Windows Update Troubleshooting

This article provides a comprehensive guide for troubleshooting Windows Update errors in the context of Level's patch management system.


Microsoft WUA API

Level uses the Microsoft WUA ("Windows Update Agent") and pulls available patches using the WUA API. More details about WUA here.

Because of this, the results shown in Level should not be compared against the results in Windows Update History.

Below are the commands Microsoft provides for use with the WUA API. Level uses these commands to fetch the lists of available and installed patches that you see in the console:

PS script for installed patches:

$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Searcher.Search("IsInstalled=1").Updates | ft -a title

PS script for not installed patches:

$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Searcher.Search("IsInstalled=0").Updates | ft -a title

Migrating from Windows Server Update Services (WSUS)

If your organization previously used WSUS, devices may still reference the WSUS server instead of the Windows Update servers. If Level is reporting no new updates, and the commands above also show no new updates, check whether WSUS is still being used as the update source by running the following command in PowerShell:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

If you see references to the old WSUS server, then it has not been disabled on the device. The best course of action is to reverse the Group Policy Object that pushed out WSUS to the devices. If that is not possible, then the following script can be run to eliminate old WSUS settings.

This script is provided as a convenience for our clients. Please test this script first before deploying to production systems!

# Stop the BITS and Windows Update services
Stop-Service -Name BITS, wuauserv -Force

# Remove WSUS client configuration properties (the client's WSUS identity values).
# Note: this does not touch the Policies\...\WindowsUpdate key checked above.
$wsusProperties = @("AccountDomainSid", "PingID", "SusClientId", "SusClientIDValidation")
foreach ($property in $wsusProperties) {
    Remove-ItemProperty -Name $property -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\" -ErrorAction SilentlyContinue
}

# Remove the SoftwareDistribution folder (update download cache and local update history)
Remove-Item "$env:SystemRoot\SoftwareDistribution\" -Recurse -Force -ErrorAction SilentlyContinue

# Start the BITS and Windows Update services
Start-Service -Name BITS, wuauserv

# Optionally, reset the Windows Update client settings
# This step ensures that the client re-registers and checks for updates from the correct source
$wuaucltPath = "$env:SystemRoot\System32\wuauclt.exe"
if (Test-Path -Path $wuaucltPath) {
    Start-Process -FilePath $wuaucltPath -ArgumentList "/resetauthorization /detectnow" -NoNewWindow
} else {
    Write-Output "wuauclt.exe not found. Ensure the Windows Update client is available."
}

If the group policy is still in place to push WSUS settings, then they will return until the policy is removed from the computer.
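
To confirm whether WSUS settings are present before cleanup, or have returned afterwards, the registry check above can be turned into a single report. This is an added example, not Level's or Microsoft's script. It assumes the standard Windows Update policy value names WUServer, WUStatusServer and AU\UseWUServer and the WUA Microsoft.Update.ServiceManager COM object, none of which appear in this article; Get-WsusPolicyState is a hypothetical helper name.

```powershell
# Added example: report whether this device is still pointed at a WSUS server.
# Get-WsusPolicyState is a hypothetical helper name, not part of Level or Windows.
function Get-WsusPolicyState {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPath     = Join-Path $policyPath 'AU'

    # Both keys are absent on devices that never received a WSUS policy,
    # so errors are suppressed and missing values come back as $null.
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $au     = Get-ItemProperty -Path $auPath -ErrorAction SilentlyContinue

    # WUServer alone is inert; the agent only uses it when UseWUServer is 1.
    $enforced = ($null -ne $au) -and ($au.UseWUServer -eq 1)

    # Ask the Windows Update Agent which update service it treats as default.
    $manager = New-Object -ComObject Microsoft.Update.ServiceManager
    $default = $manager.Services | Where-Object { $_.IsDefaultAUService }

    [pscustomobject]@{
        WUServer         = $policy.WUServer
        WUStatusServer   = $policy.WUStatusServer
        UseWUServer      = $au.UseWUServer
        WsusEnforced     = $enforced -and [bool]$policy.WUServer
        DefaultAUService = $default.Name
        DefaultIsManaged = $default.IsManaged
    }
}

$state = Get-WsusPolicyState
$state | Format-List

if ($state.WsusEnforced) {
    Write-Output "WSUS is still the update source: $($state.WUServer)"
} elseif ($state.WUServer) {
    Write-Output "WUServer is set but UseWUServer is not 1; the value is stale."
} else {
    Write-Output "No WSUS server configured in policy."
}
```

Run it again after the next Group Policy refresh: if WsusEnforced flips back to True, the policy is still being applied to the device.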
