1. Verify Date and Time Settings
- Go to Settings → Time & Language → Date & Time.
- Enable Set time automatically and Set time zone automatically.
- Restart your computer and try Windows Update again.
2. Enable TLS 1.2 and TLS 1.3 Protocols
- Press Win + R, type inetcpl.cpl, and hit Enter.
- Go to the Advanced tab → scroll to Security.
- Check:
  - Use TLS 1.1
  - Use TLS 1.2
  - Use TLS 1.3 (if available)
- Click Apply → OK, then restart your PC.
3. Update Root Certificates
- Open PowerShell (Admin) and run:
    certutil -generateSSTFromWU RootCAs.sst
    certutil -addstore -f Root RootCAs.sst
- This refreshes the trusted root certification authorities used by Windows Update.
4. Reset Cryptographic Services and Cache
- Open Command Prompt (Admin) and execute:
    net stop cryptsvc
    ren %systemroot%\System32\catroot2 catroot2.old
    net start cryptsvc
- This rebuilds cryptographic data required for secure communication.
5. Re-register SSL and Cryptographic DLLs
- Run these commands in Command Prompt (Admin):
    regsvr32 softpub.dll
    regsvr32 wintrust.dll
    regsvr32 initpki.dll
    regsvr32 cryptdlg.dll
- This restores the cryptographic functions essential for update verification.
6. Reset WinHTTP Proxy Configuration
- Open Command Prompt (Admin) and type:
    netsh winhttp reset proxy
    netsh winsock reset
    ipconfig /flushdns
- Restart your computer to apply the changes and retry Windows Update.
7. Check Firewall and Antivirus HTTPS Scanning
- Temporarily disable your third-party antivirus or firewall.
- Retry the update.
- Once updates are complete, re-enable protection to maintain security.
8. Use Windows Update Troubleshooter
- Go to Settings → System → Troubleshoot → Other troubleshooters.
- Run Windows Update Troubleshooter.
- Apply the recommended fixes and restart your PC.
9. Manually Install Updates
If the secure channel still fails:
- Visit the Microsoft Update Catalog.
- Search for the KB number of the failed update.
- Download and install it manually.
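
Before changing anything, it helps to record the current state that steps 1, 2, 4, 6 and 7 touch. The read-only PowerShell check below is an added example, not part of the original guide; it changes nothing. The test host `www.microsoft.com` and the time source `time.windows.com` are assumptions, so substitute the endpoint you actually need to reach.

```powershell
# Read-only pre-check: reports state, modifies nothing.
# $TestHost is an assumed HTTPS endpoint; replace it with the host you need to reach.
param([string]$TestHost = 'www.microsoft.com')

# Step 1: clock offset against an NTP source (time.windows.com is an assumed choice).
w32tm /stripchart /computer:time.windows.com /samples:1 /dataonly

# Step 2: decode the per-user SecureProtocols bitmask behind the inetcpl.cpl checkboxes.
$flags = [ordered]@{ 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200
                     'TLS 1.2' = 0x800; 'TLS 1.3' = 0x2000 }
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$mask = (Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
if ($null -eq $mask) { 'SecureProtocols not set (system defaults apply)' }
else { foreach ($p in $flags.GetEnumerator()) { '{0,-8} enabled: {1}' -f $p.Key, [bool]($mask -band $p.Value) } }

# Step 4: Cryptographic Services should be Running before and after the reset.
Get-Service -Name CryptSvc | Select-Object Name, Status, StartType

# Step 6: show the WinHTTP proxy that "netsh winhttp reset proxy" would clear.
netsh winhttp show proxy

# Steps 2, 3 and 7: one TLS handshake using the OS/.NET default protocol set.
# An Issuer naming an antivirus or proxy product instead of a public CA
# indicates HTTPS scanning is intercepting the connection.
$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($TestHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($TestHost)   # throws if the chain or host name fails validation
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{ Host = $TestHost; Protocol = $ssl.SslProtocol
                       Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }
} catch {
    "Handshake to $TestHost failed: $($_.Exception.GetBaseException().Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

Run it once before the fixes and once after, and compare the output to see which step changed the outcome.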