Monday, 10 March 2025

Troubleshooting of SCCM Windows Update Deployment with PowerShell Scripts

 

Introduction

Managing and deploying Windows Updates in an enterprise environment can sometimes become a challenging task. Often, updates fail to install or are stuck in a pending state. When troubleshooting such issues in an SCCM (System Center Configuration Manager) environment, PowerShell scripts can be a powerful tool to monitor, remediate, and resolve common issues. This blog post will guide you through using PowerShell scripts within SCCM Configuration Items (CI) for monitoring and remediating Windows Update deployment issues.

We'll walk through:

  1. Monitoring Windows Update Folder Activity with a PowerShell script.
  2. Remediation of Common Windows Update Issues using PowerShell, such as stopping update services, clearing cache, and resetting configurations.

1. Monitoring Script: Checking Windows Update Folder Activity

The first step in troubleshooting Windows Update issues is to ensure the update files are being handled correctly. The SoftwareDistribution folder stores update-related files, and if it's not being updated regularly, it could indicate a problem with the update process.

Monitor Script:

# Define the folder path you want to check
$folderPath = "C:\Windows\SoftwareDistribution"

# Get the current date
$currentDate = Get-Date

# Get the folder's LastWriteTime property
$folderLastModified = (Get-Item $folderPath).LastWriteTime

# Calculate the time span between the current date and the folder's last modification date
$timeSpan = $currentDate - $folderLastModified

# Check if the folder was last modified within the last 15 days
if ($timeSpan.TotalDays -le 15) {
    Write-Host "Compliant"
} else {
    Write-Host "Non-Compliant"
}
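
A directory's LastWriteTime on NTFS changes only when its direct children are added, removed or renamed, so activity deeper in the tree can go unnoticed by the check above. The variant below is an added example, not part of the original script; the function name Test-UpdateFolderActivity and its parameters are hypothetical. It also reports Non-Compliant when the folder is missing instead of throwing.

```powershell
# Added example (not the original script): discovery check that handles a
# missing folder and considers the newest item anywhere under the folder.
function Test-UpdateFolderActivity {
    param(
        [string]$Path = "$env:SystemRoot\SoftwareDistribution",
        [int]$MaxAgeDays = 15
    )

    # A missing folder means the update client has nothing staged at all.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return 'Non-Compliant'
    }

    # Collect the folder itself plus every descendant, because the folder's
    # own timestamp does not move when a file deep inside it is rewritten.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    # Newest write time across the whole tree.
    $newest = ($items |
        Sort-Object -Property LastWriteTime -Descending |
        Select-Object -First 1).LastWriteTime

    $age = (Get-Date) - $newest
    if ($age.TotalDays -le $MaxAgeDays) { 'Compliant' } else { 'Non-Compliant' }
}

# Emit the compliance value for the Configuration Item.
Test-UpdateFolderActivity
```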


2. Remediation Script: Resolving Windows Update Issues

When updates aren't working as expected, it's time to run a remediation script. This script will:

  • Stop Windows Update services.
  • Clear out old update cache and logs.
  • Rename the SoftwareDistribution and CatRoot2 folders (which may become corrupted).
  • Reset client settings and force discovery of new updates.

Remediation Script:

$arch = Get-WMIObject -Class Win32_Processor -ComputerName LocalHost | Select-Object AddressWidth

# Suppress non-terminating errors so a missing file or service does not stop the run
$ErrorActionPreference = 'SilentlyContinue'

Write-Host "1. Stopping Windows Update Services..."
Stop-Service -Name BITS -Force
Stop-Service -Name wuauserv -Force
Stop-Service -Name appidsvc -Force
Stop-Service -Name cryptsvc -Force

Write-Host "2. Remove QMGR Data file..."
Remove-Item "$env:allusersprofile\Application Data\Microsoft\Network\Downloader\qmgr*.dat" -ErrorAction SilentlyContinue

# Stop the services again in case any of them restarted
Stop-Service -Name BITS -Force
Stop-Service -Name wuauserv -Force
Stop-Service -Name appidsvc -Force
Stop-Service -Name cryptsvc -Force

Write-Host "3. Renaming the Software Distribution and CatRoot Folder..."
# Delete the previous backup so the rename below can succeed
Remove-Item $env:systemroot\SoftwareDistribution.bak -Force -Recurse
Rename-Item $env:systemroot\SoftwareDistribution SoftwareDistribution.bak -ErrorAction SilentlyContinue
Rename-Item $env:systemroot\System32\Catroot2 catroot2.bak -ErrorAction SilentlyContinue

Write-Host "4. Removing old Windows Update log..."
Remove-Item $env:systemroot\WindowsUpdate.log -ErrorAction SilentlyContinue

Stop-Service -Name BITS -Force
Stop-Service -Name wuauserv -Force
Stop-Service -Name appidsvc -Force
Stop-Service -Name cryptsvc -Force

Write-Host "5. Resetting the Windows Update Services to default settings..."
# Call sc.exe directly (a quoted command line is only printed, never executed).
# The SDDL is single-quoted so PowerShell passes the parentheses and semicolons through unchanged.
sc.exe sdset bits 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
sc.exe sdset wuauserv 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'

Set-Location $env:systemroot\system32

Write-Host "6) Removing WSUS client settings..."
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f

Write-Host "7) Delete all BITS jobs..."
Get-BitsTransfer | Remove-BitsTransfer

Write-Host "8) Starting Windows Update Services..."
# Start-Service has no -Force parameter; passing it makes the call fail and the service stays stopped
Start-Service -Name BITS
Start-Service -Name wuauserv
Start-Service -Name appidsvc
Start-Service -Name cryptsvc

# Reset the ConfigMgr client policy, then trigger the client schedules by ID
Start-Sleep -Seconds 10
Invoke-WmiMethod -Namespace "root\ccm" -Class "SMS_Client" -Name "ResetPolicy" -ArgumentList 1
Start-Sleep -Seconds 10
Invoke-WmiMethod -Namespace root\ccm -Class sms_client -Name TriggerSchedule -ArgumentList "{00000000-0000-0000-0000-000000000021}"
Start-Sleep -Seconds 10
Invoke-WmiMethod -Namespace root\ccm -Class sms_client -Name TriggerSchedule -ArgumentList "{00000000-0000-0000-0000-000000000113}"
Start-Sleep -Seconds 10
Invoke-WmiMethod -Namespace root\ccm -Class sms_client -Name TriggerSchedule -ArgumentList "{00000000-0000-0000-0000-000000000114}"
Start-Sleep -Seconds 10
Invoke-WmiMethod -Namespace root\ccm -Class sms_client -Name TriggerSchedule -ArgumentList "{00000000-0000-0000-0000-000000000026}"

Write-Host "9) Forcing discovery..."
wuauclt /resetauthorization /detectnow

Write-Host "Process complete. Please reboot your computer."
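
Because the remediation script runs with errors silenced, a failed step leaves no trace. The check below is an added example, not part of the original script; the function names Get-ServiceDacl and Test-UpdateRemediation are hypothetical. It assumes sc.exe sdshow returns the ACEs in the same form they were set, and it confirms that the service DACLs match the SDDL used in step 5, that no update service is disabled, and that the SoftwareDistribution rename took place.

```powershell
# Added example (not the original script): verify what the remediation changed.
# DACL applied to BITS and wuauserv in step 5, copied from the script above.
$ExpectedDacl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'

function Get-ServiceDacl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints the service security descriptor as one SDDL string.
    $raw = (& sc.exe sdshow $Name 2>$null) -join ''
    if ($LASTEXITCODE -ne 0) { return $null }
    # Keep only the DACL; an optional SACL section starts with "S:".
    return ($raw.Trim() -csplit 'S:')[0]
}

function Test-UpdateRemediation {
    $findings = @()

    # 1. Service DACLs: any difference means step 5 failed or the ACL drifted.
    foreach ($name in 'BITS', 'wuauserv') {
        $dacl = Get-ServiceDacl -Name $name
        if ($null -eq $dacl) {
            $findings += ('{0}: could not read security descriptor' -f $name)
        } elseif ($dacl -ne $ExpectedDacl) {
            $findings += ('{0}: DACL differs from expected: {1}' -f $name, $dacl)
        }
    }

    # 2. None of the services the script restarts may be missing or disabled.
    foreach ($name in 'BITS', 'wuauserv', 'appidsvc', 'cryptsvc') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            $findings += ('{0}: service not found' -f $name)
        } elseif ($svc.StartMode -eq 'Disabled') {
            $findings += ('{0}: start mode is Disabled' -f $name)
        }
    }

    # 3. Step 3 deletes any old .bak first, so a .bak folder present now
    #    shows that this run's rename succeeded.
    if (-not (Test-Path -LiteralPath "$env:SystemRoot\SoftwareDistribution.bak")) {
        $findings += 'SoftwareDistribution was not renamed (no .bak folder)'
    }

    if ($findings.Count -eq 0) { 'Compliant' } else { $findings }
}

Test-UpdateRemediation
```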


Conclusion

By using SCCM Configuration Items (CI) and PowerShell scripts, you can efficiently monitor and remediate Windows Update issues in your environment. The monitoring script helps identify whether updates are happening, while the remediation script tackles common update failures and clears the way for a successful update process.
