Over 600 Domain computers won't get windows updates


certutil also has a -syncWithWU switch that, well, syncs with WU. :)
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Core i7-1260P
    Motherboard
    NUC12WSBi7
    Memory
    64 GB Micron PC4-25600
    Graphics Card(s)
    Intel Iris Xe Graphics
    Sound Card
    on-board Realtek HD Audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840 x 2160
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Crucial MX500 2 TB
    Antivirus
    Microsoft Defender
pjudkins said:
That key doesn't exist on this machine
Click to expand...
That's very strange. A clean install (just did one) creates an empty sub-tree hierarchy for AuthRoot.

Wonder if a domain-wide "extinction event" clobbered this key (or another setting) at the same time. And it doesn't show up for machines created since then.
 

Attachments

  • Windows 11 x64-2025-07-08-21-22-30.webp
    Windows 11 x64-2025-07-08-21-22-30.webp
    43.7 KB · Views: 5

My Computer

System One

  • OS
    Windows 7
pjudkins said:
The only common denominator I can find is it looks like all of these were upgraded from windows 10 to windows 11.
Click to expand...
Windows does not handle upgrades well, usually a second upgrade or a repair upgrade fixes that.
I would reset Catroot2 to see, what happens, eventually SoftwareDistribution's Download folder.
 

My Computer

System One

  • OS
    Home26H2Can
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 8600G (07/24)
    Motherboard
    ASROCK B650M-HDV/M.2 (07/24) BIOS 4.21 AGESA ComboAM5 1.3.0.1 (04/26)
    Memory
    2x32GB Kingston FURY DDR5 5600 MHz CL36 @5200 CL36 (07/24)
    Graphics Card(s)
    ASROCK Radeon RX 6600 Challenger D 8G @48FPS (08/24)
    Sound Card
    Creative Sound BlasterX AE-5 Plus (05/24)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    Kingston KC3000 NVMe 2TB (05/24)
    ADATA XPG GAMMIX S11 Pro 512GB (07/19)
    PSU
    Seasonic Core GM 550 Gold (04/24)
    Case
    Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
    Cooling
    Noctua NH-U12S with Noctua NF-P12 (04/24)
    Keyboard
    HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (01/26)
    Internet Speed
    500/100 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge, Brave for YouTube, LibreWolf for FB
    Antivirus
    NextDNS blocking 1/3 Traffic
    Other Info
    Phone: Motorola Moto G86 (02/26)
    Backup: Hasleo Backup Suite (PreOS)
    Headphones: Sennheiser RS170 (09/10)
    Chair: Huzaro Force 4.4 Grey Mesh (05/24)
    Notifier: Xiaomi Mi Band 9 Milanese (10/24)
    FlexCore USB-C 3.2 Gen 1 (M) to LAN (F) (08/25)
No need to reset any folders. OP has already found that it’s a certificate issue. The only remaining item is figuring out what caused the cert issue.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Core i7-1260P
    Motherboard
    NUC12WSBi7
    Memory
    64 GB Micron PC4-25600
    Graphics Card(s)
    Intel Iris Xe Graphics
    Sound Card
    on-board Realtek HD Audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840 x 2160
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Crucial MX500 2 TB
    Antivirus
    Microsoft Defender
Tester said:
Can you try to manual trigger the cert update to see if that works?
terminal with adminrights.
certutil -pulse

afterwards check with (can take a few seconds after pulse before output shows:
certutil -verifyctl AuthRoot | findstr /i "lastsynctime"
Click to expand...
The pulse completed successfully, The last sync time still shows a date of 3/21/2024, I waited about 10 minutes to give it a chance to and did the sync time again and it still didn't change.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
pseymour said:
certutil also has a -syncWithWU switch that, well, syncs with WU. :)
Click to expand...
I still haven't found the cause, but the fix appears to be working, I'm going to have cybersecurity push a GPO to all 652 remaining computers with the issue, then I will spot check 50 or so to make sure they are doing updates.

Can you tell me the full syncwithWU command?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
garlin said:
That's very strange. A clean install (just did one) creates an empty sub-tree hierarchy for AuthRoot.

Wonder if a domain-wide "extinction event" clobbered this key (or another setting) at the same time. And it doesn't show up for machines created since then.
Click to expand...
we use lansweeper to monitor all of our network devices, I cant find a single computer on our domain with that key
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
pseymour said:
No need to reset any folders. OP has already found that it’s a certificate issue. The only remaining item is figuring out what caused the cert issue.
Click to expand...
Question, we applied a new Authroot cert to most of the affected machines, now it looks like it only does updates for a few days on that certificate then it's back to not doing updates again. Any ideas?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
Head back to the logs (post 4). They really are your friend here.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Core i7-1260P
    Motherboard
    NUC12WSBi7
    Memory
    64 GB Micron PC4-25600
    Graphics Card(s)
    Intel Iris Xe Graphics
    Sound Card
    on-board Realtek HD Audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840 x 2160
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Crucial MX500 2 TB
    Antivirus
    Microsoft Defender
pseymour said:
Head back to the logs (post 4). They really are your friend here.
Click to expand...
Unfortunately, those logs are foreign language to me, I'm no expert in reading logs and figuring out what the issue is.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
Attach them here if they're small enough, or put them in some cloudy storage, and folks will take a look.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Core i7-1260P
    Motherboard
    NUC12WSBi7
    Memory
    64 GB Micron PC4-25600
    Graphics Card(s)
    Intel Iris Xe Graphics
    Sound Card
    on-board Realtek HD Audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840 x 2160
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Crucial MX500 2 TB
    Antivirus
    Microsoft Defender
In all honesty, this site is more geared to consumer versions of Windows rather than domain based corporate versions.

You should contact MS Support for advice.

This link might help?

Volume License Key Phone Numbers | Microsoft Volume Licensing

Access Microsoft Activation Centers for support with product activation and licensing. Find contact details and resources to ensure your software is properly licensed.
www.microsoft.com
 

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
Below is the log on the one I'm working on. It is doing updates currently, but the last sync date on the authroot cert is 9/17/2025

Dropbox

www.dropbox.com www.dropbox.com
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
pjudkins said:
I desperately need help! We have 3200+/- total domain computers all on windows 11, mostly Enterprise and some on Pro, 600+ of them haven't done updates since either November of 2024 or August of 2023. They get an error when trying to do updates that says, "We couldn't connect to the update service". I have tried many things, verified all the Registry setting were correct, update troubleshooter fails, I can ping the update serves successfully from a CMD prompt, restarted services, deleted software distribution and other folders, I can manually push updates, but it won't auto pull them. Any help would be greatly appreciated.
Click to expand...
I too had some machines do this as well at my station, and was unsure why. I never thought to look at the certificates. Luckily it was only around 3 machines in our building that were doing that, so it was fixed with a reimage.

Still odd though. I will keep an eye on this thread should I come across any more.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    Ryzen 7 5700 X3D
    Motherboard
    MSI MPG B550 GAMING PLUS
    Memory
    64 GB DDR4 3600mhz Gskill Ripjaws V
    Graphics Card(s)
    RTX 4070 Super , 12GB VRAM Asus EVO Overclock
    Monitor(s) Displays
    Gigabyte M27Q (rev. 2.0) 2560 x 1440 @ 170hz HDR
    Hard Drives
    2TB Samsung nvme ssd
    4TB Western Digital nvme ssd
    PSU
    CORSAIR RMx SHIFT Series™ RM750x 80 PLUS Gold Fully Modular ATX Power Supply
    Case
    CORSAIR 3500X ARGB Mid-Tower ATX PC Case – Black
    Cooling
    ID-COOLING FROSTFLOW X 240 CPU Water Cooler
    Keyboard
    Logitech G213
    Mouse
    Logitech G203
    Internet Speed
    1.2gbps Fiber 😎
  • Operating System
    Chrome OS
    Computer type
    Laptop
    Manufacturer/Model
    HP Chromebook
    CPU
    Intel Pentium Quad Core
    Memory
    4GB LPDDR4
    Monitor(s) Displays
    14 Inch HD SVA anti glare micro edge display
    Hard Drives
    64 GB emmc
andrew129260 said:
I too had some machines do this as well at my station, and was unsure why. I never thought to look at the certificates. Luckily it was only around 3 machines in our org that were doing that, so it was fixed with a reimage.

Still odd though. I will keep an eye on this thread should I come across any more.
Click to expand...
yea, I have so many of them, reimaging is not an option, they are spread all over the state of Arkansas. The list I pulled this morning was 414 devices.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
When you say it's doing updates, does that mean it's working? We should probably look at one that isn't working.

Regardless, you have a lot of 0x80070032 errors (request not supported) when trying to do AppX updates. The ones that are failing seem to be
  • 756C33C9-8D18-4224-988F-911889331C84 - Microsoft.NET.Native.Runtime.1.7
  • 95BFB018-ECDB-44EC-9464-9F8C53B38172 - Microsoft.VCLibs.140.00
  • 7DAB5818-B936-45AE-BA63-7F4011707BCA - Microsoft.XboxApp
  • 75FFE6C0-5EAD-4041-B6FA-EAAE0C696169 - Microsoft.NET.Native.Framework.1.7
You can try the DISM/SFC dance, a wsreset to reset the Store, or the ol' re-register all the Store apps.

Powershell: 
Get-AppxPackage -AllUsers| Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Core i7-1260P
    Motherboard
    NUC12WSBi7
    Memory
    64 GB Micron PC4-25600
    Graphics Card(s)
    Intel Iris Xe Graphics
    Sound Card
    on-board Realtek HD Audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840 x 2160
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Crucial MX500 2 TB
    Antivirus
    Microsoft Defender
I should add that, as you mentioned, your cert sync time is a little old. Until you track down what's keeping that from working, you're going to keep having this problem.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Core i7-1260P
    Motherboard
    NUC12WSBi7
    Memory
    64 GB Micron PC4-25600
    Graphics Card(s)
    Intel Iris Xe Graphics
    Sound Card
    on-board Realtek HD Audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840 x 2160
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Crucial MX500 2 TB
    Antivirus
    Microsoft Defender
pjudkins said:
Can you tell me the full syncwithWU command?
Click to expand...

certutil -syncWithWU -f AuthRoot
certutil -syncWithWU -f Disallowed

This should be helpful:

learn.microsoft.com

Configure trusted roots and disallowed certificates in Windows

Guidance on how to configure individual software updates for automatic daily Root Certificate Updates, including certificate trust lists (CTLs)
learn.microsoft.com

You can manually update them:
certutil -f -addstore Root authrootstl.cab

You can download the latest here:

 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    Ryzen 7 5700 X3D
    Motherboard
    MSI MPG B550 GAMING PLUS
    Memory
    64 GB DDR4 3600mhz Gskill Ripjaws V
    Graphics Card(s)
    RTX 4070 Super , 12GB VRAM Asus EVO Overclock
    Monitor(s) Displays
    Gigabyte M27Q (rev. 2.0) 2560 x 1440 @ 170hz HDR
    Hard Drives
    2TB Samsung nvme ssd
    4TB Western Digital nvme ssd
    PSU
    CORSAIR RMx SHIFT Series™ RM750x 80 PLUS Gold Fully Modular ATX Power Supply
    Case
    CORSAIR 3500X ARGB Mid-Tower ATX PC Case – Black
    Cooling
    ID-COOLING FROSTFLOW X 240 CPU Water Cooler
    Keyboard
    Logitech G213
    Mouse
    Logitech G203
    Internet Speed
    1.2gbps Fiber 😎
  • Operating System
    Chrome OS
    Computer type
    Laptop
    Manufacturer/Model
    HP Chromebook
    CPU
    Intel Pentium Quad Core
    Memory
    4GB LPDDR4
    Monitor(s) Displays
    14 Inch HD SVA anti glare micro edge display
    Hard Drives
    64 GB emmc
pseymour said:
I should add that, as you mentioned, your cert sync time is a little old. Until you track down what's keeping that from working, you're going to keep having this problem.
Click to expand...
Correct, that's what I'm trying to fix. While this computer is doing updates, the Auth root cert hasn't synced since the 17th of this month. I am assuming that should be syncing every day. If I can fix this issue it will in turn resolve the update issue.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
You must log in or register to reply here.

Latest Support Threads

Latest Tutorials

Back
Top Bottom