Windows Update Errors

0x80070422 Windows Update Service Disabled: How to Re-Enable Safely

by Jonathan Dudamel
13 min read

If you’re seeing the message “There were some problems installing updates” with error code 0x80070422, Windows is telling you that a critical service needed for updates is disabled. Although this isn’t a blue screen, it’s just as important to address: a disabled Windows Update service means you’ll miss security patches, driver updates, and reliability fixes. This guide goes well beyond generic advice, showing you how to safely re-enable Windows Update and its dependencies, repair any corruption that might be causing the error, and confirm the system is healthy afterward. It also covers enterprise scenarios where Group Policy or MDM may be enforcing the disabled state.

Note: This article focuses on error 0x80070422 “Windows Update Service Disabled: How to Re-Enable Safely,” not BSODs. Where many BSOD guides reference minidumps, the equivalent for this error is analyzing Windows Update and servicing logs, which we include below along with thorough step-by-step fixes.

Understanding the Error

What 0x80070422 means in plain language

  • 0x80070422 maps to the Windows error ERROR_SERVICE_DISABLED (Win32 code 1058). It means Windows tried to start a service (typically the Windows Update service: wuauserv) but couldn’t because the service startup type is set to Disabled, or a required dependency is disabled.
  • Practically, this prevents Windows from checking for, downloading, or installing updates.

Typical scenarios that trigger it

  • You (or a third-party “tweaker,” “debloater,” or “update blocker”) disabled Windows Update (wuauserv), BITS, Delivery Optimization (DoSvc), or Windows Defender Firewall (mpssvc).
  • Group Policy or MDM (e.g., Intune) configured the device to turn off Windows Update features or block the service.
  • Corruption in service configuration, the SoftwareDistribution or Catroot2 folders, or the servicing stack.
  • Security or privacy tools set restrictive policies in the Registry.
  • Rarely, malware or a broken hardening script altered update-related services.
  • On some systems, disabling IPv6 or setting a connection as Metered can block update checks.

Why it’s critical to fix

  • Unpatched systems are vulnerable to exploits, malware, and data loss.
  • Many drivers and Microsoft Store components rely on the update channel.
  • Over time, missing updates can lead to compatibility and performance issues.

Quick Reference Table

Cause Symptom Recommended Fix
Windows Update (wuauserv) disabled 0x80070422 when checking for updates Re-enable service via Services or command line; set to Manual (Trigger Start) or Automatic
BITS/DoSvc disabled Updates stuck at 0% or error 0x80070422 Re-enable BITS and Delivery Optimization services
Windows Defender Firewall disabled Updates and Microsoft Store downloads fail Set Windows Defender Firewall (mpssvc) to Automatic and start it
Group Policy/MDM blocks updates Update UI grayed out; gpresult shows policies applied Review and change policy; contact admin if managed
Corrupted SoftwareDistribution/Catroot2 Update scans fail or loop Reset Windows Update components (rename folders and restart services)
Servicing stack/component corruption SFC/DISM errors; updates won’t install Run SFC and DISM repair commands
Third‑party “update blocker” tool Updates disabled after tool use Re-enable services via tool or uninstall it; restore defaults
Malware or aggressive hardening Services and policies toggled or broken Scan with Defender, remove malware, then repair services

Common Causes

  • Windows Update service disabled
    • The wuauserv service Startup Type is set to Disabled.
  • Dependencies disabled
    • BITS, Delivery Optimization (DoSvc), Windows Update Orchestrator Service (UsoSvc), Windows Update Medic Service (WaaSMedicSvc), Cryptographic Services (CryptSvc), Windows Event Log (EventLog), or Windows Defender Firewall (mpssvc) are stopped or disabled.
  • Group Policy or MDM restrictions
    • Policies like “Turn off access to all Windows Update features” or “Configure Automatic Updates” set to Disabled can block the update UI and underlying services.
  • Third-party tools or registry tweaks
    • Popular “privacy,” “debloat,” or “update blocker” utilities often disable update services or set restrictive registry keys.
  • Corruption in update cache or servicing stack
    • Damaged SoftwareDistribution/Catroot2 folders or component store corruption leads to failed update checks and installs.
  • Network and configuration issues
    • Metered network connections, disabled IPv6, or misconfigured proxies can interfere with update checks.
  • Malware or tampering
    • Malicious software can disable security and update services to keep the system vulnerable.
See also  0x80072efe Connection Aborted: Network Hygiene for Updates

Preliminary Checks

H3: Booting into Safe Mode (if needed)
Most fixes below work in normal mode. If a tool or malware prevents changes, use Safe Mode:

  • Windows 10/11:
    1. Hold Shift and click Restart from the Start menu.
    2. Troubleshoot > Advanced options > Startup Settings > Restart.
    3. Press 4 for Safe Mode or 5 for Safe Mode with Networking.

H3: Back up data and set a restore point

  • Back up important files to OneDrive or an external drive.
  • Create a System Restore point before registry or service changes:
    • Press Win+R, type SystemPropertiesProtection.exe, Enter.
    • Select your system drive > Configure (enable protection if off) > Create.
    • Or run in PowerShell (as admin): Checkpoint-Computer -Description “Before_0x80070422_Fix”

H3: Run basic health checks

  • SFC (System File Checker) and DISM (Deployment Image Servicing and Management) can repair corruption that might be impacting services:
    • Open an elevated Command Prompt (right-click Start > Windows Terminal (Admin)) and run:
      sfc /scannow
    • Then:
      DISM /Online /Cleanup-Image /RestoreHealth
  • Optional: Quick disk check (online, no reboot):
    chkdsk /scan

If SFC/DISM reports repairs, reboot before continuing.

Step-by-Step Troubleshooting

Start with the simplest steps and work toward more advanced repairs. Test Windows Update after each major action: Settings > Windows Update > Check for updates.

  1. Run the Windows Update Troubleshooter
  • Windows 10/11: Settings > System > Troubleshoot > Other troubleshooters > Windows Update > Run.
  • This auto-fixes common misconfigurations and restarts services. If it reports services are disabled, continue to the next steps.
  1. Re-enable Windows Update (wuauserv) in Services
  • Press Win+R, type services.msc, Enter.
  • Find Windows Update.
    • Startup type: set to Manual (Trigger Start) or Automatic.
    • Click Start if the service isn’t running.
  • Also check:
    • Background Intelligent Transfer Service (BITS) — Automatic (Delayed Start) or Manual
    • Delivery Optimization (DoSvc) — Automatic (Delayed Start) or Manual
    • Cryptographic Services (CryptSvc) — Automatic
    • Windows Event Log (EventLog) — Automatic
    • Windows Update Orchestrator Service (UsoSvc) — Manual (Trigger Start)
    • Windows Update Medic Service (WaaSMedicSvc) — Manual (Trigger Start)
    • Windows Defender Firewall (mpssvc) — Automatic
  • If a service refuses to change (Access Denied), use the command line next.
  1. Command-line re-enable and start services
    Run Command Prompt or PowerShell as Administrator. Use these commands (safe on Windows 10/11):

  • Query current status:
    sc query wuauserv
    sc query bits
    sc query dosvc
    sc query usosvc
    sc query WaaSMedicSvc
    sc query cryptsvc
    sc query eventlog
    sc query mpssvc

  • Set reasonable defaults and start the core services:
    sc config wuauserv start= demand
    sc start wuauserv

    sc config bits start= delayed-auto
    sc start bits

    sc config dosvc start= delayed-auto
    sc start dosvc

    sc config cryptsvc start= auto
    sc start cryptsvc

    sc config mpssvc start= auto
    sc start mpssvc

Notes:

  • “start= demand” is Manual (Trigger Start). “delayed-auto” is Automatic (Delayed). A space is required after “start=”.
  • Some protected services (e.g., WaaSMedicSvc, UsoSvc) may ignore manual config changes; this is normal. Ensure they’re not Disabled.
  1. Ensure Windows Defender Firewall is enabled
    Many update and Microsoft Store operations fail when the firewall is disabled.
  • In Services, set Windows Defender Firewall to Automatic and Start it.
  • Or run:
    netsh advfirewall set allprofiles state on
  1. Reset Windows Update components (safe and reversible)
    This clears cached update files and rebuilds catalogs.

  • Command Prompt (Admin):
    net stop wuauserv
    net stop bits
    net stop cryptsvc
    net stop msiserver

    ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
    ren C:\Windows\System32\catroot2 catroot2.old

    net start cryptsvc
    net start bits
    net start wuauserv
    net start msiserver

  • Reboot, then try Check for updates again.

  1. Check Group Policy and Registry for enforced disablement
    If this is a personal PC and you’re not on a corporate domain, policy values should typically be Not Configured.

  • Local Group Policy Editor (Windows Pro/Enterprise):

    • Press Win+R, type gpedit.msc, Enter.
    • Navigate:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update
      • “Configure Automatic Updates” = Not Configured or Enabled (as you prefer)
      • “Turn off access to all Windows Update features” = Not Configured
    • If policies are enforced by your organization (banner in Settings), you may not be able to change them.

  • Quick policy report:
    gpresult /h “%USERPROFILE%\Desktop\gp-report.html”

    • Open the report and search for “Windows Update.”

  • Registry checks (Advanced; back up first: reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate “%USERPROFILE%\Desktop\WU_policies.reg”):

    • Policy path:
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      • Look for values like NoAutoUpdate (1), AUOptions, or DisableWindowsUpdateAccess (1). Set to 0 or remove the policy if unmanaged.

  • Service registry Start values (only if Services UI is blocked):

    • wuauserv:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
      • Start REG_DWORD should be 2 (Automatic) or 3 (Manual). Avoid 4 (Disabled).
    • bits: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS (Start=2 or 3)
    • dosvc: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc (Start=2 or 3)
    • mpssvc: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc (Start=2)
    • Reboot after changes.
See also  0x800705b4 Timeout: Services Firewalls and Stable Retry Strategy

Caution: Editing the Registry incorrectly can cause issues. Use a restore point and export keys before changing.

  1. Undo third‑party “tweaks,” blockers, or hardening
  • If you used tools such as “Windows Update Blocker,” “StopUpdates10,” or privacy debloat scripts, use their interface to restore defaults or uninstall them.
  • Check Task Scheduler for disabled Update tasks:
    • Task Scheduler > Task Scheduler Library > Microsoft > Windows > WindowsUpdate and UpdateOrchestrator.
    • Ensure tasks are enabled.
  1. Network sanity checks: unmeter and enable IPv6
  • Settings > Network & internet > Properties for your connection:
    • Set Metered connection to Off.
  • Enable IPv6 (some update endpoints expect it):
    • Control Panel > Network and Sharing Center > Change adapter settings > Right-click your adapter > Properties > check Internet Protocol Version 6 (TCP/IPv6).
  • If you use a proxy/VPN, temporarily disable and test again.
  1. Repair servicing stack and system files again (if needed)
  • If updates still fail, rerun:
    sfc /scannow
    DISM /Online /Cleanup-Image /RestoreHealth
  • Reboot and test.
  1. In-place repair upgrade (keeps files and apps)
    If services or components remain broken, do an in-place repair using the latest Windows ISO:
  • Download Windows 10/11 ISO from Microsoft.
  • Right-click the ISO > Mount > run setup.exe > Choose “Keep personal files and apps.”
  • After the repair, recheck services and try updates.
  1. Enterprise/MDM scenarios
  • If “Some settings are managed by your organization” appears, contact IT. Policies from WSUS, Intune, or other MDMs may intentionally disable updates or redirect them.
  • You can view WSUS redirection here:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    • WUServer and WUStatusServer values indicate WSUS usage.

Advanced Diagnostics

Use these tools to pinpoint why 0x80070422 occurs or persists.

H3: Check Event Viewer for Update and Servicing errors

  • Event Viewer > Applications and Services Logs > Microsoft > Windows:
    • WindowsUpdateClient > Operational
    • Windows > WindowsUpdate
    • Setup > Servicing
    • Windows > Windows Defender > Operational (if security suite interference suspected)
  • Look for errors around the time you click “Check for updates.” Note service start failures, access denied, or policy blocks.

H3: Analyze WindowsUpdate.log and CBS.log

  • On Windows 10/11, generate a readable WindowsUpdate.log:
    • Open PowerShell (Admin) and run:
      Get-WindowsUpdateLog -LogPath “$env:USERPROFILE\Desktop\WindowsUpdate.log”
    • Open the generated log and search for error codes (0x80070422) and “service” failures.
  • CBS (Component-Based Servicing) log:
    • Path: C:\Windows\Logs\CBS\CBS.log
    • Open in a text editor and search for “error,” “failed,” or “corrupt.”
  • These logs can confirm if services aren’t starting, if the catalog is corrupt, or if policy is restricting updates.

H3: Inspect service dependencies and triggers

  • Service config details:
    sc qc wuauserv
    sc qc bits
    sc qc dosvc
    • Confirm dependencies like RpcSs (Remote Procedure Call) are running.
  • If a dependency is disabled, re-enable it in Services (Startup: Automatic).

H3: Reset network stacks (if network-related)

  • Sometimes stale sockets or winsock catalog issues can block update checks:
    netsh winsock reset
    netsh int ip reset
    ipconfig /flushdns
  • Reboot and try again.

H3: Malware and tampering checks

  • Run a full scan with Microsoft Defender Antivirus (update definitions first if possible).
  • If you suspect deeper tampering, use Microsoft Defender Offline scan.

Note: BSOD minidumps are not part of this error category. For 0x80070422, WindowsUpdate.log, CBS.log, and Event Viewer are the key diagnostic sources.

Post-Fix Checklist

  • Confirm services are healthy
    • Windows Update, BITS, DoSvc, CryptSvc, and Firewall are not Disabled and start without errors.
  • Run a full update cycle
    • Settings > Windows Update > Check for updates.
    • Install everything offered, including servicing stack updates and cumulative updates.
  • Verify clean logs
    • Event Viewer’s WindowsUpdateClient log shows successful scan/install events, not repeated failures.
  • Re-run SFC (optional)
    • sfc /scannow should report no integrity violations.
  • Check Microsoft Store downloads (optional)
    • Open Microsoft Store and try a small app update to confirm network/firewall integrity.
See also  0xC1900107 Cleanup Pending: How to Clear the Update Queue

When to Seek Professional Help

  • You’re on a managed (work/school) device, and policies enforce disabled updates. Only your IT admin can change this.
  • Services are missing or refuse to start even after SFC/DISM and an in-place repair.
  • You suspect malware persists or critical system files are tampered with.
  • The system shows repeated servicing stack errors in CBS.log and cannot complete updates.

In these cases, a qualified technician or your organization’s IT service should review logs, policies, and possibly perform a clean installation after data backup.

Prevention Tips

  • Avoid “debloat” or “update blocker” tools unless you fully understand and can reverse their changes.
  • Keep Windows Defender Firewall enabled; it’s integrated with Windows security and update mechanisms.
  • Create periodic System Restore points before major tweaks.
  • Keep drivers and firmware up to date via OEM utilities or Windows Update.
  • Don’t disable BITS, DoSvc, or Windows Update services to “save resources”—they’re trigger-start and lightweight.
  • Use a reputable security suite and regularly scan for malware.
  • Maintain regular backups (File History, OneDrive, or third-party imaging tools).

Conclusion

Error 0x80070422 is Windows’ way of saying “the service needed for updates is disabled.” In most cases, re-enabling the Windows Update service and its dependencies, resetting the update components, and repairing the component store with SFC and DISM solves the problem. For managed devices, the fix may involve changing Group Policy or MDM settings through your IT department. Follow the steps above in order—from basic checks through advanced diagnostics—and you’ll restore update functionality safely and reliably.

You’ve got this. With services re-enabled and the system repaired, your PC can once again receive the security and feature updates that keep it safe and fast.

FAQ

H4: What exactly causes 0x80070422 in Windows Update?
It means a required service—usually Windows Update (wuauserv)—is disabled, or a dependency like BITS, DoSvc, or Windows Defender Firewall isn’t running. It can also be enforced by Group Policy/MDM or caused by corrupted update cache or servicing components.

H4: Should I set Windows Update to Automatic or Manual?
Either works. The default for Windows Update on modern Windows is Manual (Trigger Start), which starts when needed. Automatic is also fine. The critical point is: do not set it to Disabled.

H4: Do I need Windows Defender Firewall enabled for updates?
Yes. Disabling Windows Defender Firewall often breaks Windows Update and Microsoft Store downloads. Keep it enabled even if you use a third-party firewall, or ensure that firewall allows Windows Update endpoints.

H4: Is it safe to delete SoftwareDistribution and Catroot2?
You shouldn’t delete them; instead, rename them while update services are stopped. Windows will recreate them. This is a standard, safe step to clear a corrupted update cache.

H4: I’m on a work computer and can’t change policies. What now?
If Settings says “Some settings are managed by your organization,” your company’s policies may intentionally disable or redirect updates (e.g., to WSUS). Contact your IT administrator to review and adjust policies as needed.

Appendix: Quick Command Set (for reference)

  • Repair basics:
    sfc /scannow
    DISM /Online /Cleanup-Image /RestoreHealth

  • Enable and start key services:
    sc config wuauserv start= demand
    sc start wuauserv
    sc config bits start= delayed-auto
    sc start bits
    sc config dosvc start= delayed-auto
    sc start dosvc
    sc config cryptsvc start= auto
    sc start cryptsvc
    sc config mpssvc start= auto
    sc start mpssvc

  • Reset update components:
    net stop wuauserv
    net stop bits
    net stop cryptsvc
    net stop msiserver
    ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
    ren C:\Windows\System32\catroot2 catroot2.old
    net start cryptsvc
    net start bits
    net start wuauserv
    net start msiserver

  • Re-enable Firewall:
    netsh advfirewall set allprofiles state on

  • Generate WindowsUpdate.log:
    PowerShell (Admin): Get-WindowsUpdateLog -LogPath “$env:USERPROFILE\Desktop\WindowsUpdate.log”

If you follow these steps carefully, you’ll fix error 0x80070422 and restore Windows Update without compromising system integrity.

About the author

Jonathan Dudamel

Jonathan Dudamel

I'm Jonathan Dudamel, an experienced IT specialist and network engineer passionate about all things Windows. I have deep expertise in Microsoft project management, virtualization (VMware ESXi and Hyper-V), and Microsoft’s hybrid platform. I'm also skilled with Microsoft O365, Azure ADDS, and Windows Server environments from 2003 through 2022.

My strengths include Microsoft network infrastructure, VMware platforms, CMMS, ERP systems, and server administration (2016/2022).

View all posts

You may also like