Troubleshooting expedited updates
Published Jul 29 2021 04:11 PM 25.3K Views
Microsoft

As we work through the Public Preview of expedited updates in Microsoft Endpoint Manager, we wanted to share troubleshooting tips based on the feedback we've received to date.

We are continuing to build and enhance the expedited update capabilities currently available in public preview. We investigate issues and feedback. We update documentation. We make improvements. For those eager to utilize this feature, but who may be experiencing issues, we wanted to share some information to help efficiently troubleshoot your devices independently. Most of the tips included in this post are based on the assumption that you are using Microsoft Intune to create and manage an expedited update policy, if you are using the expedited updates feature through the Microsoft Graph APIs or PowerShell, most of the steps remain the same, but you'll be able to see reporting in Update Compliance if you are a current Update Compliance customer.

Common errors

The two most common errors we've seen are related to not meeting the prerequisites or not having diagnostic data turned on. Our reporting and logs don't currently distinguish between some causes; however, we have heard this feedback and are working on reporting improvements for these cases.

Issue

Error in Intune

Error in client logs (see advanced troubleshooting techniques)

The licensing for your tenant must include the expedited updates feature, which means that you need one of the following:

Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)

Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)

Windows 10 Virtual Desktop Access (VDA) per user

Microsoft 365 Business Premium

See prerequisites for more detail.

Not Registered

UpdateHealthToolsServiceBlockedByNoDSSJoin

Windows Update must be configured as the scan source for quality updates You must be enrolled in Intune MDM or utilizing co-management with the Windows Update policies workload set to Intune or Pilot Intune.

Not Registered

UpdateHealthToolsServiceBlockedByNoDSSJoin

The system must be Azure AD joined or Hybrid Azure AD joined. Workplace Join machines are not supported.

Not Registered

UpdateHealthToolsServiceBlockedByNoDSSJoin

Update Health Tools (KB4023057 and its successors) are installed. See below on how to check for this.

Not Registered

Client isn't installed, so there are no client logs to look at. See the section below about how to check whether the client is installed.

You much turn on Windows Health Monitoring to see reporting. See below for instructions.

Won't see Update State and Substate in the Intune reports.

Client logs will look normal, but won't upload the client telemetry to Intune, so the client data won't show up in the reports.

Reporting flow for common errors

Here is a subset of Update States within the expedited updates workflow as the policy progresses, with a focus on what you'll see in the common error cases noted above. For more information, see the Update states section of the documentation on Expedite Windows 10 quality updates in Microsoft Intune.

Update State

Update Substate

Comments

Pending

Validation

The device has been added to the expedited updates policy and is being validated.

Note: You might see devices stuck in this state if any of the prerequisites mentioned above are not met. So please double-check the requirements.

Pending

Scheduled

The device has passed validation and will be expedited soon.

Offering

OfferReady

The expedite instructions have been sent to the device. Device should start scan of Windows Update shortly.

Installed

UpdateInstalled

Update has successfully been expedited. This is the final state in the workflow.

I see the Not Registered error for certain devices and want to check if the client is installed

If you meet the prerequisites, one other possibility for a Not Registered error is that the Update Health Tools client is not running on the device.

Normally, these are installed automatically when the device is eligible, so no action is required. This client is deployed through Windows Update as a small, separate KB. However, if the device isn't receiving quality updates from Windows Update (or it just switched it over recently to scan Windows Update), it may not have the client. Also, if your device isn't regularly receiving quality updates, whatever is causing that (for example, low disk space or not enough time active and connected to the internet) may have also prevented the device from installing the Update Health Tools.

If you currently don't have the client installed, you can then try forcing a normal Windows Update scan on an example device to see if there are any problems. Alternatively, you can manually download and install Update Health Tools from the Microsoft Download Center.

To verify that Update Health Tools are running on the device correctly:

  1. Look for the installation files at this location (C:\Program Files\Microsoft Update Health Tools).
  2. Check if the Microsoft Update Health service is running on the device.

    01_troubleshoot-expedite.png
  3. Check the device enrollment status.

    The client service contacts the cloud service and checks if the tenant is enrolled or not in the Windows Update for Business deployment service (called DSS in the logs). Check the ETL logs (see How to read Windows Update Health Tools ETL Logs for more details).

    If the tenant is not registered in the cloud service, the ETL logs would have text similar to the following example: “UpdateHealthToolsServiceBlockedByNoDSSJoin”.

    12/03/2020 12:52:14.95242 AM {Microsoft.Windows.UpdateHealthTools} | *Information* -> [PackageVersion] : 2020.11B; [Message] : Failed to check for dss membership hr = 0x80072ee7; [HResult] : -2147012889 (0x80072EE7);

    12/03/2020 12:52:14.95243 AM {Microsoft.Windows.UpdateHealthTools} | *Information* -> [PackageVersion] : 2020.11B; [Message] : Device doesn't belong to any dss tenant: HR = 0x80072ee7; [HResult] : -2147012889 (0x80072EE7);

    12/03/2020 12:52:14.95269 AM {Microsoft.Windows.UpdateHealthTools} | *UpdateHealthToolsServiceBlockedByNoDSSJoin* -> [PartA_PrivTags] : 2147483648; [PackageVersion] : 2020.11B;

    If the device is registered with the service, the ETL file would have following text UpdateHealthToolsServiceIsDSSJoin”

    07/13/2021 02:13:13.15761 PM {Microsoft.Windows.UpdateHealthTools} | *Information* -> [PackageVersion] : 2021.06C; [Message] : Finished parsing enrollment status info hr = 0x00000000;

    07/13/2021 02:13:13.15788 PM {Microsoft.Windows.UpdateHealthTools} | *UpdateHealthToolsServiceIsDSSJoin* -> [PartA_PrivTags] : 2147483648; [PackageVersion] : 2021.06C;

    Once the enrollment check is complete, the client registers the device with the cloud service so that it can contact the device when an Expedite policy is created at some point in the future. Here are some items to check to ensure the device has successfully communicated with the cloud service.

    02_troubleshoot-expedite.png
  4. Make sure the device can POST to the expediated updates service.

    If the client can register with the cloud service, the ETL logs would have the text starting “UpdateHealthToolsDeviceInformationUploaded

    Look for the following logging information in the ETL logs for Microsoft Update Health Tools like below:

    12/02/2020 10:57:39.50645 AM {Microsoft.Windows.UpdateHealthTools} | *Information* -> [PackageVersion] : 2020.11B; [Message] : Session connected to devicelistenerprod.microsoft.com port 443;

    12/02/2020 10:57:39.93683 AM {Microsoft.Windows.UpdateHealthTools} | *Information* -> [PackageVersion] : 2020.11B; [Message] : Status code from POST 200;

    12/02/2020 10:57:39.93704 AM {Microsoft.Windows.UpdateHealthTools} | *Information* -> [PackageVersion] : 2020.11B; [Message] : Completed upload to: devicelistenerprod.microsoft.com, /api/v1.0/Devices;

    12/02/2020 10:57:39.93729 AM {Microsoft.Windows.UpdateHealthTools} | *UpdateHealthToolsDeviceInformationUploaded* -> [PartA_PrivTags] : 2147483648; [PackageVersion] : 2020.11B;

    If the client fails to register with the cloud service, the ETL logs would contain the text “UpdateHealthToolsDeviceInformationUploadFailed” with an error code. A common reason for failure to register with the cloud service is due to an HTTPS error and the nature of that error would be recorded in the logs. In case of failure, the logs would contain the text “Failed to get status code”. If there is a successful HTTPS post the logs would contain the text “Status code from POST”.

    You will need to allow the following endpoints if they are blocked in the device's firewall settings, or an upstream firewall:
    • *.blob.core.windows.net port 443
    • deploymentscheduler.microsoft.com port 443
    • Devicelistenerprod.microsoft.com port 443
    • Devicelistenerprod.eudb.microsoft.com (required for EU organizations only)

  5. Ensure that devices are regularly polling for expedited update content.

    Once the client on the device has successfully registered with the cloud service, it is ready to receive expedited updates. The client polls and checks if an expedited update policy has been created. It could also receive a notification from the cloud service to start working on an expedited update policy. If the device is set up correctly, an expedited update policy has been created, and the device update state has still not been updated, here are couple of things to check:
    • Polling happens at certain intervals. Check if the logs have the recent text “Not enough time passed since last poll action”. If so, then you need to wait some time for the device to find the new policy in the next poll.
    • You can check the last poll time at this registry location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\uhs\polling
    • When the device receives the information about the policy, the ETL logs would contain the text “Received the following push content:”.
    • You can validate this information in the registry as the device starts working on the policy: \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate\exp\Policies

The client saves useful information about the execution of that policy at that location.

My device is not showing any update state and substate

Make sure the Windows Health Monitoring policy is enabled in Intune. Windows Health Monitoring is an important prerequisite for Windows diagnostic data events to flow through and show in Intune. Without it being set, you will get status from the cloud service, but not client status. If there are existing policies, make sure that Windows Health Monitoring is enabled and targeted to the Intune group being used to create the expediated update policy.

For detailed documentation explaining the steps, see Create a Windows Health Monitoring profile in Microsoft Intune .

Here is a summary:

  1. Create a new Windows Health Monitoring profile: Configuration Profiles > Create Profile.

    03_troubleshoot-expedite.png
  2. Complete the wizard and apply the required Intune group.

    04_troubleshoot-expedite.png

How to read Update Health Tools ETL files

This is advanced troubleshooting for what's happening to a particular client. Should you require use of these steps to determine what is happening, and it is not one of the common errors above, please let us know because we'd like to improve future reporting.

The ETL files for Microsoft Update Health Tools are in the following folder:

C:\Program Files\Microsoft Update Health Tools\Logs (reference your device program files folder using %ProgramFiles% if your system drive is not C:)

In order to read the ETL files, you can use the Microsoft application Perfview.

  1. Download PerfView
  2. The download will contain a single compressed exe file.
  3. Copy the PerfView binary to your desktop or desired folder.
  4. Start the PerfView application, type the location of the Microsoft Update Health Tools Logs folder, and select Enter.

    05_troubleshoot-expedite.png
  5. You will see the list of ETL files located in the folder.

    06_troubleshoot-expedite.png
  6. Double click on any of these files (the low numbered logs are the most recent) to parse the ETL format in PerfView.

    07_troubleshoot-expedite.png
  7. Double click on the “Events” node and click on the Microsoft.Windows.UpdateHealthTools/Information.

    08_troubleshoot-expedite.png
  8. The ETL files provide rich debugging information for the Microsoft Update Health Tools client.

How to contact us

We'd love to hear your feedback on how expedited updates are working for you, including challenges and opportunities. Should you find an issue that you'd like us to investigate, or if you encounter any of the issues documented here, please reach out directly to our team at askwufb@microsoft.com. Please include your tenant ID, your policy ID, and the Azure AD IDs of any devices you'd like us to look at.

Microsoft formal customer support channels also work, but we welcome your emails during this public preview period if you'd like to discuss your ideas with us directly.

If more troubleshooting is required on a specific client, one of the best ways is to submit feedback using the Feedback Hub. If you're on a commercial device, you may have to install Feedback Hub from the Microsoft Store if it's not already present on the device. Once you have feedback hub installed, navigate to: Start > Feedback Hub > Report a problem and select category for Downloading, installing, and configuring Windows Updates.

09_troubleshoot-expedite.png

In the summary text, please use the word “Expedite” along with a few words about what is going wrong. This makes it easier and faster to get the issue to the right part of the team. For example, you could type “Expedite: Device not registered even though it has the Update Health Tools running” and provide some basic information about your issues.

After you submit your feedback, you will see a Share my feedback link. If you are also contacting Microsoft Support or sending us an email about the same issue, please select that option so that you can copy and include a link to your Feedback Hub entry in your communications.

Learn more

To learn more about expediting updates, please see Expedite Windows 10 quality updates in Microsoft Intune. While the documentation for Use Update Compliance reports for Windows Updates in Microsoft Intune doesn't specifically discuss expedited updates, much of the information around Windows 10 feature updates reporting applies to this scenario. For example, there is good information concerning data latency from cloud service components and client components.

Thank you for trying our feature – we're really excited about this feature and your feedback during this Public Preview is critical to making it even better!

 

11 Comments
Co-Authors
Version history
Last update:
‎Apr 03 2023 12:28 PM
Updated by: