How do I troubleshoot Windows Update failures on my Amazon EC2 instances?

Reading time: 5 minutes

I want to troubleshoot update failures on my Amazon Elastic Compute Cloud (Amazon EC2) Windows instances.

Resolution

Run the AWSSupport-TroubleshootWindowsUpdate automation

To troubleshoot issues with Windows updates for EC2 Windows instances, it's a best practice to use the AWSSupport-TroubleshootWindowsUpdate runbook automation. Follow the recommendations that the automation returns when it completes.

Note: Before you start AWSSupport-TroubleshootWindowsUpdate, make sure that your AWS Identity and Access Management (IAM) user or role has the required permissions. For more information, see the Required IAM permissions section in AWSSupport-TroubleshootWindowsUpdate.

If you continue to get Windows Update failures, then take the following actions to manually troubleshoot the issues.

Troubleshoot Windows Update download failures

Updates download either from Microsoft Update online or from your Windows Server Update Services (WSUS) server. If you use AWS Systems Manager to manage your instances, then you might receive a failure code. To determine what caused the failure, take the following actions.

Check the WSUS configuration

To check whether Windows automatic updates point to a WSUS server or Microsoft Update online, run the following command:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

Note: If the UseWUServer value is 1, then you use WSUS to download updates.

Identify download failure issues

When you scan for updates, you might get error codes such as "0x80072EFD", "0x80072EFE", or "0x80D02002". These errors indicate either that your instance can't connect to the Microsoft Update server or to WSUS because of blocked ports or network restrictions, or that your instance connects but can't download because TLS or SSL problems cause certificate errors.

Check network connectivity

Make sure that the security group and network access control list (network ACL) for your instances allow traffic on outbound ports 80 and 443. Your firewalls or proxy configurations must also allow access.

If you get error code "0x80072EFD", then your firewall rules or proxies block Microsoft download URLs and prevent a server connection.

If you get error code "0x80072EFE", then issues that affect TLS ciphers disrupt connections to Microsoft sites.

To check your Windows Update and TLS connection, run the following Windows PowerShell commands:

Test-NetConnection update.microsoft.com -Port 443
Test-NetConnection ctldl.windowsupdate.com -Port 80

Check Windows Event logs

To check Windows Event logs for Windows Update errors, complete the following steps:

  1. In Windows, open Event Viewer.
  2. In the navigation pane, choose the Applications and Services Logs dropdown list, and then choose the Microsoft dropdown list.
  3. Choose the Windows dropdown list, and then choose the WindowsUpdateClient dropdown list.
  4. Choose Operational.
  5. Under Source, look for WindowsUpdateClient events that have 25 under Event ID.
  6. To view the details, open the event (right-click), and then choose Event Properties.

For example, you might receive an error message that's similar to "Windows Update failed to check for updates with error 0x80244022."

To resolve the issue, note the error codes, and then see Windows Update common errors and mitigation on the Microsoft website.

Generate Windows Update log

To generate a Windows Update log, run the following Windows PowerShell command as an administrator:

Get-WindowsUpdateLog

Check CTL sync time

To check the most recent sync time for trusted or untrusted Certificate Trust Lists (CTLs), run the following commands:

certutil -verifyctl AuthRoot | findstr /i "lastsynctime"
certutil -verifyctl Disallowed | findstr /i "lastsynctime"

When the sync time is older than the last Windows Update scan, there's a certificate issue.

By default, Windows uses CTL Updater to download CTLs from the internet.

Windows uses the following public URLs:

  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Check TLS client registry keys

To check whether the TLS 1.3 client registry key exists on your system, run the following command:

Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Name Enabled, DisabledByDefault -ErrorAction SilentlyContinue

To check whether the TLS 1.2 client registry key exists on your system, run the following command:

Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name Enabled, DisabledByDefault -ErrorAction SilentlyContinue

If the output is blank, then the TLS client registry key doesn't exist on your system. By default, Windows Server 2022 and later natively support TLS 1.3, and Windows Server 2012 and later support TLS 1.2. When Windows natively supports a TLS version, that version is active by default and the registry key doesn't need to exist for TLS to function. Windows creates the registry key only when you explicitly configure TLS settings.

Check automatic root certificate update policy

To check whether Windows activated the policy that controls automatic downloads of trusted root certificates, run the following command:

reg query "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" /v DisableRootAutoUpdate

Note: If the DisableRootAutoUpdate value is 1, then your policy deactivated the CTL download.
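The following PowerShell script is an added example, not part of the AWS article or the runbook: it combines the read-only checks from the WSUS configuration, CTL sync time, TLS client registry key and root auto-update policy sections above into one report. It assumes that certutil prints a line containing "LastSyncTime" followed by a date, and that the Microsoft.Update.AutoUpdate COM object is available to read the last successful scan time.

```powershell
# Added example (not from the AWS article): read-only checks of the update source,
# CTL sync times, TLS client keys and the root auto-update policy described above.

# 1. Update source: UseWUServer = 1 means updates come from WSUS, not Microsoft Update.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
if ($au.UseWUServer -eq 1) { "Update source: WSUS ($($wu.WUServer))" }   # WUServer holds the WSUS URL
else                        { 'Update source: Microsoft Update (online)' }

# 2. CTL sync time compared with the last successful Windows Update scan.
#    Assumption: the Microsoft.Update.AutoUpdate COM object exposes LastSearchSuccessDate.
try   { $lastScan = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastSearchSuccessDate }
catch { $lastScan = $null }
"Last successful update scan: $lastScan"
foreach ($ctl in 'AuthRoot', 'Disallowed') {
    $line = (certutil -verifyctl $ctl 2>$null | Select-String -Pattern 'lastsynctime' | Select-Object -First 1).Line
    if (-not $line) { "$ctl CTL: no LastSyncTime reported"; continue }
    $stamp = ($line -split ':', 2)[1].Trim()           # date text after the first colon (assumed format)
    try   { $synced = [datetime]$stamp } catch { $synced = $null }
    if ($lastScan -and $synced -and $synced -lt $lastScan) {
        "$ctl CTL: last sync $synced is OLDER than the last scan (certificate issue likely)"
    } else { "$ctl CTL: $($line.Trim())" }
}

# 3. TLS client keys: no key means the OS default applies (TLS 1.2 on Server 2012+,
#    TLS 1.3 on Server 2022+). Enabled = 0 or DisabledByDefault = 1 means explicitly disabled.
foreach ($ver in '1.2', '1.3') {
    $k = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS $ver\Client" -ErrorAction SilentlyContinue
    if (-not $k) { "TLS $ver client: no registry key (OS default applies)"; continue }
    if ($k.Enabled -eq 0 -or $k.DisabledByDefault -eq 1) {
        "TLS $ver client: EXPLICITLY DISABLED (Enabled=$($k.Enabled), DisabledByDefault=$($k.DisabledByDefault))"
    } else { "TLS $ver client: explicitly configured and enabled" }
}

# 4. Root auto-update policy: DisableRootAutoUpdate = 1 deactivates the CTL download.
$ar = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -ErrorAction SilentlyContinue
if ($ar.DisableRootAutoUpdate -eq 1) { 'Root auto-update: DISABLED by policy (CTL download deactivated)' }
else                                  { 'Root auto-update: enabled' }
```

If the certutil date can't be parsed on a non-English system, the script prints the raw LastSyncTime line so you can compare it with the scan time by hand.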

Resolve Windows Update installation failures

To determine whether your installation failed, check the Windows System log for Event ID 16, Event ID 20, or the "0x80073D02" error code.
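As an added PowerShell example that is not part of the AWS article, the following script collects the failure events from both logs named on this page (the WindowsUpdateClient Operational log, Event ID 25, from the Check Windows Event logs section, and the System log, Event IDs 16 and 20, from this section), extracts the 0x error code from each message and groups by code so you can look the codes up in Microsoft's list of common Windows Update errors. It assumes that the System log events come from the provider Microsoft-Windows-WindowsUpdateClient and that the message text contains the code as an 8-digit hex value.

```powershell
# Added example (not from the AWS article): summarise Windows Update failure events
# by error code. Assumes the provider name Microsoft-Windows-WindowsUpdateClient.

# Scan/download failures: WindowsUpdateClient Operational log, Event ID 25.
# Installation failures: System log, Event IDs 16 and 20 from the same provider.
$filters = @(
    @{ LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 25 }
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'; Id = 16, 20 }
)
$events = foreach ($f in $filters) {
    # -ErrorAction SilentlyContinue suppresses the "No events were found" error.
    Get-WinEvent -FilterHashtable $f -MaxEvents 200 -ErrorAction SilentlyContinue
}

if (-not $events) { 'No Windows Update failure events found.'; return }

# Pull the hex error code (for example 0x80244022) out of each message, if present.
$rows = foreach ($e in $events) {
    $code = if ($e.Message -match '0x[0-9A-Fa-f]{8}') { '0x' + $matches[0].Substring(2).ToUpper() }
            else { '(none)' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Log     = $e.LogName
        EventId = $e.Id
        Code    = $code
        Message = ($e.Message -split "`r?`n")[0]   # first line of the message only
    }
}

# Summary: which codes occur, how often, and when each was last seen.
$rows | Group-Object Code | Sort-Object Count -Descending |
    Select-Object @{ n = 'Code'; e = { $_.Name } }, Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Format-Table -AutoSize

# Detail: the ten most recent failures with log, event ID and first message line.
$rows | Sort-Object Time -Descending | Select-Object -First 10 | Format-List
```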

If Windows Update components are corrupted, then your updates might not install. Check the Windows Setup log for corruption errors.

To resolve installation failures and corruption errors, see Fix Windows Update corruptions and installation failures on the Microsoft website.

Check for antivirus software

Third-party software, such as antivirus or scanning programs, might interfere with the update process. It can also corrupt files or cause updates to fail.

Before you start the update, exclude files from your virus scanning software. For a list of files to exclude, see Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server on the Microsoft website.

Run the Windows Update troubleshooter

To resolve Windows update issues, run the built-in Windows Update troubleshooter. For more information, see Windows Update Troubleshooter on the Microsoft website.

Related information

AWS Support Automation Workflows (SAW)

Running a simple automation (console)

Setting up Automation