We are continuing our series that answers common questions, or questions that have been asked about/of PowerShell. Today’s topic is Windows Update Database Repair and Restore. What we intend to provide is one of the many, many ways you can accomplish these same tasks within PowerShell.
All of the solutions are ours and demonstrate the author’s skill and ability level at the time of writing. That is to say, we might not always write the best PowerShell code; however, if you know of a better way, we welcome that input.
Let’s start. The question is:
There is a failure in WSUS, in between we have got to patch machines manually. Would the below command work with the general way of looking for available updates on a machine and installing them, or does it work only with WSUS? I have imported the PSWindowsUpdate module already,
```powershell
Invoke-WUInstall -ComputerName Test-1 -Script {ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll | Out-File C:\PSWindowsUpdate.log } -Confirm:$false -Verbose
```
The Answer:
To start, what you are asking for is a bit more involved than a one-line fix using a module we are not even clear is installed at this time. Let us dive into what causes this problem and how to address it, and then bring it all together in a script that takes care of each issue individually yet all within the same script.
Sounds fun.
More specifically, what is the problem? In my experience, it is one of two issues. Either there is no connection to the WSUS server, or the Windows Update Service on the computer in question is hosed and needs to be rebuilt.
Why yes, we can rebuild the Windows Update Database; however, there are things we need to do before we can just jump in and start trying to rebuild a database on a computer. Let us continue.
Here is a fantastic article that shows the most common way to rebuild the database.
Here is how we can replicate this in PowerShell:
```powershell
# Stop the services that keep the update store and catalog folders in use
Stop-Service -Name BITS
Stop-Service -Name wuauserv
Stop-Service -Name appidsvc
Stop-Service -Name cryptsvc

# Rename the update store and catalog folders; the services recreate them on start
Rename-Item "$env:SystemRoot\SoftwareDistribution" SoftwareDistribution.bak -ErrorAction SilentlyContinue
Rename-Item "$env:SystemRoot\System32\Catroot2" catroot2.bak -ErrorAction SilentlyContinue

# Start the same services again
Start-Service -Name BITS
Start-Service -Name wuauserv
Start-Service -Name appidsvc
Start-Service -Name cryptsvc
```
The first part stops the BITS, Windows Update, Application Identity (appidsvc), and Cryptographic services. The two Rename-Item lines rename the SoftwareDistribution and Catroot2 folders. The last part starts the same four services again.
No, absolutely not. This answers no question yet. What if the system is still getting updates from WSUS, how do we stop that? Luckily we have this. Here is how:
```powershell
function disableWSUS {
    # Pulled location and registry key information from
    # https://www.windowscentral.com/how-stop-updates-installing-automatically-windows-10#disable_automatic_windows_update_regedit
    # By: Alan Newingham
    # Date: 4/9/2020
    # Purpose of this script is to nuke the appropriate registry keys in order to set
    # Windows to auto update in response to mass-remote COVID response.

    # Adding this as customers cannot do this themselves. When the script runs it will
    # disable the "running scripts is not allowed in this environment." restriction.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

    $SPAdmin = "DOMAIN\USERNAME"

    # One-time setup, run interactively as the user who will run this script. The saved
    # string is DPAPI-protected and can only be read back by that user on that computer:
    #   Read-Host "Password for DOMAIN\USERNAME" -AsSecureString | ConvertFrom-SecureString | Out-File C:\SecureData\SecureString.txt
    $Password = Get-Content C:\SecureData\SecureString.txt | ConvertTo-SecureString

    # Create the credentials object
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $SPAdmin, $Password

    # The registry provider does not support -Credential on Remove-ItemProperty, so the
    # removal runs under the admin account through Invoke-Command (needs PowerShell remoting enabled).
    Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $Credential -ScriptBlock {
        $wuPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
        Remove-ItemProperty -Path $wuPolicy -Name "WUStatusServer"
        Remove-ItemProperty -Path $wuPolicy -Name "WUServer"
    }
}

disableWSUS
```
I created a function around an old script I wrote to authenticate as an “admin account” and change the registry keys associated with the WSUS server and WSUS Status Server.
That is pretty much all that you need to do both. However, I have found that there is a bit more we can do to go that extra mile and just make sure everything is set up and correct before we proceed.
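One such pre-check is to confirm which of the two problems the machine actually has before removing the WSUS values or rebuilding the database. This is an added example, not the author's script: the function name Get-WsusClientState is hypothetical, and it assumes Test-NetConnection is available (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added example: report the WSUS policy, the Windows Update service state and
# whether the configured WSUS server answers, all on the local machine.
function Get-WsusClientState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au     = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

    $state = [ordered]@{
        WUServer       = $policy.WUServer
        WUStatusServer = $policy.WUStatusServer
        UseWUServer    = $au.UseWUServer   # WUServer is only honoured when this is 1
        ServiceStatus  = (Get-Service -Name wuauserv).Status
        WsusReachable  = $null
        Finding        = $null
    }

    if (-not $policy.WUServer) {
        $state.Finding = 'No WSUS server set by policy; nothing for disableWSUS to remove.'
        return [pscustomobject]$state
    }

    # WUServer holds a URL; take host and port from it (port defaults to 80 or 443)
    $uri   = [uri]$policy.WUServer
    $probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    $state.WsusReachable = $probe.TcpTestSucceeded

    $state.Finding = if (-not $probe.TcpTestSucceeded) {
        'WSUS is configured but not reachable: connection problem, the local database may be fine.'
    } else {
        'WSUS is reachable: if scans still fail, suspect the local Windows Update database.'
    }
    [pscustomobject]$state
}

Get-WsusClientState | Format-List
```

Reading the policy key and probing the port changes nothing on the machine, so the function can be run before either of the two scripts above.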
Below is my completed answer for this question.
The script does this in order: