Windows Update issues troubleshooting
Applies to: Windows 10
Try our Virtual Agent - It can help you quickly identify and fix common Windows Update issues
If you run into problems when using Windows Update, start with the following steps:
Run the built-in Windows Update troubleshooter to fix common issues. Navigate to Settings > Update & Security > Troubleshoot > Windows Update.
Install the most recent Servicing Stack Update that matches your version of Windows from the Microsoft Update Catalog. For more information on servicing stack updates, see Servicing stack updates.
Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
- Windows 10, version 2004 and Windows Server, version 2004
- Windows 10, version 1909 and Windows Server, version 1909
- Windows 10, version 1903 and Windows Server, version 1903
- Windows 10, version 1809 and Windows Server 2019
- Windows 10, version 1803
- Windows 10, version 1709
- Windows 10, version 1703
- Windows 10 and Windows Server 2016
- Windows 8.1 and Windows Server 2012 R2
- Windows Server 2012
- Windows 7 SP1 and Windows Server 2008 R2 SP1
Advanced users can also refer to the log generated by Windows Update for further investigation.
You might encounter the following scenarios when using Windows Update.
Why am I offered an older update?
The update that is offered to a device depends on several factors. The following are some of the most common attributes:
- OS Build
- OS Branch
- OS Locale
- OS Architecture
- Device update management configuration
If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a deployment group, that your admin is intentionally slowing the rollout of updates. Since the deployment is slow and measured to begin with, all devices won't receive the update on the same day.
My device is frozen at scan. Why?
The Settings UI communicates with the Update Orchestrator service that in turn communicates with to Windows Update service. If these services stop unexpectedly, then you might see this behavior. In such cases, follow these steps:
Close the Settings app and reopen it.
Start Services.msc and check if the following services are running:
- Update State Orchestrator
- Windows Update
Feature updates aren't being offered while other updates are
Devices running Windows 10, version 1709 through Windows 10, version 1803 that are configured to update from Windows Update (including Windows Update for Business) are able to install servicing and definition updates but are never offered feature updates.
Checking the WindowsUpdate.log reveals the following error:
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User}
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx""
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs.
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN.
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570]
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570]
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092]
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587]
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken
YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001
YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377]
YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25
The 0x80070426 error code translates to:
ERROR_SERVICE_NOT_ACTIVE - # The service has not been started.
Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on MSA to get the global device ID for the device. Without the MSA service running, the global device ID won't be generated and sent by the client and the search for feature updates never completes successfully.
To resolve this issue, reset the MSA service to the default StartType of "manual."
Issues related to HTTP/Proxy
Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Therefore proxy servers on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail.
To fix this issue, configure a proxy in WinHTTP by using the following netsh command:
netsh winhttp set proxy ProxyServerName:PortNumber
Note
You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie
.
If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run.
You might choose to apply a rule to permit HTTP RANGE requests for the following URLs:
*.download.windowsupdate.com
*.dl.delivery.mp.microsoft.com
*.delivery.mp.microsoft.com
If you can't allow RANGE requests, you'll be downloading more content than needed in updates (as delta patching won't work).
The update isn't applicable to your computer
The most common reasons for this error are described in the following table:
Cause | Explanation | Resolution |
---|---|---|
Update is superseded | As updates for a component are released, the updated component will supersede an older component that is already on the system. When this issue occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you might receive this error message. | Check that the package that you're installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. |
Update is already installed | If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message. | Verify that the package that you're trying to install wasn't previously installed. |
Wrong update for architecture | Updates are published by CPU architecture. If the update that you're trying to install doesn't match the architecture for your CPU, you may encounter this error message. | Verify that the package that you're trying to install matches the Windows version that you're using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates can't be installed on Windows Server 2012 R2-based computers. Also, verify that the package that you're installing matches the processor architecture of the Windows version that you're using. For example, an x86-based update can't be installed on x64-based installations of Windows. |
Missing prerequisite update | Some updates require a prerequisite update before they can be applied to a system. If you're missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed. | Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424). To determine if these prerequisite updates are installed, run the following PowerShell command: get-hotfix KB3173424,KB2919355, KB2919442 . If the updates are installed, the command will return the installed date in the InstalledOn section of the output. |
Issues related to firewall configuration
Error that you might see in Windows Update logs:
DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls.
Or
[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 <NULL>, error = 0x800706D9
Or
DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 <NULL>, error = 0x80D0000A
Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security isn't supported by Microsoft. For more information, see I need to disable Windows Firewall.
Issues arising from configuration of conflicting policies
Windows Update provides a wide range configuration policy to control the behavior of the Windows Update service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting policies may lead to unexpected behaviors.
For more information, see How to configure automatic updates by using Group Policy or registry settings.
Device can't access update files
Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints:
Protocol | Endpoint URL |
---|---|
TLS 1.2 | *.prod.do.dsp.mp.microsoft.com |
HTTP | emdl.ws.microsoft.com |
HTTP | *.dl.delivery.mp.microsoft.com |
HTTP | *.windowsupdate.com |
HTTPS | *.delivery.mp.microsoft.com |
TLS 1.2 | *.update.microsoft.com |
TLS 1.2 | tsfe.trafficshaping.dsp.mp.microsoft.com |
Note
Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.
The specific endpoints can vary between Windows client versions. See, for example, Windows 10 2004 Enterprise connection endpoints. Similar articles for other Windows client versions are available in the table of contents nearby.
Updates aren't downloading from the intranet endpoint (WSUS or Configuration Manager)
Windows client devices can receive updates from various sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
Start Windows PowerShell as an administrator.
Run the cmdlet:
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
Run the cmdlet:
$MUSM.Services
Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table.
You have a bad setup in the environment
In this example, per the Group Policy set through registry, the system is configured to use WSUS to download updates (note the second line):
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
From Windows Update logs:
2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49]
2018-08-06 09:33:31:085 480 1118 Agent *********
2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates
2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No
2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*"
2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service
2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine}
2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities
2018-08-06 09:33:32:554 480 1118 Agent *********
2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49]
In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*"
. "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results.
As shown in the following logs, automatic update runs the scan and finds no update approved for it. So it reports there are no updates to install or download. This is due to an incorrect configuration. The WSUS side should approve the updates for Windows Update so that it fetches the updates and installs them at the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. You're expecting the operational insight agent to do the scan and automatically trigger the download and installation but that won't happen with this configuration.
2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57]
2018-08-06 10:58:45:992 480 5d8 Agent *********
2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No
2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2
2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities
2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates
2018-08-06 10:58:47:383 480 5d8 Agent *********
2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57]
High bandwidth usage on Windows client by Windows Update
Users might see that Windows is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that might consume bandwidth expand beyond Windows Update components.
The following group policies can help mitigate this situation:
- Blocking access to Windows Update servers: Policy Turn off access to all Windows Update features (Set to enabled)
- Driver search: Policy Specify search order for device driver source locations (Set to "Do not search Windows Update")
- Windows Store automatic update: Policy Turn off Automatic Download and Install of updates (Set to enabled)
Other components that connect to the internet:
- Windows Spotlight: Policy Configure Windows spotlight on lock screen (Set to disabled)
- Consumer experiences: Policy Turn off Microsoft consumer experiences (Set to enabled)
- Background traffic from Windows apps: Policy Let Windows apps run in the background
Transient errors caused by heavy load or network congestion
Users might receive the following errors from Windows Update. These errors are transient errors, occurring when the service is temporarily under heavy load or when networks are congested. Users don't need to take any action because the device will retry the operation later.
Error code | Error value | Details |
---|---|---|
WU_S_SEARCH_LOAD_SHEDDING | 0x248001 | Search operation completed successfully but one or more services were shedding load. |
WU_E_PT_LOAD_SHEDDING | 0x8024402d | The server is shedding load. |
In these cases, users that programmatically call into the Windows Update Agent API to retrieve the result of a search operation would get orcFailed or orcSucceededWithErrors. Retrying the operation later is expected to succeed.
Data collection
If you need assistance from Microsoft support, we recommend you collect the information by following the steps mentioned in Gather information by using TSS for deployment-related issues.