Wednesday, May 25, 2016

Fix Windows 7 Updates stalling out or hanging on a new install

Checking for Updates in Windows 7 taking forever?


Revision History:
May 25, 2016 = Initial list posted.
June 15, 2016 = Updated with kb3161664 which supersedes kb3153199
June 22, 2016 = Microsoft has released kb3161647 as a fix for this specific problem (long waits for Checking for Updates.)  See extended NOTE1 below for comments and prerequisites for this patch, and how to obtain it.

October 19, 2016 = there is a more streamlined set of instructions that are being maintained by Dalai at Search for Windows Updates takes forever? - A possible solution that I just tested.  It's every bit as effective, covers this problem for both Windows 7 and Windows 8.1, but has fewer steps and downloads required.  He also supplies a nice script that can automate the procedure.  I still recommend on Windows 7 machines that you apply KB3020369 and KB3125574 first, as this will greatly reduce the number of updates that are needed to bring a newly installed machine completely up to date in the least amount of time. Unless he stops maintaining his list, or something dramatic comes up, I don't intend to update this post again in the future.

Original post continues below for continuities sake.

Several times in the last year when our company went to re-install Windows 7 on a workstation, we noticed that Microsoft Updates would take several hours (if ever - sometimes it would fail after a full day) to check for needed updates.  This held true for workstations that pulled updates directly from Microsoft and for domain joined workstations that used a local server running WSUS.  Each time we monitored where the process was hanging and identified an update that was failing to be compared to the workstations file versions.  This problem became a bit more public with a recent article on Paul Thurrott's blog: The Convenience Rollup Makes a Big Difference, But Windows 7 Updating is Still Broken.  I commented there with the current list of specific updates that have helped us resolve the problem.  Because the list might change over time, I decided to post that list here, with the intention of updating the list in the future if needed.

Prepare a new install of Windows 7 to quickly obtain Microsoft Updates:

Here are the current steps we use as of this month (June 2016).  You can find all the below updates in the Microsoft Update Catalog.

1) Push your machine image onto the hardware (or clean install Windows 7 from your source disk).
2) Copy ALL the below updates to the local hard drive on that machine.
3) Turn OFF Windows Update in settings.
4) Disconnect the Network on the machine (yes really, and it makes a huge difference). *
5) Reboot once after disconnecting from your network. (disable Wi-Fi or literally pull the Ethernet connection.)
6) Install from your local copies in this order and reboot between each one:

- Windows 7 Service Pack 1 (if not already on the image or install media)
- kb3020369 (Re-Requisite for the new roll up - the April 2015 servicing stack update)
- kb3125574 (the new Convenience Roll Up - installs most core updates - but not all - on a new machine up through April 2016)
- kb3138612 (March 2016 Windows Update Client)
- kb3145739 (Security update for Windows Graphics Component: April 12, 2016)
- kb3153199 (Security update for Windows Kernel-Mode Drivers: May 10, 2016)
- kb3161664 (Security update for Windows 7 MS16-073 supersedes above kb3153199: June 15, 2016)
- kb3161647 (Windows Update Client for windows 7 and Windows Server 2008 R2: June 2016 which supersedes the above kb3138612)

NOTE1:
The June 2016 Windows Update client can only be obtained via the June 2016 update rollup: kb3161608.  Including SP1 as a prerequisite, you also need the April 2015 Servicing stack update kb 3020369 before installing this new rollup. This was already on the list above as the very first update required to fix the slow check for updates.  This deprecates the above listed March 2016 Windows Update Client, so you can skip that now.  The list has been re-ordered to ensure that you install old to new for the system files being changed.




- Optional - run GRC's "Never10" to prevent the upgrade offer to Win10, or use the raw reg keys as provided by Microsoft - same difference. We push these keys out via Group Policy.

Once all the above are installed successfully:
1) reboot once again,
2) reconnect the network,
3) turn Windows Update back on,
4) change Windows Update settings to use Microsoft Update (so you can get updates for other Microsoft products like Office),
5) if you are on a domain, join the workstation to your domain now,
6) then check and install any remaining updates as you need from Microsoft.

The Checking for Updates process should now take minutes instead of hours.

After this we join the machine to our domain, linking it to WSUS - and generally there are no more problems with monthly updates. Twice now we have had the method above break, and had to research and add a very specific update to our list. This occurred with kb 3145739 and again the next month with kb 3153199 . . . no idea why lack of these specific updates would cause the check for updates process to take many hours.

We do this in-house to avoid hours if not days to update a new/reloaded workstation. But as a home or small office self serve customer it is absolutely ridiculous to expect anyone to have to find and do these steps to get a new computer running Windows 7 up to a point where it's safe to connect to the Internet.

If you are an advanced IT Administrator, you can slipstream all the listed updates into your source images and achieve the same benefit.

* Note: We found that the separate updates listed above also invoke an online check with Microsoft to see if they are the latest version or not, which hangs the machine if Windows Update is not already working.  Since this process is to fix that exact problem, the only graceful solution we have found to prevent it is to take the machine completely offline while installing the list. You can force a disconnect physically by disabling Wi-Fi with a hardware switch (if your system has such) or by pulling the network cable out of the socket, or by disabling the relevant network adapter in Network Settings. Be sure to remember which way you did this!