排查 Windows 更新代理问题Troubleshoot Windows update agent issues

在进行更新管理部署时计算机未显示为已就绪(正常),这可能有多种原因。There can be many reasons why your machine isn't showing up as ready (healthy) during an Update Management deployment. 你可以检查 Windows 混合 Runbook 辅助角色代理的运行状况,以确定潜在问题。You can check the health of a Windows Hybrid Runbook Worker agent to determine the underlying problem. 以下是计算机的三种就绪状态:The following are the three readiness states for a machine:

  • 迁移就绪性:已部署混合 Runbook 辅助角色,并且上次访问它的时间距当前时间不到一小时。Ready: The Hybrid Runbook Worker is deployed and was last seen less than one hour ago.
  • 已断开连接:已部署混合 Runbook 辅助角色,并且上次访问它的时间距当前时间超过一小时。Disconnected: The Hybrid Runbook Worker is deployed and was last seen over one hour ago.
  • 未配置:混合 Runbook 辅助角色找不到或尚未完成部署。Not configured: The Hybrid Runbook Worker isn't found or hasn't finished the deployment.

备注

Azure 门户显示的内容和计算机的当前状态之间可能会有些微延迟。There can be a slight delay between what the Azure portal shows and the current state of a machine.

本文介绍如何从 Azure 门户为 Azure 计算机运行故障排除,以及如何为离线场景下的非 Azure 计算机运行故障排除。This article discusses how to run the troubleshooter for Azure machines from the Azure portal, and non-Azure machines in the offline scenario.

备注

故障排除脚本现在包含对 Windows Server Update Services (WSUS) 以及对自动下载和安装密钥的检查。The troubleshooter script now includes checks for Windows Server Update Services (WSUS) and for the autodownload and install keys.

启动“故障排除”Start the troubleshooter

对于 Azure 计算机,通过选中门户中“更新代理准备”列下的“故障排除”链接,可以启动“排除更新代理故障”页。 For Azure machines, you can launch the Troubleshoot Update Agent page by selecting the Troubleshoot link under the Update Agent Readiness column in the portal. 对于非 Azure 计算机,该链接会转到本文。For non-Azure machines, the link brings you to this article. 若要对非 Azure 计算机进行故障排除,请参阅脱机进行故障排除See Troubleshoot offline to troubleshoot a non-Azure machine.

虚拟机更新管理列表的屏幕截图

备注

若要查看混合 Runbook 辅助角色的运行状况,VM 必须处于运行状态。To check the health of the Hybrid Runbook Worker, the VM must be running. 如果 VM 没有运行,屏幕上会显示“启动 VM”按钮。If the VM isn't running, a Start the VM button appears.

在“排除更新代理故障”页上选择“运行检查”,启动故障排除。On the Troubleshoot Update Agent page, select Run checks to start the troubleshooter. 故障排除使用运行命令在计算机上运行脚本以验证依赖项。The troubleshooter uses Run Command to run a script on the machine, to verify dependencies. 完成故障排除时,它会返回检查的结果。When the troubleshooter is finished, it returns the result of the checks.

“排除更新代理故障”页面的屏幕截图

结果准备就绪后会显示在该页上。Results are shown on the page when they're ready. 检查部分显示每个检查中包含的内容。The checks sections show what's included in each check.

“排除更新代理故障检查”的屏幕截图

先决条件检查Prerequisite checks

操作系统Operating system

操作系统检查将验证混合 Runbook 辅助角色是否正在运行下表中的操作系统之一。The operating system check verifies whether the Hybrid Runbook Worker is running one of the operating systems shown in the next table.

操作系统Operating system 说明Notes
Windows Server 2012 和更高版本Windows Server 2012 and later 需要 .NET Framework 4.6 或更高版本。.NET Framework 4.6 or later is required. 下载 .NET Framework。)(Download the .NET Framework.)
需要 Windows PowerShell 5.1。Windows PowerShell 5.1 is required. 下载 Windows Management Framework 5.1。)(Download Windows Management Framework 5.1.)

.NET 4.6.2.NET 4.6.2

.NET Framework 检查,用于验证系统是否安装了 .NET Framework 4.6.2 或更高版本。The .NET Framework check verifies that the system has .NET Framework 4.6.2 or later installed.

WMF 5.1WMF 5.1

WMF 检查用于验证系统是否具有所需的 Windows Management Framework (WMF) 版本,即 Windows Management Framework 5.1The WMF check verifies that the system has the required version of the Windows Management Framework (WMF), which is Windows Management Framework 5.1.

TLS 1.2TLS 1.2

此项检查用于确定是否使用 TLS 1.2 加密通信。This check determines whether you're using TLS 1.2 to encrypt your communications. 该平台不再支持 TLS 1.0。TLS 1.0 is no longer supported by the platform. 请使用 TLS 1.2 与更新管理进行通信。Use TLS 1.2 to communicate with Update Management.

连接性检查Connectivity checks

注册终结点Registration endpoint

此检查确定代理是否可以与代理服务正确通信。This check determines whether the agent can properly communicate with the agent service.

代理和防火墙配置必须允许混合 Runbook 辅助角色代理与注册终结点通信。Proxy and firewall configurations must allow the Hybrid Runbook Worker agent to communicate with the registration endpoint. 有关要打开的地址和端口的列表,请参阅网络规划For a list of addresses and ports to open, see Network planning.

操作终结点Operations endpoint

此检查用于确定代理是否可以与作业运行时数据服务正确通信。This check determines whether the agent can properly communicate with the Job Runtime Data Service.

代理和防火墙配置必须允许混合 Runbook 辅助角色代理与作业运行时数据服务通信。Proxy and firewall configurations must allow the Hybrid Runbook Worker agent to communicate with the Job Runtime Data Service. 有关要打开的地址和端口的列表,请参阅网络规划For a list of addresses and ports to open, see Network planning.

VM 服务运行状况检查VM service health checks

监视代理服务的状态Monitoring agent service status

此检查将确定适用于 Windows 的 Log Analytics 代理 (healthservice) 是否正在计算机上运行。This check determines if the Log Analytics agent for Windows (healthservice) is running on the machine. 若要详细了解如何对服务进行故障排查,请参阅适用于 Windows 的 Log Analytics 代理未运行To learn more about troubleshooting the service, see The Log Analytics agent for Windows isn't running.

若要重新安装适用于 Windows 的 Log Analytics 代理,请参阅安装适用于 Windows 的代理To reinstall the Log Analytics agent for Windows, see Install the agent for Windows.

访问权限检查Access permissions checks

备注

如果配置了代理服务器,则故障排除当前不会通过它路由流量。The troubleshooter currently doesn't route traffic through a proxy server if one is configured.

Crypto 文件夹访问权限Crypto folder access

Crypto 文件夹访问检查将确定本地系统帐户是否有权访问 C:\ProgramData\Microsoft\Crypto\RSA。The Crypto folder access check determines whether the local system account has access to C:\ProgramData\Microsoft\Crypto\RSA.

脱机进行故障排除Troubleshoot offline

可以通过在本地运行脚本,在混合 Runbook 辅助角色上脱机使用故障排除。You can use the troubleshooter on a Hybrid Runbook Worker offline by running the script locally. 从 PowerShell 库获取以下脚本:Troubleshoot-WindowsUpdateAgentRegistrationGet the following script from the PowerShell Gallery: Troubleshoot-WindowsUpdateAgentRegistration. 若要运行该脚本,必须安装 WMF 4.0 或更高版本。To run the script, you must have WMF 4.0 or later installed. 若要下载最新版本的 PowerShell,请参阅安装各种版本的 PowerShellTo download the latest version of PowerShell, see Installing various versions of PowerShell.

此脚本的输出如以下示例所示:The output of this script looks like the following example:

RuleId                      : OperatingSystemCheck
RuleGroupId                 : prerequisites
RuleName                    : Operating System
RuleGroupName               : Prerequisite Checks
RuleDescription             : The Windows Operating system must be version 6.2.9200 (Windows Server 2012) or higher
CheckResult                 : Passed
CheckResultMessage          : Operating System version is supported
CheckResultMessageId        : OperatingSystemCheck.Passed
CheckResultMessageArguments : {}

RuleId                      : DotNetFrameworkInstalledCheck
RuleGroupId                 : prerequisites
RuleName                    : .NET Framework 4.5+
RuleGroupName               : Prerequisite Checks
RuleDescription             : .NET Framework version 4.5 or higher is required
CheckResult                 : Passed
CheckResultMessage          : .NET Framework version 4.5+ is found
CheckResultMessageId        : DotNetFrameworkInstalledCheck.Passed
CheckResultMessageArguments : {}

RuleId                      : WindowsManagementFrameworkInstalledCheck
RuleGroupId                 : prerequisites
RuleName                    : WMF 5.1
RuleGroupName               : Prerequisite Checks
RuleDescription             : Windows Management Framework version 4.0 or higher is required (version 5.1 or higher is preferable)
CheckResult                 : Passed
CheckResultMessage          : Detected Windows Management Framework version: 5.1.17763.1
CheckResultMessageId        : WindowsManagementFrameworkInstalledCheck.Passed
CheckResultMessageArguments : {5.1.17763.1}

RuleId                      : AutomationAgentServiceConnectivityCheck1
RuleGroupId                 : connectivity
RuleName                    : Registration endpoint
RuleGroupName               : connectivity
RuleDescription             :
CheckResult                 : Failed
CheckResultMessage          : Unable to find Workspace registration information in registry
CheckResultMessageId        : AutomationAgentServiceConnectivityCheck1.Failed.NoRegistrationFound
CheckResultMessageArguments : {}

RuleId                      : AutomationJobRuntimeDataServiceConnectivityCheck
RuleGroupId                 : connectivity
RuleName                    : Operations endpoint
RuleGroupName               : connectivity
RuleDescription             : Proxy and firewall configuration must allow Automation Hybrid Worker agent to communicate with eus2-jobruntimedata-prod-su1.azure-automation.cn
CheckResult                 : Passed
CheckResultMessage          : TCP Test for eus2-jobruntimedata-prod-su1.azure-automation.cn (port 443) succeeded
CheckResultMessageId        : AutomationJobRuntimeDataServiceConnectivityCheck.Passed
CheckResultMessageArguments : {eus2-jobruntimedata-prod-su1.azure-automation.cn}

RuleId                      : MonitoringAgentServiceRunningCheck
RuleGroupId                 : servicehealth
RuleName                    : Monitoring Agent service status
RuleGroupName               : VM Service Health Checks
RuleDescription             : HealthService must be running on the machine
CheckResult                 : Failed
CheckResultMessage          : Log Analytics for Windows service (HealthService) is not running
CheckResultMessageId        : MonitoringAgentServiceRunningCheck.Failed
CheckResultMessageArguments : {Log Analytics agent for Windows, HealthService}

RuleId                      : MonitoringAgentServiceEventsCheck
RuleGroupId                 : servicehealth
RuleName                    : Monitoring Agent service events
RuleGroupName               : VM Service Health Checks
RuleDescription             : Event Log must not have event 4502 logged in the past 24 hours
CheckResult                 : Failed
CheckResultMessage          : Log Analytics agent for Windows service Event Log does not exist on the machine
CheckResultMessageId        : MonitoringAgentServiceEventsCheck.Failed.NoLog
CheckResultMessageArguments : {Log Analytics agent for Windows}

RuleId                      : CryptoRsaMachineKeysFolderAccessCheck
RuleGroupId                 : permissions
RuleName                    : Crypto RSA MachineKeys Folder Access
RuleGroupName               : Access Permission Checks
RuleDescription             : SYSTEM account must have WRITE and MODIFY access to 'C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys'
CheckResult                 : Passed
CheckResultMessage          : Have permissions to access C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys
CheckResultMessageId        : CryptoRsaMachineKeysFolderAccessCheck.Passed
CheckResultMessageArguments : {C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys}

RuleId                      : TlsVersionCheck
RuleGroupId                 : prerequisites
RuleName                    : TLS 1.2
RuleGroupName               : Prerequisite Checks
RuleDescription             : Client and Server connections must support TLS 1.2
CheckResult                 : Passed
CheckResultMessage          : TLS 1.2 is enabled by default on the Operating System.
CheckResultMessageId        : TlsVersionCheck.Passed.EnabledByDefault
CheckResultMessageArguments : {}

后续步骤Next steps

排查混合 Runbook 辅助角色问题Troubleshoot Hybrid Runbook Worker issues.