Windows Server update troubleshooting guidance

Article
02/19/2024

Try our Virtual Agent - It can help you quickly identify and fix common Windows Update issues.

This solution is designed to get you started on Windows Update troubleshooting scenarios.

Troubleshooting checklist

Step 1: Identify the issue by examining the event log for specific errors

Open Event Viewer from the Control Panel > Administrative Tools.
Look for Windows Update Agent events in the System log, and the errors in the System and Application logs around the same time that updates were applied.
Expand the Event Viewer tree to Application and Service Logs > Microsoft > Windows > WindowsUpdateClient > Operational.
Identify the Update that is failing to install and the failure code.
Find the error and the resolution in Common Windows Update errors or Windows Update error codes by component.

Step 2: Check for Pending Reboot state

If the computer hasn't been restarted, restart the computer.

Step 3: Services Stack update

Install the latest servicing stack update. See Latest Servicing Stack Updates.

Step 4: Run the Windows Update troubleshooter for Windows

Download the troubleshooter, and select Open or Save in the pop-up window. (If you choose Save, you'll need to open the troubleshooter from the save location.)
Select Next to start the troubleshooter, and follow the steps to identify and fix any issues.
After the troubleshooter finishes, try running Windows Update again. From the Start button, select Settings > Update & security > Windows Update > Check for updates, and install any available updates.
If applicable, Reset windows update components.

Step 5: Use DISM or System Update Readiness tool to troubleshoot Windows Update issue

See Fix Windows Update errors by using the DISM or System Update Readiness tool for more information.

Common issues and solutions

You receive "Update not applicable" error message

Error message

The update is not applicable to your computer.

Cause 1: Update is superseded

To troubleshoot this issue, check that the package that you are installing contains newer versions of the binaries. Alternatively, check that the package is superseded by another new package.

Cause 2: Update is already installed

To troubleshoot this issue, verify that the package that you are trying to install isn't already installed.

Cause 3: Wrong update for architecture

To troubleshoot this issue, verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
Verify that the package you want to install matches the processor architecture of the Windows version that you are using. For example, an x86-based update can't be installed on x64-based installations of Windows.

Cause 4: Missing prerequisite update

To troubleshoot this issue, read the package’s related article to find out whether the prerequisite updates are installed. For example, if you receive the error message in Windows 8.1 or Windows Server 2012 R2, you might have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
To determine if these prerequisite updates are installed, run this PowerShell command:
get-hotfix KB3173424, KB2919355, KB2919442
If the updates are installed, the command returns the installed date in the InstalledOn section of the output.

Updates aren't downloading from Windows Server Update Services (WSUS) or Configuration Manager

Error message:

Failed to connect to Mux due to network or cert errors

To troubleshoot this issue, check the numeric code provided in the error message code: this corresponds to the winsock error code. Certificate errors are granular (for example, cert cannot be verified, cert not authorized, etc.)

The device isn't receiving an update that you deployed

To troubleshoot this issue, follow these steps:

Check that the device’s updates for the relevant category aren’t paused. See Pause feature updates and Pause quality updates.
Feature updates only: The device might have a safeguard hold applied for the given feature update version. For more information about safeguard holds, see Safeguard holds and Opt out of safeguard holds.
Check that the deployment to which the device is assigned has the state offering. Deployments that have the states paused or scheduled won't deploy content to devices.
Check that the device has scanned for updates and is scanning the Windows Update service. To learn more about scanning for updates, see Scanning updates.
Feature updates only: Verify that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled is represented by a Microsoft Entra device resource with an update management enrollment for feature updates and has no Microsoft Entra device registration errors.
Expedited quality updates only: Check that the device has the Update Health Tools installed (available for Windows 10 version 1809 or later in the update described in KB 4023057 - Update for Windows 10 Update Service components, or a more recent quality update). The Update Health Tools are required for a device to receive an expedited quality update. The program’s location on the device is C:\Program Files\Microsoft Update Health Tools.
To verify its presence, view the installed programs list or use this PowerShell script:
```
Get-WmiObject -Class Win32\_Product \| Where-Object {$\_.Name -amatch "Microsoft Update Health Tools"}
```

The device is receiving an update that you didn't deploy

To troubleshoot this issue, follow these steps:

Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see Scanning updates.
Feature updates only: Check that the device is successfully enrolled in feature update management by the deployment service. A device that isn't successfully enrolled might receive different updates according to its feature update deferral period. A device that is successfully enrolled is represented by a Microsoft Entra device resource with an update management enrollment for feature updates and has no Microsoft Entra device registration errors.

WSUS troubleshooting

WSUS connection failures

If you are using WSUS 3.0 SP2 on Windows Server 2008 R2, you must have update 4039929 or a later-version update package installed on the WSUS server.

Here's how to verify the server version:

Open the WSUS console.
Select the server name.
Locate the version number under Overview > Connection > Server Version.
Check whether the version is 3.2.7600.283 or a later version.

If you are using WSUS on Windows Server 2012 or a later version, you must have one of the following Security Quality Monthly Rollups or a later-version rollup installed on the WSUS server:

Windows Server 2012 - KB4039873
Windows Server 2012 R2 - KB4039871
Windows Server 2016 - KB4039396

Note

If you're using Configuration Manager with the software update point installed on a remote site system server, the WSUS Administration Console must be installed on the site server. For WSUS 3.0 SP2, KB 4039929 or a later update must also be installed on the WSUS Administration console. A server restart is required after installing 4039929 (remotely or locally). Check whether the issue persists after the restart.

To troubleshoot connection failures, follow these steps:

Verify that the Update Services service and the World Wide Web Publishing Service are running on the WSUS server.
Verify that the Default website or WSUS Administration website is running on the WSUS server.
Review the IIS logs for the WSUS Administration website (c:\inetpub\logfiles), and check for errors.

Error code: 80244007