Hostsystem Not Ready or Offline Please Try Again Later
Troubleshoot Update Management issues
This article discusses issues that you might run into when using the Update Management feature to assess and manage updates on your machines. There's an agent troubleshooter for the Hybrid Runbook Worker agent to help determine the underlying problem. To learn more about the troubleshooter, see Troubleshoot Windows update agent issues and Troubleshoot Linux update agent issues. For other feature deployment issues, see Troubleshoot feature deployment issues.
Note
If you run into issues when deploying Update Management on a Windows machine, open the Windows Event Viewer, and check the Operations Manager event log under Application and Services Logs on the local machine. Look for events with event ID 4502 and event details that contain Microsoft.EnterpriseManagement.HealthService.AzureAutomation.HybridAgent.
Scenario: Windows Defender update always shows as missing
Issue
Definition update for Windows Defender (KB2267602) always shows as missing in an assessment when it's installed and shows as up to date when verified from Windows Update history.
Cause
Definition updates are published multiple times in a single day. As a result, you could see multiple releases of KB2267602 published in a single day, but with a different update ID and version.
Update Management assessment runs once in 11 hours. In this example, at 10:00 AM an assessment ran and version 1.237.316.0 was available at the time. When you search the Update table in your Log Analytics workspace, the definition update 1.237.316.0 is shown with an UpdateState of Needed. If a scheduled deployment runs a few hours later, let's say 1:00 PM, and version 1.237.316.0 is still available or a newer version is, the newer version is installed and this is reflected in the record written to the UpdateRunProgress table. However, the Update table still shows version 1.237.316.0 as Needed until the next assessment is run. When the assessment runs again, there may not be a newer definition update available, so the Update table would not show the definition update version 1.237.316.0 as missing or a newer version available as needed. Because of the frequency of definition updates, there could be multiple versions returned in the log search.
Resolution
Run the following log query to confirm definition updates installed are being properly reported. This query returns the time generated, version, and update ID of KB2267602 in the Updates table. Replace the value for Computer with the fully qualified name of the machine.
```kusto
Update
| where TimeGenerated > ago(14h) and OSType != "Linux" and (Optional == false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((
    Heartbeat
    | where TimeGenerated > ago(12h) and OSType =~ "Windows" and notempty(Computer)
    | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
    | where Solutions has "updates"
    | distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID
| where UpdateState =~ "Needed" and Approved != false and Computer == "<computerName>"
| render table
```
Run the following log query to get the time generated, version, and update ID of KB2267602 in the UpdateRunProgress table. This query helps us understand if it was installed from Update Management or if it was auto-installed on the machine from Microsoft Update. You need to replace the value for CorrelationId with the runbook job GUID (that is, the MasterJOBID property value from the Patch-MicrosoftOMSComputer runbook job) for the update, and SourceComputerId with the GUID of the machine.
```kusto
UpdateRunProgress
| where OSType!="Linux" and CorrelationId=="<master job id>" and SourceComputerId=="<source computer id>"
| summarize arg_max(TimeGenerated, Title, InstallationStatus) by UpdateId
| project TimeGenerated, id=UpdateId, displayName=Title, InstallationStatus
```
If the TimeGenerated value for the log query results from the Updates table is earlier than the timestamp (that is, value of TimeGenerated) of the update installation on the machine or from the log query results from the UpdateRunProgress table, then wait for the next assessment. Afterward, run the log query against the Updates table again. Either an update for KB2267602 won't appear or it appears with a newer version. However, if even after the most recent assessment the same version shows up as Needed in the Updates table but it is already installed, you should open an Azure support incident.
Scenario: Linux updates shown as pending and those installed vary
Issue
For your Linux machine, Update Management shows specific updates available under classification Security and Others. But when an update schedule is run on the machine, for example to install only updates matching the Security classification, the updates installed are different from or a subset of the updates shown earlier matching that classification.
Cause
When an assessment of OS updates pending for your Linux machine is done, Open Vulnerability and Assessment Language (OVAL) files provided by the Linux distro vendor are used by Update Management for classification. Linux updates are categorized as Security or Others, based on the OVAL files, which state which updates address security issues or vulnerabilities. But when the update schedule is run, it executes on the Linux machine using the appropriate package manager like YUM, APT or ZYPPER to install them. The package manager for the Linux distro may have a different mechanism to classify updates, where the results may differ from the ones obtained from OVAL files by Update Management.
Resolution
You can manually check the Linux machine, the applicable updates, and their classification per the distro's package manager. To understand which updates are classified as Security by your package manager, run the following commands.
For YUM, the following command returns a non-zero list of updates categorized as Security by Red Hat. Note that in the case of CentOS, it always returns an empty list and no security classification occurs.
```bash
sudo yum -q --security check-update
```
For ZYPPER, the following command returns a non-zero list of updates categorized as Security by SUSE.
```bash
sudo LANG=en_US.UTF8 zypper --non-interactive patch --category security --dry-run
```
For APT, the following command returns a non-zero list of updates categorized as Security by Canonical for Ubuntu Linux distros.
```bash
sudo grep security /etc/apt/sources.list > /tmp/oms-update-security.list
LANG=en_US.UTF8 sudo apt-get -s dist-upgrade -oDir::Etc::Sourcelist=/tmp/oms-update-security.list
```
From this list you then run the command grep ^Inst to get all the pending security updates.
Scenario: You receive the error "Failed to enable the Update solution"
Issue
When you attempt to enable Update Management in your Automation account, you get the following error:
```text
Error details: Failed to enable the Update solution
```
Cause
This error can occur for the following reasons:
- The network firewall requirements for the Log Analytics agent might not be configured correctly. This situation can cause the agent to fail when resolving the DNS URLs.
- Update Management targeting is misconfigured and the machine isn't receiving updates as expected.
- You might also notice that the machine shows a status of Non-compliant under Compliance. At the same time, Agent Desktop Analytics reports the agent as Disconnected.
Resolution
- Run the troubleshooter for Windows or Linux, depending on the OS.
- Go to Network configuration to learn about which addresses and ports must be allowed for Update Management to work.
- Check for scope configuration problems. Scope configuration determines which machines are configured for Update Management. If your machine is showing up in your workspace but not in Update Management, you must set the scope configuration to target the machines. To learn about the scope configuration, see Enable machines in the workspace.
- Remove the worker configuration by following the steps in Remove the Hybrid Runbook Worker from an on-premises Windows computer or Remove the Hybrid Runbook Worker from an on-premises Linux computer.
Scenario: Superseded update indicated as missing in Update Management
Issue
Old updates are appearing for an Automation account as missing even though they've been superseded. A superseded update is one that you don't have to install because a later update that corrects the same vulnerability is available. Update Management ignores the superseded update and makes it not applicable in favor of the superseding update. For information about a related issue, see Update is superseded.
Cause
Superseded updates aren't declined in Windows Server Update Services (WSUS) so that they can be considered not applicable.
Resolution
When a superseded update becomes 100 percent not applicable, you should change the approval state of that update to Declined in WSUS. To change approval state for all your updates:
- In the Automation account, select Update Management to view machine status. See View update assessments.
- Check the superseded update to make sure that it's 100 percent not applicable.
- On the WSUS server the machines report to, decline the update.
- Select Computers and, in the Compliance column, force a rescan for compliance. See Manage updates for VMs.
- Repeat the steps above for other superseded updates.
- For Windows Server Update Services (WSUS), clean all superseded updates to refresh the infrastructure using the WSUS Server cleanup Wizard.
- Repeat this procedure regularly to correct the display issue and minimize the amount of disk space used for update management.
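One way to script the check-and-decline steps of this procedure on the WSUS server, as an added example that is not part of the original article: it declines only superseded updates that every reporting computer shows as not applicable. The function name is an assumption; the code relies on the UpdateServices PowerShell module and the WSUS administration API (Get-WsusServer, GetUpdates, GetSummary, Decline) and needs WSUS administrator rights.

```powershell
# Added example (not from the original article). Run on the WSUS server that
# the machines report to.
function Deny-SupersededNotApplicableUpdate {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # WSUS server object; defaults to the local server. Calling
        # Get-WsusServer also loads the WSUS administration assembly.
        $WsusServer = (Get-WsusServer)
    )

    # A default ComputerTargetScope covers the computers that report
    # directly to this server.
    $allComputers = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

    foreach ($update in $WsusServer.GetUpdates()) {
        # Candidates: superseded updates that have not been declined yet.
        if (-not $update.IsSuperseded -or $update.IsDeclined) { continue }

        $s = $update.GetSummary($allComputers)
        $reporting = $s.UnknownCount + $s.NotApplicableCount + $s.NotInstalledCount +
                     $s.DownloadedCount + $s.InstalledCount +
                     $s.InstalledPendingRebootCount + $s.FailedCount

        # "100 percent not applicable": every reporting computer is counted as
        # NotApplicable. Computers with unknown status block the decline.
        $fullyNotApplicable = ($reporting -gt 0) -and ($s.NotApplicableCount -eq $reporting)

        $declined = $false
        if ($fullyNotApplicable -and
            $PSCmdlet.ShouldProcess($update.Title, 'Decline superseded update')) {
            $update.Decline()
            $declined = $true
        }

        # One row per superseded update, so the result doubles as a report.
        [pscustomobject]@{
            Title              = $update.Title
            Computers          = $reporting
            NotApplicable      = $s.NotApplicableCount
            FullyNotApplicable = $fullyNotApplicable
            Declined           = $declined
        }
    }
}

# Preview first: with -WhatIf nothing is declined.
Deny-SupersededNotApplicableUpdate -WhatIf | Format-Table -AutoSize -Wrap
```

After reviewing the preview, run the function without -WhatIf, then force the compliance rescan described in the steps above.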
Scenario: Machines don't show up in the portal under Update Management
Issue
Your machines have the following symptoms:
- Your machine shows Not configured from the Update Management view of a VM.
- Your machines are missing from the Update Management view of your Azure Automation account.
- You have machines that show as Not assessed under Compliance. However, you see heartbeat data in Azure Monitor logs for the Hybrid Runbook Worker but not for Update Management.
Cause
This issue can be caused by local configuration issues or by improperly configured scope configuration. Possible specific causes are:
- You might have to re-register and reinstall the Hybrid Runbook Worker.
- You might have defined a quota in your workspace that's been reached and that's preventing further data storage.
Resolution
- Run the troubleshooter for Windows or Linux, depending on the OS.
- Make sure that your machine is reporting to the correct workspace. For guidance on how to verify this aspect, see Verify agent connectivity to Azure Monitor. Also make sure that this workspace is linked to your Azure Automation account. To confirm, go to your Automation account and select Linked workspace under Related Resources.
- Make sure that the machines show up in the Log Analytics workspace linked to your Automation account. Run the following query in the Log Analytics workspace.

  ```kusto
  Heartbeat
  | summarize by Computer, Solutions
  ```

  If you don't see your machine in the query results, it hasn't recently checked in. There's probably a local configuration issue and you should reinstall the agent.

  If your machine is listed in the query results, verify under the Solutions property that updates is listed. This verifies it is registered with Update Management. If it is not, check for scope configuration problems. The scope configuration determines which machines are configured for Update Management. To configure the scope configuration to target the machine, see Enable machines in the workspace.
- In your workspace, run this query.

  ```kusto
  Operation
  | where OperationCategory == 'Data Collection Status'
  | sort by TimeGenerated desc
  ```

  If you get a Data collection stopped due to daily limit of free data reached. Ingestion status = OverQuota result, the quota defined on your workspace has been reached, which has stopped data from being saved. In your workspace, go to data volume management under Usage and estimated costs, and change or remove the quota.
- If your issue is still unresolved, follow the steps in Deploy a Windows Hybrid Runbook Worker to reinstall the Hybrid Worker for Windows. For Linux, follow the steps in Deploy a Linux Hybrid Runbook Worker.
Scenario: Unable to register Automation resource provider for subscriptions
Issue
When you work with feature deployments in your Automation account, the following error occurs:
```text
Error details: Unable to register Automation Resource Provider for subscriptions
```
Cause
The Automation resource provider isn't registered in the subscription.
Resolution
To register the Automation resource provider, follow these steps in the Azure portal.
- In the Azure service list at the bottom of the portal, select All services, and then select Subscriptions in the General service group.
- Select your subscription.
- Under Settings, select Resource Providers.
- From the list of resource providers, verify that the Microsoft.Automation resource provider is registered.
- If it's not listed, register the Microsoft.Automation provider by following the steps at Resolve errors for resource provider registration.
Scenario: Scheduled update did non patch some machines
Issue
Machines included in an update preview don't all appear in the list of machines patched during a scheduled run, or VMs for selected scopes of a dynamic grouping are not showing up in the update preview list in the portal.
The update preview list consists of all machines retrieved by an Azure Resource Graph query for the selected scopes. The scopes are filtered for machines that have a system Hybrid Runbook Worker installed and for which you have access permissions.
Cause
This issue can have one of the following causes:
- The subscriptions defined in the scope in a dynamic query aren't configured for the registered Automation resource provider.
- The machines weren't available or didn't have appropriate tags when the schedule executed.
- You don't have the correct access on the selected scopes.
- The Azure Resource Graph query doesn't retrieve the expected machines.
- The system Hybrid Runbook Worker isn't installed on the machines.
Resolution
Subscriptions not configured for registered Automation resource provider
If your subscription isn't configured for the Automation resource provider, you can't query or fetch information on machines in that subscription. Use the following steps to verify the registration for the subscription.
- In the Azure portal, access the Azure service list.
- Select All services, and then select Subscriptions in the General service group.
- Find the subscription defined in the scope for your deployment.
- Under Settings, choose Resource Providers.
- Verify that the Microsoft.Automation resource provider is registered.
- If it's not listed, register the Microsoft.Automation provider by following the steps at Resolve errors for resource provider registration.
Machines not available or not tagged correctly when schedule executed
Use the following procedure if your subscription is configured for the Automation resource provider, but running the update schedule with the specified dynamic groups missed some machines.
- In the Azure portal, open the Automation account and select Update Management.
- Check Update Management history to determine the exact time when the update deployment was run.
- For machines that you suspect to have been missed by Update Management, use Azure Resource Graph (ARG) to locate machine changes.
- Search for changes over a considerable period, such as one day, before the update deployment was run.
- Check the search results for any systemic changes, such as delete or update changes, to the machines in this period. These changes can alter machine status or tags so that machines aren't selected in the machine list when updates are deployed.
- Adjust the machines and resource settings as necessary to correct for machine status or tag issues.
- Rerun the update schedule to ensure that deployment with the specified dynamic groups includes all machines.
Incorrect access on selected scopes
The Azure portal only displays machines for which you have write access in a given scope. If you don't have the correct access for a scope, see Tutorial: Grant a user access to Azure resources using the Azure portal.
Resource Graph query doesn't return expected machines
Follow the steps below to find out if your queries are working correctly.
- Run an Azure Resource Graph query formatted as shown below in the Resource Graph explorer blade in Azure portal. If you are new to Azure Resource Graph, see this quickstart to learn how to work with Resource Graph explorer. This query mimics the filters you selected when you created the dynamic group in Update Management. See Use dynamic groups with Update Management.

  ```kusto
  where (subscriptionId in~ ("<subscriptionId1>", "<subscriptionId2>") and type =~ "microsoft.compute/virtualmachines" and properties.storageProfile.osDisk.osType == "<Windows/Linux>" and resourceGroup in~ ("<resourceGroupName1>","<resourceGroupName2>") and location in~ ("<location1>","<location2>") )
  | project id, location, name, tags = todynamic(tolower(tostring(tags)))
  | where (tags[tolower("<tagKey1>")] =~ "<tagValue1>" and tags[tolower("<tagKey2>")] =~ "<tagValue2>") // use this if "All" option selected for tags
  | where (tags[tolower("<tagKey1>")] =~ "<tagValue1>" or tags[tolower("<tagKey2>")] =~ "<tagValue2>") // use this if "Any" option selected for tags
  | project id, location, name, tags
  ```

  Here is an example:

  ```kusto
  where (subscriptionId in~ ("20780d0a-b422-4213-979b-6c919c91ace1", "af52d412-a347-4bc6-8cb7-4780fbb00490") and type =~ "microsoft.compute/virtualmachines" and properties.storageProfile.osDisk.osType == "Windows" and resourceGroup in~ ("testRG","withinvnet-2020-01-06-10-global-resources-southindia") and location in~ ("australiacentral","australiacentral2","brazilsouth") )
  | project id, location, name, tags = todynamic(tolower(tostring(tags)))
  | where (tags[tolower("ms-resources-usage")] =~ "azure-cloud-shell" and tags[tolower("temp")] =~ "temp")
  | project id, location, name, tags
  ```
- Check to see if the machines you're looking for are listed in the query results.
- If the machines aren't listed, there is probably an issue with the filter selected in the dynamic group. Adjust the group configuration as needed.
Hybrid Runbook Worker not installed on machines
Machines do appear in Azure Resource Graph query results, but still don't show up in the dynamic group preview. In this case, the machines might not be designated as system Hybrid Runbook Workers and thus can't run Azure Automation and Update Management jobs. To ensure that the machines you're expecting to see are set up as system Hybrid Runbook Workers:
- In the Azure portal, go to the Automation account for a machine that is not appearing correctly.
- Select Hybrid worker groups under Process Automation.
- Select the System hybrid worker groups tab.
- Validate that the hybrid worker is present for that machine.
- If the machine is not set up as a system Hybrid Runbook Worker, enable it by using one of the following methods:
  - From your Automation account for one or more Azure and non-Azure machines, including Azure Arc-enabled servers.
  - Using the Enable-AutomationSolution runbook to automate onboarding Azure VMs.
  - For a selected Azure VM from the Virtual machines page in the Azure portal. This scenario is available for Linux and Windows VMs.
  - For multiple Azure VMs by selecting them from the Virtual machines page in the Azure portal.

  The method to enable is based on the environment the machine is running in.
- Repeat the steps above for all machines that have not been displaying in the preview.
Scenario: Update Management components enabled, while VM continues to show as being configured
Issue
You continue to see the following message on a VM 15 minutes after deployment begins:
```text
The components for the 'Update Management' solution have been enabled, and now this virtual machine is being configured. Please be patient, as this can sometimes take up to 15 minutes.
```
Cause
This error can occur for the following reasons:
- Communication with the Automation account is being blocked.
- There is a duplicate computer name with different source computer IDs. This scenario occurs when a VM with a particular computer name is created in different resource groups and is reporting to the same Log Analytics workspace in the subscription.
- The VM image being deployed might come from a cloned machine that wasn't prepared with System Preparation (sysprep) with the Log Analytics agent for Windows installed.
Resolution
To help in determining the exact issue with the VM, run the following query in the Log Analytics workspace that's linked to your Automation account.
```kusto
Update
| where Computer contains "fillInMachineName"
| project TimeGenerated, Computer, SourceComputerId, Title, UpdateState
```
Communication with Automation account blocked
Go to Network planning to learn about which addresses and ports must be allowed for Update Management to work.
Duplicate computer name
Rename your VMs to ensure unique names in their environment.
Deployed image from cloned machine
If you're using a cloned image, different computer names have the same source computer ID. In this case:
- In your Log Analytics workspace, remove the VM from the saved search for the MicrosoftDefaultScopeConfig-Updates scope configuration if it's shown. Saved searches can be found under General in your workspace.
- Run the following cmdlet.

  ```powershell
  Remove-Item -Path "HKLM:\software\microsoft\hybridrunbookworker" -Recurse -Force
  ```
- Run Restart-Service HealthService to restart the health service. This operation recreates the key and generates a new UUID.
- If this approach doesn't work, run sysprep on the image first and then install the Log Analytics agent for Windows.
Scenario: You receive a linked subscription error when you create an update deployment for machines in another Azure tenant
Issue
You encounter the following error when you try to create an update deployment for machines in another Azure tenant:
```text
The client has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroupName/providers/Microsoft.Automation/automationAccounts/automationAccountName/softwareUpdateConfigurations/updateDeploymentName', however the current tenant '00000000-0000-0000-0000-000000000000' is not authorized to access linked subscription '00000000-0000-0000-0000-000000000000'.
```
Cause
This error occurs when you create an update deployment that includes Azure VMs in another tenant.
Resolution
Use the following workaround to get these items scheduled. You can use the New-AzAutomationSchedule cmdlet with the ForUpdateConfiguration parameter to create a schedule. Then, use the New-AzAutomationSoftwareUpdateConfiguration cmdlet and pass the machines in the other tenant to the NonAzureComputer parameter. The following example shows how to do this:
```powershell
# Machines in the other tenant are passed as non-Azure computers.
$nonAzurecomputers = @("server-01", "server-02")

$startTime = ([DateTime]::Now).AddMinutes(10)

# One-time schedule created for use with an update configuration.
$s = New-AzAutomationSchedule -ResourceGroupName mygroup -AutomationAccountName myaccount -Name myupdateconfig -Description test-OneTime -OneTime -StartTime $startTime -ForUpdateConfiguration

# $rg, $aa and $azureVMIdsW must already hold the resource group name, the
# Automation account name and the resource IDs of the Azure VMs to include.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $aa -Schedule $s -Windows -AzureVMResourceId $azureVMIdsW -NonAzureComputer $nonAzurecomputers -Duration (New-TimeSpan -Hours 2) -IncludedUpdateClassification Security,UpdateRollup -ExcludedKbNumber KB01,KB02 -IncludedKbNumber KB100
```
Scenario: Unexplained reboots
Issue
Even though you've set the Reboot Control option to Never Reboot, machines are still rebooting after updates are installed.
Cause
Windows Update can be modified by several registry keys, any of which can modify reboot behavior.
Resolution
Review the registry keys listed under Configuring Automatic Updates by editing the registry and Registry keys used to manage restart to make sure your machines are configured properly.
Scenario: Machine shows "Failed to start" in an update deployment
Issue
A machine shows a Failed to start or Failed status. When you view the specific details for the machine, you see the following error:
```text
For one or more machines in schedule, UM job run resulted in either Failed or Failed to start state. Guide available at https://aka.ms/UMSucrFailed.
```
Cause
This error can occur for one of the following reasons:
- The machine doesn't exist anymore.
- The machine is turned off and unreachable.
- The machine has a network connectivity issue, and therefore the hybrid worker on the machine is unreachable.
- There was an update to the Log Analytics agent that changed the source computer ID.
- Your update run was throttled if you hit the limit of 200 concurrent jobs in an Automation account. Each deployment is considered a job, and each machine in an update deployment counts as a job. Any other automation job or update deployment currently running in your Automation account counts toward the concurrent job limit.
Resolution
You can retrieve more details programmatically by using the REST API. See Software Update Configuration Machine Runs for information on retrieving either a list of update configuration machine runs, or a single software update configuration machine run by ID.
When applicable, use dynamic groups for your update deployments. In addition, you can take the following steps.
- Verify that your machine or server meets the requirements.
- Verify connectivity to the Hybrid Runbook Worker using the Hybrid Runbook Worker agent troubleshooter. To learn more about the troubleshooter, see Troubleshoot update agent issues.
Scenario: Updates are installed without a deployment
Issue
When you enroll a Windows machine in Update Management, you see updates installed without a deployment.
Cause
On Windows, updates are installed automatically as soon as they're available. This behavior can cause confusion if you didn't schedule an update to be deployed to the machine.
Resolution
The HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU registry key defaults to a setting of 4: auto download and install.
For Update Management clients, we recommend setting this key to 3: auto download but do not auto install.
For more information, see Configuring Automatic Updates.
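The following audit is an added example, not code from the original article: it reads the Automatic Updates policy values behind this scenario and the "Unexplained reboots" scenario and flags settings that install or restart outside an Update Management deployment. The function names and finding texts are assumptions made for illustration; the value names (NoAutoUpdate, AUOptions, NoAutoRebootWithLoggedOnUsers, AlwaysAutoRebootAtScheduledTime) are the ones Windows documents under this policy key.

```powershell
# Added example (not from the original article): audit the Automatic Updates
# policy values that let Windows install or restart outside a deployment.
function Get-AutomaticUpdatePolicyAudit {
    [CmdletBinding()]
    param(
        # Policy key named in the article; the parameter exists so the check
        # can be pointed at a test key.
        [string]$AuKeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    )

    # Read one value; returns $null when the key or the value is absent.
    function Read-PolicyValue([string]$Name) {
        $item = Get-ItemProperty -Path $AuKeyPath -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
        return $null
    }

    # Build one result row.
    function New-Finding([string]$Value, $Data, [string]$Status, [string]$Detail) {
        if ($null -eq $Data) { $Data = '(not set)' }
        [pscustomobject]@{ Value = $Value; Data = $Data; Status = $Status; Detail = $Detail }
    }

    $noAutoUpdate = Read-PolicyValue 'NoAutoUpdate'
    $auOptions    = Read-PolicyValue 'AUOptions'
    $noReboot     = Read-PolicyValue 'NoAutoRebootWithLoggedOnUsers'
    $forceReboot  = Read-PolicyValue 'AlwaysAutoRebootAtScheduledTime'

    if ($noAutoUpdate -eq 1) {
        New-Finding 'NoAutoUpdate' 1 'Info' 'Automatic Updates is disabled by policy; AUOptions is ignored.'
        return
    }

    # AUOptions: the article recommends 3 and gives 4 as the default.
    if ($null -eq $auOptions) {
        New-Finding 'AUOptions' $null 'Review' 'No policy value; the article gives 4 (auto download and install) as the default.'
    } elseif ($auOptions -eq 3) {
        New-Finding 'AUOptions' 3 'OK' 'Auto download but do not auto install (recommended for Update Management clients).'
    } elseif ($auOptions -eq 4) {
        New-Finding 'AUOptions' 4 'Review' 'Auto download and install; updates can install without a deployment.'
    } else {
        New-Finding 'AUOptions' $auOptions 'Info' 'Other setting; see Configuring Automatic Updates.'
    }

    # Restart values only matter when Automatic Updates installs by itself.
    $autoInstall = ($null -eq $auOptions) -or ($auOptions -eq 4)
    if ($forceReboot -eq 1) {
        New-Finding 'AlwaysAutoRebootAtScheduledTime' 1 'Review' 'Forces a restart after an automatic install.'
    }
    if ($autoInstall -and ($noReboot -ne 1)) {
        New-Finding 'NoAutoRebootWithLoggedOnUsers' $noReboot 'Review' 'Automatic installs may restart the machine without waiting for signed-in users.'
    }
}

Get-AutomaticUpdatePolicyAudit | Format-Table -AutoSize -Wrap
```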
Scenario: Machine is already registered to a different account
Issue
You receive the following error message:
```text
Unable to Register Machine for Patch Management, Registration Failed with Exception System.InvalidOperationException: {"Message":"Machine is already registered to a different account."}
```
Cause
The machine has already been deployed to another workspace for Update Management.
Resolution
- Follow the steps under Machines don't show up in the portal under Update Management to make sure the machine is reporting to the correct workspace.
- Clean up artifacts on the machine by deleting the hybrid runbook group, and then try again.
Scenario: Machine can't communicate with the service
Issue
You receive one of the following error messages:
```text
Unable to Register Machine for Patch Management, Registration Failed with Exception System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server can't communicate, because they do not possess a common algorithm
```
```text
Unable to Register Machine for Patch Management, Registration Failed with Exception Newtonsoft.Json.JsonReaderException: Error parsing positive infinity value.
```
```text
The certificate presented by the service <wsid>.oms.opinsights.azure.com was not issued by a certificate authority used for Microsoft services. Contact your network administrator to see if they are running a proxy that intercepts TLS/SSL communication.
```
```text
Access is denied. (Exception form HRESULT: 0x80070005(E_ACCESSDENIED))
```
Cause
A proxy, gateway, or firewall might be blocking network communication.
Resolution
Review your networking and make sure appropriate ports and addresses are allowed. See network requirements for a list of ports and addresses that are required by Update Management and Hybrid Runbook Workers.
Scenario: Unable to create self-signed certificate
Issue
You receive one of the following error messages:
```text
Unable to Register Machine for Patch Management, Registration Failed with Exception AgentService.HybridRegistration. PowerShell.Certificates.CertificateCreationException: Failed to create a self-signed certificate. ---> System.UnauthorizedAccessException: Access is denied.
```
Cause
The Hybrid Runbook Worker couldn't generate a self-signed certificate.
Resolution
Verify that the system account has read access to the C:\ProgramData\Microsoft\Crypto\RSA folder, and try again.
Scenario: The scheduled update failed with a MaintenanceWindowExceeded error
Issue
The default maintenance window for updates is 120 minutes. You can increase the maintenance window to a maximum of 6 hours, or 360 minutes. You might receive the error message For one or more machines in schedule, UM job run resulted in Maintenance Window Exceeded state. Guide available at https://aka.ms/UMSucrMwExceeded.
Resolution
To understand why this occurred during an update run after it starts successfully, check the job output from the affected machine in the run. You might find specific error messages from your machines that you can research and take action on.
You can retrieve more details programmatically by using the REST API. See Software Update Configuration Machine Runs for information on retrieving either a list of update configuration machine runs, or a single software update configuration machine run by ID.
Edit any failing scheduled update deployments, and increase the maintenance window.
For more information on maintenance windows, see Install updates.
Scenario: Machine shows as "Not assessed" and shows an HRESULT exception
Issue
- You have machines that show as Not assessed under Compliance, and you see an exception message below them.
- You see an HRESULT error code in the portal.
Cause
The Update Agent (Windows Update Agent on Windows; the packet manager for a Linux distribution) isn't configured correctly. Update Management relies on the machine's Update Agent to provide the updates that are needed, the status of the patch, and the results of deployed patches. Without this information, Update Management can't properly report on the patches that are needed or installed.
Resolution
Try to perform updates locally on the machine. If this operation fails, it typically means that there's an update agent configuration error.
This problem is frequently caused by network configuration and firewall issues. Use the following checks to correct the issue.
- For Linux, check the appropriate documentation to make sure you can reach the network endpoint of your package repository.
- For Windows, check your agent configuration as listed in Updates aren't downloading from the intranet endpoint (WSUS/SCCM).
  - If the machines are configured for Windows Update, make sure that you can reach the endpoints described in Issues related to HTTP/proxy.
  - If the machines are configured for Windows Server Update Services (WSUS), make sure that you can reach the WSUS server configured by the WUServer registry key.
If you see an HRESULT, double-click the exception displayed in red to see the entire exception message. Review the following table for potential resolutions or recommended actions.
| Exception | Resolution or action |
|---|---|
| Exception from HRESULT: 0x……C | Search the relevant error code in Windows update error code list to find additional details about the cause of the exception. |
| 0x8024402C 0x8024401C 0x8024402F | These indicate network connectivity issues. Make sure your machine has network connectivity to Update Management. See the network planning section for a list of required ports and addresses. |
| 0x8024001E | The update operation didn't complete because the service or system was shutting down. |
| 0x8024002E | Windows Update service is disabled. |
| 0x8024402C | If you're using a WSUS server, make sure the registry values for WUServer and WUStatusServer under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate registry key specify the correct WSUS server. |
| 0x80072EE2 | There's a network connectivity issue or an issue in talking to a configured WSUS server. Check WSUS settings and make sure the service is accessible from the client. |
| The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (Exception from HRESULT: 0x80070422) | Make sure the Windows Update service (wuauserv) is running and not disabled. |
| 0x80070005 | An access denied error can be caused by any one of the following: infected computer; Windows Update settings not configured correctly; file permission error with %WinDir%\SoftwareDistribution folder; insufficient disk space on the system drive (C:). |
| Any other generic exception | Run a search on the internet for possible resolutions, and work with your local IT support. |
Reviewing the %Windir%\Windowsupdate.log file can also help you determine possible causes. For more information about how to read the log, see How to read the Windowsupdate.log file.
You can also download and run the Windows Update troubleshooter to check for any issues with Windows Update on the machine.
Scenario: Update run returns Failed status (Linux)
Issue
An update run starts but encounters errors during the run.
Cause
Possible causes:
- Package manager is unhealthy.
- Update Agent (WUA for Windows, distro-specific package manager for Linux) is misconfigured.
- Specific packages are interfering with cloud-based patching.
- The machine is unreachable.
- Updates had dependencies that weren't resolved.
Resolution
If failures occur during an update run after it starts successfully, check the job output from the affected machine in the run. You might find specific error messages from your machines that you can research and take action on. Update Management requires the package manager to be healthy for successful update deployments.
If specific patches, packages, or updates are seen immediately before the job fails, you can try excluding these items from the next update deployment. To gather log information from Windows Update, see Windows Update log files.
If you can't resolve a patching issue, make a copy of the /var/opt/microsoft/omsagent/run/automationworker/omsupdatemgmt.log file and preserve it for troubleshooting purposes before the next update deployment starts.
Patches aren't installed
Machines don't install updates
Try running updates directly on the machine. If the machine can't apply the updates, consult the list of potential errors in the troubleshooting guide.
If updates run locally, try removing and reinstalling the agent on the machine by following the guidance at Remove a VM from Update Management.
I know updates are available, but they don't show as available on my machines
This often happens if machines are configured to get updates from WSUS or Microsoft Endpoint Configuration Manager but WSUS and Configuration Manager haven't approved the updates.
You can check to see if the machines are configured for WSUS and SCCM by cross-referencing the UseWUServer registry key to the registry keys in the Configuring Automatic Updates by Editing the Registry section of this article.
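The registry and service checks this article describes (the UseWUServer key, the WUServer and WUStatusServer values, and the state of wuauserv) can be gathered in one read-only pass on the affected machine. The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later, takes the location of UseWUServer under the AU subkey from the Windows registry documentation rather than from this page, and uses a helper name (Get-PolicyValue) chosen for illustration.

```powershell
# Added example (read-only): where does this machine's update agent get updates,
# and is the Windows Update service able to run?
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'   # UseWUServer lives under the AU subkey

function Get-PolicyValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$useWsus  = Get-PolicyValue -Path $auKey -Name 'UseWUServer'
$wuServer = Get-PolicyValue -Path $wuKey -Name 'WUServer'
$wuStatus = Get-PolicyValue -Path $wuKey -Name 'WUStatusServer'
$svc      = Get-Service -Name wuauserv

[pscustomobject]@{
    UseWUServer      = $useWsus
    WUServer         = $wuServer
    WUStatusServer   = $wuStatus
    ServiceStatus    = $svc.Status
    ServiceStartType = $svc.StartType
} | Format-List

# A disabled service matches the 0x80070422 and 0x8024002E rows of the table.
if ($svc.StartType -eq 'Disabled') {
    Write-Warning 'The Windows Update service (wuauserv) is disabled.'
}

if ($useWsus -eq 1) {
    if (-not $wuServer) {
        Write-Warning 'UseWUServer is 1, but no WUServer value is set.'
    }
    else {
        # Test TCP reachability of the configured WSUS endpoint.
        $uri  = [uri]$wuServer
        $test = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port
        if (-not $test.TcpTestSucceeded) {
            Write-Warning "Cannot reach WSUS server $($uri.Host) on port $($uri.Port)."
        }
    }
}
else {
    Write-Output 'UseWUServer is not 1: the agent uses Windows Update, not WSUS.'
}
```

A successful TCP test only shows that the port is reachable; whether an update is offered still depends on its approval state in WSUS.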
If updates aren't approved in WSUS, they're not installed. You can check for unapproved updates in Log Analytics by running the following query.
```kusto
Update
| where UpdateState == "Needed" and ApprovalSource == "WSUS" and Approved == "False"
| summarize max(TimeGenerated) by Computer, KBID, Title
```
Updates show as installed, but I can't find them on my machine
Updates are often superseded by other updates. For more information, see Update is superseded in the Windows Update Troubleshooting guide.
Installing updates by classification on Linux
Deploying updates to Linux by classification ("Critical and security updates") has important caveats, especially for CentOS. These limitations are documented on the Update Management overview page.
KB2267602 is consistently missing
KB2267602 is the Windows Defender definition update. It's updated daily.
Next steps
If you don't see your problem or can't resolve your issue, try one of the following channels for additional support.
- Get answers from Azure experts through Azure Forums.
- Connect with @AzureSupport, the official Microsoft Azure account for improving customer experience.
- File an Azure support incident. Go to the Azure support site and select Get Support.
Source: https://docs.microsoft.com/en-us/azure/automation/troubleshoot/update-management