Fail installing updates event log

Brass Contributor

Why there is no event log error for fail installing Windows updates in clients?

SCCM push updates using ADR that create new software Update group each time. I noticed that some updates are failed to install in some servers because of maximum run time (it seems some servers take much time to install the update), however there is no event log shows this in windows event log. I checked Systems logs and filtered based on source of WindowsUpdateClient. the only log i got is event ID 43 (Installation Started: Windows has started installing the following update: ). and this keep repeating every time the update agent try to re-install the same update and it failed. I can see this in Updates History in Windows Updates settings window.

 Any idea how to catch this failure in event log in client machines? 

Regards

Bachar

4 Replies

@bacharbader In Event Viewer, under Application and Services Logs\Microsoft\Windows\WindowsUpdateClient should show you return errors.  With not knowing what version of the OS you referring to you can try running the PowerShell command "Get-WindowsUpdateLog"

@bacharbader 

Did you check the Config Mgr logs? 
wuahandler.log
updatesdeployment.log

rebootcoordinator.log

We typically check those 3 in CMTrace (merged view) and can find errors with the updates installing. Sometimes they are general, non-specific errors that aren't helpful, but other times, it will tell you error "time-out exceeded" etc. 

You may need to run a PS script against your Software Updates Catalog to set the max run time. By default it should be 60mins but we've caught a bunch that were reset to 5mins. We have a script that we run now to increase it to 90 or 120mins for CU's etc. (if required).

I would check in those places and then hit the Google machine for the update run time change.


Drew

@drewfortey 

Thanks. the original problem of fail installing updates is the max run time and I can find the error code in Software center or SCCM logs (as you mentioned). can you please share with me the script you mentioned.

 

however, my post was about catching such an issue using 3rd party monitoring tool that is not integrated with SCCM and its logs. this monitoring tool is looking for any event log in client by event ID or any other criteria but this (max run time) doesn't log any error in client machine. I think Widows update agent terminate the installation once max run time finish.

 

Regards

Bachar

Being able to identify failed patches by event ID's will make it helpful for identifying it a SIEM as well.