Troubleshoot Update Management issues

This article discusses issues that you might run into when deploying the Update Management feature on your machines. There's an agent troubleshooter for the Hybrid Runbook Worker agent to determine the underlying problem. To learn more about the troubleshooter, see Troubleshoot Windows update agent issues and Troubleshoot Linux update agent issues. For other feature deployment issues, see Troubleshoot feature deployment issues.

Scenario: You receive the error "Failed to enable the Update solution"

Issue

When you try to enable Update Management in your Automation account, you get the following error:

Error details: Failed to enable the Update solution

Cause

This error can occur for the following reasons:

  • The network firewall requirements for the Log Analytics agent might not be configured correctly. This situation can cause the agent to fail when resolving the DNS URLs.

  • Update Management targeting is misconfigured and the machine isn't receiving updates as expected.

  • You might also notice that the machine shows a status of Non-compliant under Compliance. At the same time, Agent Desktop Analytics reports the agent as Disconnected.

Resolution

Scenario: Superseded update indicated as missing in Update Management

Issue

Old updates are appearing for an Automation account as missing even though they've been superseded. A superseded update is one that you don't have to install because a later update that corrects the same vulnerability is available. Update Management ignores the superseded update and makes it not applicable in favor of the superseding update. For information about a related issue, see Update is superseded.

Cause

Superseded updates aren't declined in Windows Server Update Services (WSUS), so they can't be considered not applicable.

Resolution

When a superseded update becomes 100 percent not applicable, you should change the approval state of that update to Declined in WSUS. To change the approval state for all your updates:

  1. In the Automation account, select Update Management to view machine status. See View update assessments.

  2. Check the superseded update to make sure that it's 100 percent not applicable.

  3. On the WSUS server the machines report to, decline the update.

  4. Select Computers and, in the Compliance column, force a rescan for compliance. See Manage updates for VMs.

  5. Repeat the steps above for other superseded updates.

  6. For Windows Server Update Services (WSUS), clean all superseded updates to refresh the infrastructure using the WSUS Server Cleanup Wizard.

  7. Repeat this procedure regularly to correct the display issue and minimize the amount of disk space used for update management.

Scenario: Machines don't show up in the portal under Update Management

Issue

Your machines have the following symptoms:

  • Your machine shows Not configured from the Update Management view of a VM.

  • Your machines are missing from the Update Management view of your Azure Automation account.

  • You have machines that show as Not assessed under Compliance. However, you see heartbeat data in Azure Monitor logs for the Hybrid Runbook Worker but not for Update Management.

Cause

This issue can be caused by local configuration issues or by an improperly configured scope configuration. Possible specific causes are:

  • You might have to re-register and reinstall the Hybrid Runbook Worker.

  • You might have defined a quota in your workspace that's been reached and that's preventing further data storage.

Resolution

  1. Run the troubleshooter for Windows or Linux, depending on the OS.

  2. Make sure that your machine is reporting to the correct workspace. For guidance on how to verify this aspect, see Verify agent connectivity to Azure Monitor. Also make sure that this workspace is linked to your Azure Automation account. To confirm, go to your Automation account and select Linked workspace under Related Resources.

  3. Make sure that the machines show up in the Log Analytics workspace linked to your Automation account. Run the following query in the Log Analytics workspace.

    Heartbeat
    | summarize by Computer, Solutions
    
  4. If you don't see your machine in the query results, it hasn't recently checked in. There's probably a local configuration issue and you should reinstall the agent.

  5. If your machine shows up in the query results, check for scope configuration problems. The scope configuration determines which machines are configured for Update Management.

  6. If your machine is showing up in your workspace but not in Update Management, you must configure the scope configuration to target the machine. To learn how to do this, see Enable machines in the workspace.

  7. In your workspace, run this query.

    Operation
    | where OperationCategory == 'Data Collection Status'
    | sort by TimeGenerated desc
    
  8. If you get a Data collection stopped due to daily limit of free data reached. Ingestion status = OverQuota result, the quota defined on your workspace has been reached, which has stopped data from being saved. In your workspace, go to Data volume management under Usage and estimated costs, and change or remove the quota.

  9. If your issue is still unresolved, follow the steps in Deploy a Windows Hybrid Runbook Worker to reinstall the Hybrid Worker for Windows. For Linux, follow the steps in Deploy a Linux Hybrid Runbook Worker.

Scenario: Unable to register Automation resource provider for subscriptions

Issue

When you work with feature deployments in your Automation account, the following error occurs:

Error details: Unable to register Automation Resource Provider for subscriptions

Cause

The Automation resource provider isn't registered in the subscription.

Resolution

To register the Automation resource provider, follow these steps in the Azure portal.

  1. In the Azure service list at the bottom of the portal, select All services, and then select Subscriptions in the General service group.

  2. Select your subscription.

  3. Under Settings, select Resource Providers.

  4. From the list of resource providers, verify that the Microsoft.Automation resource provider is registered.

  5. If it's not listed, register the Microsoft.Automation provider by following the steps at Resolve errors for resource provider registration.

Scenario: Scheduled update with a dynamic schedule missed some machines

Issue

Machines included in an update preview don't all appear in the list of machines patched during a scheduled run.

Cause

This issue can have one of the following causes:

  • The subscriptions defined in the scope of a dynamic query aren't configured for the registered Automation resource provider.

  • The machines weren't available or didn't have the appropriate tags when the schedule executed.

Resolution

Subscriptions not configured for registered Automation resource provider

If your subscription isn't configured for the Automation resource provider, you can't query or fetch information on machines in that subscription. Use the following steps to verify the registration for the subscription.

  1. In the Azure portal, access the Azure service list.

  2. Select All services, and then select Subscriptions in the General service group.

  3. Find the subscription defined in the scope for your deployment.

  4. Under Settings, choose Resource Providers.

  5. Verify that the Microsoft.Automation resource provider is registered.

  6. If it's not listed, register the Microsoft.Automation provider by following the steps at Resolve errors for resource provider registration.

Machines not available or not tagged correctly when schedule executed

Use the following procedure if your subscription is configured for the Automation resource provider, but running the update schedule with the specified dynamic groups missed some machines.

  1. In the Azure portal, open the Automation account and select Update Management.

  2. Check the Update Management history to determine the exact time when the update deployment was run.

  3. For machines that you suspect to have been missed by Update Management, use Azure Resource Graph (ARG) to locate machine changes.

  4. Search for changes over a considerable period, such as one day, before the update deployment was run.

  5. Check the search results for any systemic changes, such as delete or update changes, to the machines in this period. These changes can alter machine status or tags so that machines aren't selected in the machine list when updates are deployed.

  6. Adjust the machines and resource settings as necessary to correct for machine status or tag issues.

  7. Rerun the update schedule to ensure that deployment with the specified dynamic groups includes all machines.

Scenario: Expected machines don't appear in preview for dynamic group

Issue

VMs for the selected scopes of a dynamic group are not showing up in the Azure portal preview list. This list consists of all machines retrieved by an ARG query for the selected scopes. The scopes are filtered for machines that have Hybrid Runbook Workers installed and for which you have access permissions.

Cause

Here are possible causes for this issue:

  • You don't have the correct access on the selected scopes.
  • The ARG query doesn't retrieve the expected machines.
  • Hybrid Runbook Worker isn't installed on the machines.

Resolution

Incorrect access on selected scopes

The Azure portal only displays machines for which you have write access in a given scope. If you don't have the correct access for a scope, see Tutorial: Grant a user access to Azure resources using the Azure portal.

ARG query doesn't return expected machines

Follow the steps below to find out if your queries are working correctly.

  1. Run an ARG query formatted as shown below in the Resource Graph explorer blade in the Azure portal. This query mimics the filters you selected when you created the dynamic group in Update Management. See Use dynamic groups with Update Management. Keep only one of the two tag where clauses, matching the All or Any option you selected.

    where (subscriptionId in~ ("<subscriptionId1>", "<subscriptionId2>") and type =~ "microsoft.compute/virtualmachines" and properties.storageProfile.osDisk.osType == "<Windows/Linux>" and resourceGroup in~ ("<resourceGroupName1>","<resourceGroupName2>") and location in~ ("<location1>","<location2>") )
    | project id, location, name, tags = todynamic(tolower(tostring(tags)))
    | where  (tags[tolower("<tagKey1>")] =~ "<tagValue1>" and tags[tolower("<tagKey2>")] =~ "<tagValue2>") // use this if "All" option selected for tags
    | where  (tags[tolower("<tagKey1>")] =~ "<tagValue1>" or tags[tolower("<tagKey2>")] =~ "<tagValue2>") // use this if "Any" option selected for tags
    | project id, location, name, tags
    

    Here is an example:

    where (subscriptionId in~ ("20780d0a-b422-4213-979b-6c919c91ace1", "af52d412-a347-4bc6-8cb7-4780fbb00490") and type =~ "microsoft.compute/virtualmachines" and properties.storageProfile.osDisk.osType == "Windows" and resourceGroup in~ ("testRG","withinvnet-2020-01-06-10-global-resources-chinaeast2") and location in~ ("chinaeast2","chinanorth","chinanorth2") )
    | project id, location, name, tags = todynamic(tolower(tostring(tags)))
    | where  (tags[tolower("ms-resource-usage")] =~ "azure-cloud-shell" and tags[tolower("temp")] =~ "temp")
    | project id, location, name, tags
    
  2. Check to see if the machines you're looking for are listed in the query results.

  3. If the machines aren't listed, there is probably an issue with the filter selected in the dynamic group. Adjust the group configuration as needed.
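As an added example (not part of the original article), the following PowerShell builds the ARG query above from the same filter inputs and runs it with Search-AzGraph from the Az.ResourceGraph module, so the query you test matches the dynamic group's All/Any tag choice exactly instead of being hand-edited. It assumes Connect-AzAccount has been run; the subscription, resource group and tag values in the usage lines are placeholders.

```powershell
# Added example, not the article's own code. Requires the Az.ResourceGraph module.
function New-DynamicGroupQuery {
    param(
        [Parameter(Mandatory)] [string[]] $SubscriptionId,
        [Parameter(Mandatory)] [ValidateSet('Windows', 'Linux')] [string] $OsType,
        [string[]] $ResourceGroup,
        [string[]] $Location,
        [hashtable] $Tag,
        [ValidateSet('All', 'Any')] [string] $TagMatch = 'All'
    )
    # Turn a list of strings into a quoted, comma-separated KQL list
    $list = { param($v) ($v | ForEach-Object { '"{0}"' -f $_ }) -join ', ' }

    $filters = @(
        'subscriptionId in~ ({0})' -f (& $list $SubscriptionId)
        'type =~ "microsoft.compute/virtualmachines"'
        'properties.storageProfile.osDisk.osType == "{0}"' -f $OsType
    )
    if ($ResourceGroup) { $filters += 'resourceGroup in~ ({0})' -f (& $list $ResourceGroup) }
    if ($Location)      { $filters += 'location in~ ({0})' -f (& $list $Location) }

    $query  = 'where ({0})' -f ($filters -join ' and ')
    $query += "`n| project id, location, name, tags = todynamic(tolower(tostring(tags)))"

    if ($Tag -and $Tag.Count -gt 0) {
        # Keys were lower-cased by the projection above, so compare lower-cased keys
        $tagTerms = foreach ($k in $Tag.Keys) {
            'tags[tolower("{0}")] =~ "{1}"' -f $k, $Tag[$k]
        }
        # Portal option "All" = AND, "Any" = OR. Emit exactly one where clause:
        # leaving both template lines in place ANDs them and silently drops machines.
        $joiner = if ($TagMatch -eq 'All') { ' and ' } else { ' or ' }
        $query += "`n| where ({0})" -f ($tagTerms -join $joiner)
    }
    $query += "`n| project id, location, name, tags"
    return $query
}

# Usage (placeholder values): mirror the filters chosen for the dynamic group,
# then compare the result set with the portal preview.
$q = New-DynamicGroupQuery -SubscriptionId '<subscriptionId1>' -OsType Windows `
        -ResourceGroup 'testRG' -Location 'chinaeast2' `
        -Tag @{ 'ms-resource-usage' = 'azure-cloud-shell'; 'temp' = 'temp' } -TagMatch All
Write-Host $q
$results = Search-AzGraph -Query $q -First 1000
$results | Select-Object name, location, id
```

Machines returned here but absent from the preview point at the access or Hybrid Runbook Worker causes listed in this scenario rather than at the filter.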

Hybrid Runbook Worker not installed on machines

Machines do appear in ARG query results but still don't show up in the dynamic group preview. In this case, the machines might not be designated as hybrid workers and thus can't run Azure Automation and Update Management jobs. To ensure that the machines you're expecting to see are set up as Hybrid Runbook Workers:

  1. In the Azure portal, go to the Automation account for a machine that is not appearing correctly.

  2. Select Hybrid worker groups under Process Automation.

  3. Select the System hybrid worker groups tab.

  4. Validate that the hybrid worker is present for that machine.

  5. If the machine is not set up as a hybrid worker, make adjustments using the instructions at Automate resources in your datacenter or cloud by using Hybrid Runbook Worker.

  6. Join the machine to the Hybrid Runbook Worker group.

  7. Repeat the steps above for all machines that have not been displaying in the preview.

Scenario: Update Management components enabled, while VM continues to show as being configured

Issue

You continue to see the following message on a VM 15 minutes after deployment begins:

The components for the 'Update Management' solution have been enabled, and now this virtual machine is being configured. Please be patient, as this can sometimes take up to 15 minutes.

Cause

This error can occur for the following reasons:

  • Communication with the Automation account is being blocked.

  • There is a duplicate computer name with different source computer IDs. This scenario occurs when a VM with a particular computer name is created in different resource groups and is reporting to the same Log Analytics workspace in the subscription.

  • The VM image being deployed might come from a cloned machine that wasn't prepared with System Preparation (sysprep) with the Log Analytics agent for Windows installed.

Resolution

To help in determining the exact problem with the VM, run the following query in the Log Analytics workspace that's linked to your Automation account.

Update
| where Computer contains "fillInMachineName"
| project TimeGenerated, Computer, SourceComputerId, Title, UpdateState 

Communication with Automation account blocked

Go to Network planning to learn about which addresses and ports must be allowed for Update Management to work.

Duplicate computer name

Rename your VMs to ensure unique names in their environment.

Deployed image from cloned machine

If you're using a cloned image, different computer names have the same source computer ID. In this case:

  1. In your Log Analytics workspace, remove the VM from the saved search for the MicrosoftDefaultScopeConfig-Updates scope configuration if it's shown. Saved searches can be found under General in your workspace.

  2. Run the following cmdlet.

    Remove-Item -Path "HKLM:\software\microsoft\hybridrunbookworker" -Recurse -Force
    
  3. Run Restart-Service HealthService to restart the health service. This operation recreates the key and generates a new UUID.

  4. If this approach doesn't work, run sysprep on the image first and then install the Log Analytics agent for Windows.
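As an added example (not part of the original article), this PowerShell runs the workspace-side checks from the "Machines don't show up" scenario and the duplicate-name / cloned-image checks from this scenario in one pass, using Invoke-AzOperationalInsightsQuery from the Az.OperationalInsights module. It assumes Connect-AzAccount has been run; the workspace ID and computer name are placeholders, and the OverQuota match is done on the whole Operation row rather than a specific column.

```powershell
# Added example, not the article's own code. Requires the Az.OperationalInsights module.
function Get-UpdateManagementAgentState {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,    # workspace (customer) ID, a GUID
        [Parameter(Mandatory)] [string] $ComputerName
    )
    # 1. Heartbeat: is the machine checking in, and does its Solutions list include Updates?
    $hb = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query @"
Heartbeat
| where Computer =~ "$ComputerName"
| summarize LastSeen = max(TimeGenerated) by Computer, Solutions
"@).Results

    # 2. Data Collection Status: did ingestion stop because the daily cap was reached?
    $op = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query @"
Operation
| where OperationCategory == 'Data Collection Status'
| sort by TimeGenerated desc
| take 1
"@).Results

    # 3. Update table: one name with several SourceComputerIds = duplicate computer name;
    #    one SourceComputerId under several names = cloned image that was not sysprepped.
    $pairs = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query @"
Update
| where Computer contains "$ComputerName"
| distinct Computer, SourceComputerId
"@).Results
    $dupNames = $pairs | Group-Object Computer         | Where-Object Count -gt 1
    $cloned   = $pairs | Group-Object SourceComputerId | Where-Object Count -gt 1

    [pscustomobject]@{
        Computer               = $ComputerName
        HeartbeatSeen          = [bool]$hb                                   # no: reinstall agent
        LastHeartbeat          = ($hb | Select-Object -First 1).LastSeen
        UpdatesSolutionEnabled = [bool]($hb | Where-Object { $_.Solutions -match 'updates' })  # no: fix scope config
        IngestionOverQuota     = (($op | Out-String) -match 'OverQuota')      # yes: raise or remove the quota
        DuplicateNames         = @($dupNames | ForEach-Object Name)           # rename the VMs
        ClonedSourceIds        = @($cloned   | ForEach-Object Name)           # remove HRW key, restart HealthService
    }
}

# Usage (placeholder values)
Get-UpdateManagementAgentState -WorkspaceId '<workspaceId>' -ComputerName '<computerName>' | Format-List
```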

Scenario: You receive a linked subscription error when you create an update deployment for machines in another Azure tenant

Issue

You encounter the following error when you try to create an update deployment for machines in another Azure tenant:

The client has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroupName/providers/Microsoft.Automation/automationAccounts/automationAccountName/softwareUpdateConfigurations/updateDeploymentName', however the current tenant '00000000-0000-0000-0000-000000000000' is not authorized to access linked subscription '00000000-0000-0000-0000-000000000000'.

Cause

This error occurs when the update deployment includes Azure VMs that belong to another tenant.

Resolution

Use the following workaround to get these items scheduled. You can use the New-AzAutomationSchedule cmdlet with the ForUpdateConfiguration parameter to create a schedule. Then, use the New-AzAutomationSoftwareUpdateConfiguration cmdlet and pass the machines in the other tenant to the NonAzureComputer parameter. The following example shows how to do this:

# Machines in the other tenant, passed as non-Azure computers
$nonAzurecomputers = @("server-01", "server-02")

$startTime = ([DateTime]::Now).AddMinutes(10)

# Automation account that owns the deployment
$rg = "mygroup"
$aa = "myaccount"

# Resource IDs of Azure VMs in your own tenant to include in the same deployment (placeholder)
$azureVMIdsW = @("<azureVmResourceId>")

$s = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa -Name myupdateconfig -Description test-OneTime -OneTime -StartTime $startTime -ForUpdateConfiguration

New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $aa -Schedule $s -Windows -AzureVMResourceId $azureVMIdsW -NonAzureComputer $nonAzurecomputers -Duration (New-TimeSpan -Hours 2) -IncludedUpdateClassification Security,UpdateRollup -ExcludedKbNumber KB01,KB02 -IncludedKbNumber KB100

Scenario: Unexplained reboots

Issue

Even though you've set the Reboot Control option to Never Reboot, machines are still rebooting after updates are installed.

Cause

Windows Update can be modified by several registry keys, any of which can modify reboot behavior.

Resolution

Review the registry keys listed under Configuring Automatic Updates by editing the registry and Registry keys used to manage restart to make sure your machines are configured properly.

Scenario: Machine shows "Failed to start" in an update deployment

Issue

A machine shows a Failed to start status. When you view the specific details for the machine, you see the following error:

Failed to start the runbook. Check the parameters passed. RunbookName Patch-MicrosoftOMSComputer. Exception You have requested to create a runbook job on a hybrid worker group that does not exist.

Cause

This error can occur for one of the following reasons:

  • The machine doesn't exist anymore.
  • The machine is turned off and unreachable.
  • The machine has a network connectivity issue, and therefore the hybrid worker on the machine is unreachable.
  • There was an update to the Log Analytics agent that changed the source computer ID.
  • Your update run was throttled because you hit the limit of 200 concurrent jobs in an Automation account. Each deployment is considered a job, and each machine in an update deployment counts as a job. Any other automation job or update deployment currently running in your Automation account counts toward the concurrent job limit.

Resolution

When applicable, use dynamic groups for your update deployments. In addition, you can take the following steps.

  1. Verify that your machine or server meets the requirements.
  2. Verify connectivity to the Hybrid Runbook Worker using the Hybrid Runbook Worker agent troubleshooter. To learn more about the troubleshooter, see Troubleshoot update agent issues.

Scenario: Updates are installed without a deployment

Issue

When you enroll a Windows machine in Update Management, you see updates installed without a deployment.

Cause

On Windows, updates are installed automatically as soon as they're available. This behavior can cause confusion if you didn't schedule an update to be deployed to the machine.

Resolution

The HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU registry key defaults to a setting of 4: auto download and install.

For Update Management clients, we recommend setting this key to 3: auto download but do not auto install.

For more information, see Configuring Automatic Updates.

Scenario: Machine is already registered to a different account

Issue

You receive the following error message:

Unable to Register Machine for Patch Management, Registration Failed with Exception System.InvalidOperationException: {"Message":"Machine is already registered to a different account."}

Cause

The machine has already been deployed to another workspace for Update Management.

Resolution

  1. Follow the steps under Machines don't show up in the portal under Update Management to make sure the machine is reporting to the correct workspace.
  2. Clean up artifacts on the machine by deleting the hybrid runbook group, and then try again.

Scenario: Machine can't communicate with the service

Issue

You receive one of the following error messages:

Unable to Register Machine for Patch Management, Registration Failed with Exception System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server can't communicate, because they do not possess a common algorithm
Unable to Register Machine for Patch Management, Registration Failed with Exception Newtonsoft.Json.JsonReaderException: Error parsing positive infinity value.
The certificate presented by the service <wsid>.oms.opinsights.azure.cn was not issued by a certificate authority used for Microsoft services. Contact your network administrator to see if they are running a proxy that intercepts TLS/SSL communication.
Access is denied. (Exception form HRESULT: 0x80070005(E_ACCESSDENIED))

Cause

A proxy, gateway, or firewall might be blocking network communication.

Resolution

Review your networking and make sure the appropriate ports and addresses are allowed. See network requirements for a list of ports and addresses that are required by Update Management and Hybrid Runbook Workers.

Scenario: Unable to create self-signed certificate

Issue

You receive the following error message:

Unable to Register Machine for Patch Management, Registration Failed with Exception AgentService.HybridRegistration. PowerShell.Certificates.CertificateCreationException: Failed to create a self-signed certificate. ---> System.UnauthorizedAccessException: Access is denied.

Cause

The Hybrid Runbook Worker couldn't generate a self-signed certificate.

Resolution

Verify that the system account has read access to the C:\ProgramData\Microsoft\Crypto\RSA folder, and try again.

Scenario: The scheduled update failed with a MaintenanceWindowExceeded error

Issue

The default maintenance window for updates is 120 minutes. You can increase the maintenance window to a maximum of 6 hours, or 360 minutes.

Resolution

To understand why this occurred during an update run after it started successfully, check the job output from the affected machine in the run. You might find specific error messages from your machines that you can research and take action on.

Edit any failing scheduled update deployments, and increase the maintenance window.

For more information on maintenance windows, see Install updates.

场景:计算机显示“未评估”,并显示 HRESULT 异常Scenario: Machine shows as "Not assessed" and shows an HRESULT exception

问题Issue

  • 计算机在“合规性”下显示 Not assessed,并且能看到下面显示一条异常消息。You have machines that show as Not assessed under Compliance , and you see an exception message below them.
  • 你会在门户中看到 HRESULT 错误代码。You see an HRESULT error code in the portal.

原因Cause

未正确配置更新代理(Windows 上的 Windows 更新代理;Linux 分发的包管理器)。The Update Agent (Windows Update Agent on Windows; the package manager for a Linux distribution) isn't configured correctly. 更新管理依赖于计算机的更新代理来提供所需的更新、修补程序的状态,以及所部署的修补程序的结果。Update Management relies on the machine's Update Agent to provide the updates that are needed, the status of the patch, and the results of deployed patches. 如果没有该信息,则更新管理无法正确报告所需的或已安装的修补程序。Without this information, Update Management can't properly report on the patches that are needed or installed.

解决方法Resolution

尝试在计算机上本地执行更新。Try to perform updates locally on the machine. 如果此操作失败,则通常表示存在更新代理配置错误。If this operation fails, it typically means that there's an update agent configuration error.

此问题通常是由网络配置和防火墙问题导致的。This problem is frequently caused by network configuration and firewall issues. 执行以下检查来更正问题。Use the following checks to correct the issue.

如果看到 HRESULT,双击显示为红色的异常,查看完整的异常消息。If you see an HRESULT, double-click the exception displayed in red to see the entire exception message. 查看下表,了解可能采取的解决方案或推荐操作。Review the following table for potential resolutions or recommended actions.

异常Exception 解决方法或操作Resolution or action
Exception from HRESULT: 0x……C 搜索 Windows 更新错误代码列表中的相关错误代码,以查找有关异常原因的其他详细信息。Search the relevant error code in Windows update error code list to find additional details about the cause of the exception.
0x8024402C
0x8024401C
0x8024402F
这些表示是网络连接问题。These indicate network connectivity issues. 请确保你的计算机具有与更新管理的网络连接。Make sure your machine has network connectivity to Update Management. 请参阅网络规划部分,了解所需的端口和地址的列表。See the network planning section for a list of required ports and addresses.
0x8024001E 由于服务或系统正关闭,未能完成更新操作。The update operation didn't complete because the service or system was shutting down.
0x8024002E 已禁用 Windows 更新服务。Windows Update service is disabled.
0x8024402C 如果使用 WSUS 服务器,请确保注册表项 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateWUServerWUStatusServer 的注册表值指定的是正确的 WSUS 服务器。If you're using a WSUS server, make sure the registry values for WUServer and WUStatusServer under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate registry key specify the correct WSUS server.
0x80072EE2 网络连接问题或与已配置的 WSUS 服务器通信的问题。There's a network connectivity issue or an issue in talking to a configured WSUS server. 检查 WSUS 设置并确保可以从客户端访问服务。Check WSUS settings and make sure the service is accessible from the client.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (Exception from HRESULT: 0x80070422) 请确保 Windows 更新服务 (wuauserv) 正在运行,并且未禁用。Make sure the Windows Update service (wuauserv) is running and not disabled.
0x80070005 出现拒绝访问错误的原因可能是以下之一:An access denied error can be caused by any one of the following:
感染的计算机Infected computer
未正确配置 Windows 更新设置Windows Update settings not configured correctly
%WinDir%\SoftwareDistribution 文件夹的文件权限错误File permission error with %WinDir%\SoftwareDistribution folder
系统驱动器 (C:) 的磁盘空间不足。Insufficient disk space on the system drive (C:).
任何其他一般异常Any other generic exception 在 Internet 上搜索可能的解决方案,并与本地 IT 支持人员合作。Run a search on the internet for possible resolutions, and work with your local IT support.

Reviewing the %Windir%\Windowsupdate.log file can also help you determine possible causes. For more information about how to read the log, see How to read the Windowsupdate.log file.

You can also download and run the Windows Update troubleshooter to check for any issues with Windows Update on the machine.

Note

The Windows Update troubleshooter documentation indicates that it's for use on Windows clients, but it also works on Windows Server.

Scenario: Update run returns Failed status (Linux)

Issue

An update run starts but encounters errors during the run.

Cause

Possible causes:

  • The package manager is unhealthy.
  • The update agent (WUA for Windows, the distro-specific package manager for Linux) is misconfigured.
  • Specific packages are interfering with cloud-based patching.
  • The machine is unreachable.
  • Updates had dependencies that weren't resolved.

Resolution

If failures occur during an update run after it starts successfully, check the job output from the affected machine in the run. You might find specific error messages from your machines that you can research and act on. Update Management requires the package manager to be healthy for successful update deployments.

If specific patches, packages, or updates are seen immediately before the job fails, you can try excluding these items from the next update deployment. To gather log information from Windows Update, see Windows Update log files.

If you can't resolve a patching issue, make a copy of the /var/opt/microsoft/omsagent/run/automationworker/omsupdatemgmt.log file and preserve it for troubleshooting purposes before the next update deployment starts.

Patches aren't installed

Machines don't install updates

Try running updates directly on the machine. If the machine can't apply the updates, consult the list of potential errors in the troubleshooting guide.

If updates run locally, try removing and reinstalling the agent on the machine by following the guidance at Remove a VM from Update Management.

I know updates are available, but they don't show as available on my machines

This often happens if machines are configured to get updates from WSUS or Microsoft Endpoint Configuration Manager, but WSUS and Configuration Manager haven't approved the updates.

You can check whether the machines are configured for WSUS and SCCM by cross-referencing the UseWUServer registry key to the registry keys in the Configuring Automatic Updates by Editing the Registry section of this article.
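The following PowerShell script is an added example (not Microsoft's code) that performs the UseWUServer check described here and also reports the WUServer/WUStatusServer values and the wuauserv service state behind errors 0x8024402C and 0x80070422 from the table above. It assumes PowerShell 5.1 or later and an elevated session on the managed Windows machine; the registry paths and value names are the standard Windows Update policy locations.

```powershell
# Added example: report where this machine is configured to get updates from
# and whether the Windows Update service (wuauserv) is able to run.
# Assumes PowerShell 5.1+ (for $service.StartType) and an elevated session.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusPolicy {
    # Read the policy values; Get-ItemProperty returns $null for missing keys/values.
    $wuServer       = (Get-ItemProperty -Path $policyKey -Name WUServer       -ErrorAction SilentlyContinue).WUServer
    $wuStatusServer = (Get-ItemProperty -Path $policyKey -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer
    $useWuServer    = (Get-ItemProperty -Path $auKey     -Name UseWUServer    -ErrorAction SilentlyContinue).UseWUServer

    [pscustomobject]@{
        UseWUServer    = $useWuServer      # 1 = client is pointed at WSUS / Configuration Manager
        WUServer       = $wuServer         # scan/download server URL
        WUStatusServer = $wuStatusServer   # status-reporting server URL
    }
}

$policy = Get-WsusPolicy

if ($policy.UseWUServer -eq 1) {
    Write-Host "Configured to use an internal update server (WSUS / Configuration Manager)."
    Write-Host "  WUServer       : $($policy.WUServer)"
    Write-Host "  WUStatusServer : $($policy.WUStatusServer)"
    if (-not $policy.WUServer -or -not $policy.WUStatusServer) {
        # Error 0x8024402C above: the client is told to use WSUS but has no usable server URL.
        Write-Warning "UseWUServer is set but WUServer/WUStatusServer is missing; expect 0x8024402C until both point at a reachable WSUS server."
    }
    Write-Host "Updates not yet approved in WSUS / Configuration Manager will not show as available in Update Management."
} else {
    Write-Host "UseWUServer is not 1: the machine scans Microsoft Update directly."
}

# Error 0x80070422 / 0x8024002E above: the Windows Update service is disabled or cannot start.
$service = Get-Service -Name wuauserv
Write-Host "wuauserv status: $($service.Status), start type: $($service.StartType)"
if ($service.StartType -eq 'Disabled') {
    Write-Warning "wuauserv is disabled; Update Management scans will fail with 0x80070422 until it is re-enabled."
}
```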

If updates aren't approved in WSUS, they're not installed. You can check for unapproved updates in Log Analytics by running the following query.

Update | where UpdateState == "Needed" and ApprovalSource == "WSUS" and Approved == "False" | summarize max(TimeGenerated) by Computer, KBID, Title

Updates show as installed, but I can't find them on my machine

Updates are often superseded by other updates. For more information, see Update is superseded in the Windows Update Troubleshooting guide.

Installing updates by classification on Linux

Deploying updates to Linux by classification ("Critical and security updates") has important caveats, especially for CentOS. These limitations are documented on the Update Management overview page.

KB2267602 is consistently missing

KB2267602 is the Windows Defender definition update. It's updated daily.

Next steps

If you don't see your problem or can't resolve your issue, try one of the following channels for additional support.