# WinUpdate-Outstanding Intune Remediation

# Table of Contents

  • Table of Contents
  • Purpose
  • Overview
  • Dependencies
  • Detection Script
  • Remediation Script
  • Usage
  • Inputs
  • Outputs
  • Notes

# Purpose

Documents both the detection and remediation scripts for outstanding Windows Updates via Intune Remediation.

# Overview

This page covers both:

  • Detection script: Checks for outstanding Windows Updates by OS version, last update date, and spread scheduling logic.
  • Remediation script: Repairs Windows Update components, removes update pauses, and resets update-related registry keys to allow updates to proceed.

# Dependencies

# Detection Script

Logic:

  • Targeting logic (spread scheduling): the script decides whether the device should be evaluated for outstanding updates today, based on:
    • The current day of the week (Monday–Friday only; weekends are always skipped).
    • The last character of the device hostname:
      • If the last character is a digit, only certain digits are evaluated on each weekday (e.g., 0/1 on Monday, 2/3 on Tuesday, etc.).
      • If the last character is a letter, the device is evaluated only on Fridays.
    • If the device is not targeted for the current day, the script exits immediately with code 0 (compliant/skipped).
  • Update compliance check: if the device is targeted, the script checks:
    • OS version (Windows 10/11) against the current expected build.
    • Last update date, using Get-HotFix.
    • If the OS version is outdated or the last update is too old (≥40 days), the device is marked non-compliant.
  • Exit codes:
    • 0: Compliant (up to date), or device not targeted for today (skipped)
    • 1: Non-compliant (outstanding updates, outdated OS, or last update too old)
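The targeting and compliance logic above, written out as an added example (this is not the project's detection script). The digit-to-weekday mapping for Wednesday onwards and the `$ExpectedBuild` placeholder are assumptions; the page only gives the Monday/Tuesday digits and does not state the expected builds.

```powershell
# Added example, not the project's detection script: reproduces the spread-scheduling
# and update-age checks described above. $ExpectedBuild is a placeholder to replace
# with the build the organisation currently expects for each OS.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Today = (Get-Date),
    [int]$MaxDaysSinceUpdate = 40,
    [version]$ExpectedBuild = '10.0.0'   # placeholder, not a real target build
)

# Assumed mapping: the page only states 0/1 on Monday, 2/3 on Tuesday, "etc."
$DigitSchedule = @{
    Monday = '0','1'; Tuesday = '2','3'; Wednesday = '4','5'
    Thursday = '6','7'; Friday = '8','9'
}

function Test-TargetedToday {
    param([string]$Name, [datetime]$Date)
    $day  = $Date.DayOfWeek.ToString()
    $last = $Name.Substring($Name.Length - 1)
    if ($day -in 'Saturday','Sunday') { return $false }            # weekends always skipped
    if ($last -match '^\d$')          { return $DigitSchedule[$day] -contains $last }
    if ($last -match '^[A-Za-z]$')    { return $day -eq 'Friday' } # letters: Fridays only
    return $false                                                  # any other character
}

if (-not (Test-TargetedToday -Name $ComputerName -Date $Today)) {
    Write-Output "Skipped: $ComputerName is not targeted on $($Today.DayOfWeek)"
    exit 0
}

# Compliance check: installed build versus expected build, and age of the newest hotfix
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
           Select-Object -First 1
$daysSinceUpdate = if ($lastFix) { ($Today - $lastFix.InstalledOn).Days } else { [int]::MaxValue }
$buildOutdated   = [version]$os.Version -lt $ExpectedBuild

Write-Output "OS version: $($os.Version); last update: $($lastFix.InstalledOn) ($daysSinceUpdate days ago)"
if ($buildOutdated -or $daysSinceUpdate -ge $MaxDaysSinceUpdate) {
    Write-Output 'Non-compliant: outdated build or last update too old'
    exit 1
}
Write-Output 'Compliant'
exit 0
```

Get-HotFix only reports packages with an InstalledOn date, so a device whose newest update lacks one is treated as never updated and falls through to non-compliant.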

Inputs: None required; uses environment, registry, and WMI.

Outputs:

  • Compliance status (compliant, non-compliant, or skipped)
  • OS version
  • Last update date
  • Log/output to console

Documentation:

# Remediation Script

Logic:

The remediation script performs a comprehensive reset and repair of Windows Update components, following these steps:

  1. Run DISM Repair:
     • Executes Repair-WindowsImage -RestoreHealth to repair system image corruption.
  2. Remove Update Pause and Policy Registry Keys:
     • Deletes or resets keys and values under:
       • HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
       • HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings (removes pause dates/status, sets status values to 0)
       • HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update (removes pause dates, sets status values to 0)
     • Also resets update deferral and telemetry settings as needed.
  3. Data Collection and Appraiser Registry:
     • Ensures telemetry/compatibility settings are enabled for update eligibility.
     • Sets or creates values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection and HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser\GWX.
  4. Stop Windows Update Services:
     • Stops the BITS, wuauserv, and cryptsvc services.
  5. Remove QMGR Data Files:
     • Deletes qmgr*.dat files to clear the BITS job queue.
  6. Remove SoftwareDistribution and CatRoot2 Folders:
     • Deletes these folders to reset Windows Update state.
  7. Reset Service Permissions:
     • Resets permissions for BITS and wuauserv using sc.exe sdset.
  8. Re-register Windows Update DLLs:
     • Registers a comprehensive list of DLLs required for Windows Update using regsvr32.exe.
  9. Reset WinSock:
     • Runs netsh winsock reset to repair network stack issues.
  10. Restart Windows Update Services:
     • Starts the BITS, wuauserv, and cryptsvc services.
  11. Force Update Discovery:
     • Runs USOClient.exe StartInteractiveScan to trigger an update scan.
  12. Pause for 5 Minutes:
     • Waits 5 minutes to allow update processes to settle.
  13. Create Diagnostic Logs:
     • Downloads and runs SetupDiag to collect update diagnostics, saving logs to the Intune Management Extension logs folder.
  14. Schedule Midnight Reboot (if needed):
     • Creates a scheduled task to reboot the device at midnight if it has not rebooted in the last day.
     • Checks for fast boot and calculates true uptime.
     • If a reboot is needed, schedules shutdown.exe with a 15-minute warning and a user notification (toast message) instructing users to save work.
     • The notification message is: "Your computer will restart in 15 minutes to install Windows updates - Please save your work now. Submit an ICT Service Desk ticket if this prompt has been displayed three or more days in a row."
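Step 2 (pause removal) as an added example with -WhatIf support, so the registry changes can be previewed on a test device before the remediation is assigned to a group. This is not the project's remediation script: it covers only the two pause keys named above, and the value-name patterns it matches on are assumptions, since the page only says that pause dates are removed and status values set to 0.

```powershell
# Added example, not the project's remediation script: resets Windows Update pause
# state under the two keys documented in step 2. Value-name patterns are assumed.
function Reset-WindowsUpdatePause {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Keys = @(
            'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings',
            'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
        )
    )
    $changed = 0
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) {
            Write-Verbose "$key not present, nothing to reset"
            continue
        }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            $name = $prop.Name
            if ($name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
            if ($name -like '*Pause*Date*' -or $name -like '*Pause*Time*') {
                # assumed pattern for pause date/time values: remove them outright
                if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove pause date value')) {
                    Remove-ItemProperty -Path $key -Name $name
                    $changed++
                }
            }
            elseif ($name -like '*Pause*Status*' -and $prop.Value -ne 0) {
                # assumed pattern for pause status values: set to 0 (not paused)
                if ($PSCmdlet.ShouldProcess("$key\$name", 'Set pause status to 0')) {
                    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
                    $changed++
                }
            }
        }
    }
    return $changed   # number of values removed or reset
}

# Preview first (no changes are written), then apply from an elevated session.
Reset-WindowsUpdatePause -WhatIf -Verbose
# $count = Reset-WindowsUpdatePause -Verbose
```

Run the preview on a device where a pause is set via Settings so the matched value names can be confirmed against what the real script removes.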

All actions are logged to the console and, where applicable, to log files.

Exit codes:

  • 0: Success
  • 1: Error

Inputs: None required; uses environment and registry.

Outputs:

  • Actions taken (step-by-step log)
  • Registry and file changes
  • Diagnostic logs
  • Scheduled reboot status
  • Log/output

Documentation:

# Usage

  • Both scripts are deployed as part of an Intune Remediation package.
  • Detection runs first; if updates are outstanding, remediation is triggered.

# Inputs

  • No external parameters; all logic is self-contained.

# Outputs

  • Detection: Update status, OS version, last update date, log/output.
  • Remediation: Actions taken, registry changes, log/output.

# Notes

  • See project standards for logging, error handling, and accessibility.