Windows 11 July Updates Failing to Download: Fix KB5028185 and KB5028851

Background / Overview​

What the failures look like — symptoms and error codes​

• Windows Update shows “Downloading…” for a long time and then stalls at 0% or low progress.
• Update proceeds to install but reboots and then rolls back with messages like “We couldn’t complete the updates. Undoing changes.”
• Windows Update lists the update as failed with codes such as 0x80070002, 0x800f0922, 0x800f0983, or 0x800f0991 depending on the system state and specific failure.
• After apparent rollback, services such as Windows Audio or Device Manager may behave incorrectly on a few machines, indicating partial install side effects reported by community users.

Why this happens — underlying causes​

• Corrupted or partial downloads: update payloads stored in SoftwareDistribution can become corrupted; the client then fails with filesystem or hash errors. Community moderation and Microsoft Q&A threads show this is a frequent root cause.
• Disabled/blocked services: crucial services like Background Intelligent Transfer Service (BITS), Windows Update, Cryptographic Services, App Readiness, and Windows Module Installer (TrustedInstaller) must run. App Readiness being stopped has been singled out as a blocker in some community solutions.
• Component store (WinSxS) corruption: the component store that services updates can be damaged; DISM + SFC are the standard remediation tools. Microsoft community answers recommend using an in‑place repair when those tools fail.
• Third‑party security software or drivers: AV or system‑level hooks sometimes interfere with the patching process; clean‑boot testing is a common troubleshooting step.
• Media/distribution issues: certain installation media that included specific October/November cumulative payloads produced systems that blocked later security rollups; workarounds involved applying a later fixed cumulative (December) or re‑creating installation media from Microsoft’s updated images. Community archives document this pattern and Microsoft acknowledged similar symptoms in affected threads.
• Malicious or tampered web assets: the presence of legacy file manager endpoints (FCKeditor filemanager/browser/default/browser.html) on otherwise legitimate sites that call out to untrusted .top domains is a common vector for drive‑by downloads or misleading “update” pages; if users clicked through such content, additional cleanup is required. This same pattern appears in real incidents where a leaders.com.tn endpoint was used to call an external connector hosted on the .top TLD. Independent threat‑intelligence and security posts underscore that .top domains are heavily abused and merit caution.

Quick, safe checklist (what to try first)​

• Reboot the device and ensure at least 20–30 GB free on the system drive (C.
• Temporarily disable third‑party antivirus and any disk‑encryption UI; keep built‑in Microsoft Defender enabled unless diagnostics require otherwise. Record the change so you can re-enable protection after testing.
• Run the built‑in Windows Update Troubleshooter: Settings > System > Troubleshoot > Other troubleshooters > Windows Update > Run.
• Verify crucial services are running: open Services (services.msc) and ensure BITS, Windows Update, Cryptographic Services, App Readiness, and Windows Module Installer show a Running status. Start or restart any that aren’t running and retry updates. Community posts explicitly call out App Readiness as a common failure point.
• Check for pending restarts or failed updates in Settings > Windows Update > Update history. If there is a pending restart, complete it before further troubleshooting.

Step‑by‑step repairs (commands and safety notes)​

1) Reset Windows Update components and clear cache​

net stop wuauserv
net stop cryptSvc
net stop bits
net stop trustedinstaller
ren %windir%\SoftwareDistribution SoftwareDistribution.old
ren %windir%\System32\catroot2 catroot2.old
net start wuauserv
net start cryptSvc
net start bits
net start trustedinstaller

2) Repair the component store (DISM) and check system files (SFC)​

DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow

3) Clean boot to rule out third‑party interference​

• Open System Configuration (msconfig).
• Under Services, check Hide all Microsoft services, then click Disable all.
• Open Task Manager, on Startup tab, disable all non‑Microsoft startup apps.
• Reboot and attempt the update.

4) Manual download and staged install (SSU then LCU)​

• Servicing Stack Update (SSU) for your Windows build (always install SSU first).
• Latest Cumulative Update (LCU) package (KB5028185 or the matching rollup for your exact build).
• .NET cumulative (KB5028851) if applicable, but only after OS updates succeed.

5) In‑place repair (repair upgrade) using an up‑to‑date ISO​

Enterprise / WSUS notes​

• If devices get updates via WSUS, ensure the server has the proper content for the KB packages and confirm IIS is serving content correctly. WSUS content delivery problems (0 KB files in SoftwareDistribution) require validating the WSUSContent folder and IIS logs — a standard enterprise troubleshooting path. Documentation and forum threads show WSUS misconfigurations can produce client-side download failures even though metadata sync succeeded.
• For managed environments, sequence SSU delivery ahead of LCUs in the catalog and use pilot rings when rolling cumulative updates across many devices to catch regressions early. Use Configuration Manager/Intune to stage deployments.

If you clicked the leaders.com.tn link or encountered a trustgo.top redirect​

• Disconnect the PC from the network (unplug Ethernet, disable Wi‑Fi) to prevent additional downloads or callbacks.
• Do not click or interact further with the page; avoid saving or running any files it provided.
• Run a full system scan with Microsoft Defender Offline (Start > Windows Security > Virus & Threat Protection > Scan options > Microsoft Defender Offline scan) and a reputable anti‑malware tool (for example, Malwarebytes or Gridinsoft) to detect PUPs or malicious installers; multiple independent checks improve detection variance. Security sites caution that .top domains are often flagged and should be treated as untrusted.
• Inspect browser extensions and remove unknown or recently installed add‑ons; reset browser settings to default.
• Check scheduled tasks, startup items, and the hosts file (C:\Windows\System32\drivers\etc\hosts) for suspicious entries.
• Clear temporary folders (%temp%, browser caches) and flush the DNS resolver cache with:
  
  Code:

  ipconfig /flushdns
  netsh winsock reset
  netsh int ip reset

• Review network connections with netstat to detect persistent remote connections and, if you’re comfortable, capture a network trace for incident analysis.
• If you entered credentials on any web pages after following a suspicious link, assume compromise for those accounts and change passwords from a clean device; enable MFA.

Capturing logs and when to escalate​

• WindowsUpdate.log: generate it with:
  Get-WindowsUpdateLog -LogPath C:\Temp\WindowsUpdate.log
• CBS.log: C:\Windows\Logs\CBS\CBS.log
• Setup and DISM output (save the DISM output text)
• Event Viewer: Application and System logs time‑filtered to the failure windows.

Critical analysis — strengths, risks and long‑term implications​

• The majority of update failures respond to client‑side repairs (resetting update components, running DISM/SFC, manual SSU+LCU installation). These fixes are well‑documented and allow non‑destructive remediation in most cases.
• Manual package install or in‑place repair using Microsoft’s Media Creation Tool reliably recovers systems where the component store or local payloads are damaged.
• Community reporting and Microsoft Q&A provide real‑world evidence and targeted troubleshooting steps, reducing trial‑and‑error for admins.

• Performing in‑place repairs or re‑creating installation media without a backup carries risk; always back up user data first.
• Disabling security software temporarily to test updates can expose a device if it remains unprotected for long; re‑enable protections immediately after testing.
• If a device was exposed to a suspicious link (the leaders.com.tn / trustgo.top pattern), auto‑repair steps may not remove persistent malware; a full forensic clean or a reinstall from a trusted image may be required.
• Manual installation of SSUs and LCUs must match the device architecture and build precisely; installing the wrong package can itself cause problems. Always confirm package metadata before applying.

• The recurring pattern — distribution or media‑based anomalies that block future updates — underlines the need for admins to validate installation media and to adopt staged deployment and pilot rings for major updates. Where feasible, rely on Microsoft Update Catalog downloads or Windows Update rather than third‑party or legacy ISOs that may include out‑of‑date patch layering. Community archives document instances where older media left devices unable to accept subsequent security rollups until a December cumulative was applied.

Practical remediation checklist (copy‑paste ready)​

• Backup critical data.
• Reboot; ensure >20 GB free on C:.
• Stop third‑party AV; run Windows Update Troubleshooter.
• Verify services: BITS, Windows Update, Cryptographic, App Readiness, TrustedInstaller.
• Reset update components (commands listed above).
• Run DISM /RestoreHealth and sfc /scannow.
• Clean boot and retry update.
• If still failing: download and install SSU then LCU from Microsoft Update Catalog.
• If still failing: perform an in‑place repair with latest Media Creation Tool ISO.
• If you clicked a suspicious link: disconnect, run Defender Offline, run a dedicated anti‑malware scanner, reset browsers, change passwords from a clean device.

Final notes and cautions​

• Cross‑reference package numbers against your exact Windows build before applying fixes; the wrong LCU/SSU can worsen the situation.
• If a device is managed via WSUS or Configuration Manager, coordinate package sequencing and confirm content availability on your update servers before deploying fixes.
• Treat any site calling out to a .top domain from an FCKeditor filemanager endpoint as suspicious; do not click, and run a security sweep if you already did.
• Where a fix requires reinstalling or re‑creating installation media, use the official Microsoft Media Creation Tool and verify ISO checksums where possible.