SanerCVEM – Troubleshooting Windows Patching Failures

Modified on Tue, 29 Apr at 3:57 AM


This document describes how to systematically troubleshoot patch update failures on Windows devices using SanerCVEM. It covers error identification, Windows Update service checks, policy investigation, and detailed remediation steps.


Purpose

This document provides a detailed troubleshooting process for addressing patch update failures detected through the Patch Management (PM) Status page. It walks through known errors, Windows Update Service issues, policy settings, and remediation steps.


Procedure

1. Initial Check

  • Check the PM Status page for any error messages.

  • Focus on identifying Windows-related error codes.



A Windows-related error code is a clear indication of a problem with one of the components behind Windows Update: the Windows Update service, the SoftwareDistribution folder, or one of the other services that Windows Update depends on.



2. Error Handling

a. Known Error Message

  • If a known error is found (e.g., Patch not found, Schedule missed, Remediation not available):

    • Review the error message details.

    • Provide a straightforward response based on the error.

    • Verify the agent logs (spsaneragent.log) for confirmation and gather additional information.

b. Unknown Error Message

  • If the error message is unknown:

    • Proceed to check if it relates to Windows Update Service issues.


3. Windows Update Service Investigation

a. Repository Check

  • Review the PM Security patches card repository.

  • Verify whether the repository status is True or False.



b. Service Status

  • Confirm that the Windows Update Service is running.

c. Policy Settings Review

  • Check Windows Update Settings for any policy indicator (typically marked with a "*").

  • Note: Presence of a policy does not automatically mean an issue; the policy's intent must be verified.




4. Policy Investigation

a. If a Policy is Found:

  • Identify the policy type:

    • Local Group Policy

    • Registry Changes

    • GPO (Group Policy Object) from Domain Controller

  • Verify if the policy restricts:

    • Windows Update connection (for example, does it allow the device to connect to the Windows Update service online, or does it redirect to WSUS?)

    • Automatic Updates being disabled (if so, check what condition the policy sets and whether it prevents installation through any of the services related to Windows Update)

b. If No Policy is Found:

  • Check whether the issue is related to a specific KB.


If neither a policy nor a particular KB is causing the issue, narrow it down to whether a specific patch is responsible.
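Added example, not from the SanerCVEM article or product: a PowerShell check for the service status (Section 3b) and the policy restrictions Section 4 asks you to verify. It reads the standard Windows Update policy registry values (written by Local Group Policy or a domain GPO) and reports whether they redirect the update connection or disable Automatic Updates; the interpretation strings are the editor's.

```powershell
# Added example (not the article's own script). Inspects the Windows Update
# policy keys and service state that Sections 3b and 4 refer to.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au  = Join-Path $pol 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    }
    return $null   # value not configured by policy
}

# 1. Is the Windows Update service itself running? (Section 3b)
$svc = Get-Service -Name wuauserv
"wuauserv status : $($svc.Status) (StartType: $($svc.StartType))"

# 2. Does a policy redirect or block the update connection? (Section 4a)
$wuServer   = Get-PolicyValue $pol 'WUServer'
$useWU      = Get-PolicyValue $au  'UseWUServer'
$noInternet = Get-PolicyValue $pol 'DoNotConnectToWindowsUpdateInternetLocations'

if ($useWU -eq 1 -and $wuServer) {
    "Policy: updates come from WSUS at $wuServer, not from Windows Update online"
} elseif ($wuServer) {
    "Policy: WUServer=$wuServer is set but UseWUServer is not 1, so it is ignored"
} else {
    "Policy: no WSUS redirection; the client should reach Windows Update online"
}
if ($noInternet -eq 1) {
    "Policy: DoNotConnectToWindowsUpdateInternetLocations=1 (online repository blocked)"
}

# 3. Are Automatic Updates disabled, and under what condition? (Section 4a)
$noAuto    = Get-PolicyValue $au 'NoAutoUpdate'
$auOptions = Get-PolicyValue $au 'AUOptions'
if ($noAuto -eq 1) {
    "Policy: NoAutoUpdate=1 - Automatic Updates disabled; check whether this blocks the agent's install path"
} elseif ($null -ne $auOptions) {
    "Policy: AUOptions=$auOptions (2=notify, 3=auto download, 4=scheduled install, 5=local admin chooses)"
} else {
    "Policy: no Automatic Updates restriction configured"
}
```

If the values live under HKLM:\SOFTWARE\Policies they came from Local Group Policy or a domain GPO; the same names set elsewhere in the registry are plain registry changes, the third policy type in Section 4a.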



5. Patch Investigation

a. If Specific KB Issue Identified:

  • Verify if the patch is Security or Non-Security.

  • For Security patches, check the presence of Compliance Remediation Evidence (CRE).

b. If No Specific KB Issue:

  • Run a PowerShell command to check patch availability.


6. PowerShell Command Outcome Handling

This command checks your system for available updates without installing them.


What does this command do?

This command checks a Windows computer for available updates that are not hidden and not yet installed. It uses PowerShell to create an update searcher, finds those updates, and then lists just their titles (names). In simple words, it shows you the list of pending updates that can be installed.

a. If the Command Returns an Error:

  • Recheck policy restrictions (refer back to Section 4).

b. If No Results:

  • Verify if the latest patches are already installed.

  • If the patches are not installed and the command still lists nothing, there is definitely a problem with the Windows Update services; it could be WSUS, a device-level restriction, or a firewall restriction.
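Added example, not the article's own script: the update search Section 6 describes, implemented through the Windows Update Agent COM API, with outcome 6a (the search errors out) and outcome 6b (nothing returned) handled explicitly. The Security/Non-Security tag from Section 5a is derived from the update's category names.

```powershell
# Added example (not from the article). Searches for updates that are not
# installed and not hidden; nothing is downloaded or installed.
function Get-PendingWindowsUpdates {
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        # Same criteria as the article's command: not installed and not hidden.
        $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    } catch {
        # Outcome 6a: the search itself failed. The HRESULT is the Windows Update
        # error code to look up; revisit the policy checks in Section 4.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        Write-Warning ('Update search failed: {0} (HRESULT 0x{1:X8})' -f $ex.Message, $ex.HResult)
        return $null
    }
    if ($result.Updates.Count -eq 0) {
        # Outcome 6b: nothing pending. Either the device is fully patched or it
        # cannot see its repository (WSUS/online, firewall). Recent install
        # history helps tell the two apart.
        Write-Output 'No pending updates returned by the search.'
        $total = $searcher.GetTotalHistoryCount()
        if ($total -gt 0) {
            $searcher.QueryHistory(0, [math]::Min(5, $total)) | ForEach-Object {
                '  {0:u}  result={1}  {2}' -f $_.Date, $_.ResultCode, $_.Title
            }
        }
        return @()
    }
    # Normal outcome: list the titles, tagging each as Security or Non-Security
    # (Section 5a) from its WUA category names.
    $result.Updates | ForEach-Object {
        $cats = @($_.Categories | ForEach-Object { $_.Name })
        $kind = if ($cats -contains 'Security Updates') { 'Security' } else { 'Non-Security' }
        [pscustomobject]@{
            Kind  = $kind
            KB    = (@($_.KBArticleIDs) -join ',')
            Title = $_.Title
        }
    }
}

Get-PendingWindowsUpdates | Format-Table -AutoSize
```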



7. Remediation Steps

  • Run the Windows Update Reset Script.

  • Reapply Remediation tasks.

  • Review the following logs:

    • spsaneragent.log (update search status)

    • Windows Update Logs (use Get-WindowsUpdateLog command)


8. Log Analysis

  • Analyse logs for:

    • Update search time: as soon as the Saner agent picks up the remediation job, it uses the Windows Update search to look for the available updates. Take note of the start and end times and check how long the Windows Update search takes to retrieve the missing patches (see the screenshot below).


    • Connectivity issues: any restriction on reaching the respective repository (online or WSUS)

    • Patch download status
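Added example, not from the article: extracting the update search duration and the connectivity errors that Section 8 asks for from the log file Get-WindowsUpdateLog produces. The sample lines are constructed, the CallerId value is a placeholder, and the "* START * / * END * Finding updates ... Id = N" line layout is an assumption about that log's format; adjust the pattern if your log differs.

```powershell
# Added example (not from the article). Times each Windows Update search and
# lists connectivity HRESULTs from a WindowsUpdate.log. Constructed sample lines;
# the line layout is an assumption.
$sampleLog = @'
2025/04/29 03:10:01.1000000 1180  4980  Agent           * START * Finding updates CallerId = SanerAgent  Id = 7
2025/04/29 03:10:09.5000000 1180  4980  Misc            WARNING: Send failed with hr = 80072ee2.
2025/04/29 03:21:43.4000000 1180  4980  Agent           * END * Finding updates CallerId = SanerAgent  Id = 7
2025/04/29 03:21:43.6000000 1180  4980  Agent           Found 3 updates and 58 categories in search
2025/04/29 03:30:00.0000000 1180  4980  Agent           * START * Finding updates CallerId = SanerAgent  Id = 8
'@ -split "`r?`n"

function Get-UpdateSearchTimings {
    param([string[]]$Lines)
    $pattern = '^(?<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{7})\s+\d+\s+\d+\s+Agent\s+' +
               '\* (?<kind>START|END) \* Finding updates CallerId = (?<caller>.+?)\s+Id = (?<id>\d+)'
    $open = @{}   # search Id -> start record, until its END line is seen
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $ts = [datetime]::ParseExact($Matches.ts, 'yyyy/MM/dd HH:mm:ss.fffffff', [cultureinfo]::InvariantCulture)
            if ($Matches.kind -eq 'START') {
                $open[$Matches.id] = @{ Start = $ts; Caller = $Matches.caller }
            } elseif ($open.ContainsKey($Matches.id)) {
                $s = $open[$Matches.id]; $open.Remove($Matches.id)
                [pscustomobject]@{ Id = $Matches.id; Caller = $s.Caller; Start = $s.Start; End = $ts
                                   Minutes = [math]::Round(($ts - $s.Start).TotalMinutes, 1) }
            }
        }
    }
    # A START with no matching END means the scan hung or was interrupted.
    foreach ($id in @($open.Keys)) {
        [pscustomobject]@{ Id = $id; Caller = $open[$id].Caller; Start = $open[$id].Start; End = $null; Minutes = $null }
    }
}

# Connectivity failures show up as Win32/WinHTTP (0x8007xxxx) or WUA (0x8024xxxx) HRESULTs.
function Get-UpdateLogErrors {
    param([string[]]$Lines)
    $Lines | Where-Object { $_ -match '(?i)\b(0x)?(8007|8024)[0-9a-f]{4}\b' }
}

Get-UpdateSearchTimings -Lines $sampleLog | Format-Table -AutoSize
Get-UpdateLogErrors     -Lines $sampleLog
```

To run it against a real device, replace $sampleLog with Get-Content of the WindowsUpdate.log that Get-WindowsUpdateLog writes to the desktop.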


9. Final Verification

a. If Issue Persists:

  • Rerun the Reset Script and reapply the patch.

  • Retrieve and correlate logs (spsaneragent.log and WindowsUpdateLog) for deeper analysis.


