Issue with High CPU for Server 2012 due to Windows Update

Recently at a site we had machines start using high CPU in the SVCHost process. This process is used by lots of services to access the network; however, as soon as the Windows Update service was stopped, CPU came back down to normal.

I had seen this before at another site and the issue was due to not enough CPU (only one was flatlining the CPU); however, increasing the CPU and memory still did not fix this.

Then after some recent updates, the servers would not Windows Update anymore; they would just sit on “Checking for Windows Updates”. I couldn’t install updates via PowerShell.

A server running Windows Server 2012 R2 on the same network updated fine!

I tried the normal fix of wiping these:

C:\Windows\SoftwareDistribution

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

However to no avail.

 

I checked the Windows Update log: C:\Windows\WindowsUpdate.log

2019-04-23 14:09:51:839 5080 ab8 CltUI FATAL: CNetworkCostChangeHandler::RegisterForCostChangeNotifications: CoCreateInstance failed with error 80004002
2019-04-23 14:09:51:839 5080 ab8 CltUI WARNING: RegisterNetworkCostChangeNotification: Error 80004002

 

I then found an article saying to remove the Desktop Experience feature (which had been installed to run Disk Cleanup on the servers).


After this I did this again and could Windows Update again:

C:\Windows\SoftwareDistribution

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

 

Check also for Dual Scanning

 

In an elevated PowerShell prompt:

  • Get-WindowsUpdateLog
    This will produce a log file on the desktop giving verbose detail on all of the Windows Update tasks performed recently.
  • (New-Object -ComObject "Microsoft.Update.ServiceManager").Services | Select-Object Name, IsDefaultAUService
    This will output all configured update sources, along with the default. If dual scanning is active, and the workstation is not checking in with WSUS, you might see Windows Update as the default, and WSUS as not default.
  • (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    This will trigger the computer to check in with the WSUS server – BUT if there are no new reports to add, it won’t send anything. If that is the case, then:
  • $updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
    This will force a status to be returned at next check in.

Extra GPO settings to prevent Dual Scanning from hijacking the GPO and making the workstations go rogue – take note of setting the alternate download server to your WSUS server:

Computer Configuration > Policies > Administrative Templates > System > Device Installation

Specify the search server for device driver source locations

Set to “Enabled”
Select search order: “Do not search Windows Update”

Specify the search server for device driver updates

Set to “Enabled”
Select Update Server: “Search Managed Server”

Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

Turn off access to all Windows Update features (In Microsoftspeak that means their online server, not ‘make so it can’t get updates’)

Set to “Enabled”

Turn off access to the Store

Set to “Enabled”

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Do not allow update deferral policies to cause scans against Windows Update

Set to “Enabled”

No auto-restart with logged on users for scheduled automatic updates installations

Set to “Enabled”

Specify intranet Microsoft update service location (note that the alternate download server is also set to our own WSUS server)

Set to “Enabled”
Set the intranet update service for detecting updates: http://[YOUR SERVER]:8530
Set the intranet statistics server: http://[YOUR SERVER]:8530
Set the alternate download server: http://[YOUR SERVER]:8530
Uncheck the box “Download files with no Url in the metadata if alternate download server is set”
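
To confirm on a given machine that the policies above actually landed, here is an added example (not part of the original post) that reads the Windows Update policy keys and flags a configuration that still leaves dual scanning possible. The registry value names it checks (UseWUServer, WUServer, WUStatusServer, UpdateServiceUrlAlternate, DisableDualScan, DeferQualityUpdates, DeferFeatureUpdates) are assumed to be the values these policies write, and the server URL is a constructed placeholder.

```powershell
# Added example. Registry value names are assumptions to verify against your ADMX.
function Test-DualScanPolicy {
    param([hashtable]$Policy)   # omit to read the local machine's policy keys

    if (-not $Policy) {
        $Policy = @{}
        $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        foreach ($key in $base, "$base\AU") {
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($item) {
                # Copy the registry values, skipping the provider's PS* metadata.
                $item.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { $Policy[$_.Name] = $_.Value }
            }
        }
    }

    $findings = @()
    $wsusOn = ($Policy['UseWUServer'] -eq 1) -and [bool]$Policy['WUServer']
    if (-not $wsusOn) {
        $findings += 'WSUS is not enforced (UseWUServer / WUServer).'
    }
    # Status and alternate download server should match the WSUS URL.
    foreach ($name in 'WUStatusServer', 'UpdateServiceUrlAlternate') {
        if ($Policy[$name] -ne $Policy['WUServer']) {
            $findings += "$name does not match WUServer."
        }
    }
    # Deferral policies are what make a WSUS client also scan Windows Update.
    $deferral = ($Policy['DeferQualityUpdates'] -eq 1) -or
                ($Policy['DeferFeatureUpdates'] -eq 1)
    if ($Policy['DisableDualScan'] -ne 1) {
        $risk = 'no deferral policy found'
        if ($deferral) { $risk = 'deferral policy present, dual scan likely' }
        $findings += "DisableDualScan is not 1 ($risk)."
    }
    $findings
}

# Constructed sample values, not taken from a real server.
$weak = @{ UseWUServer = 1; WUServer = 'http://wsus.example.internal:8530'
           WUStatusServer = 'http://wsus.example.internal:8530'
           DeferQualityUpdates = 1 }
$fixed = $weak.Clone()
$fixed.UpdateServiceUrlAlternate = $weak.WUServer
$fixed.DisableDualScan = 1

Test-DualScanPolicy -Policy $weak    # alternate server and DisableDualScan missing
Test-DualScanPolicy -Policy $fixed   # corrected configuration
Test-DualScanPolicy                  # audit this machine (run elevated)
```

An empty result means none of the checks fired; run `gpupdate /force` first if the GPO was only just changed.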

 
