Known Issue – Windows Updates occasionally incorrectly show as not succeeded in Intune
Published Jul 27 2020 06:02 PM 15.1K Views

Updated 6/3/21: To minimize confusion about the update state, (noted in MC254874) we will be removing the End user update status report found in Devices > Windows > Windows 10 Feature updates > Select a Profile. You will be able to find the same information in the Windows Feature Update report under Reports > Windows Updates (preview) > Reports tab > Generate Windows Feature Update report, “Update State” and “Update SubStates” columns.

 

We will also be removing the Update Status column in the June (2106) Intune service release. (Devices > Windows > Windows 10 update rings > Select a Profile).

 

We were recently alerted to an issue whereby a device in the Microsoft Endpoint Manager admin console was showing “failed” for their Windows Update status.

 

Upon investigation, we discovered that the device was not missing any updates – everything had successfully applied. However, we did find two error codes on the device, which then were calculated by Intune as “failed”.  After the policy was re-evaluated, then the device returned to healthy.

 

Here’s the steps we took to replicate this experience: 

  1. Create a basic Windows Update ring policy and apply to Windows 10 devices. 
  2. Trigger a check for updates and refresh the device. 
  3. Download Psexec.exe
  4. Run psexec /sid PowerShell.exe from an elevated command prompt or elevated PowerShell window.  A new PowerShell instance will open, running in system context.
  5. Run the following command in the system-context PowerShell window you created in step 4:

gwmi MDM_Update_FailedUpdates01_01 -Namespace ROOT\CIMV2\mdm\dmmap

 

If nothing is returned, the device does not currently have a failed update.  

WU_1.png

 

If Windows Update returns one of the two error codes as you can see on the device, then you’ll see “failed” in the console: 

 

HResult    : -2145082874   

InstanceID : ec67ed82-8cf6-4fa9-86bf-efdb4e7b5d00

ParentID   : ./Vendor/MSFT/Update/FailedUpdates

State      : 

 

HResult    : -2145082858   

InstanceID : 33e3f18f-c868-4d00-8266-01c100acf444

ParentID   : ./Vendor/MSFT/Update/FailedUpdates

State      : 

 

These two error codes are specific to Windows Update being too busy. It’s rare, but there are times that the service will return these codes. If you run into this, both the Intune policy refresh and then likely the Windows Update policy refresh will need to trigger to ensure policy is evaluated and updated. For more info on Intune policy refresh timelines, see: How long does it take for devices to get a policy, profile, or app after they are assigned? to learn more.

 

Follow Intune Support as a Feature on Twitter as @IntuneSuppTeam for helpful articles, release info, and more!

 

Blog updates:

6/3/21: To minimize confusion about the update state, we will be removing the Update Status column in the June (2106) Intune service release.

6/30/21: Additional note that in the in the May (2105) service release, we have also removed the Alert details column in the Windows 10 Feature Updates report. For accurate information on Alert details, you should use the operational report under Devices > Monitor > Feature update failures (Preview) > Select a Profile and then select an Alert Message. This will provide a pop-up with the description and recommendation to resolve.

12 Comments
Version history
Last update:
‎Nov 30 2023 04:00 PM
Updated by: