Automated Application Management for Microsoft Endpoint Manager

Simplify third-party application management

Knowledge Base ArticlesRequest Trial

Troubleshooting Clients with Unknown Update State in Configuration Manager (SCCM)

We have seen an increase of cases where update states may show as Unknown for a large number of devices. Customers facing this issue will generally see third-party updates not applying when the updates are applicable to the devices.

An Unknown update state means the device(s) haven’t successfully scanned against the WSUS server or haven’t been able to report the scan results to the Configuration Manager site. There are a variety of possible causes that could cause scan issues. Please see the Microsoft doc Troubleshoot software update scan failures in Configuration Manager – Compliance results unknown.

Topics covered in this article:

Determine if You are Affected

If you are affected by scan issues, you will likely see a high percentage of devices showing an Unknown state in the ConfigMgr console’s All Software Updates node. Although this issue isn’t specific to Patch My PC, we will review some troubleshooting methods below as best-effort support.

ConfigMgr Updates Showing Unknown Software Update Status

More InformationNote: Depending on your Windows Update for Business (WUfB) policies, it’s possible Microsoft updates can still apply from WUfB even if results show unknown in the ConfigMgr console. Third-party updates will never be applied if the update is in an Unknown state. Please see Using ConfigMgr With Windows 10 WUfB Deferral Policies for more details about WUfB policies.

Troubleshooting Step 2: Review the Troubleshooting 1 – Scan errors Report

In most cases, the Microsoft troubleshooting guide is step 1 will help you resolve the issue. We will also share some common issues and troubleshooting methods we have found helpful.

The following report Software Updates – E Troubleshooting > Troubleshooting 1 – Scan errors can be run if you have the reporting services point installed in your ConfigMgr site.

In this report, you can review if there are a large number of devices reporting scan errors.

Troubleshooting 1 - Scan errors

Troubleshooting Step 3: Can the Client Find the WSUS/SUP Server?

Another common reason that can cause clients to show unknown is being unable to locate a WSUS server to scan against. Please see the Microsoft article WSUS server location to understand how clients receive the WSUS server to scan against.

If the software update point isn’t associated with a boundary group the clients are in, it will cause the clients to not scan against the WSUS server causing Unknown states for updates. For more details, please see the article Configure boundary groups for Configuration Manager.

More InformationFrom Microsoft DocsClients use boundary groups to find a new software update point. To control which servers a client can find, add individual software update points to different boundary groups.

If you add all existing software update points to the default site boundary group, the client selects a software update point from the pool of available servers. This behavior is similar to earlier versions of Configuration Manager current branch. For controlled selection and fallback behavior, add individual software update points to different boundary groups.

If you install a new site, software update points aren’t added to the default site boundary group. Assign software update points to a boundary group so that clients can find and use them.

Troubleshooting Step 4: Group Policy Conflict Causes Error 0x87d00692

One of the most common reasons we see for scan failures is a GPO conflict overwriting the WSUS server ConfigMgr is trying to set locally.

If affect, In the scanagent.log, you will likely see the error:

CScanJob::Execute- Failed at AddUpdateSource, Error = 0x87d00692

If you receive the error above, please review our KB article Update Scan Error: Job error (0x87d00692) received for assignment ({ID}) action

Troubleshooting Step 5: IIS Application Pool Running and Optimized

WSUS ultimately relies on Microsoft IIS on the backend, even when integrated with Configuration Manager. If the IIS website or application pool are not working properly then client devices may have scan errors, or report an unknown scan status.

Within IIS on the server running WSUS we can see the below server has both the WSUS Administration and the WsusPool in a stopped state.

When this does happen, clients may exhibit various errors in the WUAHander.log, two of which are below.

OnSearchComplete – Failed to end search job. Error = 0x80244022

OnSearchComplete – Failed to end search job. Error = 0x80240438

To begin with, the two should be started again. You can simply highlight the WSUS Administration website, or the WsusPool and select Start from the Actions pane on the right hand side of IIS.

Commonly the WSUSPool Application Pool will crash due to a lack of resources, or the app pool needing some advanced configuration changes. Microsoft has some docs here which can help give a good baseline for your IIS configuration.