Troubleshoot the Windows Update for Business deployment service

This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business deployment service. For a general troubleshooting guide for Windows Update, see Windows Update troubleshooting.

The device isn't receiving an update that I deployed

  • Check that the device doesn't have updates of the relevant category paused. See Pause feature updates and Pause quality updates.
  • Feature updates only: The device might have a safeguard hold applied for the given feature update version. For more about safeguard holds, see Safeguard holds and Opt out of safeguard holds.
  • Check that the deployment to which the device is assigned has the state offering. Deployments that have the states paused or scheduled won't deploy content to devices.
  • Check that the device has scanned for updates and is scanning the Windows Update service. To learn more about scanning for updates, see Scanning updates.
  • Feature updates only: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors.
  • Expedited quality updates only: Check that the device has the Update Health Tools installed (available for Windows 10 version 1809 or later in the update described in KB 4023057 - Update for Windows 10 Update Service components, or a more recent quality update). The Update Health Tools are required for a device to receive an expedited quality update. On a device, the program can be located at C:\Program Files\Microsoft Update Health Tools. You can verify its presence by reviewing Add or Remove Programs or using the following PowerShell script: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}.

The device is receiving an update that I didn't deploy

  • Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see Scanning updates.
  • Feature updates only: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors.

The device installed a newer update than the expedited update I deployed

There are some scenarios when a deployment to expedite an update results in the installation of a more recent update than specified in policy. This result occurs when the newer update includes and surpasses the specified update, and that newer update is available before a device checks in to install the update that's specified in the expedite update policy.

Installing the most recent quality update reduces disruptions to the device and user while applying the benefits of the intended update. This avoids having to install multiple updates, which each might require separate reboots.

A more recent update is deployed when the following conditions are met:

  • The device isn't targeted with a deferral policy that blocks installation of a more recent update. In this case, the most recently available update that isn't deferred is the update that might install.

  • During the process to expedite an update, the device runs a new scan that detects the newer update. This can occur due to the timing of:

    • When the device restarts to complete installation
    • When the device runs its daily scan
    • When a new update becomes available

    When a scan identifies a newer update, Windows Update attempts to stop installation of the original update, cancel the restart, and then start the download and installation of the more recent update.

While expedite update deployments will override an update deferral for the update version that's specified, they don't override deferrals that are in place for any other update version.

Log location for the Update Health Tools

The Update Health Tools are used when you deploy expedited updates. In some cases, you may wish to review the logs for the Update Health Tools.

Log location: %ProgramFiles%\Microsoft Update Health Tools\Logs

For more information, see Troubleshooting expedited updates.
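
The following added example (not part of the original guide) checks for the Update Health Tools without querying Win32_Product, which makes Windows Installer validate every installed MSI package, and summarizes the log folder named above. The function name Test-UpdateHealthTools and its output fields are hypothetical; reading the Uninstall registry keys is an assumption about where the product registers itself.

```powershell
# Added example. Test-UpdateHealthTools is a hypothetical helper name.
function Test-UpdateHealthTools {
    param(
        # Install location given in this guide.
        [string]$InstallDir = (Join-Path $env:ProgramFiles 'Microsoft Update Health Tools')
    )

    # Assumption: the product appears under the standard Uninstall keys
    # that back Add or Remove Programs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Microsoft Update Health Tools' } |
        Select-Object -First 1

    # Log location given in this guide: <install dir>\Logs
    $logDir = Join-Path $InstallDir 'Logs'
    $logs = @()
    if (Test-Path -LiteralPath $logDir) {
        $logs = @(Get-ChildItem -LiteralPath $logDir -File -Recurse -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending)
    }

    [pscustomobject]@{
        Registered       = [bool]$entry
        DisplayVersion   = if ($entry) { $entry.DisplayVersion } else { $null }
        InstallDirExists = Test-Path -LiteralPath $InstallDir
        LogDir           = $logDir
        LogFileCount     = $logs.Count
        NewestLogWrite   = if ($logs.Count) { $logs[0].LastWriteTime } else { $null }
    }
}

Test-UpdateHealthTools | Format-List
```

A device that reports Registered as False or has no recent log writes is a candidate for the expedited quality update check in the first section.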

Policy considerations for drivers

It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content through the deployment service, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following list describes driver-related update policies that can affect deployments through the deployment service:

Policies that exclude drivers from Windows Update for a device

The following policies exclude drivers from Windows Update for a device:

  • Locations of policies that exclude drivers:
    • Group Policy: \Windows Components\Windows Update\Do not include drivers with Windows Updates set to enabled
    • CSP: ExcludeWUDriversInQualityUpdate set to 1
    • Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversFromQualityUpdates set to 1
    • Intune: Windows Drivers update setting for the update ring set to Block

Behavior with the deployment service: Devices with driver exclusion policies that are enrolled for drivers and added to an audience through the deployment service:

  • Will display the applicable driver content in the deployment service
  • Won't install drivers that are approved from the deployment service
    • If drivers are deployed to a device that's blocking them, the deployment service displays that the driver is being offered, and reporting displays that the install is pending.

Policies that define the source for driver updates

The following policies define the source for driver updates as either Windows Update or Windows Server Update Service (WSUS):

  • Locations of policies that define an update source:
    • Group Policy: \Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates set to enabled with the Driver Updates option set to Windows Update
    • CSP: SetPolicyDrivenUpdateSourceForDriverUpdates set to 0 for Windows Update as the source
    • Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates set to 0. Under \AU, UseUpdateClassPolicySource also needs to be set to 1
    • Intune: Not applicable. Intune deploys updates using Windows Update for Business. Co-managed clients from Configuration Manager with the workload for Windows Update policies set to Intune will also use Windows Update for Business.

Behavior with the deployment service: Devices with these update source policies that are enrolled for drivers and added to an audience through the deployment service:

  • Will display the applicable driver content in the deployment service
  • Will install drivers that are approved from the deployment service

Note

When the scan source for drivers is set to WSUS, the deployment service doesn't get inventory events from devices. This means that the deployment service won't be able to report the applicability of a driver for the device.
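
The following added example (not part of the original guide) reads the registry values listed in the two policy sections above and maps them to the deployment service behavior this guide describes. The function name Get-DriverPolicyState and its output fields are hypothetical; the value names are taken as written on this page, and settings delivered only through CSP or Intune may not appear under this key.

```powershell
# Added example. Get-DriverPolicyState and its output fields are hypothetical names.
function Get-DriverPolicyState {
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    # Return the value data, or $null when the key or value is absent.
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # Value names as given in this guide.
    $exclude  = Read-Value $PolicyKey 'ExcludeWUDriversFromQualityUpdates'
    $source   = Read-Value $PolicyKey 'SetPolicyDrivenUpdateSourceForDriverUpdates'
    $useClass = Read-Value "$PolicyKey\AU" 'UseUpdateClassPolicySource'

    $expected = if ($exclude -eq 1) {
        # Exclusion policy: content is shown but never installed.
        'Driver content is displayed in the deployment service; approved drivers are not installed and reporting shows the install as pending.'
    } elseif ($null -eq $source) {
        'No driver exclusion or driver source value found under this key; check Group Policy, CSP, and Intune settings.'
    } elseif ($source -ne 0) {
        # Not Windows Update. See the note on WSUS as the scan source.
        'Driver source is not set to Windows Update. If the scan source for drivers is WSUS, the deployment service gets no inventory events and cannot report driver applicability.'
    } elseif ($useClass -ne 1) {
        # The guide requires AU\UseUpdateClassPolicySource = 1 alongside the source value.
        'Driver source value is 0 but AU\UseUpdateClassPolicySource is not 1; the source policy is incomplete.'
    } else {
        'Driver content is displayed in the deployment service; approved drivers are installed.'
    }

    [pscustomobject]@{
        ExcludeDrivers             = $exclude
        DriverUpdateSource         = $source
        UseUpdateClassPolicySource = $useClass
        ExpectedBehavior           = $expected
    }
}

Get-DriverPolicyState | Format-List
```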