Windows Update Refused to Work, So I Spoon-Fed it.

TL;WR: Windows update never got past checking for updates. Nothing worked. Used my private WSUS server and spoonfed it 10 updates at a time. Suggested Pairing: Rye.


Warning: The following was a holiday experiment turning into a WSUS bastardization rabbit hole. Real research would’ve involved some debugging. All this was probably related to a terminal WID or something else that real work would’ve resolved.


I have a laptop to fix. The poor thing was worked over by power Luser. The belligerently ignorant bastard left his mark on everything he could. He installed every browser, installed Avast (but left defender running… somehow), pretty much everything on ninite, pirated keys (even though he had the oem keys for it), rosetta stone with no lang packs, etc. etc.

The worst though was killing windows update. Something about the government using it to spy on people. Ironically he left telemetry on.

I digress. I tried everything on this computer. Windows update would stick on checking for updates and never return. It hadn’t been updated in two and a half years so I expected a delay, but not 20 hours.

A packet cap was showing that wuau was reaching the M$ servers and after 20 or so packets it received a 200 OK then just stopped responding. Then all of the tcp connections would timeout and close. Not. A. Peep. All it would do is poke a few reg values for the wuau gpo settings.

First up the update agent  (Here for win 8.1/ Server 2012 R2, watch for the prerequisites). Which in this case happened to be pretty much the last update it received before the Luserpocalypse.

I ran the Windows update diagnostic cab (Here) and each time it did its thing but the problem never went away. Stopping the windows update service (wuauserv) and deleting the \Windows\SoftwareDistribution\ folder (data store that catalogues the updates and stores update info) would get it started again but the same problem kept popping up.

After checking AV, other network apps, other file apps, running a procmon trace, sfc, dism, and little Christmas Drinking I decided to try one last thing before a clean boot.

I popped onto my home WSUS server, added a computer group for this poor laptop, and added the windows 8.1 updates to the catalogue.

  • I set up two empty computer groups.
  • Went through and picked out the updates I wanted, approved them for the first empty group to start the download
  • Blindly made the tweaks Here as per cargo-cult administration standards.
  • On the laptop I updated the GPO to point at my wsus server and added it to the second empty computer group.
  • As updates came in (starting with top of tree/cumulative monthlies) I added approvals for the second group in batches of 5 (8-10 at a time later).
  • Popped on the laptop and started the updates. THEY WORKED.

After all that I got cocky and decided to try approving 20 updates. No dice, I had to wipe the SoftwareDistribution cache again just to get it working. Finally I got it up to date, 8 updates at a time. Never did figure out why, it’s on the slate for a reinstall soonish. If you’ve got any ideas before I do the reinstall I’m open to taking a look, let me know. She’s long gone, few caps popped shortly after one of the LCD ffc’s gave out and it was relegated to the boneyard.

Leave a Reply

Your email address will not be published. Required fields are marked *