Tracking Windows Update Failures with Intune

Everyone knows that Intune’s strength is not in reporting.
Getting concrete data can be hard, so I built my own reporting tool to do just that.

Here’s how I did it.

The Problem:

Some Windows 11 devices in our fleet were falling behind on Windows Updates. This is an issue as the further behind they get, the more vulnerable they become, increasing our exposure level.

Reviewing the environment, everything looked correct:

  • The affected devices were recently active
  • Our Windows Update policies were properly configured
  • Devices had successfully received the policies

But despite all of that, dozens of devices still weren’t installing patches.

Some of them were running months behind on security updates.

We needed a clear reason why each device was falling behind, and we needed to pull that information centrally.

Reviewing our options..

In this case I’m working with a pretty simple tech stack.

  • Entra Joined Devices.
  • Intune managed.
  • Defender for Endpoint.
  • Windows 11 Enterprise.

Surely, we can get the data from Intune right?

I came across Microsoft’s feature update monitoring documentation, and at first it looked close to what I needed (even if it just covered feature updates).

There was just one problem… the report it referenced didn’t exist.

I was however able to find an entirely different “quality update report” under Autopatch reports, but it does not give me any error codes or clues on why devices aren’t updating.

Sadly, Defender does not help us much here either, only revealing what updates devices are missing and begging me to patch them.

The closest thing to real update reporting seems to be Windows Update for Business Reports, which uses Log Analytics in Azure Monitor.

If we look at screenshots from WUfB reporting, we can see it does give some status messages and “alerts” but it doesn’t seem like there’s enough data here to really explain why a device is behind.

Community Solutions

One thing that kept coming up was this script from Reddit user hahman14.

I took a look at the script and it’s a nice design, it focuses on DISM repairs, cleaning up old update policies, even schedules a reboot around midnight.

But I wanted something more reporting focused that was safe to run at scale, this way I could split devices up into categories and plan out remediation based on the individual issues.

The reality is too, Intune alone is unlikely to be able to fix all of the devices, there will be a few more involved issues that make sense to go to onsite teams for device replacement/re-imaging.

This gave me an idea.

I made my own reporting script

Similar to hahman14, I decided to take advantage of Intune’s Remediation Script function to push a powershell script to each device.

Remediation scripts aren’t really meant for reporting in this way, so I had to keep in mind that my output might be truncated or hard to export cleanly from Intune.

Still, I was able to piece something together that met my needs fairly well.

There’s 2x parts to this

  1. Local logging – The detection script gathers endpoint information and drops it to a JSON file under:
C:\ProgramData\Remediations\WindowsUpdate\UpdateHealth.json
  1. Intune error output – this parses the data from the .json file and truncates it down to only the key bits of information and then logs it to Intune. See the example output below:

I’ve released the script as-is on my github below, which also includes instructions on how to use it :

IntuneWindowsUpdateTelemetry

While this serves my needs fine, there is definitely some room for improvement, so if anyone wants to contribute I’ll happily review any PR’s.

Working with the data

The first step is to make sure that you’ve got the “Pre-remediation detection output” column enabled in Intune.

Once you’ve done that you can review each output individually from the Device status page.

You can even use the export button to open the data in Excel.

As you can see this gives you a lot of information to go off, in my example I’ve got a few different error codes that reveal exactly what is going on with my machines.

However, if you want even more data, you can use Microsoft Defender Live Response (or another remote access tool) to retrieve the full .json file directly from an endpoint for analysis.

The .json file gives you a lot more info, historical update installs, Network test results, service statistics, it’s all there.

Perhaps someone out there might be able to ingest this into Log Analytics/Azure Monitor or something similar to get some cool looking reports from it, but that’s out of scope for me today.

Next Steps.

With my script, I now know that there aren’t any patterns with update failures, I’ve literally got different hex error codes for each device in my list.

In this case it all seems to point to Windows Update Servicing issues on the devices themselves, not disk space issues, low activity or force shutdowns interrupting updates.

The next step for me is to explore repairing Windows Update components with another Intune remediation script.

For the stubborn devices that can’t be resolved remotely I’ll assign our onsite guys to take a look and provide them the error codes directly from the endpoint.

Once we get all our devices up to date we can explore setting a Minimum required OS version using Conditional Access/Compliance Policies to immediately block access to devices that are vulnerable.

This would also ensure that any devices with patching issues receive attention from IT before falling multiple months behind.

Problem solved.

I hope this helped.

Leave a comment down below if you have any tips or even if you just have different ways that you are handling this in your organisation, I’m curious!

Cheers,

Chris

🙉 Wanna know when I post?

I don’t spam! – Just one email, every once in a while, when there’s a new post.

Sharing is caring!

Comments

Note: any comments identifying companies or individuals discussed above will not be approved.

14 responses to “Tracking Windows Update Failures with Intune”

  1. Huw Weatherhead Avatar
    Huw Weatherhead

    Great post and useful scripts, but am i going mad or have you confused Remediation and Detection? surely Detection should create the JSON and Remediation should analyse it?

    1. Chris Avatar

      Honestly, it could probably all be one big detection script with no remediation script at all, it doesn’t technically touch the device other than creating the .json file.

      I’ll get it updated next week into a single script when I’ve got more time.

      Edit:
      This bothered me so I just did some testing and combined the scripts into one detection script.

      The repo and post has been updated, I will collect updated screenshots later on too so that this is easy to follow.

  2. Kingsy Avatar
    Kingsy

    Hi Chris

    Thanks for the article..something I may start to use.

    What fixes are you putting in for these f corrupt files or windows components

    We got yy same issue and it’s a pain in the backside. Not sure how to resolve these ones…you got a script for it?

    1. Chris Avatar

      Thanks mate, glad you found a use for it!

      As for fixes, I’m likely going to do something similar to u/hahman14 and push a script to run DISM repairs and try and restore windows update servicing to a functional state.

      I’m actually in the middle of the remeditation stage right now, so I’m not sure how well it’ll work just yet, I may make another post once I have some results to show for it 🙂

      For a fair amount of endpoints though, we are going to need our onsite guys to manually remediate the devices. This seems pretty unavoidable for us because we have so many different errors popping up, I’ve already flagged a few devices that will just be better off with re-imaging.

  3. JF Avatar
    JF

    I tested it on a few PC and they are all reporting error with eventid 20.

    “HealthState”:”Issue”,”LikelyReason”:”Windows Update failure events detected”,”Evidence”:”EventId=20, Time=2026-05-25 08:40:33, Error=, KB=, Update=”,”

    Not sure what I am missing.

    1. Chris Avatar

      Hey mate,

      Looks like it was having trouble parsing the .json output, if you check a device you deployed to is the .json file there?
      Default path for it is:
      "C:\ProgramData\Remediations\WindowsUpdate\UpdateHealth.json"

      Maybe also try running the script locally on a test machine, not through Intune, it should give you an immediate output there.
      As it stands though, I’ve hit 9 different machines in my fleet with this script and all of them have a very descriptive output in Intune, not what you are seeing.

      1. JF Avatar
        JF

        This is what I got

        “RecentStoreFailures”: [
        {
        “TimeCreated”: “2026-03-23 08:18:12”,
        “EventId”: 20,
        “Message”: “Échec de l’installation : l’installation de la mise à jour suivante a échoue avec l’erreur 0x80073D02 : 9WZDNCRFJBMP-MICROSOFT.WINDOWSSTORE.”
        },
        {
        “TimeCreated”: “2026-03-20 12:55:30”,
        “EventId”: 20,
        “Message”: “Échec de l’installation : l’installation de la mise à jour suivante a échoue avec l’erreur 0x80073D02 : 9WZDNCRFJBMP-MICROSOFT.WINDOWSSTORE.”
        },
        {
        “TimeCreated”: “2026-03-11 08:44:34”,
        “EventId”: 20,
        “Message”: “Échec de l’installation : l’installation de la mise à jour suivante a échoue avec l’erreur 0x80073D02 : 9NBLGGH4NNS1-Microsoft.DesktopAppInstaller.”
        }
        ],

        Message says “Installation Failure: Windows failed to install the following update with error 0x80073D02”.
        Everything is updated in the MS Store but they still report as failed. Weird.

        1. Chris Avatar

          Yep those would be the latest failure events in the log, looks like they’re from back in march.

          It’s possible that is resolved especially if you’re saying that the store apps are updated.

          The .json should have a lot more data than that though, maybe a lack of permissions?

          1. JF Avatar
            JF

            Yes the json file contain much more information

            “RecentInstalledUpdates”: is fine, 9 update are there
            “RecentWUFailures”: contains built-in apps update failure (10 total)
            “RecentStoreFailures”: contains also built-in apps update failure (3 total)

          2. Chris Avatar

            Interesting, if you can share your whole .json file using something like Pastebin, I can take a look at where it’s failing to parse the data and update the script.

            Feel free to sanitise any hostnames or other details if you like, but I do need a pretty untouched .json file to look at.

          3. Chris Avatar

            Thanks for that.

            Looks like there are 2 things I didn’t account for that are causing it to fail.
            One of them is the language not being English, which was all I tested for.
            The second thing was that I hadn’t classified many of the store app events, so some store application update failures were being incorrectly treated as Windows Update failures.
            I’ve tried to add more filtering to catch these, there’s an updated script below if you have some time to test it.

            Let me know if it works better for you and I’ll update my repo.
            https://pastebin.com/u1biCaTT

            Cheers,

          4. JF Avatar
            JF

            I’m getting more green now like this one:

            {“ComputerName”:”COMPUTERNAME”,”HealthState”:”Warning”,”LikelyReason”:”Store/app update failures only”,”Evidence”:”EventId=20, Time=2026-06-03 08:14:26, Error=0x80240016, Update=Mise à jour de la sélection disjointe pour Microsoft Defender Antivirus – 2267602 Ko (version 1.451.245.0) – Canal actuel (large).”,”LastRebootTime”:”2026-05-19 15:41:43″,”LastRebootReason”:”Le processus C:\\WINDOWS\\uus\\packages\\preview\\AMD64\\MoNotificationUx.exe (COMPUTERNAME) a lancé le Redémarrer de l’ordinateur COMPUTERNAME pour l’utilisateur DOMAIN\\USER pour la raison suivante : Système d’exploitation : Service pack (planifié)\r\n Code : 0x80020010\r\n Type d’arrêt : Redémarrer\r\n Commentaire : “,”RecentWUFailures”:null,”PendingWUReboot”:false,”PendingWURebootEvidence”:””,”LastHotfix”:”KB5087051″,”LastHotfixDate”:”2026-05-19 00:00:00″,”CFreeGB”:82.28,”WUServiceStatus”:”Stopped”,”WUServiceStartType”:”Manual”,”BITSServiceStatus”:”Running”,”BITSServiceStartType”:”Automatic”,”PrimaryNic”:”Wi-Fi”,”PrimaryNicSpeed”:”351 Mbps”,”CollectedAt”:”2026-06-03 10:02:37″}

          5. Chris Avatar

            Great to hear, I’ll update the repo with the new script.

Leave a Reply

Your email address will not be published. Required fields are marked *