Windows Update is the single most common Windows pain point, and the failure modes are creative: stuck at 0%, stuck at "checking for updates", an error code in hex that means nothing on its own, a WSUS server that the client has never heard of, a client that believes it is talking to WSUS while the WSUS console disagrees. This guide is the practical playbook: the reset script that fixes 80% of cases, the error codes that point at the actual cause, and the WSUS-specific gotchas.
Free PDF cheat sheet at the bottom.
The canonical reset script
If Windows Update is broken and you do not know why, this is the first thing you run. It stops the services, renames the corrupted catalog and download cache so that they are rebuilt, and restarts the services from scratch. Run as administrator:
```powershell
# Stop services
Stop-Service -Name wuauserv, cryptSvc, bits, msiserver -Force
# Rename the corrupted folders (do not delete - lets you roll back)
# If a .old folder from an earlier run still exists, the rename fails silently; remove it first
Rename-Item C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old -ErrorAction SilentlyContinue
Rename-Item C:\Windows\System32\catroot2 C:\Windows\System32\catroot2.old -ErrorAction SilentlyContinue
# Reset BITS and Windows Update components (restores the default security descriptor on BITS)
Start-Process -FilePath "cmd.exe" -ArgumentList @(
    "/c sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
) -Wait -NoNewWindow
# Re-register the Windows Update DLLs (regsvr32 /s silently skips any that are absent on this build)
$dlls = "atl.dll","urlmon.dll","mshtml.dll","shdocvw.dll","browseui.dll",
    "jscript.dll","vbscript.dll","scrrun.dll","msxml.dll","msxml3.dll","msxml6.dll",
    "actxprxy.dll","softpub.dll","wintrust.dll","dssenh.dll","rsaenh.dll","gpkcsp.dll",
    "sccbase.dll","slbcsp.dll","cryptdlg.dll","oleaut32.dll","ole32.dll","shell32.dll",
    "initpki.dll","wuapi.dll","wuaueng.dll","wuaueng1.dll","wucltui.dll","wups.dll",
    "wups2.dll","wuweb.dll","qmgr.dll","qmgrprxy.dll","wucltux.dll","muweb.dll","wuwebv.dll"
foreach ($d in $dlls) { regsvr32.exe /s $d }
# Restart services
Start-Service -Name wuauserv, cryptSvc, bits, msiserver
# Re-trigger detection
# (Windows 10 / Server 2016 and later largely ignore /detectnow; there, start a scan with UsoClient.exe StartScan)
wuauclt.exe /resetauthorization /detectnow
Write-Host "Done. Check Settings > Windows Update again."
```
This is the script every Microsoft support engineer eventually emails you. Save it somewhere — you will use it.
Common error codes
| Code | Meaning | Fix |
|---|---|---|
| 0x80070643 | Installation failed (often .NET CU) | Run DISM /RestoreHealth, then SFC, then retry |
| 0x80070005 | Access denied | Run as admin; check ACLs on SoftwareDistribution |
| 0x800f0922 | Failed to apply (often boot partition) | Free space on system reserved partition; resize |
| 0x800f081f | Source files could not be found | DISM /Source for offline install media |
| 0x80244007 | SOAP fault from WSUS | Reset SUSClientId; re-register with WSUS |
| 0x8024401c | WSUS unreachable | Check group policy WSUS URL; firewall |
| 0x80072EFE | Connection failure | Network / proxy / TLS handshake |
| 0x80073712 | Component store corruption | DISM /CheckHealth, /ScanHealth, /RestoreHealth |
| 0x80240017 | Operation did not complete | Reset script above |
| 0xC1900101 | Driver-related rollback | Update / remove problem driver |
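The hex codes in the table are HRESULTs, and splitting one into its fields often tells you which component raised it before you look anything up. The following is an added example, not part of the original guide; `ConvertFrom-HResult` is a hypothetical helper name, and only the three facility numbers listed in the code are mapped to names.

```powershell
# Added example (not from the original guide): decode an HRESULT into its fields.
# Facility numbers as defined in winerror.h; anything else is shown as hex.
$FacilityNames = @{ 7 = 'Win32'; 15 = 'SetupAPI'; 36 = 'Windows Update Agent' }

function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string]$Code)     # e.g. '0x80070643'

    # Parse as unsigned, then widen so the bit operations never see a negative number
    $hr       = [int64][Convert]::ToUInt32(($Code -replace '^0x', ''), 16)
    $failure  = (($hr -shr 31) -band 1) -eq 1      # severity bit
    $facility = [int](($hr -shr 16) -band 0x1FFF)  # same mask as the HRESULT_FACILITY macro
    $low      = [int]($hr -band 0xFFFF)            # facility-specific error number

    $name = "0x{0:X}" -f $facility
    if ($FacilityNames.ContainsKey($facility)) { $name = $FacilityNames[$facility] }

    # Only Win32-facility codes wrap a plain Win32 error that the OS can describe
    $text = $null
    if ($facility -eq 7) { $text = [ComponentModel.Win32Exception]::new($low).Message }

    [pscustomobject]@{
        HResult   = '0x{0:X8}' -f $hr
        Failure   = $failure
        Facility  = $name
        Code      = $low
        Win32Text = $text
    }
}

# Codes taken from the table above
'0x80070643', '0x80070005', '0x8024401c', '0x800f081f' |
    ForEach-Object { ConvertFrom-HResult $_ } |
    Format-Table -AutoSize
```

A code in the Win32 facility (0x8007xxxx) is an ordinary Windows error wrapped in an HRESULT, so `0x80070005` is simply Win32 error 5; codes in the Windows Update Agent facility (0x8024xxxx) come from the update client itself.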
Where the logs are
```powershell
# Modern Windows logs to ETW; convert to text:
Get-WindowsUpdateLog -LogPath C:\Temp\WindowsUpdate.log
# Setup-related issues (CBS = Component Based Servicing)
Get-Content C:\Windows\Logs\CBS\CBS.log -Tail 100
# DISM log
Get-Content C:\Windows\Logs\DISM\dism.log -Tail 100
# Setup log (in-place upgrades)
# Single quotes stop PowerShell from expanding $WINDOWS as a variable; -Force is needed because the folder is hidden
Get-ChildItem -LiteralPath 'C:\$WINDOWS.~BT\Sources\Panther\setuperr.log' -Force
```
WSUS gotchas
If the client is supposed to use a WSUS server but is not, there are four things to check:
```powershell
# 1. Is the GPO setting actually applied?
gpresult /h C:\Temp\gp.html
# Look for "Specify intranet Microsoft update service location"

# 2. Is the registry set?
Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' WUServer, WUStatusServer

# 3. Has the client registered with WSUS?
wuauclt.exe /resetauthorization /detectnow

# 4. SUSClientId conflict (cloned VMs share an ID and only one shows up)
$key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate'
Stop-Service wuauserv -Force
Remove-ItemProperty $key -Name SusClientId -ErrorAction SilentlyContinue
Remove-ItemProperty $key -Name SusClientIdValidation -ErrorAction SilentlyContinue
Start-Service wuauserv
wuauclt.exe /resetauthorization /detectnow
```
The cloned-VM SUSClientId problem is the #1 answer to "Why does only one of my five identical VMs show up in WSUS?": they all share the same ID until you wipe and regenerate it.
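The registry check in step 2 can be extended into a consistency check of the whole client-side WSUS policy, including the `UseWUServer` switch under the `AU` subkey and whether the server URL is HTTPS. This is an added example, not part of the original guide; `Test-WsusClientPolicy` is a hypothetical name, and it assumes `Test-NetConnection` is available (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added example (not from the original guide). Test-WsusClientPolicy is a hypothetical name.
function Test-WsusClientPolicy {
    $wu = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    $findings = @()

    if (-not $p.WUServer) {
        return 'WUServer is not set: the WSUS policy has not reached this machine'
    }
    if ($p.WUStatusServer -ne $p.WUServer) {
        $findings += 'WUStatusServer differs from WUServer: the policy is treated as invalid'
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1: the client ignores WUServer'
    }

    $uri = [uri]$p.WUServer
    if (-not $uri.IsAbsoluteUri) {
        return $findings + "WUServer '$($p.WUServer)' is not a full URL (scheme://host:port)"
    }
    if ($uri.Scheme -ne 'https') {
        # Update binaries are signed, but the metadata exchange is only protected by TLS
        $findings += "WUServer uses $($uri.Scheme): update metadata crosses the network unencrypted"
    }

    # A failed TCP connect here lines up with error 0x8024401c from the table
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $findings += "Cannot reach $($uri.Host):$($uri.Port)"
    }

    if ($findings.Count -eq 0) { 'WSUS client policy looks consistent' } else { $findings }
}

Test-WsusClientPolicy
```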
Force-install or skip an update
```powershell
# Manual download + install (when WU UI refuses)
# Get the .msu from catalog.update.microsoft.com
wusa.exe C:\Updates\Windows10.0-KB5012345-x64.msu /quiet /norestart

# Hide an update permanently
Install-Module PSWindowsUpdate -Scope CurrentUser
Get-WindowsUpdate
Hide-WindowsUpdate -KBArticleID KB5012345

# Unhide
Show-WindowsUpdate -KBArticleID KB5012345
```
DISM and SFC for component store damage
If updates fail with 0x800f081f or 0x80073712, the WinSxS component store is damaged. The standard repair sequence:
```powershell
DISM /Online /Cleanup-Image /CheckHealth     # quick status
DISM /Online /Cleanup-Image /ScanHealth      # full scan (~5 min)
DISM /Online /Cleanup-Image /RestoreHealth   # repair from Windows Update
sfc /scannow                                 # fix protected system files
```
If /RestoreHealth cannot reach Windows Update (offline machine), point at install media:
```powershell
DISM /Online /Cleanup-Image /RestoreHealth /Source:WIM:E:\sources\install.wim:1 /LimitAccess
```
PSWindowsUpdate module
```powershell
Install-Module PSWindowsUpdate -Scope CurrentUser

# What is available?
Get-WindowsUpdate

# Install everything
Install-WindowsUpdate -AcceptAll -AutoReboot

# Install one
Install-WindowsUpdate -KBArticleID KB5034441 -AcceptAll

# Recent install history
Get-WUHistory -Last 10

# Pending reboot?
Get-WURebootStatus
```
This module is the right way to script Windows Update from PowerShell. Built-in cmdlets are limited.
When Defender is in the way
Windows Defender occasionally quarantines update files mid-download. Symptoms: 0x80070643 with no useful logs. Workaround: temporarily exclude the SoftwareDistribution folder, retry, then remove the exclusion:
```powershell
Add-MpPreference -ExclusionPath "C:\Windows\SoftwareDistribution"
# ... run update ...
Remove-MpPreference -ExclusionPath "C:\Windows\SoftwareDistribution"
```
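An exclusion on a folder that receives downloaded content should not outlive the retry, even when the update step throws or is interrupted. The following added example (not part of the original guide) wraps the same workaround in `try`/`finally`, verifies that the exclusion is gone, and shows where the change is recorded; it assumes an elevated session and that the PSWindowsUpdate module is installed.

```powershell
# Added example (not from the original guide); run from an elevated session.
$path = 'C:\Windows\SoftwareDistribution'

Add-MpPreference -ExclusionPath $path -ErrorAction Stop
try {
    # The retry itself; assumes the PSWindowsUpdate module is installed
    Install-WindowsUpdate -AcceptAll -IgnoreReboot
}
finally {
    # Runs on success, on error and on Ctrl+C, so the exclusion never outlives the retry
    Remove-MpPreference -ExclusionPath $path
}

# Verify that the exclusion is really gone
if ((Get-MpPreference).ExclusionPath -contains $path) {
    Write-Warning "Defender exclusion for $path is still present; remove it manually."
}

# Audit trail: Defender records configuration changes as event ID 5007
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -MaxEvents 5 | Select-Object TimeCreated, Message
```

The same event ID is worth alerting on in general: an exclusion for this folder that appears outside a maintenance window is a change someone should be able to explain.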
Cheat sheet
Reset script + error codes + WSUS fixes on a single PDF: Windows Update Cheat Sheet.
FAQ
Why does the same update keep failing?
Component store damage. Run the DISM /RestoreHealth + SFC sequence, then retry. If still failing, the .msu manual install often succeeds.
Can I roll back a bad cumulative update?
Yes — Settings → Update → Update history → Uninstall updates. Or via PowerShell: wusa.exe /uninstall /kb:5012345 /quiet /norestart. Note: some servicing-stack updates cannot be uninstalled.
How do I check pending reboots without restarting?
Get-WURebootStatus from PSWindowsUpdate, or check HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending.
Why does Windows Update show 0 updates but my server is months behind?
Either WSUS is targeting the wrong group, the SUSClientId is duplicated, or the client is offline from the WU service. Run the WSUS re-registration script.
Is it safe to delete the SoftwareDistribution folder?
Yes, if the Windows Update services are stopped first. The folder regenerates on the next service start. Renaming (not deleting) is safer because it allows an easy rollback.
Why is my system reserved partition full?
Old fonts, old WinRE images, leftovers from in-place upgrades. Clear with cleanmgr /sageset:65535 + cleanmgr /sagerun:65535, or extend the partition.
Can I use Windows Update for Business with WSUS together?
Yes — WUfB defers updates while WSUS distributes them. Configure both via GPO with the right priority order.