SOLVED: How To Determine The Source Of Your Windows Updates on Windows 10

where-are-updates-coming-from-windows-10-wsus_smUPDATE: VALIDATED THIS PROCESS ON WINDOWS 10 1909 – SEPT 18 2020

If you have Windows 10 clients on a WSUS server and you want to confirm that they are receiving patches from that WSUS server and not going directly to Microsoft to update, you used to just read the %SystemRoot%\WindowsUpdate.log.  Under Windows 10 however, that log now looks like:

Windows Update logs are now generated using ETW (Event Tracing for Windows).
Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.
For more information, please visit http://go.microsoft.com/fwlink/?LinkId=518345

where-are-updates-coming-from-windows-10-wsus-logThis is quite frustrating because it is the only way to easily confirm that your clients are taking updates from WSUS.  The really good news is that when you run the command they suggest to build a log, it requires a “symbols” to be installed which is just another big pain in the butt.  To get around this I found a blog that suggested the following command in POWERSHELL (ADMIN):

 wuauclt /detectnow

Get-WindowsUpdateLog -SymbolServer https://msdl.microsoft.com/download/symbols -LogPath C:\windowsupdate.log

UPDATE: Oct 13, 2016: Microsoft Partner Support tells me that at least on Windows 10, specifying the SYMBOL SERVER is not required as it will automatically pull down any missing symbols without the switch so you can use:

wuauclt /detectnow

Get-WindowsUpdateLog -LogPath C:\windowsupdate.log

I have tested this and found it definitely works on Windows 10 1607.

If you want to run this on a remote machine use:

Get-WindowsUpdateLog -ETLPath \\<HOSTNAME>\C$\windows\Logs\WindowsUpdate -SymbolServer https://msdl.microsoft.com/download/symbols -LogPath C:\LOGS\windowsupdate_<HOSTNAME>.log

You can then open the log with notepad and look for “WSUS” like:


2016-09-22 15:08:04.9264690 724   25384 Agent           WSUS server: http://ch-ms:8530
2016-09-22 15:08:04.9264694 724   25384 Agent           WSUS status server: http://ch-ms:8530
2016-09-22 15:08:04.9264697 724   25384 Agent           Target group: (Unassigned Computers)

or the URL of your WSUS Server like:


2016-09-22 15:08:05.9325837 724   24984 ProtocolTalker  ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCBB7}, Server URL = http://ch-ms:8530/ClientWebService/client.asmx

If you want to look further into your Windows 10 client’s you can check the registry to see what it:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

but that is only a confirmation that your Windows 10 PC received the registry entries from your GPO… not that it is paying attention to that GPO.  For instance, I am currently troubleshooting all my customers Windows 10 Enterprise 1607 Anniversary PC’s that have the GPO applied (according to GPRESULT /R) and the correct registry entry but NOT taking updates from WSUS.  When I find an answer, I will post it here.

Comments

  1. Avatar
    Rose B August 31, 2020 at 3:05 pm

    This worked for me in build 1909, however, I don’t see a date/time stamp in the log file. Did this change or am I missing something?

    • Ian Matthews
      Ian Matthews September 18, 2020 at 11:28 am

      Hi Rose;

      I just ran the two lines in PowerShell again:

      wuauclt /detectnow

      Get-WindowsUpdateLog -LogPath C:\windowsupdate.log

      and found that the log did show the date and time:


      2020-09-17 17:25:27.5260937 77112 87432 Agent Initializing global settings cache
      2020-09-17 17:25:27.5260947 77112 87432 Agent WSUS server: http://cal-mss2:8530
      2020-09-17 17:25:27.5260957 77112 87432 Agent WSUS status server: http://cal-mss2:8530
      2020-09-17 17:25:27.5260965 77112 87432 Agent Alternate Download Server: (null)

      Can you post a sample of what your log looked like?

  2. Avatar
    nooboffduty July 24, 2019 at 1:02 pm

    Thanks for this!

  3. Avatar
    Joe June 27, 2017 at 8:23 am

    Hello,

    At the end there you said you would post the answer when you find it.

    Did you ever find it? Or is it posted somewhere else?

    Thanks,

    Joe

    • Ian Matthews
      Ian Matthews July 4, 2017 at 2:30 pm

      Sorry Joe, I did not find anymore useful information on the source of Windows Updates.

  4. Avatar
    Roman May 26, 2017 at 9:04 am

    In cmd.exe (or even in powershell.exe) type:
    findstr “WSUS server:” c:\windows\WindowsUpdate.log

    This will give you output similar to:
    2016-11-09 09:39:45:820 872 a8c AU # WSUS server: http://wsus-XX:8530
    2016-11-11 04:02:41:404 852 53c Agent * WSUS server: http://wsus-XX:8530

    That’s your WSUS server.
    Cheers,
    —Roman

  5. Avatar
    Jon January 17, 2017 at 4:18 am

    Hi, Thanks for posting this – couldn’t find the info anywhere else. Unfortunately when I generate the log files they have no info in them about the source of the updates (no ‘Agent’ tags, URL etc) . I have 1607. Am I missing something? Thanks, Jon

    • Ian Matthews
      Ian Matthews January 18, 2017 at 7:58 pm

      Hi Jon;

      I have run that command on 1511 and 1607 and both produced the results shown in post. Have you searched for the name of your WSUS server in the logs?

      • Avatar
        Jon January 19, 2017 at 2:43 am

        Hi Ian, Thanks for your reply. No sign of anything to do with the WSUS server in the log files, even though I now know that it is at last going to the WSUS server for updates.

Questions or Comments?