How do I troubleshoot Window update failures for Amazon Elastic Compute Cloud instances?

4 分钟阅读

I want to troubleshoot why my Microsoft Windows Amazon Elastic Compute Cloud (Amazon EC2) instances fail to update.

Resolution

Run the AWSSupport-TroubleshootWindowsUpdate automation

As a best practice, first use AWSSupport-TroubleshootWindowsUpdate automation to troubleshoot common issues related to Windows updates for Windows Amazon EC2 instances. Follow the recommendations that you receive when you run this automation.

Note: Before you start AWSSupport-TroubleshootWindowsUpdate, make sure that your AWS Identity and Access Management (IAM) user or role has the required permissions. For more information, see the Required IAM permissions section of the runbook.

To launch SAW automation, complete the following steps:

Log in to the AWS Systems Manager console, and then open AWSSupport-TroubleshootWindowsUpdate.
To run the automation, follow the steps under Instructions in the runbook.
After the SAW automation completes, review the results in the Outputs section. The final report contains the detailed plaintext output of each step.

Important: If you continue to get Windows Update failures, then review the following steps to manually troubleshoot the issues.

Verify connectivity to the update servers when WSUS isn't used

Verify that your instances can reach the required Microsoft domains. For more information, see Configure your firewall to allow your first WSUS server to connect to Microsoft domains on the internet on the Microsoft website.

If the instances can't reach the domains, then check the following conditions:

Your instances have internet connectivity.
The security group and network access control list (network ACL) for your instances allow traffic on outbound ports 80 and 443.
Your firewalls or proxy configurations allow access. For more information, see Issues related to HTTP/Proxy on the Microsoft website.

Check Windows Update for a corrupt component

The update installation might fail from corrupt Windows Update components. There are two ways to fix this issue:

Use the Windows Update Troubleshooter

The Windows Update Troubleshooter fixes corrupt components as well as other update-related issues. For more information on running the Troubleshooter, see Windows Update Troubleshooter on the Microsoft website.

Perform a manual reset

To stop all essential Windows Update services that might block a component reset, run the following commands:

net stop bitsnet stop wuauserv
net stop cryptsvc

Rename the following folders under %Systemroot%\SoftwareDistribution. To rename the folders, run the following commands:

Ren %Systemroot%\SoftwareDistribution\DataStore DataStore.bakRen %Systemroot%\SoftwareDistribution\Download Download.bak

To restart all essential Windows Update services, run the following commands:

net start bitsnet start wuauserv
net start cryptsvc

Check for antivirus software

Third-party software such as antivirus or scanning programs might interfere with the update process. They might also corrupt files or cause updates to fail.

To increase the chance of a successful update, exclude some files from your virus scanning software before the update. For a list of files to exclude, see Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server on the Microsoft website.

For a list of other common Windows Update errors and their resolution, see Windows Update common errors and mitigation on the Microsoft website.

Review additional logs for troubleshooting options

If you still can't successfully run Windows Update for your instances, then check the Windows events, update, and CBS logs for specific errors. These logs are in the temporary folder that's created by the automation on the EC2 instance. For more information, see the output for the automation.

For more information on Windows Update errors, see Windows Update common errors and mitigation on the Microsoft website.