Let’s look at a ConfigMgr CMPivot query to collect Windows Update logs from SCCM clients remotely. ConfigMgr CMPivot is based on the fast channel notification architecture.
With the latest versions of Windows, the WindowsUpdate.log information is part of the event logs called WindowsUpdateClient.
Many organizations use SCCM (WSUS) and Intune (WUfB) to patch Windows 10 devices. Collecting Windows update logs (WindowsUpdate.log) from the SCCM client is important for troubleshooting Windows update or patching issues.
The ConfigMgr CMPivot query tool allows you to assess the state of devices quickly. When you run a query against a device collection, the CMPivot tool runs the query in real time on all currently connected (online) devices in the selected collection.
WindowsUpdateClient Event Logs
You don’t have WindowsUpdate.log available out of the box with the latest version of Windows. Instead, you need to use the following PowerShell command to create WindowsUpdate.log. The Get-WindowsUpdateLog cmdlet merges and converts Windows Update .etl files into a single readable WindowsUpdate.log file.
Get-WindowsUpdateLog
How to Collect Windows Update Logs from SCCM Client
You can use a CMPivot query to collect Windows update logs from Windows devices. This is the best and easiest way to get the error details from the Windows Update Client event logs.
- Navigate to the device collection against which you want to run the CMPivot query.
- Select any device collection.
- Right-click the device collection.
- Select Start CMPivot.
NOTE! – In a production environment with many Windows devices, I don’t recommend using the All Systems collection. Instead, use a collection with a smaller number of devices to try out the query.
ConfigMgr CMPivot Query for Event Logs
Let’s look at the ConfigMgr CMPivot queries for event logs. Be mindful of the log information that you query through CMPivot.
The following CMPivot query gives you the details of Microsoft-Windows-WindowsUpdateClient/Operational event logs for the last one hour.
WinEvent('Microsoft-Windows-WindowsUpdateClient/Operational', 1h)
The following CMPivot query gives you the details of Microsoft-Windows-WindowsUpdateClient/Operational event logs for the last day.
WinEvent('Microsoft-Windows-WindowsUpdateClient/Operational', 1d)
The following CMPivot query gives you the error count per device, with a summary dashboard, by querying Microsoft-Windows-WindowsUpdateClient/Operational event logs for the last day.
WinEvent('Microsoft-Windows-WindowsUpdateClient/Operational', 1d)
| where LevelDisplayName == 'Error'
| summarize count() by Device
Export CMPivot Query Results
Let’s find out how to export CMPivot query results into a CSV file.
- Click the Export button.
- From the drop-down menu, select Result to file.
Device | LevelDisplayName | DateTime | Message | ProviderName | ID |
Prod-Win20 | Information | 07-02-2021 03:41 | Windows Update successfully found 0 updates. | Microsoft-Windows-WindowsUpdateClient | 26 |
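The following Python script is an added example, not part of the original post: it reads an exported CSV, keeps the Error rows, and groups devices by the error code found in the Message column, so you can see which failure affects the most clients. It assumes the file has a header row with the column names shown above; the sample rows and the update name in them are constructed.

```python
import csv
import io
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the column layout of the export shown above
# (assumption: the exported file starts with this header row).
SAMPLE_CSV = """Device,LevelDisplayName,DateTime,Message,ProviderName,ID
Prod-Win20,Information,07-02-2021 03:41,Windows Update successfully found 0 updates.,Microsoft-Windows-WindowsUpdateClient,26
Prod-Win21,Error,07-02-2021 04:02,Installation Failure: Windows failed to install the following update with error 0x80070643: Sample Update A.,Microsoft-Windows-WindowsUpdateClient,20
Prod-Win21,Error,07-02-2021 05:10,Installation Failure: Windows failed to install the following update with error 0x80070643: Sample Update A.,Microsoft-Windows-WindowsUpdateClient,20
Prod-Win22,Error,07-02-2021 04:15,Windows Update failed to check for updates with error 0x8024401C.,Microsoft-Windows-WindowsUpdateClient,25
"""

# Windows Update error messages carry an 8-digit hex error code.
HRESULT_RE = re.compile(r"\b0x[0-9A-Fa-f]{8}\b")

def triage(csv_text):
    """Return (error count per device, set of devices per error code)."""
    errors_by_device = Counter()
    devices_by_code = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["LevelDisplayName"].strip().lower() != "error":
            continue  # Information and Warning rows are not failures
        device = row["Device"].strip()
        errors_by_device[device] += 1
        # A message without a code is still counted, under a placeholder key.
        codes = HRESULT_RE.findall(row["Message"]) or ["(no code in message)"]
        for code in codes:
            devices_by_code[code.lower()].add(device)
    return errors_by_device, devices_by_code

def report(csv_text):
    """Build report lines, most widespread error code first."""
    errors_by_device, devices_by_code = triage(csv_text)
    ranked = sorted(devices_by_code.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    lines = [f"{code}: {len(devs)} device(s): {', '.join(sorted(devs))}"
             for code, devs in ranked]
    lines += [f"{dev}: {n} error event(s)" for dev, n in errors_by_device.most_common()]
    return lines

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig drops a byte-order mark if the export has one
        with open(sys.argv[1], encoding="utf-8-sig", newline="") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    print("\n".join(report(text)))
```

Run it with the path of the exported file as the only argument; without an argument it processes the constructed sample.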
Author
Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and local user group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.