How does Windows Update work?

The Windows Update workflow has four core areas of functionality:

Download

Install

Commit

How updating works

During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn’t disrupt your computer usage.

Scanning updates

The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn’t overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.

When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.

Make sure you’re familiar with the following terminology related to Windows Update scan:

Term	Definition
Update	We use this term to mean several different things, but in this context it’s the actual updated code or change.
Bundle update	An update that contains 1-N child updates; doesn’t contain payload itself.
Child update	Leaf update that’s bundled by another update; contains payload.
Detector update	A special «update» that contains «IsInstalled» applicability rule only and no payload. Used for prereq evaluation.
Category update	A special «detectoid» that has an IsInstalled rule that is always true. Used for grouping updates and to allow the device to filter updates.
Full scan	Scan with empty datastore.
Delta scan	Scan with updates from previous scan already cached in datastore.
Online scan	Scan that uses the network and to check an update server.
Offline scan	Scan that doesn’t use the network and instead checks the local datastore. Only useful if online scan has been performed before.
CatScan	Category scan where caller can specify a categoryId to get updates published under that categoryId.
AppCatScan	Category scan where caller can specify an AppCategoryId to get apps published under that appCategoryId.
Software sync	Part of the scan that only checks for software updates (both the apps and the operating system).
Driver sync	Part of the scan that checks driver updates only. This sync is optional and runs after the software sync.
ProductSync	A sync based on attributes, in which the client provides a list of device, product, and caller attributes ahead of time to allow service to check applicability in the cloud.

How Windows Update scanning works

Windows Update does the following actions when it runs a scan.

Starts the scan for updates

When users start scanning in Windows Update through the Settings panel, the following occurs:

• The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
• «Agent» messages: queueing the scan, then actually starting the work:

  Updates are identified by the different IDs («ID = 10», «ID = 11») and from the different thread ID numbers.

  Windows Update uses the thread ID filtering to concentrate on one particular task.

  

  Identifies service IDs

  Service IDs indicate which update source is being scanned.

  The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates.

  Common service IDs

  ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to. It’s totally controlled by responses from the Service Locator Service.

Service	ServiceId
Unspecified / Default	WU, MU, or WSUS 00000000-0000-0000-0000-000000000000
Windows Update	9482F4B4-E343-43B6-B170-9A65BC822C77
Microsoft Update	7971f918-a847-4430-9279-4a52d1efe18d
Store	855E8A7C-ECB4-4CA3-B045-1DFA50104289
OS Flighting	8B24B027-1DEE-BABB-9A95-3517DFB9C552
WSUS or Configuration Manager	Via ServerSelection::ssManagedServer 3DA21691-E39D-4da6-8A4B-B43877BCB1B7
Offline scan service	Via IUpdateServiceManager::AddScanPackageService

Finds network faults

Common update failure is caused due to network issues. To find the root of the issue:

Look for «ProtocolTalker» messages to see client-server sync network traffic.

«SOAP faults» can be either client- or server-side issues; read the message.

The Windows Update client uses the Service Locator Service to discover the configurations and endpoints of Microsoft network update sources: Windows update, Microsoft Update, or Flighting.

If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service.

On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can’t scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it’s locally configured.

Downloading updates

Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.

To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption.

Installing updates

When an update is applicable, the «Arbiter» and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an «action list».

The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation.

Committing Updates

When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed.

Windows Update troubleshooting

If you run into problems when using Windows Update, start with the following steps:

Run the built-in Windows Update troubleshooter to fix common issues. Navigate to Settings > Update & Security > Troubleshoot > Windows Update.

Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See Servicing stack updates for more details on servicing stack updates.

Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:

Advanced users can also refer to the log generated by Windows Update for further investigation.

You might encounter the following scenarios when using Windows Update.

Why am I offered an older update?

The update that is offered to a device depends on several factors. The following are some of the most common attributes:

• OS Build
• OS Branch
• OS Locale
• OS Architecture
• Device update management configuration

If the update you’re offered isn’t the most current available, it might be because your device is being managed by a WSUS server, and you’re being offered the updates available on that server. It’s also possible, if your device is part of a deployment group, that your admin is intentionally slowing the rollout of updates. Since the deployment is slow and measured to begin with, all devices will not receive the update on the same day.

My device is frozen at scan. Why?

The Settings UI communicates with the Update Orchestrator service that in turn communicates with to Windows Update service. If these services stop unexpectedly, then you might see this behavior. In such cases, follow these steps:

Close the Settings app and reopen it.

Start Services.msc and check if the following services are running:

• Update State Orchestrator
• Windows Update

Feature updates are not being offered while other updates are

Devices running Windows 10, version 1709 through Windows 10, version 1803 that are configured to update from Windows Update (including Windows Update for Business) are able to install servicing and definition updates but are never offered feature updates.

Checking the WindowsUpdate.log reveals the following error:

The 0x80070426 error code translates to:

Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on MSA to get the global device ID for the device. Without the MSA service running, the global device ID won’t be generated and sent by the client and the search for feature updates never completes successfully.

To resolve this issue, reset the MSA service to the default StartType of «manual.»

Issues related to HTTP/Proxy

Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Therefore proxy servers on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail.

To fix this issue, configure a proxy in WinHTTP by using the following netsh command:

You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie

If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run.

You might choose to apply a rule to permit HTTP RANGE requests for the following URLs:

*.download.windowsupdate.com
*.dl.delivery.mp.microsoft.com *.delivery.mp.microsoft.com

If you can’t allow RANGE requests, you’ll be downloading more content than needed in updates (as delta patching will not work).

The update is not applicable to your computer

The most common reasons for this error are described in the following table:

Cause	Explanation	Resolution
Update is superseded	As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you’re trying to install already has a newer version of the payload on your system, you might receive this error message.	Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package.
Update is already installed	If the update that you’re trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.	Verify that the package that you are trying to install was not previously installed.
Wrong update for architecture	Updates are published by CPU architecture. If the update that you’re trying to install does not match the architecture for your CPU, you may encounter this error message.	Verify that the package that you’re trying to install matches the Windows version that you are using. The Windows version information can be found in the «Applies To» section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers. Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows.
Missing prerequisite update	Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.	Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424). To determine if these prerequisite updates are installed, run the following PowerShell command: get-hotfix KB3173424,KB2919355, KB2919442 . If the updates are installed, the command will return the installed date in the InstalledOn section of the output.

Issues related to firewall configuration

Error that you might see in Windows Update logs:

Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see I need to disable Windows Firewall.

Issues arising from configuration of conflicting policies

Windows Update provides a wide range configuration policy to control the behavior of the Windows Update service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting policies may lead to unexpected behaviors.

Device cannot access update files

Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints:

Protocol	Endpoint URL
TLS 1.2	*.prod.do.dsp.mp.microsoft.com
HTTP	emdl.ws.microsoft.com
HTTP	*.dl.delivery.mp.microsoft.com
HTTP	*.windowsupdate.com
HTTPS	*.delivery.mp.microsoft.com
TLS 1.2	*.update.microsoft.com
TLS 1.2	tsfe.trafficshaping.dsp.mp.microsoft.com

Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.

The specific endpoints can vary between Windows 10 versions. See, for example, Windows 10 2004 Enterprise connection endpoints. Similar articles for other Windows 10 versions are available in the table of contents nearby.

Updates aren’t downloading from the intranet endpoint (WSUS or Configuration Manager)

Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:

1. Start Windows PowerShell as an administrator.
2. Run $MUSM = New-Object -ComObject «Microsoft.Update.ServiceManager».
3. Run $MUSM.Services.

Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table.

Output	Meaning
— Name: Microsoft Update -OffersWindowsUpdates: True	— The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered. — Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)
— Name: DCat Flighting Prod — OffersWindowsUpdates: True	— Starting with Windows 10 1709, feature updates are always delivered through the DCAT service. — Indicates that the client is configured to receive feature updates from Windows Update.
— Name: Windows Store (DCat Prod) — OffersWindowsUpdates: False	-The update source is Insider Updates for Store Apps. — Indicates that the client will not receive or is not configured to receive these updates.
— Name: Windows Server Update Service — OffersWindowsUpdates: True	— The source is a Windows Server Updates Services server. — The client is configured to receive updates from WSUS.
— Name: Windows Update — OffersWindowsUpdates: True	— The source is Windows Update. — The client is configured to receive updates from Windows Update Online.

You have a bad setup in the environment

In this example, per the Group Policy set through registry, the system is configured to use WSUS to download updates (note the second line):

From Windows Update logs:

In the above log snippet, we see that the Criteria = «IsHidden = 0 AND DeploymentAction=*» . «*» means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results.

As shown in the following logs, automatic update runs the scan and finds no update approved for it. So it reports there are no updates to install or download. This is due to an incorrect configuration. The WSUS side should approve the updates for Windows Update so that it fetches the updates and installs them at the specified time according to the policy. Since this scenario doesn’t include Configuration Manager, there’s no way to install unapproved updates. You’re expecting the operational insight agent to do the scan and automatically trigger the download and installation but that won’t happen with this configuration.

High bandwidth usage on Windows 10 by Windows Update

Users might see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that might consume bandwidth expand beyond Windows Update components.

The following group policies can help mitigate this situation:

Other components that connect to the internet: