICE_WND
  155.     11  STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_ORCHESTRATION
  156.     12  STATE_STATEID_ASSIGNMENT_ENFORCE_WAIT_SUPERSEDING
  157.  
  158. 302 STATE_TOPICTYPE_SUM_ASSIGNMENT_EVALUATION
  159.  
  160.     1   STATE_STATEID_ASSIGNMENT_EVALUATE_ACTIVATED
  161.     2   STATE_STATEID_ASSIGNMENT_EVALUATE_SUCCESS
  162.     3   STATE_STATEID_ASSIGNMENT_EVALUATE_FAILED
  163. #>
  164.  
  165. # 10\ clean up local softwaredist
  166. Stop-Service -Name wuauserv, cryptSvc, bits, msiserver
  167. Rename-Item -Path 'C:\WINDOWS\SoftwareDistribution' -NewName 'SoftwareDistribution.bak'
  168. Rename-Item -Path 'C:\Windows\System32\catroot2' -NewName 'Catroot2.old'
  169. Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -Name 'PingID' -Force
  170. Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -Name 'AccountDomainSid' -Force
  171. Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -Name 'SusClientId' -Force
  172. Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -Name 'SusClientIDValidation' -Force
  173. Start-Service -Name wuauserv, cryptSvc, bits, msiserver
  174.  
  175. # 11\ enable verbose logging on wsus - softwaredistribution
  176. Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' -Name LogLevel -Value 5 -Force
  177. # Restart-Service WsusService -Force
  178. # Restart-Service W3SVC -force
  179. notepad "$env:programfiles\update services\logfiles\softwaredistribution.log"
  180. Get-Content "$env:programfiles\update services\logfiles\softwaredistribution.log" -Tail 30
  181. Get-Content "C:\Program Files\update services\logfiles\Change.log" -tail 30
  182. # check change.log for updateid to make sure it wasnt declined
  183. Get-Content "C:\Program Files\update services\logfiles\Change*" | Select-String "dfa9b735-1248-4f4d-bbff-e5d9920976b2"
  184. Get-Content "C:\Program Files\update services\logfiles\Change*" | Select-String "KB5002456"
  185.  
  186. # 12\ view iis logs using pshell ogv - filtering
  187. $iisLog = "C:\InetPub\Logs\LogFiles\W3SVC1\u_ex$(Get-Date -F 'yyMMdd').log"
  188. $numOfRecords = $iisLog.Length
  189. # $numOfRecords = 10000
  190. $headers = @((Get-Content -Path $iisLog -ReadCount 4 -TotalCount 4)[3].split(' ') | `
  191. Where-Object { $_ -ne '#Fields:' })
  192. Get-Content $iisLog -Tail $numOfRecords | Where-Object { $_.date -notlike '#*' } | `
  193. Out-File "$env:temp\iisLogResults.csv" -Force
  194.  
  195.  
  196. Import-Csv -Delimiter ' ' -Header $headers -Path "$env:temp\iisLogResults.csv" | `
  197. % {
  198. $oldDate = (Get-Date "$($_.date) $($_.time)")
  199. $tzone = Get-TimeZone -Id "Eastern Standard Time"
  200. $newDate = $oldDate.AddHours($tzone.BaseUtcOffset.totalhours)
  201. $newDate = $newDate.ToString("yyyy-MM-dd HH:mm:ss")
  202. $_ | Add-Member -type NoteProperty -name localTime -value $newDate -PassThru
  203. } | `
  204. #? { $_."sc-status" -ne 404 } |
  205. #? { $_."cs-uri-query" -eq "MPLIST" } |
  206. #? { $_."c-ip" -like "192.168.4.20" } |
  207. sort localTime -Descending | `
  208. #Export-Csv "$env:temp\iisLogResultsFiltered.csv" -Force
  209. Out-GridView -Title "IIS log: $iisLog"
  210. #. "$env:temp\iisLogResultsFiltered.csv"
  211.  
  212. # 13\ view capi2 logs using pshell ogv - filtering
  213. function Format-XML {
  214.     [CmdletBinding()]
  215.     Param (
  216.         [Parameter(ValueFromPipeline=$true,Mandatory=$true)][string]$xmlcontent
  217.     )
  218.  
  219.     $xmldoc = New-Object -TypeName System.Xml.XmlDocument
  220.     $xmldoc.LoadXml($xmlcontent)
  221.     $sw = New-Object System.IO.StringWriter
  222.     $writer = New-Object System.Xml.XmlTextWriter($sw)
  223.     $writer.Formatting = [System.XML.Formatting]::Indented
  224.     $xmldoc.WriteContentTo($writer)
  225.     $sw.ToString()
  226. }
  227.  
  228. # 14\ check client settings concerning sw updates
  229. gwmi -ns ROOT\ccm\Policy\Machine\ActualConfig -class CCM_SourceUpdateClientConfig
  230.  
  231. # Filter to get events with error level from CAPI
  232. $filterHashtable = @{
  233.     LogName = 'Microsoft-Windows-CAPI2/Operational'
  234. }
  235.  
  236. # Retrieve CAPI events with error level
  237. $errorCapiEvents = Get-WinEvent -FilterHashtable $filterHashtable -MaxEvents 100
  238.  
  239.  
  240. # Get-ChildItem -Path Cert:\LocalMachine\My
  241. $searchString = '8B3C5B9B867D4BE46D1CB5A01D45D67DC8E94082'
  242.  
  243. $filteredEvents = $capiEvents.ToXML() | select-string $searchString
  244. $filteredEvents |  Format-XML
  245.  
  246. #
  247. Remove-Item $env:USERPROFILE\Desktop\WindowsUpdate.log -Force
  248. Stop-Service wuauserv, bits -force
  249. Move-Item C:\windows\SoftwareDistribution C:\windows\SoftwareDistribution.old -Force
  250. #Move-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.old -Force
  251. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name UseWUServer -Value 0
  252. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name SetPolicyDrivenUpdateSourceForDriverUpdates -Value 0
  253. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name SetPolicyDrivenUpdateSourceForFeatureUpdates -Value 0
  254. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name SetPolicyDrivenUpdateSourceForOtherUpdates -Value 0
  255. Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name SetPolicyDrivenUpdateSourceForQualityUpdates -Value 0
  256. Start-Service wuauserv
  257. <# Open Settings and click on link to check for updates ONLINE
  258. Get-WindowsUpdateLog
  259. notepad.exe $env:USERPROFILE\Desktop\WindowsUpdate.log
  260. #>
  261.  
  262. # revert\ disable ccm verbose
  263. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogLevel" -Value "1" -ErrorAction SilentlyContinue
  264. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogMaxSize" -Value "10485760" -ErrorAction SilentlyContinue
  265. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL' -Name "LogMaxHistory" -Value "10" -ErrorAction SilentlyContinue
  266. New-Item -Path "HKLM:\Software\Microsoft\CCM\Logging\DebugLogging" -ErrorAction SilentlyContinue
  267. Set-ItemProperty -Path 'HKLM:\Software\Microsoft\CCM\Logging\DebugLogging' -Name "Enabled" -Value "False" -ErrorAction SilentlyContinue
  268. Stop-Service -Name CcmExec
  269. Start-Service -Name CcmExec
  270.  
  271. # enable CAPI2/Operational logging
  272. $logsource = Get-LogProperties 'Microsoft-Windows-CAPI2/Operational'
  273. $logsource.Enabled = $true
  274. Set-LogProperties -LogDetails $logsource
  275. # certutil.exe -verify -urlfetch c:\temp\CertName.cer > c:\temp\CertOut.txt
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement