Hi Richel.valdez,
How are your endpoints looking today? Visibility of updates is directly tied to when a device (or devices) goes through a scan, so if Device A is not displaying the 2024-04 cumulative update, and a scan hasn’t taken place since the time of the update release, a scan has to happen in order for it to show up in the Software section of a device. Having a more aggressive group scan interval (Manage > Groups > (group) > Scan Interval) alleviates the delay between release and detection on the endpoint. A manual scan is always an option as well.
Hi @richel.valdez, while not frequent, this can occur. Automox also relies on the Windows Update Agent running locally to be fully working and pulling down good metadata from Microsoft as to what needs to be patched in regards to those Cumulative Updates.
Here are a few remediation scripts I’ve used to clean up Windows Update when things don’t seem right:
# Driver Updates - this is unique to everyone. I’ve used this for Dell
# Running the built-in Windows Update Troubleshooter - cannot say the output is that clean, but occasionally it fixes corruption :-)
$tsp = Get-TroubleshootingPack C:\Windows\diagnostics\system\WindowsUpdate
Invoke-TroubleshootingPack -Pack $tsp -AnswerFile .\WUDAnswers.xml -Unattended -Result $env:HomeDrive\WUDResult
[xml]$xml = Get-Content $env:HomeDrive\WUDResult\ResultReport.xml
$xml.ResultReport.Package.Problem.DetectionInformation.DetailedInformation.Detail.Contents.Objects.Object | % { write-output $_.'#text';write-output ". " }
$today = Get-Date
$start = $today.AddDays(-33)
$events = Get-WinEvent -FilterHashtable @{
LogName='Setup'
StartTime=$start
EndTime=$today
}
$events | % {
Write-Output "$($_.TimeCreated) | $($_.ID) | $($_.Message)"
}
# Using DISM Healthchecks and the classic SFC /ScanNow to combat Windows Operating System system file corruption
### Dism OS
Write-Output "Running Dism.exe /Online /Cleanup-Image /CheckHealth"
start-process Dism.exe -ArgumentList '/online /Cleanup-Image /checkhealth' -Wait
Write-Output "Running Dism.exe /Online /Cleanup-Image /ScanHealth"
start-process Dism.exe -ArgumentList '/online /Cleanup-Image /scanhealth' -Wait
Write-Output "Running Dism.exe /Online /Cleanup-Image /RestoreHealth"
start-process Dism.exe -ArgumentList '/online /Cleanup-Image /Restorehealth /NoRestart' -Wait
### SFC
start-process sfc -ArgumentList '/scannow' -Wait
# CBS.log records SFC repairs as "[SR] Repairing ..." and "[SR] Verify and Repair ..."
$events = Select-String -Path C:\Windows\Logs\CBS\CBS.log -Pattern '\[SR\] Repairing','\[SR\] Verify and Repair'
foreach ($event in $events){
Write-Output $event
}
### Dism Components
start-process Dism.exe -ArgumentList '/Online /Cleanup-Image /AnalyzeComponentStore' -Wait
start-process Dism.exe -ArgumentList '/Online /Cleanup-Image /StartComponentCleanup /NoRestart' -Wait
$events = Get-WinEvent -FilterHashtable @{
LogName='Setup'
ID=1013,1014
} | Select Message
foreach ($event in $events){
Write-Output $event
}
# Resetting Windows Update Agent - built from https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/additional-resources-for-windows-update
# AddressWidth is 64 or 32; expand the property so the later -eq 64 comparison works
$arch = (Get-WMIObject -Class Win32_Processor -ComputerName LocalHost | Select-Object -First 1).AddressWidth
#1. Stopping Windows Update Services...
Stop-Service -Name BITS
Stop-Service -Name wuauserv
Stop-Service -Name appidsvc
Stop-Service -Name cryptsvc
#2. Remove QMGR Data file...
Remove-Item "$env:allusersprofile\Microsoft\Network\Downloader\qmgr*.dat" -ErrorAction SilentlyContinue
#3. Renaming the Software Distribution and CatRoot Folder...
Remove-Item $env:systemroot\SoftwareDistribution -recurse -force -ErrorAction SilentlyContinue
Remove-Item $env:systemroot\SoftwareDistribution.bak -recurse -force -ErrorAction SilentlyContinue
#Rename-Item $env:systemroot\SoftwareDistribution SoftwareDistribution.bak -ErrorAction SilentlyContinue
# This may not work if the folder is locked by having a contained file being accessed
Remove-Item $env:systemroot\System32\Catroot2.bak -recurse -force -ErrorAction SilentlyContinue
Rename-Item $env:systemroot\System32\Catroot2 catroot2.bak -ErrorAction SilentlyContinue
#4. Removing old Windows Update log...
Remove-Item $env:systemroot\WindowsUpdate.log -ErrorAction SilentlyContinue
#5. Resetting the Windows Update Services to default settings...
# Restore the default security descriptors on the BITS and Windows Update services
[void](& sc.exe sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
[void](& sc.exe sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
Set-Location $env:systemroot\system32
#6. Registering some DLLs...
regsvr32.exe /s atl.dll
regsvr32.exe /s urlmon.dll
regsvr32.exe /s mshtml.dll
regsvr32.exe /s shdocvw.dll
regsvr32.exe /s browseui.dll
regsvr32.exe /s jscript.dll
regsvr32.exe /s vbscript.dll
regsvr32.exe /s scrrun.dll
regsvr32.exe /s msxml.dll
regsvr32.exe /s msxml3.dll
regsvr32.exe /s msxml6.dll
regsvr32.exe /s actxprxy.dll
regsvr32.exe /s softpub.dll
regsvr32.exe /s wintrust.dll
regsvr32.exe /s dssenh.dll
regsvr32.exe /s rsaenh.dll
regsvr32.exe /s gpkcsp.dll
regsvr32.exe /s sccbase.dll
regsvr32.exe /s slbcsp.dll
regsvr32.exe /s cryptdlg.dll
regsvr32.exe /s oleaut32.dll
regsvr32.exe /s ole32.dll
regsvr32.exe /s shell32.dll
regsvr32.exe /s initpki.dll
regsvr32.exe /s wuapi.dll
regsvr32.exe /s wuaueng.dll
regsvr32.exe /s wuaueng1.dll
regsvr32.exe /s wucltui.dll
regsvr32.exe /s wups.dll
regsvr32.exe /s wups2.dll
regsvr32.exe /s wuweb.dll
regsvr32.exe /s qmgr.dll
regsvr32.exe /s qmgrprxy.dll
regsvr32.exe /s wucltux.dll
regsvr32.exe /s muweb.dll
regsvr32.exe /s wuwebv.dll
#7) Removing WSUS client settings...
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
#8) Resetting the WinSock...
[void](netsh winsock reset)
[void](netsh winhttp reset proxy)
#9) Delete all BITS jobs...
Get-BitsTransfer | Remove-BitsTransfer
#10) Attempting to install the Windows Update Agent...
if($arch -eq 64){
#wusa Windows8-RT-KB2937636-x64 /quiet
}
else{
#wusa Windows8-RT-KB2937636-x86 /quiet
}
#11) Starting Windows Update Services...
Start-Service -Name BITS
Start-Service -Name wuauserv
Start-Service -Name appidsvc
Start-Service -Name cryptsvc
#12) Forcing discovery...
wuauclt /resetauthorization /detectnow
Write-Output "Windows Update settings restored to default."
Richel,
We have had the same exact issue with another client. The 2024-04 Cumulative Update for Windows 10/11 does not show available on 50% of the workstations, but all the other security updates are available. We have used the OOB Patch on the workstations and verified they installed. Even though they are installed, Automox does not detect them as installed under the software inventory. It’s a bizarre issue because we can’t pinpoint the root cause of this. I can’t imagine 150 workstations suddenly needing a windows update reset script. Or maybe it’s a bad update released by Microsoft? Who knows.
@PRuffin That does sound strange and would agree that it’s likely not about resetting Windows Update on that many devices.
I’d be looking closer at where Windows Update is looking for updates on all those devices. I’m wondering if maybe some older WSUS server settings are configured. Look under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; if you see the keys WUServer and WUStatusServer, take steps to remove them so you are going to Microsoft Update or, in turn, go manage that WSUS server so the updates can actually show as needing to apply. I’ve come across environments where WSUS has not been managed, the database let run without maintenance, and it causes all sorts of hardship.
Next, I’d leverage the Get-WindowsUpdateLog cmdlet and analyze that log using a resource like this https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs to help guide you. Or ask the community to help!
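One way to run the checks above on an endpoint, as an added example that is not part of the thread: it reports the WSUS policy values (WUServer, WUStatusServer and the AU\UseWUServer switch the agent honours them under), cross-checks whether the 2024-04 CU mentioned later in the thread (KB5036893) is actually installed, and then pulls the merged agent log for analysis.

```powershell
# Added example: report where this endpoint looks for updates and whether
# policy pins it to a WSUS server. Run elevated on the endpoint.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusPolicyState {
    $result = [ordered]@{
        WUServer       = $null
        WUStatusServer = $null
        UseWUServer    = $null
        PinnedToWsus   = $false
    }
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        $result.WUServer       = $p.WUServer
        $result.WUStatusServer = $p.WUStatusServer
    }
    if (Test-Path $auKey) {
        $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
        $result.UseWUServer = $au.UseWUServer
    }
    # The agent only honours WUServer when AU\UseWUServer is set to 1.
    $result.PinnedToWsus = ($result.UseWUServer -eq 1 -and
                            -not [string]::IsNullOrEmpty($result.WUServer))
    [pscustomobject]$result
}

$state = Get-WsusPolicyState
$state | Format-List

if ($state.PinnedToWsus) {
    Write-Warning "Pinned to WSUS at $($state.WUServer); Microsoft Update results are not used until this policy is removed or that WSUS server is serviced."
    # To return to Microsoft Update (only when WSUS is genuinely retired):
    # Remove-ItemProperty -Path $policyKey -Name WUServer, WUStatusServer -ErrorAction SilentlyContinue
    # Set-ItemProperty -Path $auKey -Name UseWUServer -Value 0
    # Restart-Service wuauserv
}

# Cross-check the inventory: is the 2024-04 CU (KB5036893) really installed?
$kb = 'KB5036893'
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) { Write-Output "$kb installed on $($hotfix.InstalledOn)" }
else         { Write-Output "$kb not reported by Get-HotFix" }

# Merge the ETL traces into a readable WindowsUpdate.log (defaults to the desktop).
Get-WindowsUpdateLog
```

Compare the Get-HotFix result with what the Automox software inventory shows for the same device; a mismatch points at detection, not at a missing install.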
Thanks Jack! I’ll review the windows-update-logs.
We noticed that the 2024-04 Cumulative Update for Windows 11 can change to “Windows 11 23H2 (KB5036893)” with a 134GB file size. We have been able to reproduce this bug on multiple machines for different clients. This may be why Automox does not always detect the 2024-04 Cumulative Update for Windows 11 (KB5036893); it will show Windows 11 23H2. I think this is a Microsoft bug. Has anyone else seen this behavior?
Yes, we have the same issue in some of our clients. It does look like a Microsoft issue rather than Automox.
I’ve seen this issue as well. Will look to run the DISM/SFC script. I also currently utilize the ResetWindowsUpdate worklet for devices that show Not Compatible.