When troubleshooting clients, the first thing you’ll want to look at is the windowsupdate.log which will be in c:%windir%Windowsupdate.log. In order to understand how to read the windowsupdate.log , the reference for it is located at:
The first step is to make sure you see the actual WSUS server name in the log – if not that indicates a policy or registry setting used for the policy is not in place.
Next get the errors for the client trying to contact WSUS and check the error code against the error code reference for Windows Update agent. For a reference see:
Appendix G: Windows Update Agent Result Codes : http://technet2.microsoft.com/windowsserver/en/library/061d0423-f7f1-401e-9ef7-b7d02cd50b7a1033.mspx
Another way to obtain the logs is to use the audbgtrace.exe from www.codeplex.com/WSUS.
Using option 2 will trigger the detection cycle for the windows update agent and enable the verbose logging for winhttp and the windows update agent itself.
Check for the logs created on c:audbgtracedata or the cab file to send to a Microsoft Professional in c:audbgtracecabs
In order to understand the failed status for a client machine, you need to check on the WSUS console to see what caused the failed status. Clicking on the affected machine on the bottom, middle pane will show the machine status with the failed update. Click on the failed update and check for any error messages. The 2 most common errors are “download failed” and installation failed”
Download failed is usually when the patch was not downloaded from the WSUS server to the client machine . Check the link on the Windowsupdate.log from the client machine and see if the patch is available on the <drive letter>:WSUSWSUSCONTENT folder on the WSUS server from the client.
For Installation failed you will need to check the error code and the log generated by the installation. On Windows XP it will be on c:%windir%kbXXXXXXX.log.
Lastly, try to install the patch manually to understand what is causing the failure if the message on the log is not clear.
WSUS health check
A good way to test if the WSUS is working properly is by running the wsusutil checkhealth command via the command line. Wsusutil is located in c:program filesupdate servicestools folder. This will create a log in the event viewer if something is not correct on the WSUS with errors/ alerts in the application log.
That should get you started on troubleshooting some of the more common clients issues you may run into.
Joao Madureira | WSUS Support Engineer