Windows Update Error > Windows Subsystem for Linux can’t be updated

System Overview

• Operating system: Windows 10 / Windows 11
• Hardening configuration: Hardening according to CIS or BSI Baseline
• Windows Subsystem for Linux (WSL) is not installed

Problem

Running Windows Update returns error 0x80070643 (Fig. 1). When manually searching for updates, there is a brief moment showing that an update for „Windows Subsystem for Linux“ (which is not activated on the system) is being installed (Fig. 2), before the previous error is displayed again.

Fig. 1

Fig. 2

Cause

During analyzing the root cause it turned out to be the following issue.

• Applying CIS and BSI benchmarks (see here) leads to configuring a registry key for the „LxssManager“ service – this service should be, according to hardening benchmarks, disabled
• This registry key obviously triggers the Microsoft Update Agent to check for „Linux Subsystem updates“ – although it is not installed
• And the fact Linux subsystem is not installed leads to an error

What hardening baselines recommend to set:

• Hardening baselines from CIS (5. 10 – (L1) Ensure ‚LxssManager (LxssManager)‘ is set to ‚Disabled‘ or ‚Not Installed‘) and BSI ((ND, NE) Ensure ‚LxssManager (LxssManager)‘ is set to ‚Disabled‘ or ‚Not Installed‘) create the registry key „HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager“
• Within this key ValueName „Start“ with value „4“ is created, which disables the service LxssManager. However, the existence of this key causes Windows to check for updates for WSL.

Solution

Overview

The solution is done in two steps. First, the causative control must be removed from hardening and the updated hardening rolled out to the systems. Then, the registry key must be deleted on the affected systems.

1. Removal of the configuration

– Option 1 – When using a hardening tool like Enforce Administrator
The affected custom benchmark is edited and an exception is set for the control in step 4 of the TAPS wizard. The custom benchmark is then saved. The new created configuration template is then rolled out again on all systems.

– Option 2 – When using „Group Policy Objects“ (GPOs)
The responsible configuration is removed from the GPO.

2. Clean up affected system(s)
Deleting the relevant registry key is the way to go here. There are several options here:

1. Start regedit as administrator and navigate to „Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager„. Delete the whole key, a restart is not necessary.

2. Deliver a customized .reg file to delete the key via GPO or software distribution.

Check

Afterwards check for Windows updates using Microsoft Update agent, the error is gone.

References

• How to add, modify, or delete registry subkeys and values by using a .reg file