How to resolve WSUS and Windows Update common errors

Case #

You are trying to install Windows Updates on a client or server OS machine, either through WSUS or by downloading and installing directly from Windows Update. However, the updates do not download or install, and an error code is returned.

Resolution #

First, check the logs and the WSUS or Windows Update console for the exact error message.

WSUS #

Remember that this troubleshooting guide assumes that you have a healthy and functional WSUS deployment. Depending on your WSUS architecture design, you may need to re-check the configuration of various components to exclude a potential infrastructure or configuration issue. One example of such a configuration issue is the permissions on the NTFS network share, as explained in this article: https://stefanos.cloud/kb/windows-server-update-services-wsus-share-permissions/. Other WSUS infrastructure considerations include the number and sync topology of the WSUS servers, the network bandwidth and routing, as well as the configuration of WSUS via the WSUS console.

Note: If you cannot connect to the WSUS MMC console, then check the following article: https://stefanos.cloud/kb/how-to-resolve-wsus-connection-error/.

If you are running WSUS, you will need to check the WSUS logs and also check the Windows Updates status from within the WSUS console and from each affected Windows server/client machine. Ensure also that the WSUS server(s) themselves have the latest Windows Updates installed.

Microsoft provides general troubleshooting steps for WSUS in the following article: https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting.

Another common troubleshooting step, which resolves many WSUS issues, is to run the WSUS server cleanup wizard.

To resolve WSUS registration issues, re-register the Windows client/server in WSUS by following these steps:

  • Run the "gpupdate /force" command on the Windows client/server that has a registration issue in WSUS.
  • Check GPO application on each WSUS client by running gpresult /r and verifying that the GPO containing the WSUS logic has been applied to the WSUS client in question.
  • Ensure that all WSUS clients can access the WSUS server (DNS and WSUS port). For this, you should run the following commands on each WSUS client:
    • nslookup [WSUS_SERVER_FQDN]
    • telnet [WSUS_SERVER_FQDN] [TCP_PORT: 8530]
  • Run the "wuauclt /detectnow" command on the Windows client/server that has a registration issue in WSUS.
    Tip: You can use the Event Viewer to review the re-registration.
  • In rare cases, you may need to run the "wuauclt.exe /resetauthorization /detectnow" command.
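
The checks in the list above (applied GPO, DNS, WSUS port) can be run in one read-only pass. The following PowerShell function is an added example, not part of the original article; the function name Test-WsusClient is hypothetical, and it assumes the WSUS GPO writes the standard WUServer and UseWUServer policy values and that Resolve-DnsName and Test-NetConnection are available (Windows 8 / Server 2012 or later).

```powershell
# Added example: read-only WSUS client pre-check. Assumes the standard WU policy values.
function Test-WsusClient {
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    $r = [ordered]@{
        WUServer = $null; UseWUServer = $null; DnsResolved = $false
        PortOpen = $false; Findings = @()
    }

    # 1. Did the GPO deliver the WSUS settings? (what gpresult /r implies)
    $wu = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyPath\AU" -ErrorAction SilentlyContinue
    if (-not $wu -or -not $wu.WUServer) {
        $r.Findings += 'No WUServer policy value found: WSUS GPO is not applied.'
        return [pscustomobject]$r
    }
    $r.WUServer    = $wu.WUServer
    $r.UseWUServer = $au.UseWUServer
    if ($au.UseWUServer -ne 1) {
        $r.Findings += 'UseWUServer is not 1: the client ignores WUServer.'
    }

    # 2. Take host and port from the policy URL instead of typing them by hand.
    $uri = $null
    if (-not [uri]::TryCreate($wu.WUServer, [UriKind]::Absolute, [ref]$uri)) {
        $r.Findings += "WUServer is not a valid URL: $($wu.WUServer)"
        return [pscustomobject]$r
    }
    if ($uri.Scheme -eq 'http') {
        $r.Findings += 'WUServer uses http, so client-server traffic is not TLS-protected.'
    }

    # 3. DNS check (nslookup equivalent).
    try {
        Resolve-DnsName -Name $uri.Host -ErrorAction Stop | Out-Null
        $r.DnsResolved = $true
    } catch {
        $r.Findings += "DNS lookup failed for $($uri.Host)."
        return [pscustomobject]$r
    }

    # 4. TCP port check (telnet equivalent; the telnet client is often not installed).
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    $r.PortOpen = [bool]$tcp.TcpTestSucceeded
    if (-not $r.PortOpen) { $r.Findings += "TCP port $($uri.Port) on $($uri.Host) is unreachable." }
    [pscustomobject]$r
}
Test-WsusClient | Format-List
```

An empty Findings list with DnsResolved and PortOpen both True means the client-side prerequisites are in place and the problem is more likely on the WSUS server side.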

Client devices not reporting to WSUS console #

If client devices are not reporting to the WSUS console, remove the affected devices from the WSUS MMC console and then, from an administrative PowerShell prompt on each affected system, run the following PowerShell cmdlets.

Stop-Service -Name BITS, wuauserv -Force
Remove-ItemProperty -Name AccountDomainSid, PingID, SusClientId, SusClientIDValidation -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ -ErrorAction SilentlyContinue
Remove-Item "$env:SystemRoot\SoftwareDistribution\" -Recurse -Force -ErrorAction SilentlyContinue
Start-Service -Name BITS, wuauserv
wuauclt /resetauthorization /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

Wait 24-48 hours after running the client-side script above to see if the issues have been resolved.

You can also run various other troubleshooting tasks via the WSUSUtil.exe tool: https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127395

Important note:

You can quickly check whether the issue is related to the communication between WSUS and the client machine by removing the WSUS integration from the affected client/server OS machine. If the machine works OK with direct Windows Updates, then the issue definitely lies in the WSUS configuration or in the infrastructure configuration integrating WSUS with the target servers/clients.

Direct Windows Updates #

Check the Windows Update console on the affected server/client OS machine, as well as the Windows event log, and take action depending on the WSUS error(s) discovered. Windows Update errors are organized by Microsoft in the following articles:

A common fix for many direct Windows Update errors is to rebuild the Windows Update local Software Distribution Cache, by running the following commands in an elevated command prompt:

net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
rem After completion of the above commands, reboot the machine
shutdown -r -t 1

Uninstall and re-install WSUS #

If all else fails, the only resort would be to fully uninstall and clean up the WSUS installation and then run a clean installation again. The following articles provide step-by-step guidance on how to perform a full uninstall and cleanup of an existing WSUS server installation.

  • www.ajtek.ca/wsus/how-to-remove-wsus-completely-and-reinstall-it
  • www.petenetlive.com/kb/article/0001679

Useful WSUS server troubleshooting tools #

The following notable tools may come in handy when troubleshooting a WSUS server.

Sources #
