One thing I get asked about a lot in my job is how to fix some of the more common Windows patching issues. The vast majority of Windows patching issues can be resolved relatively easily with just a few steps. This article covers the process which I have found fixes a good number of issues consistently, using steps which are mostly nondestructive (unless the OS is already entirely hosed), and details a few further steps to try if that doesn’t work.
What To Look For When Fixing Windows Patching
If you try to run Windows Update and get an HRESULT code or similar, and searching for the specific code doesn’t help or the potential fix is pretty heavy-handed, this guide may help you. The other thing to look at is the CBS log, found at C:\Windows\Logs\CBS\CBS.log. This log can be a bit hard to read, but it can tell you a lot about both the system health and the patch health of a given machine. If you look at the CBS log and see something like Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE] (the HRESULT code will probably change, but that CBS_E_INVALID_PACKAGE is a definite sign), then you probably want to follow this process all the way through.
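To make the CBS log easier to triage, the following added example (not part of the original article) groups the HRESULT entries in a log by code and flags CBS_E_INVALID_PACKAGE. The function name `Get-CbsFailureSummary` and the sample lines are assumptions made up for illustration, the pattern is based on the log line quoted above, and Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example: summarize HRESULT failures found in CBS log lines.
function Get-CbsFailureSummary {
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    begin {
        # Matches "[HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]" (hyphen or en dash).
        $pattern = '\[HRESULT = (?<code>0x[0-9a-fA-F]{8}) [-\u2013] (?<name>\w+)\]'
        $hits = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $pattern) {
                $hits.Add([pscustomobject]@{
                    HResult = $Matches.code.ToLower()
                    Name    = $Matches.name
                    Text    = $l.Trim()
                })
            }
        }
    }
    end {
        # One output row per distinct code, most frequent first.
        $hits | Group-Object HResult, Name | Sort-Object Count -Descending |
            ForEach-Object {
                [pscustomobject]@{
                    Count          = $_.Count
                    HResult        = $_.Group[0].HResult
                    Name           = $_.Group[0].Name
                    InvalidPackage = $_.Group[0].Name -eq 'CBS_E_INVALID_PACKAGE'
                    Sample         = $_.Group[0].Text
                }
            }
    }
}

# Constructed sample lines (timestamps and surrounding text are made up).
$sample = @(
    '2024-01-10 09:14:02, Info   CBS    Exec: Processing started.'
    '2024-01-10 09:14:05, Error  CBS    Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]'
    '2024-01-10 09:14:09, Error  CBS    Failed to internally open package. [HRESULT = 0x800F0805 - CBS_E_INVALID_PACKAGE]'
    '2024-01-10 09:15:41, Error  CBS    Failed to open file. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]'
)
$sample | Get-CbsFailureSummary | Format-Table Count, HResult, Name, InvalidPackage -AutoSize

# On a real machine, from an elevated session:
# Get-Content "$env:windir\Logs\CBS\CBS.log" | Get-CbsFailureSummary
```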
The usual disclaimer applies: if you don’t know what you’re doing or don’t understand the steps, this can run some risk (though I’ve only ever seen this process mess up OSes which were too far gone anyway, plus a few rare fringe cases with some very specific patch sets) and you probably shouldn’t proceed. This also isn’t a miracle fix for every single issue, but it definitely does fix something like 90% of the issues I’ve seen with patching (aside from the insanely exotic).
What To Do First With Windows Patching Issues
One of the first things to do when you have Windows Update issues is to run SFC and DISM as mentioned in this article. Basically, you want to run something like the following:
Windows 7 or Windows Server 2008 + Windows Server 2008 R2
From an admin command prompt or similar, run:
sfc /scannow
Windows 8 + Windows 8.1 + Windows 10 or Windows Server 2012 + Windows Server 2012 R2 + Windows Server 2016 and newer
From an admin command prompt or similar, run:
sfc /scannow
dism /online /cleanup-image /restorehealth
sfc /scannow
You almost definitely want to reboot the machine after these commands complete, as there may be some pieces which require a reboot to properly fix. Sometimes you even need to reboot in between, depending on the state of the system. I like to run both SFC and DISM on newer Windows OSes, as Microsoft has managed to keep SFC relevant. SFC and DISM perform a similar function, but even though DISM is more powerful, SFC can fix things which let DISM function properly. I run SFC again afterwards because it can fix some permissions issues which may be left over after DISM runs if there is some latent corruption which needs to be worked through.
What To Do Next
After you try DISM and SFC, you may still get some kind of error from Windows Update or from the general update process (like updates just failing without an error, or rolling back on reboot). At this point, you want to reset the Software Distribution folder. The Software Distribution folder contains a repository of what has been installed and many temporary files which can impact updates. When these are safely cleared out, Windows will regenerate the contents of this folder if the OS isn’t too far gone.
In order to fix this in the safest way possible, run the following from an admin command prompt:
sc config wuauserv start= disabled
sc stop wuauserv
ren %windir%\softwaredistribution softwaredistribution.old
sc config wuauserv start= auto
sc start wuauserv
The first line sets the Windows Update service to be disabled in case something tries to start it while we are running this process. The next line actually stops the service. We then rename the folder from SoftwareDistribution (Windows is not case sensitive) to softwaredistribution.old. We then reset our service definition so that it starts automatically and restart the service. Once this is done, give the machine about 10 to 15 minutes to rebuild this cache, though it can take longer on older hardware. Check the size of the folder, and when it stops growing for about 30 seconds, you can consider it finished.
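The same reset in PowerShell, as an added example rather than the author's own script, with two guards the command sequence leaves to the operator: the service is restored even if the rename fails, and the "stopped growing for about 30 seconds" check is automated. The function names, the 60-minute timeout and the 5-second poll interval are assumptions, as is Windows PowerShell 5.1 or later.

```powershell
# Added example (not the author's script). Run from an elevated PowerShell session.
function Get-FolderSize {
    param([string]$Path)
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { 0 } else { [long]$sum }
}

function Wait-FolderSizeStable {
    param(
        [string]$Path,
        [int]$QuietSeconds   = 30,   # "stops growing for about 30 seconds"
        [int]$TimeoutMinutes = 60,   # assumed upper bound, not from the article
        [int]$PollSeconds    = 5     # assumed poll interval
    )
    $deadline   = (Get-Date).AddMinutes($TimeoutMinutes)
    $lastSize   = -1
    $lastChange = Get-Date
    while ((Get-Date) -lt $deadline) {
        $size = Get-FolderSize -Path $Path
        if ($size -ne $lastSize) { $lastSize = $size; $lastChange = Get-Date }
        elseif ($size -gt 0 -and ((Get-Date) - $lastChange).TotalSeconds -ge $QuietSeconds) {
            return [pscustomobject]@{ Stable = $true; Bytes = $size }
        }
        Start-Sleep -Seconds $PollSeconds
    }
    [pscustomobject]@{ Stable = $false; Bytes = $lastSize }   # timed out
}

function Reset-SoftwareDistribution {
    $folder = Join-Path $env:windir 'SoftwareDistribution'
    $backup = "$folder.old"
    if (Test-Path -LiteralPath $backup) { throw "$backup already exists; move it first." }
    Set-Service -Name wuauserv -StartupType Disabled
    try {
        Stop-Service -Name wuauserv
        (Get-Service -Name wuauserv).WaitForStatus('Stopped', [timespan]::FromSeconds(60))
        Rename-Item -LiteralPath $folder -NewName 'softwaredistribution.old'
    }
    finally {
        # Always put the service back, even if the stop or rename failed.
        Set-Service -Name wuauserv -StartupType Automatic
        Start-Service -Name wuauserv
    }
    Wait-FolderSizeStable -Path $folder
}

# Reset-SoftwareDistribution   # returns Stable = $true once the rebuilt folder stops growing
```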
You can go ahead and delete the old folder after you verify patching works. I have almost never had to restore anything from the old folder, but there are rare cases where having this available can help. Ultimately, saving the folder costs nothing but space, but it can help in some classes of fringe cases. If space is part of the reason for patching, you may want to copy this elsewhere just to free up space. I have seen this folder grow a bit out of control due to random issues.
Next Steps
Try to run Windows Update again and see if the machine is fixed. If not, try rebooting and testing again, or run through DISM and SFC again just to rule that out entirely. I have seen DISM and SFC fix machines after a few passes with reboots in between. It takes a good bit of experience reading the logs these tools generate to know whether another pass is really still helping or you’re just doing the same thing over and over, though. If that doesn’t work, try looking up the specific HRESULT code where possible.
Another fix is to test downloading the raw MSU (Microsoft Standalone Update) from the Microsoft Update Catalog and installing it manually. You can also try to find the dependencies for a given patch and apply them by hand that way. This is a bit harder, but it can solve some types of chicken-and-egg issues, where a broken dependency causes another patch to fail even though that patch might have fixed the dependency.
This process isn’t by any means bulletproof, but it can solve a lot of issues and help fix a lot of lower level issues. Even if there are further problems to be debugged, this can still help reduce other issues which exacerbate your original problem. Most larger problems on Windows are a combination of smaller problems. By systematically working through these issues, you can get to the root of your actual problem and fix the machine in a way which prevents it breaking the next time.
Still Stuck?
See here for more information on fixing these issues in Windows 10 and similar.