Windows Update troubleshooting

Applies to: Windows 10

If you run into problems when using Windows Update, start with the following steps:

  1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to Settings > Update & Security > Troubleshoot > Windows Update.

  2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See Servicing stack updates for more details on SSU.

  3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:

Advanced users can also refer to the log generated by Windows Update for further investigation.

You might encounter the following scenarios when using Windows Update.

Why am I offered an older update/upgrade?

The update that is offered to a device depends on several factors. Some of the most common attributes include the following:

  • OS Build
  • OS Branch
  • OS Locale
  • OS Architecture
  • Device update management configuration

If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day.

My machine is frozen at scan. Why?

The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following:

  1. Close the Settings app and reopen it.
  2. Launch Services.msc and check if the following services are running:
    • Update State Orchestrator
    • Windows Update

Feature updates are not being offered while other updates are

On computers running Windows 10 1709 or higher configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered.

Checking the WindowsUpdate.log reveals the following error:

YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           * START * Finding updates CallerId = Update;taskhostw  Id = 25
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           Search Scope = {Current User}
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx""
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            Token Requested with 0 category IDs.
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN.
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570]
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570]
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            *FAILED* [80070426] GetDeviceTickets
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092]
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587]
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            *FAILED* [80070426] GetAgentTokenFromServer
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            *FAILED* [80070426] GetAgentToken
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            *FAILED* [80070426] EP:Call to GetEndpointToken
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Misc            *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001
YYYY/MM/DD HH:mm:ss:SSS PID  TID  ProtocolTalker  *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377]
YYYY/MM/DD HH:mm:ss:SSS PID  TID  ProtocolTalker  *FAILED* [80070426] Initialization failed for Protocol Talker Context
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           Exit code = 0x80070426
YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           * END * Finding updates CallerId = Update;taskhostw  Id = 25

The 0x80070426 error code translates to:

ERROR_SERVICE_NOT_ACTIVE - # The service has not been started.

Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully.

In order to solve this issue, we need to reset the MSA service to the default StartType of manual.

Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail.

To fix this issue, configure a proxy in WinHTTP by using the following netsh command:

netsh winhttp set proxy ProxyServerName:PortNumber 

Note

You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie

If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run.

You may choose to apply a rule to permit HTTP RANGE requests for the following URLs:

*.download.windowsupdate.com
*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com

If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work).

The update is not applicable to your computer

The most common reasons for this error are described in the following table:

Cause Explanation Resolution
Update is superseded As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message. Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package.
Update is already installed If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message. Verify that the package that you are trying to install was not previously installed.
Wrong update for architecture Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows.
Missing prerequisite update Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed. Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
get-hotfix KB3173424,KB2919355,KB2919442
If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output.

Error that may be seen in the WU logs:

DownloadManager    Error 0x800706d9 occurred while downloading update; notifying dependent calls. 

Or

[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 <NULL>, error = 0x800706D9 

Or

DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 <NULL>, error = 0x80D0000A 

Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see I need to disable Windows Firewall.

Issues arising from configuration of conflicting policies

Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors.

See How to configure automatic updates by using Group Policy or registry settings for more information.

Updates aren't downloading from the intranet endpoint (WSUS/SCCM)

Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:

  1. Start Windows PowerShell as an administrator
  2. Run $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager".
  3. Run $MUSM.Services.

Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table.

Output Interpretation
- Name: Microsoft Update
-OffersWindowsUpdates: True
- The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)
- Name: DCat Flighting Prod
- OffersWindowsUpdates: True
- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update.
- Name: Windows Store (DCat Prod)
- OffersWindowsUpdates: False
-The update source is Insider Updates for Store Apps.
- Indicates that the client will not receive or is not configured to receive these updates.
- Name: Windows Server Update Service
- OffersWindowsUpdates: True
- The source is a Windows Server Updates Services server.
- The client is configured to receive updates from WSUS.
- Name: Windows Update
- OffersWindowsUpdates: True
- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.

You have a bad setup in the environment

If we look at the GPO being set through registry, the system is configured to use WSUS to download updates:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 
"UseWUServer"=dword:00000001                                        ===================================> it says use WSUS server.  

From the WU logs:

2018-08-06 09:33:31:085  480 1118 Agent ** START **  Agent: Finding updates [CallerId = OperationalInsight  Id = 49] 
2018-08-06 09:33:31:085  480 1118 Agent ********* 
2018-08-06 09:33:31:085  480 1118 Agent   * Include potentially superseded updates 
2018-08-06 09:33:31:085  480 1118 Agent   * Online = No; Ignore download priority = No 
2018-08-06 09:33:31:085  480 1118 Agent   * Criteria = "IsHidden = 0 AND DeploymentAction=*" 
2018-08-06 09:33:31:085  480 1118 Agent   * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service 
2018-08-06 09:33:31:085  480 1118 Agent   * Search Scope = {Machine} 
2018-08-06 09:33:32:554  480 1118 Agent   * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities 
2018-08-06 09:33:32:554  480 1118 Agent ********* 
2018-08-06 09:33:32:554  480 1118 Agent **  END  **  Agent: Finding updates [CallerId = OperationalInsight  Id = 49] 

In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=". "" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results.

Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here.

2018-08-06 10:58:45:992  480 5d8 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates  Id = 57] 
2018-08-06 10:58:45:992  480 5d8 Agent ********* 
2018-08-06 10:58:45:992  480 5d8 Agent   * Online = Yes; Ignore download priority = No 
2018-08-06 10:58:45:992  480 5d8 Agent   * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" 
   
2018-08-06 10:58:46:617  480 5d8 PT   + SyncUpdates round trips: 2 
2018-08-06 10:58:47:383  480 5d8 Agent   * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities 
2018-08-06 10:58:47:383  480 5d8 Agent Reporting status event with 0 installable, 83 installed,  0 installed pending, 0 failed and 0 downloaded updates 
2018-08-06 10:58:47:383  480 5d8 Agent ********* 
2018-08-06 10:58:47:383  480 5d8 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates  Id = 57] 

High bandwidth usage on Windows 10 by Windows Update

Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components.

The following group policies can help mitigate this:

Other components that reach out to the internet: