Nov 07 2021 08:32 AM
We have experienced a huge swell in our WSUS DB size. The table that's causing the swell is tbEventInstance. This table seems to hold all events that the clients send up to the WSUS server. Our clients are looping on a Windows Defender update (install -> fail -> install loop) and hence each machine has thousands of events to send up. We are investigating why the update is failing separately. I'm curious though around the columns TimeAtTarget and TimeAtServer in this table. I would have thought that TimeAtTarget would be the timestamp of the event as seen at the client, but it seems like it's the timestamp when it was successfully uploaded to the WSUS server. Is there any way to see when this event was raised at the client other than inspecting the clients' event logs?
Nov 08 2021 02:52 AM
Not really, no - at least not by default. If you're running something like System Center Configuration Manager then you get centralised reporting, but if you're operating at the "bare bones" level, you have these basic to mid-level options (using Windows 10 Enterprise as the reference):
Technically, for Get-WindowsUpdateLog, it still uses the WindowsUpdate.log file, but rather than being the live file into which events are dropped by the Automatic Updates service (the old paradigm), now it's only generated on-demand by methods such as this commandlet.
That said, if you pair Get-WindowsUpdateLog with Invoke-Command (assuming you have WinRM configured across the client fleet), you at least have a "poor man's" automation option for generating and fetching the logs from multiple clients over the wire (connectivity permitting) to then inspect/diagnose locally.
In any case, all three options will give you the actual time of the event on the affected client.
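The Get-WindowsUpdateLog plus Invoke-Command pairing described in the reply above, as an added example that is not part of the original thread. The computer names and folder paths are constructed placeholders, and it assumes WinRM is enabled on the clients and that the caller has administrative rights on them.

```powershell
# Added example: collect WindowsUpdate.log from several clients over WinRM.
# Assumptions: WinRM is configured, the caller is an administrator on each
# client, and the names/paths below are placeholders to be replaced.
$Computers = 'CLIENT01', 'CLIENT02'      # constructed sample names
$LocalDir  = 'C:\Temp\WULogs'            # assumed local collection folder

New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

foreach ($Computer in $Computers) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $Computer -ErrorAction Stop

        # Generate the log on the client from its ETW traces. -LogPath is set
        # explicitly because the default target is the caller's Desktop,
        # which is not a useful location in a remote session.
        $remoteLog = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            $path = Join-Path $env:TEMP 'WindowsUpdate.log'
            Get-WindowsUpdateLog -LogPath $path | Out-Null
            $path
        }

        # Pull the generated file back over the same session.
        $localLog = Join-Path $LocalDir "$Computer-WindowsUpdate.log"
        Copy-Item -FromSession $session -Path $remoteLog -Destination $localLog -ErrorAction Stop

        # Remove the temporary copy left on the client.
        Invoke-Command -Session $session -ScriptBlock {
            Remove-Item -Path $using:remoteLog -Force
        }
        Write-Host "Collected $localLog"
    }
    catch {
        # Offline or unreachable clients are reported and skipped.
        Write-Warning "Failed on ${Computer}: $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}
```

The timestamps in each collected file are the client's own, so they can be compared against TimeAtTarget and TimeAtServer for the same machine.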