WSUS is a great product from Microsoft to keep your servers up to date. In the past years, I have often used it at the companies I worked for. But it has it downsides as well. Sometimes the Windows Update client just won’t work. You’ll get errors like 0x80244022, 0x8024401C and 0x80072EE2 and just haven’t got a clue what is going on.
I have collected a number of solutions to fix these errors and put them in a PowerShell script. This script contains all the tricks I had to pull to get the Windows Update client running again.
So, what does it do?
Clear-Host
$WSUSServer = "WSUS.$env:USERDNSDOMAIN"
# Make sure we run as admin
If ((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Write-Host "You are running this script elevated. This is a good thing. Moving on with the script...."
} Else {
Write-Warning "You are NOT running this script elevated. This is a BAD thing. Exiting script !!!"
Start-Sleep -Seconds 5
Return
}
# Test connection to the WSUS server
If (Test-Connection -ComputerName $WSUSServer -Quiet) {
Write-Host "Ping to WSUS server completed SUCCESFULLY. This is a good thing. Moving on with the script...."
} Else {
Write-Warning "Ping to WSUS server FAILED. This is a BAD thing !!!"
Start-Sleep -Seconds 5
}
If (Test-NetConnection -ComputerName $WSUSServer -Port 8530) {
Write-Host "Connection test to WSUS server on port 8530 completed SUCCESFULLY. This is a good thing. Moving on with the script...."
} Else {
Write-Warning "Connection test to WSUS server on port 8530 FAILED. This is a BAD thing !!!"
Start-Sleep -Seconds 5
}
If (Test-NetConnection -ComputerName $WSUSServer -Port 8531) {
Write-Host "Connection test to WSUS server on port 8531 completed SUCCESFULLY. This is a good thing. Moving on with the script...."
} Else {
Write-Warning "Connection test to WSUS server on port 8531 FAILED. This is a BAD thing !!!"
Start-Sleep -Seconds 5
}
# Test if WSUS server has been set
Try {
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' | Select-Object -ExpandProperty 'WUServer' -ErrorAction Stop | Out-Null
Write-Host "WSUS server = " (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' | Select-Object -ExpandProperty 'WUServer')
} Catch {
Write-Warning "WUServer registry key is empty. This is a BAD thing !!!"
}
# Test if Internet Explorer proxy server has been set
$CurrentProxySettings = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings')
$DNSDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$item = "*." + $DNSDomain
If ($CurrentProxySettings.ProxyEnable -eq '1') {
If ($CurrentProxySettings.ProxyOverride -like "*$item*") {
Write-Host "A proxy server has been set in Internet Explorer."
Write-Host "A proxy exception for $item has been set. This is a good thing. Moving on with the script...."
} # endif
Else {
Write-Warning "A proxy exception for $item has NOT been set.Adding proxy exception..."
$NewOverrideValue = $CurrentProxySettings.ProxyOverride + ";" + $item
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyOverride $NewOverrideValue
$CurrentProxySettings = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings')
Write-Host " Proxy exception has been added. Current proxy exceptions are: " $CurrentProxySettings.ProxyOverride
} # endelse
} # endif
Else {
Write-Host 'No proxy server has been set. This is a good thing. Moving on with the script....'
} # endelse
# Testing if winhttp proxy has been set
$NetshWinhttpSetting = [string](Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections' | Select-Object -ExpandProperty 'WinHttpSettings')
$NotSet = "40 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0"
If ($NetSHWinhttpSetting -match $NotSet) {
Write-Host 'A winhttp proxy has not been set. This is a good thing. Moving on with the script....'
} Else {
Write-Warning 'A winhttp proxy has been set. This is a BAD thing. Resetting winhttp proxy....'
# Reset winhttp (wuauclt fails if winhttp is set)
netsh winhttp show proxy
Start-Sleep -Seconds 3
netsh winhttp reset proxy
Start-Sleep -Seconds 3
}
# Refresh group membership
Write-Host 'Refreshing computer group membership'
klist -lh 0 -li 0x3e7 purge
klist -lh 0 -li x3e7 purge
Start-Sleep 3
# Refrsh group policy
Write-Host 'Forcing group policy'
gpupdate /force /target:computer
Start-Sleep 3
#Stop services
$ServiceDisplayNames = @()
$ServiceDisplayNames = @('Background Intelligent Transfer Service', 'Windows Update', 'Application Identity', 'Cryptographic Services')
ForEach ($ServiceDisplayName in $ServiceDisplayNames) {
Try {
Get-Service -DisplayName $ServiceDisplayName | Stop-Service -Verbose
Get-Service -DisplayName $ServiceDisplayName
} Catch {
}
}
# Remove files
Remove-Item "$env:AllUsersProfile\Microsoft\Network\Downloader\qmgr*.dat" -Force -Verbose
Remove-Item "$env:SystemRoot\SoftwareDistribution" -Force -Recurse -Verbose
# Start services
$ServiceDisplayNames = @()
$ServiceDisplayNames = @('Cryptographic Services', 'Application Identity', 'Windows Update', 'Background Intelligent Transfer Service')
ForEach ($ServiceDisplayName in $ServiceDisplayNames) {
Try {
Get-Service -DisplayName $ServiceDisplayName | Start-Service -Verbose
Get-Service -DisplayName $ServiceDisplayName
} Catch {
}
}
Start-Sleep -Seconds 5
wuauclt /reportnow
As always, please keep in mind this script is tailored to my environment, but can be used as a template for your environment. I do not pretend to be a PowerShell guru and as such my script may not be perfect. I am open to suggestions 🙂 . If you found this script useful, I’d appreciate it if you leave a comment.