Update Management Failures — WSUS Sync Stalls, Intune Update Ring Failures, and Enablement Package Non-Application
Enterprise update pipelines via WSUS and Microsoft Intune can stall due to SUSDB bloat, corrupted SoftwareDistribution caches, IIS WsusPool recycling, or misconfigured Intune update ring assignments, leaving Windows 10/11 and Server endpoints unpatched. Enablement packages — which unlock feature updates without a full OS reinstall — fail silently when the target device is not on the exact required baseline build or when component store corruption is present. Resolution involves resetting Windows Update service components, running WSUS database reindexing and cleanup, correcting Intune assignment scopes, and validating or redeploying enablement packages. Aggressive component resets (renaming SoftwareDistribution) should be performed cautiously in production as they temporarily disrupt update reporting.
Indicators
- WSUS console shows updates stuck in 'Downloading' or 'Pending' state for extended periods
- Intune device compliance blade reports update assignment failures or 'Not applicable' for targeted devices
- Windows Update client does not progress past a specific percentage and surfaces an error code
- Enablement package appears installed in Programs and Features but the Windows feature version has not incremented
- Devices remain on previous Windows feature version after enablement package deployment via WSUS or Intune
- WSUS synchronisation fails or reports downstream server sync errors
- Event log entries indicating Windows Update service failures or component store corruption (wuauserv, BITS)
Likely causes
- WSUS database (SUSDB) corruption or excessive bloat requiring reindexing via WsusDBMaintenance.sql — causes sync and download stalls
- Stale or corrupted Windows Update cache in C:\Windows\SoftwareDistribution preventing new downloads from completing
- Enablement package prerequisites not met — the target device must be on a specific baseline build before the enablement package can apply
- Intune update ring policy conflict or incorrect assignment scope that excludes target devices or applies conflicting rings simultaneously
- Windows Update components (BITS, wuauserv, cryptsvc, msiserver) in a hung or failed state on the client
- IIS WsusPool application pool on the WSUS server recycling or crashing under load, dropping client connections mid-sync
- Insufficient disk space on the WSUS content directory preventing download completion
- Group Policy overrides blocking Windows Update service or redirecting clients to an incorrect WSUS URL
- SSL/TLS certificate mismatch between WSUS server and clients causing silent connection failures
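The Group Policy redirection and certificate mismatch causes above can be checked from the affected client in one pass. This is an added example, not part of the original article; it assumes the standard Windows Update policy registry location and that the client can reach the configured host.

```powershell
# Added example (not from the original page): report the WSUS endpoint that policy
# assigns to this client and, for HTTPS, how its certificate validates.
function Test-WsusClientEndpoint {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $report = [ordered]@{
        WUServer        = $wu.WUServer        # URL the client scans against
        WUStatusServer  = $wu.WUStatusServer  # URL the client reports to
        UseWUServer     = $au.UseWUServer     # 1 = the WSUS URL is in effect
        Scheme          = $null
        CertSubject     = $null
        CertNotAfter    = $null
        TlsPolicyErrors = $null               # 'None' when name and chain validate
    }
    if ($wu.WUServer) {
        $uri = [uri]$wu.WUServer
        $report.Scheme = $uri.Scheme
        if ($uri.Scheme -eq 'https') {
            # Accept any certificate so the handshake completes, but record
            # what the platform's own validation concluded about it.
            $seen = @{ Errors = $null }
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
                param($source, $certificate, $chain, $errors)
                $seen.Errors = $errors
                $true
            }.GetNewClosure())
            $tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
            try {
                $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
                $ssl.AuthenticateAsClient($uri.Host)
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
                $report.CertSubject     = $cert.Subject
                $report.CertNotAfter    = $cert.NotAfter
                $report.TlsPolicyErrors = "$($seen.Errors)"
            } finally {
                $tcp.Dispose()
            }
        }
    }
    [pscustomobject]$report
}

Test-WsusClientEndpoint | Format-List
```

A `TlsPolicyErrors` value of `RemoteCertificateNameMismatch` or `RemoteCertificateChainErrors` means the client does not trust the certificate for the host name in `WUServer`; a `Scheme` of `http` means no certificate is involved at all.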
Diagnostic steps
- Check Windows Update service status and recent errors on the affected client: `Get-Service -Name wuauserv, bits, cryptsvc, msiserver | Select-Object Name, Status, StartType`. Determines whether core update services are running and reveals any stopped or disabled services that explain download or scan failures.
- Decode the Windows Update ETL log into readable text: `Get-WindowsUpdateLog -LogPath C:\Temp\WindowsUpdate.log`. Surfaces specific failure codes and the exact point in the update pipeline where the client is failing — required before applying any remediation.
- Query the current OS build and display version to validate enablement package prerequisites: `Get-ComputerInfo -Property WindowsVersion, OsBuildNumber, OsDisplayVersion | Format-List`. Confirms whether the device is on the exact baseline build required for the targeted enablement package; a mismatch here is the most common cause of silent enablement failures.
- On the WSUS server, check IIS WsusPool application pool state: `Get-WebConfiguration system.applicationHost/applicationPools/add | Where-Object {$_.name -like '*WSUS*'} | Select name, state`. Identifies whether the WSUS application pool has stopped or is being recycled, which causes client sync timeouts and appears as 'Pending' update states in the WSUS console.
- On the WSUS server, run the Server Cleanup Wizard cmdlet to check for database bloat and obsolete content: `Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates`. Identifies and removes orphaned update files and superseded update entries that bloat SUSDB and stall synchronisation and client downloads.
- Force an immediate Windows Update detection cycle on the affected client: `wuauclt.exe /detectnow; Start-Sleep -Seconds 30; usoclient.exe StartScan`. Triggers an immediate scan against WSUS or Windows Update and surfaces resulting errors in the decoded Windows Update log, confirming whether component reset has resolved the stall.
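The build query above shows where a device is; the following added example (not from the original article) turns that into a reason why an enablement package has or has not taken effect. The build numbers, the KB id and the optional minimum revision are placeholders and assumptions to be replaced with the values from the package's own KB article.

```powershell
# Added example (not from the original page): classify the enablement package
# state on this device. Every argument is a placeholder for a value taken from
# the enablement package's KB article.
function Get-EnablementState {
    param(
        [Parameter(Mandatory)][int]$BaselineBuild,    # build the package applies on top of
        [Parameter(Mandatory)][int]$TargetBuild,      # build reported once the package is active
        [Parameter(Mandatory)][string]$EnablementKb,  # e.g. 'KB0000000' (placeholder)
        [int]$MinimumRevision = 0                     # assumption: optional minimum update revision
    )
    $cv       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [int]$cv.CurrentBuild
    $revision = [int]$cv.UBR

    # Assumes the enablement package is listed by Get-HotFix once installed.
    $kbInstalled = [bool](Get-HotFix -Id $EnablementKb -ErrorAction SilentlyContinue)
    # Servicing marks a required restart with this key.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    if ($build -eq $TargetBuild) {
        $state = 'Applied'
    } elseif ($kbInstalled -and $rebootPending) {
        $state = 'InstalledAwaitingRestart'
    } elseif ($kbInstalled) {
        $state = 'InstalledButVersionUnchanged'   # matches the "installed but not incremented" indicator
    } elseif ($build -ne $BaselineBuild) {
        $state = 'BaselineBuildMismatch'          # prerequisite not met; package will not apply
    } elseif ($revision -lt $MinimumRevision) {
        $state = 'BaselineRevisionTooLow'
    } else {
        $state = 'EligibleNotInstalled'           # device qualifies; check targeting or assignment
    }

    [pscustomobject]@{
        DisplayVersion = $cv.DisplayVersion
        Build          = "$build.$revision"
        KbInstalled    = $kbInstalled
        RebootPending  = $rebootPending
        State          = $state
    }
}

# Constructed placeholder values, not real build numbers or a real KB id.
Get-EnablementState -BaselineBuild 10000 -TargetBuild 10001 -EnablementKb 'KB0000000'
```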
Resolution path
- Step 1 — Reset Windows Update components on the affected client. The commands below use cmd.exe syntax (`&&` is not valid in Windows PowerShell 5.1), so run them from an elevated Command Prompt. Stop services: `net stop wuauserv && net stop bits && net stop cryptsvc && net stop msiserver`. Rename caches: `ren C:\Windows\SoftwareDistribution SoftwareDistribution.old && ren C:\Windows\System32\catroot2 catroot2.old`. Restart services: `net start wuauserv && net start bits && net start cryptsvc && net start msiserver`.
- Step 2 — Repair the component store to resolve corruption blocking update application: `sfc /scannow` followed by `DISM /Online /Cleanup-Image /RestoreHealth`. Allow both to complete fully before retrying updates.
- Step 3 — For WSUS database stalls, reindex SUSDB using the Microsoft-provided WsusDBMaintenance.sql script. When SUSDB is hosted in the Windows Internal Database, run the script locally on the WSUS server, because WID only accepts local named-pipe connections: `sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i WsusDBMaintenance.sql`. Then run `Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates`.
- Step 4 — For Intune assignment stalls, navigate to Intune > Devices > Update rings, verify the assignment group includes target devices, check for conflicting rings targeting the same devices, and use the 'Retry' option on failed assignments in the device update status blade.
- Step 5 — For failed enablement packages, confirm via Get-ComputerInfo that the device is on the exact required baseline build. Re-push the enablement package from Intune or WSUS. If still failing, deploy the full cumulative update for the target version instead of the enablement package.
- Step 6 — Recycle the WSUS IIS application pool if client sync is timing out: `Restart-WebAppPool -Name 'WsusPool'`. In IIS Manager, under WsusPool > Advanced Settings, set privateMemory to 0 (unlimited) and increase the queue length to 25 for environments with more than 500 clients.
Prevention
- Schedule monthly WSUS database maintenance — run WsusDBMaintenance.sql reindex and Invoke-WsusServerCleanup — to prevent SUSDB bloat from causing sync and download stalls.
- Set the WSUS IIS WsusPool private memory limit to 0 (unlimited) and queue length to 25 for environments with more than 500 clients to prevent pool recycling under load.
- Monitor WSUS content directory disk space with automated alerting; configure threshold alerts at 80% capacity to prevent download failures from disk exhaustion.
- Use Intune Update Ring staged rollouts with a pilot group before broad deployment to catch enablement package failures before fleet-wide impact.
- Enforce a baseline Windows build compliance policy in Intune to ensure devices are on the required build before enablement packages are targeted at them.
Tools
- Invoke-WsusServerCleanup (PowerShell cmdlet — remove obsolete updates, reclaim disk, compress and decline superseded updates)
- WsusDBMaintenance.sql (Microsoft-provided SQL reindex script for SUSDB performance — run via sqlcmd or SSMS)
- DISM.exe (component store repair — /RestoreHealth)
- sfc.exe (System File Checker — OS file integrity verification)
- wuauclt.exe / usoclient.exe (force Windows Update detection and reporting on the client)
- Get-WindowsUpdateLog (decode Windows Update ETL logs to plain text for analysis)
- Intune Admin Portal — intune.microsoft.com (update ring management, assignment correction, retry failed deployments)
- IIS Manager / Restart-WebAppPool (WSUS IIS application pool management)
- sqlcmd / SQL Server Management Studio (WSUS SUSDB database maintenance and backup)