
Persistent Windows Update failure (0x80240025) surviving repair install and policy reset – request guidance or confirmation of rebuild requirement

Guillermo Ramirez 0 Reputation points
2026-04-07T17:56:29.47+00:00

We are encountering a persistent Windows Update failure on a Windows 11 workstation:

Error:

  • Windows Update error code: 0x80240025 (WU_E_USER_ACCESS_DISABLED)
  • Occurs under SYSTEM context (S-1-5-18)
  • Logged consistently as Event ID 25 (WindowsUpdateClient/Operational)
  • Target service: Microsoft Update

Context:

  • This machine was previously domain-joined and WSUS-managed.
  • WSUS has since been fully decommissioned.
  • The device is now intended to use Microsoft Update directly.

Remediation already performed (confirmed and verified):

  1. WSUS removal and validation
    • All WSUS-related registry keys removed
    • Microsoft Update confirmed as default AU service
    • No WUServer / WUStatusServer values remain
  2. Policy and security reset
    • Local Group Policy removed:
      • %SystemRoot%\System32\GroupPolicy
      • %SystemRoot%\System32\GroupPolicyUsers
    • Local Security Policy reset:
      • secedit /configure /cfg %SystemRoot%\inf\defltbase.inf
  3. Windows Update component reset
    • SoftwareDistribution reset
    • catroot2 contents cleared
    • wuauserv, bits, cryptsvc services restarted
  4. System integrity repair
    • sfc /scannow
    • DISM /Online /Cleanup-Image /RestoreHealth
  5. OS repair
    • In-place Windows 11 repair install (keep files and apps)
  6. Domain isolation test
    • Issue persists even when signed out of domain account

Current behavior:

  • Windows Update scans execute but immediately fail with 0x80240025.
  • Event ID 26 (store service) appears normally, confirming scan engine runs.
  • Event ID 25 (Microsoft Update) consistently fails with access denied.
  • Issue persists across reboots and policy refresh.

At this point, the behavior appears consistent with a persistent local SYSTEM-level update access denial that survives:

  • Local GPO reset
  • Security policy reset
  • In-place OS repair

Request:

We are requesting confirmation of whether this state is considered non-recoverable via supported remediation, and whether a clean OS redeployment is the recommended resolution.

If additional supported diagnostics (CBS logs, WindowsUpdate logs, servicing stack validation) are required, we are happy to provide them.

Windows for home | Windows 11 | Windows update
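
A read-only check of the state described in the question, added here as an example and not part of the original post or either answer. The registry key list is an assumption (commonly documented Windows Update policy locations, plus the SYSTEM hive because the failure is logged under S-1-5-18); run it from an elevated PowerShell prompt.

```powershell
# Added example: audits Windows Update policy values and recent Event ID 25 entries.
# Read-only: nothing is modified. The key list is an assumption, not taken from the post.
$policyKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate',
    # SYSTEM's own hive, since the failure is reported under S-1-5-18
    'Registry::HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Windows\WindowsUpdate',
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
)

# Collect every value still present under each key (WUServer, WUStatusServer,
# UseWUServer, access-restriction values, and anything else left behind).
$findings = foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key   = $key -replace '^Registry::', ''
            Name  = $name
            Value = $item.GetValue($name)
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No values found under the audited Windows Update policy keys.'
}

# Show the most recent Event ID 25 entries with the account SID that logged them.
$filter = @{ LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 25 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'UserSid'; e = { $_.UserId } }, Message |
    Format-List
```

Any value it lists survived the policy reset and is worth including with the diagnostics offered above.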

2 answers

  1. Ramesh Srinivasan 77,225 Reputation points Independent Advisor
    2026-04-07T18:51:00.5133333+00:00

    Hi Guillermo,

    Please reset the Windows Update cache and the policy keys using this batch file to see if that fixes the issue:

    1. Download the zip file from the following link, and extract the batch file to the desktop.

    https://gist.github.com/winhelponline/af9296c106448a664a6229d8146a85fd

    2. Right-click on the batch file, click Properties, click "Unblock" (if present), and OK.
    3. Double-click the batch file to run it.
    4. After it completes execution, don't close it yet.
    5. Right-click on that Command Prompt window, click "Edit" and click "Select all"
    6. Right-click on that Command Prompt window, click "Edit" and click "Copy" (This copies the output to the clipboard.)
    7. Paste the info (Ctrl + V) into your reply window.

    Standard Disclaimer: There is a link to a non-Microsoft website. The page appears to provide accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as PUPs (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.


  2. Q&A Assist
    2026-04-07T17:56:44.78+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Based on the provided information and the documented guidance, a clean redeployment is the only clearly supported next step when:

    • Windows Update consistently fails with access-related errors under SYSTEM
    • WSUS/scan-source configuration has already been corrected
    • Local policy and security baselines have been reset
    • Windows Update components have been fully reset
    • System integrity checks (SFC/DISM) are clean
    • An in-place repair install of the current Windows version has already been performed and the issue persists

    The available guidance for Windows Update issues focuses on:

    • Verifying the correct scan source (Windows Update vs WSUS) and scan behavior
    • Resetting Windows Update components (BITS, wuauserv, cryptsvc, SoftwareDistribution, catroot2)
    • Ensuring a valid repair source and using DISM /RestoreHealth
    • Using repair/reinstall of the current Windows version when component corruption or update failures persist

    In similar cases where:

    • DISM and SFC report no issues, but
    • Updates continue to fail with persistent errors, and
    • An in-place repair install does not resolve the problem,

    the recommended and effective resolution has been to reinstall the current Windows version (clean OS deployment) rather than continue to troubleshoot at the component level.

    Given that all standard and advanced remediation steps have already been completed (including in-place repair) and the failure is still occurring under SYSTEM, this state should be treated as effectively non-recoverable via normal supported remediation. A clean OS redeployment is the appropriate and supported resolution path.

    If further escalation is desired before redeployment, the only additional supported step would be to collect full diagnostic data (including Windows Update logs and CBS logs) and open a support case, as described in the Windows Update troubleshooting guidance. However, in practice, with an in-place repair already completed and all standard resets performed, clean redeployment is the most direct and reliable fix.

