Windows Update stuck at 0 percent on Windows 10, Windows Server 2016, or Windows Server 2019

Applies to: Windows 10, version 1809Windows Server 2019, all versionsWindows Server 2016 More

Symptoms


On Windows 10, Windows Server 2016 or Windows Server 2019, when you try to download updates by using Windows Update (stand-alone or WSUS), the process hangs at 0 percent completion, as shown in the following screen shot:

Capture.JPG

Cause


This issue occurs for either of the following reasons.

Cause 1

A proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level). This configuration causes the connections to Windows Update to fail.

Cause 2

You are using the RTM version (10.0.14393.0) of the Windows Update Agent, and have configured the computer to connect to a Windows Server Update Services (WSUS) server.

Cause 3

This issue can be caused if the Windows Firewall service is disabled on the computer. This is an unsupported method of turning off the firewall functionality.

Resolution


To resolve the issue, follow these steps:

For Cause 1

Configure a proxy in WinHTTP by using the following netsh command:

netsh winhttp set proxy ProxyServerName:PortNumber

Note You can also import the proxy settings from Internet Explorer by using the following command:

netsh winhttp import proxy source=ie

For Cause 2

Update the Windows Update Agent to version 10.0.14393.187. To do this, install the September 2016 Cumulative Update for Windows 10 or Windows Server 2016 (3193494), or any later cumulative update.

For Cause 3

To correctly turn off the firewall functionality, see: I Need to Disable Windows Firewall.

Third-party firewall software that is compatible with Windows Vista and Windows Server 2008 can programmatically disable only the parts of Windows Firewall with Advanced Security that have to be disabled for compatibility. You should not disable the firewall yourself for this purpose. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.

We recommend verifying your firewall solution vendor if disabling of the service is necessary because usually third-party Firewall software usually turn off the Windows Firewall functionality in a supported way already. You may not disable the service which is not a supported configuration.

More Information


For Cause 1

The proxy can be configured at the following levels:

  • USER level (from Internet Explorer)
  • SYSTEM level (from WinHTTP)

In all Windows versions, the scanning operation ("Check for Updates") always run as the caller. Therefore, the operation uses the proxy of the caller (user IR proxy, if the scan is done as the user).

The download proxy resolution has changed for different versions of Windows 10 because of different enterprise requirements and their proxy configurations.

Before Windows 10, Windows Update cached all the resolved proxies (using USER and SYSTEM accounts) and passed the list to Background Intelligent Transfer Service (BITS) for downloads.

In Windows 10 and Windows Server 2016, WinHTTP introduced a better auto-proxy resolution that makes it unnecessary to cache the proxies. Therefore, Windows Update changed the proxy resolution logic based on the configuration.

When the downloads go through BITS, Windows Update has to resolve the proxies by itself and send them to BITS.

To summarize:

  • The "Check for updates" (against the Internet) process uses either Internet Explorer proxy settings or WinHTTP proxy settings.
  • The downloading updates (from the Internet) process uses only the WinHTTP proxy settings.
  • The WinHTTP proxy setting is required for Windows Server 2016 to get updates from Microsoft Update (online) when the computer is behind a proxy server.

For Cause 2

Windows Update log reveals that the download got completed within seconds. However, the download completion status does not reflect the actual status in the UI. For example, the Windows Update log entry resembles the following entry.

  • The ReportingEvents log shows that the scan and download of the update succeeded, as shown in the following example.
  • However, this entry contains no entries after 08:11:51.82161 AM. This might indicate that the service was stopped.
  • The event log confirms that many services stopped unexpectedly at 8:11:58 A.M., including usosvc and wuauserv. For example, the log entry resembles the following.
  • The UpdateUx log shows many 0x800706ba errors. This indicates that the uso session object does not exist anymore. Therefore, SystemSettings.exe cannot update the download progress on the settings page Ux.

For Cause 3

Windows Update uses the Background Intelligent Transfer Service (BITS) for downloading updates. For BITS to be able to enforce transfer behavior related to Windows Information Protection (WIP), the firewall service must be running, regardless of whether the firewall functionality is enabled. When the firewall service is disabled, BITS doesn’t have the necessary information to continue the download without it leading to a possible security breach.

Therefore, BITS or Delivery Optimization (DO) encounter the transient error 0x800706D9:

On Windows 10, Windows Update uses DO instead of BITS when DO is not disabled, for the same job of downloading the updates and that is why we will see DO job hitting the transient error.