This chapter covers troubleshooting Windows Update failures, a common scenario in the CompTIA A+ Core 2 (220-1102) exam under Domain 3.0 (Software Troubleshooting), Objective 3.1. Understanding why updates fail and how to resolve them is critical because update issues affect system security and stability. Approximately 10-15% of troubleshooting questions on the exam involve Windows Update problems, including error codes, corrupted components, and connectivity issues. This chapter provides a systematic approach to diagnosing and fixing these failures, with emphasis on exam-specific tools and commands.
Jump to a section
Imagine Windows Update is like a large-scale package delivery system for a city. The update server is the central warehouse where all packages (updates) are stored. Your computer is a house that needs to receive packages. The Windows Update client is your mailroom clerk. When the clerk checks for updates, it sends a request to the warehouse asking, 'What packages are available for my house?' The warehouse checks its inventory against your house's subscription (Windows version, installed components) and sends back a manifest listing available packages. The clerk then decides which packages to order based on your preferences (automatic or manual). The warehouse ships the packages via the internet (delivery trucks). The clerk receives them, verifies the contents against the manifest (hash check), and if valid, installs them by unpacking and placing items in the correct rooms (system files, registry). If a package is damaged (corrupted download), the clerk requests a replacement. Sometimes the warehouse itself is updated, and the clerk needs to get a new catalog (Windows Update Agent update). If the clerk is busy or the warehouse is overwhelmed, there can be delays. The clerk logs every delivery attempt (WindowsUpdate.log) for troubleshooting.
What is Windows Update and Why Does It Fail?
Windows Update is a Microsoft service that provides updates for the Windows operating system and other Microsoft products. It uses the Windows Update Agent (WUA) to communicate with Microsoft Update servers via HTTPS (port 443). Updates include security patches, feature updates, driver updates, and definition updates for Windows Defender. Failures occur due to network issues, corrupted update files, misconfigured services, disk space problems, or third-party interference.
How Windows Update Works Internally
The update process involves several steps:
Scan: The WUA contacts the Microsoft Update server and downloads a list of applicable updates. This uses a catalog file (wsusscn2.cab) that contains metadata.
Download: The client downloads update files (.cab, .msu, .psf) to C:\Windows\SoftwareDistribution\Download. Each file is verified using a digital signature and hash.
Install: The update is staged and installed. For feature updates, this may involve a reboot and offline servicing.
Commit: The update is finalized, and backup files are stored in C:\Windows\WinSxS\Backup for rollback.
Failures can occur at any stage. Common error codes include: - 0x80070002: File not found (corrupted download) - 0x80070643: Installation failure (often .NET Framework) - 0x80244019: Connection to WSUS server failed - 0x80240034: Update not applicable (wrong architecture)
Key Components, Values, and Defaults
- Windows Update Service (wuauserv): Must be running (default: automatic start).
- Background Intelligent Transfer Service (BITS): Manages download throttling (default: automatic).
- Cryptographic Services: Ensures signature verification.
- SoftwareDistribution Folder: Stores temporary update files. Clearing it can resolve many issues.
- Catroot2 Folder: Stores catalog database. Resetting it can fix corruption.
- Registry Keys:
- HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Group Policy settings for WSUS or deferral.
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate: Client configuration.
- Group Policy: Can configure update source (Microsoft Update vs. WSUS), deferral policies, and automatic update behavior.
Configuration and Verification Commands
Check service status:
sc query wuauserv
sc query bitsReset Windows Update components:
net stop wuauserv
net stop bits
net stop cryptsvc
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start bits
net start cryptsvcUse DISM and SFC:
DISM /Online /Cleanup-Image /RestoreHealth
SFC /SCANNOWWindows Update Troubleshooter: Built-in tool in Settings > Update & Security > Troubleshoot.
Check disk space:
fsutil volume diskfree C:Minimum free space: 20 GB for Windows 10/11 feature updates.
View update history: Get-WindowsUpdateLog in PowerShell or C:\Windows\WindowsUpdate.log (older versions).
How Updates Interact with Related Technologies
WSUS (Windows Server Update Services): Enterprises use WSUS to download updates once and distribute internally. Clients point to the WSUS server via Group Policy. Failures often involve incorrect server URL or certificate issues.
Delivery Optimization: Uses peer-to-peer sharing to reduce bandwidth. Can cause update download failures if misconfigured.
Windows Defender: Antivirus definitions update via Windows Update. Conflicts with third-party antivirus can block updates.
Group Policy: Can enforce update deferrals (e.g., feature updates deferred 60 days). Misconfiguration can prevent updates from appearing.
VPN and Proxy: Updates require internet access. Proxy authentication or VPN split tunneling can block connections.
Common Failure Points and Troubleshooting
Corrupted Update Cache: Clear SoftwareDistribution and Catroot2.
Service Not Running: Check wuauserv, bits, cryptsvc.
Disk Space: Free up space using Disk Cleanup.
Third-Party Antivirus: Temporarily disable or add exclusions for C:\Windows\SoftwareDistribution.
Date and Time Incorrect: Windows Update uses SSL certificates; incorrect time breaks certificate validation.
Corrupted System Files: Run SFC and DISM.
Network Connectivity: Use netsh winsock reset and check proxy settings.
Update Component Registration: Re-register DLLs:
regsvr32 /s atl.dll
regsvr32 /s urlmon.dll
regsvr32 /s mshtml.dll
regsvr32 /s shdocvw.dll
regsvr32 /s browseui.dll
regsvr32 /s jscript.dll
regsvr32 /s vbscript.dll
regsvr32 /s scrrun.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml3.dll
regsvr32 /s msxml6.dll
regsvr32 /s actxprxy.dll
regsvr32 /s softpub.dll
regsvr32 /s wintrust.dll
regsvr32 /s dssenh.dll
regsvr32 /s rsaenh.dll
regsvr32 /s gpkcsp.dll
regsvr32 /s sccbase.dll
regsvr32 /s slbcsp.dll
regsvr32 /s cryptdlg.dll
regsvr32 /s oleaut32.dll
regsvr32 /s ole32.dll
regsvr32 /s shell32.dll
regsvr32 /s initpki.dll
regsvr32 /s wuapi.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups.dll
regsvr32 /s wups2.dll
regsvr32 /s wuweb.dll
regsvr32 /s qmgr.dll
regsvr32 /s qmgrprxy.dll
regsvr32 /s wucltux.dll
regsvr32 /s muweb.dll
regsvr32 /s wuwebv.dllReset Windows Update via PowerShell:
$Reset = New-Object -ComObject Microsoft.Update.AutoUpdate
$Reset.Reset()Use Microsoft's Update Catalog: Manually download and install updates for specific KB numbers.
Exam-Specific Notes
The 220-1102 exam expects you to identify the correct troubleshooting step given an error code. For example:
Error 0x80070002 → Clear SoftwareDistribution folder.
Error 0x80244019 → Check WSUS configuration.
Error 0x80070643 → Repair .NET Framework.
Error 0x800f0831 → Use DISM with /RestoreHealth.
Remember that the Windows Update Troubleshooter is often the first recommended step in Microsoft documentation, but the exam may test manual steps.
Identify the Error Code
When a Windows Update fails, the error code is the starting point. Common codes include 0x80070002 (file not found), 0x80070643 (installation failure), 0x80244019 (WSUS connection failed), and 0x800f0831 (corruption). Note the exact code and any accompanying message. Also check the update history in Settings > Update & Security > View update history. The error code often points to the root cause. For example, 0x80240034 indicates the update is not applicable, possibly due to wrong architecture or missing prerequisites.
Run the Windows Update Troubleshooter
The built-in Windows Update Troubleshooter automates common fixes like resetting services and clearing cache. Go to Settings > Update & Security > Troubleshoot > Additional troubleshooters > Windows Update. It checks for misconfigured services, corrupted files, and incorrect permissions. This is often the first recommended step in Microsoft documentation. However, the exam may ask for manual steps, so know both. The troubleshooter uses a set of diagnostic scripts and can fix about 70% of common issues.
Check Service Status
Windows Update relies on several services: wuauserv (Windows Update), bits (Background Intelligent Transfer Service), and cryptsvc (Cryptographic Services). Use `services.msc` or `sc query wuauserv` to verify they are running. If stopped, set them to automatic and start them. The default start type for wuauserv is Automatic (Delayed Start). BITS should be Automatic. If services fail to start, check for corrupted service configuration or malware. Also ensure the Remote Procedure Call (RPC) service is running.
Clear SoftwareDistribution and Catroot2 Folders
Corrupted update files in C:\Windows\SoftwareDistribution are a common cause of failures. Stop the wuauserv, bits, and cryptsvc services. Rename the SoftwareDistribution folder to SoftwareDistribution.old and the Catroot2 folder to Catroot2.old. Restart the services. This forces Windows Update to download fresh catalog and update files. This step resolves errors like 0x80070002 and 0x800705b4. Do not delete the folders; renaming allows rollback.
Run DISM and SFC Scans
System file corruption can prevent updates. Run Deployment Image Servicing and Management (DISM) to repair the system image: `DISM /Online /Cleanup-Image /RestoreHealth`. Then run System File Checker (SFC): `SFC /SCANNow`. DISM uses Windows Update as the source for repair files; if that fails, use a Windows installation media as a source: `DISM /Online /Cleanup-Image /RestoreHealth /Source:C:\RepairSource\Windows /LimitAccess`. SFC replaces corrupted system files with cached copies. This fixes errors like 0x800f081f and 0x80073712.
In enterprise environments, Windows Update failures can affect hundreds of computers. One common scenario is a company using WSUS to manage updates. A technician might see error 0x80244019, indicating the client cannot connect to the WSUS server. This often happens when the WSUS server URL in Group Policy is incorrect or when the client's certificate for SSL communication has expired. The fix involves verifying the Group Policy setting under Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location. The server URL should be http://WSUSServer:8530 or https://WSUSServer:4431. Also check that the client can resolve the WSUS server name via DNS.
Another scenario involves a remote worker with a VPN. Updates fail with error 0x80072efd, which means a connection error. This often occurs because the VPN splits traffic, and the update request goes through the corporate proxy, which requires authentication. The solution is to configure the proxy settings in Internet Options or use a PAC file. Alternatively, the technician can set the update source to Microsoft Update directly via Group Policy, bypassing WSUS.
A third scenario is a disk space issue on a system with a small SSD. When a feature update fails with error 0x80070070, the solution is to free up space using Disk Cleanup, including cleaning system files, or moving personal files to an external drive. The technician can also use the cleanmgr command with the /sageset parameter to select specific file types. In some cases, expanding the page file or disabling hibernation can free additional space.
Misconfiguration of Delivery Optimization can also cause issues. If set to peer-to-peer, the client may try to download from other computers on the same network, but if those computers have outdated or corrupted files, the download fails. The fix is to set Delivery Optimization to 'Not configured' or to use Group Policy to disable peer-to-peer.
The CompTIA A+ Core 2 (220-1102) exam tests Windows Update troubleshooting under Objective 3.1 (Given a scenario, troubleshoot common Windows OS problems). Specific areas include: - Identifying error codes: Know the most common codes and their meanings. - Using built-in tools: Windows Update Troubleshooter, DISM, SFC, services.msc, and the command line. - Resetting update components: Stopping services and renaming folders. - Checking disk space: Minimum free space for updates. - Network issues: Proxy, VPN, WSUS configuration.
Common wrong answers candidates choose: 1. Running a full antivirus scan: While malware can cause issues, it is not the first step for update failures. The exam expects you to check services and clear cache first. 2. Reinstalling Windows: This is a last resort. Many candidates jump to this instead of trying DISM/SFC. 3. Disabling UAC: User Account Control does not directly affect updates. This is a distractor. 4. Changing the update source to Microsoft Update from WSUS: This is only correct if the WSUS server is unreachable, but the exam may test whether to check Group Policy first.
Specific numbers and terms that appear on the exam:
- Error 0x80070002 → 'File not found' → clear SoftwareDistribution.
- Error 0x80070643 → 'Installation failure' → repair .NET Framework.
- Error 0x80244019 → 'Connection to WSUS failed' → check Group Policy.
- Minimum free space: 20 GB for 64-bit Windows 10.
- Commands: net stop wuauserv, DISM /Online /Cleanup-Image /RestoreHealth, SFC /SCANNow.
Edge cases: - Updates fail after a system restore: The restore may have corrupted the update cache. Clear SoftwareDistribution. - Windows 7 updates fail on 2020: The SHA-2 update (KB4474419) is required first. - Windows 10 1809 to 1903: Some updates require the latest servicing stack update (SSU) before the cumulative update.
How to eliminate wrong answers: - If the error code indicates a network issue (0x80244019), focus on connectivity, not disk space. - If the error is 0x80070070 (disk space), the answer will involve freeing space, not resetting components. - If the error is 0x800f0831 (corruption), the answer is DISM, not clearing cache.
The Windows Update service (wuauserv) must be running; check with `sc query wuauserv`.
Clear SoftwareDistribution and Catroot2 folders after stopping services to resolve cache corruption.
Error 0x80070002 indicates missing files; clear the update cache.
Error 0x80244019 indicates WSUS connectivity issues; check Group Policy.
Error 0x80070643 often requires .NET Framework repair.
Run DISM /Online /Cleanup-Image /RestoreHealth before SFC /SCANNow for system file corruption.
Minimum 20 GB free space required for Windows 10/11 feature updates.
Third-party antivirus can block updates; disable temporarily or add exclusions.
These come up on the exam all the time. Here's how to tell them apart.
Windows Update Troubleshooter
Automated tool that runs diagnostics and fixes common issues.
Requires no technical knowledge; user-friendly.
May not resolve complex errors like corruption or WSUS misconfiguration.
Logs are stored in `%windir%\logs\CBS\` for analysis.
First recommended step in Microsoft documentation.
Manual Reset of Update Components
Involves manually stopping services, renaming folders, and restarting services.
Requires administrative privileges and command-line knowledge.
Effective for corrupted cache and service misconfigurations.
Can be scripted for deployment across multiple machines.
Resolves errors like 0x80070002 and 0x800705b4.
Mistake
Clearing the SoftwareDistribution folder deletes all updates permanently.
Correct
Renaming the folder does not delete updates; it forces Windows to re-download the catalog and update files. The original updates are still available from Microsoft servers.
Mistake
Windows Update errors always require a clean OS reinstall.
Correct
Most errors can be resolved with built-in tools like DISM, SFC, or the Update Troubleshooter. Reinstallation is a last resort.
Mistake
Third-party antivirus does not affect Windows Update.
Correct
Antivirus software can block update files or interfere with the update process. Temporarily disabling it or adding exclusions for `C:\Windows\SoftwareDistribution` often resolves failures.
Mistake
The Windows Update Troubleshooter fixes all update problems.
Correct
It fixes common issues but not all. For complex errors (e.g., corruption, WSUS misconfiguration), manual steps are required.
Mistake
Error 0x80070643 always means a .NET Framework issue.
Correct
While often related to .NET, it can also indicate a general installation failure. Check the update details and try repairing .NET Framework, but also consider other components.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
This error indicates that Windows Update cannot find a required file, often due to a corrupted download cache. To fix it, stop the Windows Update service (wuauserv), BITS, and Cryptographic Services. Rename the C:\Windows\SoftwareDistribution folder to SoftwareDistribution.old and C:\Windows\System32\catroot2 to catroot2.old. Restart the services. This forces Windows to re-download the update catalog and files. If the issue persists, run DISM and SFC to repair system files.
Error 0x80244019 means the client cannot connect to the WSUS server. This typically occurs in enterprise environments where updates are managed via WSUS. Check the Group Policy setting 'Specify intranet Microsoft update service location' under Computer Configuration > Administrative Templates > Windows Components > Windows Update. Ensure the WSUS server URL is correct and accessible. Also verify that the client can resolve the server name via DNS and that the necessary ports (8530 for HTTP, 4431 for HTTPS) are open.
If Windows Update is stuck at 0%, first check the Background Intelligent Transfer Service (BITS) is running. Then clear the SoftwareDistribution folder as described. Also check disk space and run the Windows Update Troubleshooter. If using a VPN, try disconnecting. Sometimes, a slow or unstable internet connection causes this; pause and resume the update. If still stuck, restart the Windows Update service and try again.
Yes, you can download the update from the Microsoft Update Catalog (https://www.catalog.update.microsoft.com). Search for the KB number of the failed update, download the appropriate version for your system architecture (x86, x64, ARM), and run the .msu file. This bypasses the Windows Update client and can resolve issues caused by a corrupted client. Ensure all prerequisites are installed first.
This message appears when Group Policy or registry settings configure Windows Update. In a domain environment, it's normal. If it appears on a home computer, it may be due to third-party software or manual registry changes. Check Group Policy settings (gpedit.msc) and registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. Delete any policies that are not intended. Also check for 'Configure Automatic Updates' policies.
Error 0x80070643 indicates an installation failure, often related to .NET Framework updates. First, try repairing .NET Framework using the Microsoft .NET Framework Repair Tool. Alternatively, run `DISM /Online /Cleanup-Image /RestoreHealth` and `SFC /SCANNow`. If the update is a .NET Framework update, uninstall and reinstall .NET Framework via Programs and Features. Also ensure that the Microsoft .NET Framework update KB number is correct for your system.
The Windows Update Troubleshooter is a built-in diagnostic tool that automatically detects and fixes common update issues. To run it, go to Settings > Update & Security > Troubleshoot > Additional troubleshooters > Windows Update, and click 'Run the troubleshooter'. It will check services, reset cache, and repair corrupted files. It's the first recommended step for most update problems. On the exam, know that it exists and when to use it as an alternative to manual steps.
You've just covered Troubleshoot: Windows Update Failures — now see how well it sticks with free 220-1102 practice questions. Full explanations included, no account needed.
Done with this chapter?