SOLVED: Windows Update & WSUS Troubleshooting Commands You Need To Know

UPDATED: Feb 20, 2024

We use WSUS for Windows Update with the vast majority of our corporate clients large and small and while it is usually seamless come up when it goes wrong there’s a few commands we’re always struggling to find so we decided to list them out here so we can find them easily. You like them too.

---

1 – How To Determine Where Windows Updates Are Coming From

$(New-Object -ComObject "Microsoft.Update.ServiceManager").Services | Select-Object Name, IsDefaultAUService

---

2 – How To Force Windows Update Clients To Check in With WSUS

Officially to get your Windows 10, Windows 11 and Windows Server clients to check in with WSUS you simply have to run wuauclt /reportnow, but any tech that has done this for a few years knows how frustrating it can be to not have this command work.

For the last few years we have used two commands to really force the Windows client computers to check in with WSUS:

$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates

Running this command will “prime” the Windows Update engine to submit its most recent status on the next poll. To trigger that next poll, use:

wuauclt /reportnow

https://pleasework.robbievance.net/howto-force-really-wsus-clients-to-check-in-on-demand/

---

3 – How To Force Windows To Check For Updates

There are two Command Line Interface (CLI) programs to manage Windows Update so, which one you need is dependent on the version of Windows you are using.

Don’t forget to run these in an elevated command prompt.

3a – Windows Update CLI For Windows 10, 11 & 12, Windows Server 2016 2019 2022 2025

Usoclient is the ‘new’ command line app for Window Update and it comes with many useful switches:

• usoclient StartScan : Start scanning for new patches
  • we use this one frequently when a server has already checked for updates and only offers the INSTALL NOW button
    • If you want your computer to check for updates again, before you click INSTALL NOW, this is the command for you
    • you can see the GUI start checking immediately in Windows Server 2016, but the Windows 11 Windows Update window shows nothing
• usoclient StartDownload : Start download of patches
• usoclient StartInstall : Install downloaded patches
• usoclient RefreshSettings : Refresh settings (i.e. check for changes)
• usoclient StartInteractiveScan : Ask for user input and/or open dialogues to show progress or report errors if required
• usoclient RestartDevice : Restart device to finish update installation
• usoclient ScanInstallWait : Combined scan, download, & install
• usoclient ResumeUpdate : Resume update installation after rebooting

3b – Windows Update CLI For Windows 7 & 8, Windows Server 2008 2012 R2

WUAUCLT.exe is the old command line app for Window Update and it comes with a few useful switches:

• wuauclt /detectnow – forces Windows to Check for Updates
• wuauclt /reportnow – forces Windows to check in with its update manager (i.e. WSUS)
  • We know this often does not work, so see #2 above for a helper command
• wuauclt /updatenow – forces Windows to install updates

These three switches can be combined. For instance wuauclt.exe /detectnow /updatenow should have Windows scan for new updates and then install them.

---

4 – Command To Create a Searchable Windows Update Log in Text Format

Get-WindowsUpdateLog

This command merges and converts Windows Update trace files (.etl files) into a single human readable WindowsUpdate.log file on your desktop named WindowsUpdate.log.

You can then open the log with Notepad and search for the word ERROR and we also like to confirm where our Windows Updates are actually coming from:

1. Scroll to the very bottom
2. Press CNTL+F (ie. find)
3. Enter ProtocolTalker
4. Click Direction = UP (radio button)
5. Click the FIND NEXT button

---

5 – How To Confirm Connection Can Be Established to Your WSUS Server

Test-NetConnection (wsus-server-name) -PORT 8530

---

6 – Easy Way To Check Connectivity with WSUS

http://(name-of-wsus-server):8530/selfupdate/iuident.cab

Change the (name-of-wsus-server) to whatever yours is and it should download the iuident.cab file in second or two.

If this does not happen, ty using the IP address instead of the host name of your WSUS SERVER:

1. If it works with the IP address but not the name, you have a DNS (name resolution problem). You should fix that, but you can get around the issue by using the IP address in the GPO that specifies the intranet location of your WSUS server
2. If it doesn’t work either way, you have a firewall (i.e. blocking the traffic) or permissions problem (i.e. perhaps you are working across different domains).

---

7 – How To Reset Your Windows Update Client Connection To WSUS

We used to run these steps separately but ajek has a nice little all in one script.

Step 1 – In WSUS, right click on the problematic machine and click DELETE

Step 2 – On the problematic machine, open a PowerShell as an Administrator and paste this script in all at once:

Stop-Service -Name BITS, wuauserv -Force
Remove-ItemProperty -Name AccountDomainSid, PingID, SusClientId, SusClientIDValidation -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ -ErrorAction SilentlyContinue
Remove-Item "$env:SystemRoot\SoftwareDistribution\" -Recurse -Force -ErrorAction SilentlyContinue
Start-Service -Name BITS, wuauserv
wuauclt /resetauthorization /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

Usually the results show up in a hour or two but it could take a full day. If you don’t see any change, “this was not the fix you are looking for”.

---