where-are-updates-coming-from-windows-10-wsus_smUPDATE: VALIDATED THIS PROCESS ON WINDOWS 10 1909 – SEPT 18 2020

If you have Windows 10 clients on a WSUS server and you want to confirm that they are receiving patches from that WSUS server and not going directly to Microsoft to update, you used to just read the %SystemRoot%\WindowsUpdate.log.  Under Windows 10 however, that log now looks like:

Windows Update logs are now generated using ETW (Event Tracing for Windows).
Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.
For more information, please visit http://go.microsoft.com/fwlink/?LinkId=518345

where-are-updates-coming-from-windows-10-wsus-logThis is quite frustrating because it is the only way to easily confirm that your clients are taking updates from WSUS.  The really good news is that when you run the command they suggest to build a log, it requires a “symbols” to be installed which is just another big pain in the butt.  To get around this I found a blog that suggested the following command in POWERSHELL (ADMIN):

 wuauclt /detectnow

Get-WindowsUpdateLog -SymbolServer https://msdl.microsoft.com/download/symbols -LogPath C:\windowsupdate.log

UPDATE: Oct 13, 2016: Microsoft Partner Support tells me that at least on Windows 10, specifying the SYMBOL SERVER is not required as it will automatically pull down any missing symbols without the switch so you can use:

wuauclt /detectnow

Get-WindowsUpdateLog -LogPath C:\windowsupdate.log

I have tested this and found it definitely works on Windows 10 1607.

If you want to run this on a remote machine use:

Get-WindowsUpdateLog -ETLPath \\<HOSTNAME>\C$\windows\Logs\WindowsUpdate -SymbolServer https://msdl.microsoft.com/download/symbols -LogPath C:\LOGS\windowsupdate_<HOSTNAME>.log

You can then open the log with notepad and look for “WSUS” like:


2016-09-22 15:08:04.9264690 724   25384 Agent           WSUS server: http://ch-ms:8530
2016-09-22 15:08:04.9264694 724   25384 Agent           WSUS status server: http://ch-ms:8530
2016-09-22 15:08:04.9264697 724   25384 Agent           Target group: (Unassigned Computers)

or the URL of your WSUS Server like:


2016-09-22 15:08:05.9325837 724   24984 ProtocolTalker  ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCBB7}, Server URL = http://ch-ms:8530/ClientWebService/client.asmx

If you want to look further into your Windows 10 client’s you can check the registry to see what it:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

but that is only a confirmation that your Windows 10 PC received the registry entries from your GPO… not that it is paying attention to that GPO.  For instance, I am currently troubleshooting all my customers Windows 10 Enterprise 1607 Anniversary PC’s that have the GPO applied (according to GPRESULT /R) and the correct registry entry but NOT taking updates from WSUS.  When I find an answer, I will post it here.


10 Comments

Rose B · August 31, 2020 at 3:05 pm

This worked for me in build 1909, however, I don’t see a date/time stamp in the log file. Did this change or am I missing something?

    Ian Matthews · September 18, 2020 at 11:28 am

    Hi Rose;

    I just ran the two lines in PowerShell again:

    wuauclt /detectnow

    Get-WindowsUpdateLog -LogPath C:\windowsupdate.log

    and found that the log did show the date and time:


    2020-09-17 17:25:27.5260937 77112 87432 Agent Initializing global settings cache
    2020-09-17 17:25:27.5260947 77112 87432 Agent WSUS server: http://cal-mss2:8530
    2020-09-17 17:25:27.5260957 77112 87432 Agent WSUS status server: http://cal-mss2:8530
    2020-09-17 17:25:27.5260965 77112 87432 Agent Alternate Download Server: (null)

    Can you post a sample of what your log looked like?

nooboffduty · July 24, 2019 at 1:02 pm

Thanks for this!

Joe · June 27, 2017 at 8:23 am

Hello,

At the end there you said you would post the answer when you find it.

Did you ever find it? Or is it posted somewhere else?

Thanks,

Joe

    Ian Matthews · July 4, 2017 at 2:30 pm

    Sorry Joe, I did not find anymore useful information on the source of Windows Updates.

Roman · May 26, 2017 at 9:04 am

In cmd.exe (or even in powershell.exe) type:
findstr “WSUS server:” c:\windows\WindowsUpdate.log

This will give you output similar to:
2016-11-09 09:39:45:820 872 a8c AU # WSUS server: http://wsus-XX:8530
2016-11-11 04:02:41:404 852 53c Agent * WSUS server: http://wsus-XX:8530

That’s your WSUS server.
Cheers,
—Roman

Jon · January 17, 2017 at 4:18 am

Hi, Thanks for posting this – couldn’t find the info anywhere else. Unfortunately when I generate the log files they have no info in them about the source of the updates (no ‘Agent’ tags, URL etc) . I have 1607. Am I missing something? Thanks, Jon

    Ian Matthews · January 18, 2017 at 7:58 pm

    Hi Jon;

    I have run that command on 1511 and 1607 and both produced the results shown in post. Have you searched for the name of your WSUS server in the logs?

      Jon · January 19, 2017 at 2:43 am

      Hi Ian, Thanks for your reply. No sign of anything to do with the WSUS server in the log files, even though I now know that it is at last going to the WSUS server for updates.

SOLVED: Window 10 1607 Not Applying GPO’s For Windows Update - Up & Running Technologies Calgary · October 14, 2016 at 8:17 am

[…] Worse, the Windows Update log shows it cannot talk to the WSUS server: If you want to read your Windows 10 Windows Update Log, we have the process detailed HERE. […]

Leave a Reply to Ian Matthews Cancel reply

Avatar placeholder

Your email address will not be published. Required fields are marked *