Windows Updates Failing to Apply to Server – Updates Wont Download -CBS log errors

Sure I get it. Your Mad. You have re- installed windows because you couldn’t fix broken windows updates and now they are broken again. I can assure you, no matter how mad you are, you will not fix windows unless you go back and run these commands. Its very straight forward. Windows updates can break. You have to use commands from this article and its links to fix windows. There is just no way around it- You might look into issues like your Anti virus or other applications, which may not allow windows to do its work. Try removing the anti-virus.

I have had a rash of issues and problems with Windows Updates failing in Server 2016. Issues range from the Language pack missing from the install, to the Specter Patch resulting in failure of subsequent updates.

Just General Steps

Before I start let me post some of the familiar syntax for several commands to repair the component store. There are specific cases in the paragraphs below. These first two lists are general steps only. Read on for specific cases. The idea is pick one from the first list. Then run the entire second list. IF this does not work, then select another one from the first list, and follow the entire second list:

Before you begin- you may need to find the value of install.wim:x where x is called the index value- I am referencing the value you may use in list 1. Run this first, and correct for your version of windows. Run this on the DVD for the OS you have installed:

Dism /Get-ImageInfo /imagefile:C:\sources\install.wim

List 1

  • Dism /online /cleanup-image /restorehealth
  • Dism /online /cleanup-image /restorehealth /source:D:\Sources\Install.wim
  • DISM /Online /Cleanup-Image /RestoreHealth /source:WIM:X:\Sources\Install.wim:1
  • dism.exe /Online /Cleanup-image /Restorehealth /source:WIM:D:\Sources\Install.wim:1 /LimitAccess

To read a little more about the ways to fix windows with Dism or SFC, check out this KB947821


After running any of the commands in this article, you should go back and run this process if the CBSA log is not cleaned up-

List 2

  • Stop Windows Update Service
  • Rename Cbs.log to Cbs.old
  • Start Windows update service
  • DISM /Online /Cleanup-Image /StartComponentCleanup
  • When that finishes run DISM /Online /Cleanup-Image /RestoreHealth
  • Restart the machine after and run SFC /Scannow


If you prefer, you can create a batch file and place this in the contents:

fsutil resource setautoreset true c:\&fsutil usn deletejournal /d /n c:&Dism.exe /online /Cleanup-Image /StartComponentCleanup&sfc /scannow&Dism.exe /Online /Cleanup-Image /RestoreHealth&sfc /scannow&pause

This will run the steps in sequence. Dont forget to open the CMD shell as admin.

The Updates should be fixed at this point.


There are several other forms of failure. I ran this as early as 2008R2. Dism was not as functional at that time. There are several switches you may want to research. For our purposes, the switches will help us repair the OS for Windows Updates. The command can do quite a few things with updates and packages.

Beside Dism, There are a few other fixes to keep hold of. Use these as the situation dictates.

1. Script to reset the Update agent

2. Reset-WindowsUpdates.Ps1 (resetagent2018)

3. Script to Direct download and apply updates

4. Use power shell to Download and apply Updates


Beyond this, There are some special cases. I tried to document a few I have seen below:


Updates Fail

I wanted to start cataloging some of these failures. Today’s first example is the case where the CBS log (c:\windows\logs\CBS\cbs.log) shows similar lines repeatedly:

“Read out cached applicability from TiLight for package: KB3159706-MappingPackage~31bf3856ad364e35~amd64~~, ApplicableState: 0, CurrentState:0”

The other error I see is “Failed to internally open package”. If you run dism /online /cleanup-image /restorehealth and it does not clean up the updates and no updates are missing,

then the issue has to be some sort of corruption or something wrong with with the windows components.


Well from trial and error we found this issue looks to be an issue with Windows Components. Follow the Windows Update Components Reset Below and it should resolve your issue.


#1. CBS log shows Failed to internally open package. if you search for How do I reset Windows Update components, you find a useful article to clean up your Windows updates:


#2 Windows Update Fails to get the updates downloaded.

If you scan for updates and you get messages like:

“There are no updates available at this time”
“There are no updates available for your computer. Please check back later.

This is an example when the link above may be helpful. Resetting the browser settings and disabling background applications may be all that is causing the problem.

you may think of disabling the firewall, but you may not think of some of the smaller items. Help article 326253 may help you resolve.


#3 Error 0x80073701 installing updates and roles or features

This one can be misleading there are a host of issues that all give the same error code. KBs from MS may not be much help. See here. If you see this, it basically means there is a file that is missing. This file is normally something inside a language pack, Windows Update, or package that is a component of the update.

So the key here is to look in the C:\Windows\Logs\CBS\CBS.Log. Use Notepad++ and search for terms like

  • Failed to pin deployment while resolving update
  • Errors in this link

To resolve this kind of issue, you will need to correct the missing or corrupt data. This means you will need to:

  • Install the missing Language or service pack
  • Install the missing or corrupt Package from the update
  • Remove the missing Service pack
  • Remove the references to the Language pack.

#3 Broken down into specific case 

there are several things you may come across. For example, there is one out there where the error says the file cannot be unzipped, but the file is actually unzipped allready. You have to manually go into the registry and set the zip flag to yes. It was a bug. Find registry locations here.

I will cover a FEW possible scenarios here- I hope this is some help.

To Install a missing package from an update-

  • Find the missing package in the CBS log. Try to get the KB that the package belongs to- you may have to expand a few to find where the package came from
  • Go to the Microsoft update catalog and download the update
  • Expand the Update-Expand -F:* windows2012.0-kbxxxxxx-x64_guidlongID.msu c:\users\admin\temp\
  • Install the package from update- Dism /online /add-package /packagepath:c:\users\admin\name\temp\

  • You may need to remove packageRemove-WindowsPackage -Online -PackageName “Microsoft-Windows-Backup-Package~31bf3856ad364e35~x86~~6.1.7601.16525”

To install or remove Language Pack from Windows.

Method 1 (around the language pack itself)

  • Obtain and install the Language Pack from one of the Dism Commands
  • Identify the language pack in the CBS log- here is a chart of codes for language packs
  • Install (i)or uninstall (u) the pack with  lpksetup.exe /u fr-Fr or lpksetup.exe /I fr-Fr where fr-Fr would be replaced with your language pack in the cbs log.

Method 2 (around the language pack itself)

  • Use command to install language pack – DISM /online /add-package /packagepath:D:\langpacks\fr-Fr\

Method 3 (Remove the reference to the language pack) Common for OEM Media

  • Take ownership or use psExec to be able to make changes to
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect
  • Recently I had to run the command below by running CMD as admin user then Run Powershell and verify the shell is running as system account- use whoami to verify this.
  • Use the script located – to remove the language pack from the registry. you need to replace the text for the language pack you want to remove.


#4 Updates caused the server to go slow or Hyper-V virtual machines wont start.

This is a good article just because it allows you to enable or disable the specter/Meltdown patch. This may not have been an issue immediately but became an issue when someone noticed performance.


#5 Below is just the basic steps to resolve windows updates will not apply; a reprint of How do I reset Windows Updates:

  • Back up your registry – Export to a safe file.
  • Open CMD windows as Administrator
  • net stop bits
  • net stop wuauserv
  • net stop appidsvc
  • net stop cryptsvc
  • Del “%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat”
  • Ren %systemroot%\SoftwareDistribution SoftwareDistribution.bak
  • Ren %systemroot%\system32\catroot2 catroot2.bak
  • cd /d %windir%\system32
  • The items below (regsvr) may be best in a batch file
    • regsvr32.exe atl.dll
    • regsvr32.exe urlmon.dll
    • regsvr32.exe mshtml.dll
    • regsvr32.exe shdocvw.dll
    • regsvr32.exe browseui.dll
    • regsvr32.exe jscript.dll
    • regsvr32.exe vbscript.dll
    • regsvr32.exe scrrun.dll
    • regsvr32.exe msxml.dll
    • regsvr32.exe msxml3.dll
    • regsvr32.exe msxml6.dll
    • regsvr32.exe actxprxy.dll
    • regsvr32.exe softpub.dll
    • regsvr32.exe wintrust.dll
    • regsvr32.exe dssenh.dll
    • regsvr32.exe rsaenh.dll
    • regsvr32.exe gpkcsp.dll
    • regsvr32.exe sccbase.dll
    • regsvr32.exe slbcsp.dll
    • regsvr32.exe cryptdlg.dll
    • regsvr32.exe oleaut32.dll
    • regsvr32.exe ole32.dll
    • regsvr32.exe shell32.dll
    • regsvr32.exe initpki.dll
    • regsvr32.exe wuapi.dll
    • regsvr32.exe wuaueng.dll
    • regsvr32.exe wuaueng1.dll
    • regsvr32.exe wucltui.dll
    • regsvr32.exe wups.dll
    • regsvr32.exe wups2.dll
    • regsvr32.exe wuweb.dll
    • regsvr32.exe qmgr.dll
    • regsvr32.exe qmgrprxy.dll
    • regsvr32.exe wucltux.dll
    • regsvr32.exe muweb.dll
    • regsvr32.exe wuwebv.dll
  • netsh winsock reset (will need a restart and may leave you with no ip address. must replace ip subnet and gateway) maybe restart at the end.
  • netsh winhttp reset proxy
  • net start bits
  • net start wuauserv
  • net start appidsvc
  • net start cryptsvc
  • bitsadmin.exe /reset /allusers
  • Install the latest Windows Update Agent.
  • Restart the computer.
  • Enter the Static IP Address on the primary network adapter, if it has been removed.


I hope you have good success with these processes.

This is a document I plan to update if I begin to see additional themes to this issue. I hope this is helpful.

Thank you,


MS Solutions



This is placed at the bottom so as not to lose the script from graveyard tools – this is a good piece of work by my colleague Kristian. Its worth a look just how it works-


$rootkey = “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\”
$subkeys = (Get-ChildItem -path $rootkey).Name
[System.Collections.ArrayList]$fsubkeys = @()

foreach ($key in $subkeys) {
$fsubkeys.Add([regex]::Replace($key, “HKEY_LOCAL_MACHINE”, “HKLM:”)) | out-null

foreach ($key in $fsubkeys) {

Write-Progress -Activity “Processing Subkeys” -Status “Percent Complete” -PercentComplete (($i / ($fsubkeys.count) * 100))

$knode = Get-Item -path $key
if ([regex]::IsMatch($knode.Property, “en-US”) -eq $True) { # edit en-US
foreach ($Property in $knode.Property) {
$badprop = [regex]::Match($Property, “.+?en-US.+”) # edit en-US
if ($badprop.value) {
$frootkey = [regex]::Replace($, “HKEY_LOCAL_MACHINE”, “HKLM:”)
Remove-ItemProperty -path $frootkey -name $badprop.value






Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s