WSUS / Intune Update Pipeline Stall — Failed Enablement Packages, IIS Pool Exhaustion, Component Store Corruption

Indicators

• Windows Update client stuck in 'Downloading' or 'Pending Install' state for an extended period with no progress
• WSUS console shows affected clients in 'Failed' or 'Unknown' status with no recent check-in timestamp
• Intune Devices > Monitor > Feature Update Failures shows update policy as 'Not applicable' or 'Error' for affected devices
• Enablement package installation fails silently or rolls back without surfacing a clear error to the end user
• C:\Windows\Logs\WindowsUpdate\WindowsUpdate.etl contains repeated failure entries (converted via Get-WindowsUpdateLog)
• Event Viewer — Microsoft-Windows-WindowsUpdateClient/Operational log shows errors including update GUIDs and failure phases
• SoftwareDistribution folder (C:\Windows\SoftwareDistribution) grows abnormally large, indicating failed or partial downloads
• WSUS server IIS WsusPool application pool repeatedly crashes or returns HTTP 503 to clients during sync

Likely causes

• WSUS IIS application pool (WsusPool) exceeds default 1.8 GB (1,843,200 KB) private memory limit during large catalogue sync operations, causing pool crash and HTTP 503 responses to clients
• Corrupted Windows Update Agent component store (CBS/WinSxS) preventing package staging — manifests as DISM or CBS errors during update installation
• Stale or misconfigured Group Policy Update settings pointing clients to an incorrect or unreachable WSUS server URL
• Expired or mismatched SSL certificates on the WSUS server causing client authentication failures during sync
• Intune update ring policy conflict — multiple rings target the same device with contradictory deferral settings
• Enablement package prerequisite cumulative update not yet installed on the endpoint — dependency not satisfied
• BITS (Background Intelligent Transfer Service) service in a hung or disabled state blocking update download
• Insufficient free disk space on the system drive to stage update packages (minimum 10 GB recommended)
• WSUS database (SUSDB) fragmentation or synchronisation failure causing catalogue inconsistencies and failed approvals
• Windows Update Medic Service (WaaSMedicSvc) blocking repair of Windows Update agent components

Diagnostic steps

1. Convert and review the Windows Update ETL log on the affected endpoint: `Get-WindowsUpdateLog -LogPath C:\Temp\WindowsUpdate.log` — then open C:\Temp\WindowsUpdate.log in a text editor or search for 'FAIL' or 'error'.
   Identifies the specific error code and exact failure point (download, staging, installation) in the Windows Update pipeline without guessing.
2. Open Event Viewer on the affected client and navigate to Applications and Services Logs > Microsoft > Windows > WindowsUpdateClient > Operational. Filter for error-level events in the last 24–48 hours.
   Surfaces event-level detail including error codes, update KB numbers/GUIDs, and failure phases without requiring ETL conversion — faster for initial triage.
3. On the WSUS server, open IIS Manager > Application Pools > WsusPool > Advanced Settings. Check 'Private Memory Limit (KB)' — if set to 1,843,200 (default ~1.8 GB) and the server manages a large catalogue, this is the crash trigger. Also verify WsusPool State is 'Started'.
   Determines whether IIS application pool memory exhaustion is causing HTTP 503 errors and client sync failures — the most common WSUS failure mode in large environments.
4. On the affected client, verify Windows Update agent services are running: `Get-Service wuauserv, BITS, CryptSvc, msiserver | Select-Object Name, Status, StartType`. Confirm all are Running and set to Automatic.
   Rules out stopped or disabled update agent services (wuauserv, BITS, CryptSvc, msiserver) as the immediate cause before attempting component repair.
5. In the Intune admin portal, navigate to Devices > Monitor > Feature Update Failures and review the per-device error report for affected endpoints. Note whether failure phase is 'OfferReady', 'Download', 'Install', or 'Commit'.
   Pinpoints whether the Intune failure is at policy delivery, update offer, download, or installation phase — determines whether the issue is server-side (ring policy) or client-side (component/disk).
6. Verify the WSUS server URL configured via Group Policy: `gpresult /r` or check HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer and WUStatusServer registry values. Confirm the URL is reachable from the client: `Test-NetConnection -ComputerName <wsus-hostname> -Port 8530` (or 443 for SSL).
   Rules out stale or misconfigured GPO directing clients to an incorrect or unreachable WSUS endpoint — a common cause of 'Unknown' WSUS client status.
7. Check available disk space on the system drive: `Get-PSDrive C | Select-Object Used, Free`. Confirm at least 10 GB free. If low, identify large consumers: `Get-ChildItem C:\Windows\SoftwareDistribution -Recurse | Measure-Object -Property Length -Sum`.
   Insufficient disk space silently fails update staging — must be ruled out before component repair steps that require temporary additional space.

Resolution path

• 1. WSUS IIS memory fix — Open IIS Manager > Application Pools > WsusPool > Advanced Settings > Private Memory Limit (KB). Set to 0 (unlimited) for large environments or minimum 4,000,000 KB (4 GB) as a safe floor. Click OK, then right-click WsusPool > Recycle. Verify pool remains in 'Started' state after 5 minutes.
• 2. Reset Windows Update components on the client — Run the following as administrator in a single elevated CMD session: `net stop wuauserv && net stop bits && net stop cryptsvc && net stop msiserver && ren C:\Windows\SoftwareDistribution SoftwareDistribution.old && ren C:\Windows\System32\catroot2 catroot2.old && net start wuauserv && net start bits && net start cryptsvc && net start msiserver`
• 3. Repair the component store if update staging fails due to CBS corruption — Run in sequence: `DISM /Online /Cleanup-Image /RestoreHealth` (allow 15–30 minutes), then `sfc /scannow`. Reboot after both complete.
• 4. Resolve Intune update ring conflicts — In the Intune admin portal navigate to Devices > Windows > Update rings. Identify any device targeted by multiple active rings with contradictory deferral periods. Consolidate so each device is targeted by exactly one ring per update type. Force policy sync via Company Portal app or: `Start-Process ms-settings:windowsupdate`
• 5. Resolve failed enablement packages — Verify prerequisite CU is installed: `Get-HotFix -Id KB<prerequisite-number>`. If absent, approve and install the prerequisite CU first via WSUS or Intune, wait for installation to complete, then re-offer the enablement package.
• 6. Force Windows Update detection cycle after component reset: `UsoClient StartScan` (Windows 10 1903+) or `wuauclt /detectnow` (legacy). Monitor C:\Temp\WindowsUpdate.log for a successful scan and update offer within 10–15 minutes.
• 7. WSUS database maintenance — On the WSUS server, run the WSUS Server Cleanup Wizard (WSUS console > Options > Server Cleanup Wizard) — select all options including 'Decline expired updates' and 'Compress update files'. For fragmentation, run a SQL re-index against SUSDB using Microsoft's CleanupWsus.ps1 script or via SQL Server Management Studio.

Prevention

• Set WsusPool IIS application pool private memory limit to 0 (unlimited) or ≥ 4,000,000 KB (4 GB) proactively on all WSUS servers during initial configuration — prevents memory-exhaustion crashes during large catalogue syncs.
• Schedule monthly WSUS cleanup wizard runs and SUSDB re-index tasks (via SQL Agent or task scheduler) to prevent catalogue bloat and database fragmentation that accumulate and cause sync failures over time.
• Implement Intune update ring staging with at least three rings (pilot, broad, critical) with a minimum 7-day deferral on non-pilot rings — allows detection of failed enablement packages or regressions before broad rollout.
• Monitor BITS service health via scheduled task or monitoring platform alert — ensure BITS is configured for Automatic start and alert if it enters a stopped or hung state on managed endpoints.
• Enforce enablement package prerequisite sequencing: in WSUS approval rules or Intune update policies, ensure the required baseline cumulative update reaches 95%+ deployment compliance before approving the dependent enablement package.

Tools

• Get-WindowsUpdateLog (PowerShell — converts binary ETL log to readable text at specified path)
• Event Viewer — Microsoft-Windows-WindowsUpdateClient/Operational (client-side update event detail with error codes and GUIDs)
• IIS Manager (inspect and modify WSUS WsusPool application pool memory limit and state)
• DISM /Online /Cleanup-Image /RestoreHealth (component store repair for CBS/WinSxS corruption)
• sfc /scannow (system file integrity check — run after DISM RestoreHealth)
• wuauclt /detectnow or UsoClient StartScan (force Windows Update detection cycle on client)
• Intune admin portal — Devices > Monitor > Feature Update Failures (Intune update status and phase reporting)
• WSUS Server Cleanup Wizard (decline superseded updates and reduce catalogue size)
• Get-HotFix (PowerShell — verify installed KBs and enablement package prerequisites)

References

• Microsoft Docs — Configure WSUS IIS application pool settings
• Microsoft Docs — Get-WindowsUpdateLog (PowerShell)
• Microsoft Docs — DISM Image Management Command-Line Options
• Microsoft Docs — Intune Feature Update Deployments and Monitoring
• Microsoft Support — How to reset Windows Update components