Why can’t I update Windows on my Amazon EC2 Windows instance?

Short description

You can use four methods to manage Windows Update for your Amazon EC2 instances, depending on your use case:

1. Use Group Policy Management for instances that are joined to a domain.
2. Use Windows Settings or the Local Group Policy Editor for non-domain joined (Workgroup) instances.
3. Use SCONFIG commands for Non-Domain joined (Workgroup) instances. For more information, see How to change Windows Update settings using SCONFIG on the Microsoft website.
4. Use the Patch Manager in AWS Systems Manager.

Note: Amazon EC2 Windows can get the Windows update either from Microsoft Update Servers or Windows Server Update Services (WSUS). Microsoft Update Servers send updates through the internet. To check your instances' current update source, refer to the following registry key:

Path - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Key - UseWUServer, Value - 1

If the UseWUServer key value is 1, then your instances receive updates from WSUS.

If the UseWUServer key value is either 0 or missing, then your instances receive updates from Microsoft Update Servers.

Resolution

There are several reasons why Windows Update might fail on EC2 instances. Refer to the following troubleshooting steps for common issues. For more information on Windows Update errors, see Windows Update common errors and mitigation on the Microsoft website.

Verify connectivity to the update servers

Microsoft Update servers (internet)

Verify that your instances can reach all Microsoft Update URLs, from the Microsoft website. If the instances can't reach the URLs, then check following conditions:

• Instances must have internet connectivity.
• Your instances' security group and network access control list (network ACL) must allow traffic on outbound ports 80 and 443.
• Check any firewalls or proxy configurations that you applied to the instance. For more information, see Issues related to HTTP/Proxy on the Microsoft website.

WSUS

Verify that your instances can reach the WSUS server over ports 8530 and 8531 or any custom port that you configured. To do this, run the following PowerShell command:

Test-NetConnection -ComputerName [WSUS Server] -Port [8530/8531/custom port]

If the instances can't reach the WSUS server, then check your instances' security group and network ACL. They must allow traffic on the outbound port to the WSUS server.

Check the status of Windows Update services

Verify that the following services are in the Running state:

• Windows Update
• Background Intelligent Transfer Service
• Cryptographic Services

Check Windows Update for a corrupt component

The update installation might fail from corrupt Windows Update components. There are two ways to fix this issue:

Windows Update Troubleshooter

The Windows Update Troubleshooter fixes corrupt components as well as other update-related issues. To run the troubleshooter, follow these steps:

1. Choose Start on your Windows operating system.
2. Choose Settings.
3. Choose Windows Update. Or, choose Update & Security, and then choose Windows Update.
4. From the navigation pane, choose Troubleshoot.
5. Choose Additional Troubleshooters, and then choose Windows Update.
6. Choose Run the troubleshooter.

Manual reset

1. Open a Windows command prompt as an administrator.

2. Stop all essential Windows Update services that might block a component reset:

   net stop bits
   net stop wuauserv
   net stop cryptsvc 

3. Rename the following folders under %Systemroot%\SoftwareDistribution. Run these commands to rename the folders as shown:

   Ren %Systemroot%\SoftwareDistribution\DataStore DataStore.bak
   Ren %Systemroot%\SoftwareDistribution\Download Download.bak

4. Start all essential Windows Update services:

   net start bits
   net start wuauserv
   net start cryptsvc

Check your system's disk space

Windows Update requires enough free space on your system drive (C:) to download and install necessary files on the instance. Update files vary in size, so make sure that you have sufficient space for the update.

Check any antivirus software

Third-party software such as antivirus or scanning programs might interfere with the update process. They might also corrupt files or cause updates to fail.

To increase the chance of a successful update, exclude some files from your virus scanning software before the update. For a list of these files, see Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server on the Microsoft website.

For a list of other common Windows Update errors and their resolution, see Windows Update common errors and mitigation on the Microsoft website.

Additional logs and troubleshooting

If you still can't successfully run Windows Update for your instances, then check the Windows Event Logs for specific errors:

1. Choose Start on your Windows operating system.
2. Choose Event Viewer.
3. In the navigation pane, choose the Application and Service Logs file to expand it.
4. Choose the following subfolders to expand them: Microsoft, Windows, WindowsUpdateClient. Then, choose the Operational log.
5. Under the Operational log pane, find the update that fails to install. Note the failure code.
6. To identify your error and troubleshoot it, see Windows Update error codes by component and Windows Update common errors and mitigation on the Microsoft website.

To further analyze any Windows Update failures, collect the following logs from the instance:

• CBS logs: Review the CBS.log file located in C:\Windows\Logs\CBS.
• Windows Update logs: To generate the Windows Update log file, run the following command. This saves the file to your desktop:

  Get-WindowsUpdateLog