If you encounter Windows update error codes, you can check the System log in the Event Viewer, typically under the event source “WindowsUpdateClient” (though it doesn’t provide much info as always 😂). Another place to look is in the “C:\Windows\Logs\WindowsUpdate.log” file for Server 2012R2 / Windows 8.1 and below. For the later Windows version, you will need to use Event Tracing for Windows (ETW) to generate diagnostic logs.
Note that after the extended support period, servers cannot get updates from WSUS servers unless you purchase the Extended Security Updates from Microsoft , but you can still download those updates from Microsoft Catalogue and install them manually. For example, the extended support period for Server 2012R2 ends in October 2023. Updates beyond this date cannot be installed from WSUS unless you purchase Extended Security Updates (ESU), while the last date of ESU is Oct, 2026 as you can see as below.
For a comprehensive list of WSUS errors and their references, you can visit the following Microsoft resources:
Here are some common errors codes along with their resolutions:
Generic Error
Cause: Sometimes, when manually installing the standalone package (*.msu file) on Server, it may display as “Update is not applicable.”
Resolution: Install the latest servicing stack before installing the update. Eg: for Server 2008R2 SP1, the latest working servicing stack is KB5028264, released on July 11, 2023
Error 0x80244010
Cause: The number of round trips to the server exceeded the maximum limit.
Resolution: Click Try again after a few miniutes.
Error 0x80200056
Cause: Indicates corruption in the local repository.
Resolution:
Stop the Windows Update Service
delete the c:\Windows\SoftwareDistribution folder
start the Windows Update Service
and then launch “Check for Updates.”
Error 0x80072efd / 0x80072ee2
Cause: Timeout / Cannot connect to windows update service.
Resolution: Make sure there’s no firewall rule or proxy blocking the connection. You can check with the telnet to the WSUS address found in the registry under this location “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\”
Error 0x80242014
Cause: A reboot is pending.
Resolution: Reboot the machine before installing updates.
Error 0x800F0831
Cause: Corruption in the Windows Component Store or some packages are missing.
Resolution: Go to c:\windows\logs\CBS and edit CBS.log (or previous CBSPersist_[timestamp].log)
Go to end of the file. Search (CTRL-F) for “missing” string in the backwards direction.
You may find “missing for package :” with a package name. Identify the KBXXXXXXX.
From Internet browser go to : https://www.catalog.update.microsoft.com and search for “KBXXXXXXX”.
Download file corresponding to Server version and install it manually.
If not ok, reset the windows updates with Dism RestoreHealth command.
Dism.exe /Online /Cleanup-Image /Restorehealth
Sfc.exe /Scannow
Error 0x80070070
Cause: There is no enough space (usually C:\ drive) to extract and install updates.
Resolution: Check the drive space.
Error 0x80248007 / 0x8024043d / 0x80244017
Cause: Connectivity issue due to the proxy configuration.
Resolution: Check the firewall and proxy.
If the proxy is turned on, disable the proxy in Internet Explorer. Or add the WSUS servers into the bypass list via netsh command as follow.
netsh winhttp show proxy
netsh winhttp set proxy proxy-server=YourProxyServer:Port bypass-list=WSUSServerIP1,WSUSServerIP2;
Error 0x8007000e
Cause: Update fails due to low memory RAM.
Resolution: Increase the machine memory or reboot the machine to free up running processes.
Error 0x80072ee5
Cause: The WSUS URL may not be correct.
Resolution: Check the WSUS URL on the locations.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
Error 0x8024402C / 0x8024500C
Cause: Client cannot reach the windows update URL
Resolution :
Check the log file C:\Windows\WindowsUpdate.log if the WSUS servers trying to connect is correct or not.
Things to check
• Check if the destination wSUS ports are opened.
• Check the system proxy.
• Make sure these registry keys are present.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows \WindowsUpdate\AU\UseWUServer
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Error 0x80244018
Cause: Server understood the request but declined to fulfill it.
Resolution: Disable the proxy in Internet Explorer. Or add the WSUS servers into the bypass list via netsh command as follow.
netsh winhttp show proxy
netsh winhttp set proxy proxy-server=YourProxyServer:Port bypass-list=WSUSServerIP1,WSUSServerIP2;
Error 0x8024000E
Cause: Unkown
Resolution: Try resetting the Windows Update database. If unsuccessful, disable Windows Update and the Windows Update URL in registry and restart the windows update service.
Error 0x80244007
Cause: there was a SOAP fault betwen client and server communication
Resolution: First, try troubleshooting with the built-in Windows Update troubleshooter.
If the computer name is missing in the WSUS console, re-create SuClientId in the registry key at this location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\WindowsUpdate\SusClientId
#Query if SusClientId exists with the following command
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId
You can run the following command to fix it. It will delete the key and regenerate a new one.
#Stop the Automatic Updates service
sc stop wuauserv
#Delete the SUSclientID registry key from the following location:
reg delete “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\WindowsUpdate” /v SUSClientID /f
#Start the Automatic Updates service
sc start wuauserv
#Re-register windows client in WUSS
wuauclt /resetauthorization /detectnow
wuauclt /reportnow
If the error code comes with these entries in the C:\Windows\windowsupdate.txt file, then re-create the software distribution folder as shown in error 0x80200056
• The body of the received message contained a fault
• Soap fault info:
Error 0x8024401c
Cause: This error usually happens when the client cannot connect WSUS server.
Resolution: Make sure the WSUS URL is correct or not in the group policy (gpedit.msc). While checking for update, you can check if the connection is going to the correct server or not by the following command.
netstat -an | findstr 8530
netstat -an | findstr 8531
Error 0x800b0109
Cause: This error usually comes with Certificate error (frequently found on Server 2008 R2). Customers who run legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) are required to have SHA-2 code signing support installed on their devices to install updates released on or after July 2019. Any devices without SHA-2 support will not be able to install Windows updates on or after July 2019.
Resolution: For Server 2008 R2 SP1, install KB4490628 and KB4474419. Ensure Server 2008 R2 has SP1 installed if encountering the message “The update is not applicable to your computer.”
Error 0x800b010a
Cause: Occurs in Server 2008 R2 if Microsoft Windows Update and associated partner certificates become obsolete. So, you need to update the serveral root certificates
Resolution: Update several root certificates using the provided steps.
On one computer where you get the internet access, type
Certutil -generateSSTFromWU WU_Roots.sst
Copy the WU_Roots.sstto the destination computer (on which your have problems)
Open the Certificate Manger (Computer Account)and import the .sst file from there.
Error 0x800b010f / 80072f8f
Cause: Indicates SSL connection issues when connecting to the WSUS server.
Resolution: Check the error log under C:\Windows\WindowsUpdate.log. This issue is often caused by certificate CN or SAN name mismatch or by using the IP address instead of the hostname in the WSUS URL.
If not ok, check if TLS 1.1 and 1.2 are enabled on clients as in this article.
Error 0x80072f0c
Cause: Indicates “A certificate is required to complete client authentication.”
Resolution: In the IIS manager of the WSUS server, under “Client Certificates,” ensure the option “Ignore” is selected instead of “Accept” or “Require.”