Can’t Log in to Windows? Fix the Real Cause Without Wasting Time (Before You Reset Anything)

Quick answer: Fix a Windows Update error with Google login by removing the Google/work account from Windows, resetting the WAM/AAD Broker token cache, then resetting Windows Update (SoftwareDistribution/Catroot2) and WinHTTP proxy.

If updates work on a hotspot but fail on your normal network, focus on proxy/SSL inspection; if they fail everywhere, focus on token + update component resets.

Quick Fix Checklist

• Restart once (don’t skip): reboot clears stuck update/identity processes.
• Disconnect Google + stale work/school accounts (prevents broken token re-use).
• Reset WAM/AAD Broker token cache (Microsoft.AAD.BrokerPlugin) and reboot.
• Reset Windows Update cache (SoftwareDistribution + Catroot2) and retry.
• Check WinHTTP proxy (Windows Update uses WinHTTP, not your browser).
• Temporarily disable VPN / web shield and test on a clean network (hotspot).
• Repair system files (DISM + SFC) if installs fail (0x800Fxxxx).

Causes (realistic, not generic)

• Corrupted WAM token cache (Web Account Manager) after sign-in activity: Windows identity broker can get stuck and break Microsoft service auth flows used by Store/Update.
• Broken Microsoft.AAD.BrokerPlugin state: common after account changes, password resets, MFA changes, or interrupted sign-in prompts.
• WinHTTP proxy mismatch: browser traffic works, but Windows Update fails because it uses WinHTTP proxy settings.
• SSL inspection / security agent (Zscaler/Netskope/AV web shield): TLS interception can cause certificate validation failures for Microsoft update endpoints.
• Update cache or catalog corruption (SoftwareDistribution/Catroot2): repeated failures at the same percentage or endless “Downloading.”
• Servicing stack/component store damage: DISM/SFC required; often shows as 0x800F081F, 0x80073712, 0x800F0922.
• Windows Update policy/WSUS on managed devices: updates are redirected and may fail if the org endpoint is unreachable.

Step-by-Step Fix

0) Confirm it’s the “Google login” pattern (30 seconds)

• Try Windows Update right after a reboot before opening Chrome/Edge or signing into Google.
• Then sign into Google (browser/app) and try Windows Update again.

If it only fails after Google sign-in, that points to identity tokens, security modules, or network inspection that activates after sign-in.

1) Remove the Google account and stale work/school connections

Do this first so Windows doesn’t immediately restore the same broken tokens.

• Go to Settings > Accounts > Email & accounts.
• Under Accounts used by email, calendar, and contacts, select the Google account > Remove.
• Go to Settings > Accounts > Access work or school.
• Disconnect any old/unused connections.

Important: If this is a work-managed PC, don’t remove required work/school accounts without IT approval.

2) Reset the AAD Broker Plugin (WAM) token cache (most effective fix)

This targets the Windows identity broker layer that can break Microsoft services after sign-in activity.

• Go to Settings > Apps > Installed apps.
• Search for Microsoft AAD Broker Plugin.
• If present: Advanced options > Terminate > Reset.
• Reboot.

If it does not appear in the Apps list, clear its package data manually:

• Sign in with an administrator account.
• Close Microsoft Store, Outlook, Teams, OneDrive, and browsers.
• Open File Explorer and paste:

C:\Users\%USERNAME%\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\

• Rename (safer than delete) these folders if present:
• AC\TokenBroker → TokenBroker.old
• LocalState → LocalState.old
• Settings → Settings.old

If Windows blocks changes, do it from another admin profile or after a clean boot (Step 7).

3) Reset Windows Update components (SoftwareDistribution + Catroot2)

This clears corrupted downloads and signature catalogs.

• Open Windows Terminal (Admin).
• Run:

net stop wuauserv
net stop bits
net stop cryptsvc
net stop msiserver

ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old

net start msiserver
net start cryptsvc
net start bits
net start wuauserv

• Go to Settings > Windows Update > Check for updates.

4) Fix WinHTTP proxy (common when browser login works but Update fails)

Windows Update uses WinHTTP settings, which can differ from your browser.

• Open Windows Terminal (Admin) and run:

netsh winhttp show proxy

• If you see a proxy you don’t recognize or it’s stale:

netsh winhttp reset proxy

If your network requires a proxy, don’t reset it permanently—set the correct proxy string provided by IT.

5) Advanced (non-obvious): Reset Microsoft Store/Delivery Optimization caches

On some systems, Windows Update downloads are impacted by Store/DO cache layers—especially when sign-in/token state changes.

• Run this to reset Microsoft Store cache:

wsreset.exe

• Then reset Delivery Optimization (Admin Terminal):

net stop dosvc
del /q /f “%ProgramData%\Microsoft\Windows\DeliveryOptimization\Cache\*”
net start dosvc

If the cache folder is empty or deletion fails, continue—this step is optional but can be decisive on “download stuck” cases.

6) Repair Windows system files (when installs fail or errors are 0x800Fxxxx)

• Open Windows Terminal (Admin) and run:

DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow

Reboot after both complete, then try Windows Update again.

7) Clean boot to isolate security/VPN/identity hooks

If the error appears only after signing into Google in Chrome/Edge (or after a security agent update), a background process may be intercepting network/auth flows.

• Press Win + R, type msconfig, press Enter.
• Services tab: check Hide all Microsoft services > Disable all.
• Startup tab: open Task Manager > disable non-essential startup items.
• Reboot and run Windows Update before opening browsers/signing into Google.

If it works in clean boot, re-enable items in batches to identify the conflicting VPN, web shield, SSL inspection, or identity tool.

8) If you see certificate/TLS errors: confirm SSL inspection and fix trust

If updates work on a hotspot but fail on your normal network, treat it as a network trust/inspection issue.

• Test on a mobile hotspot (quick isolation test).
• If hotspot works: bypass TLS inspection for Microsoft update endpoints or correctly deploy the inspection root certificate to the Local Computer trust store.
• Temporarily disable “HTTPS scanning” / “web shield” in third-party AV (if allowed) and retest.

Still Not Working

• Get the exact error code: Settings > Windows Update > Update history. Match the family:
• 0x80072xxx = network/TLS/proxy/DNS
• 0x8024xxxx = Windows Update service/components
• 0x800Fxxxx = install/component store/servicing stack
• Check if the device is managed (WSUS/Policy):
• Admin Terminal: reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
• If WUServer / WUStatusServer exist, updates may be forced through your organization.
• Run built-in troubleshooters (quick sanity check): Settings > System > Troubleshoot > Other troubleshooters > Windows Update.
• Generate Windows Update logs (Admin Terminal):

Get-WindowsUpdateLog

• Check key services are running (Admin Terminal):

sc query wuauserv
sc query bits
sc query cryptsvc

• Try installing the latest cumulative update manually:
• Find your KB in Windows Update history, then download it from the Microsoft Update Catalog.
• If manual install fails with 0x800Fxxxx, go back to DISM/SFC and consider an in-place repair.
• In-place repair install (keeps apps/files):
• Download the latest Windows ISO from Microsoft, run setup.exe, choose Keep personal files and apps.
• Escalation (when it’s clearly identity-related):
• If this started after MFA/password changes, remove/re-add the account after Step 2, then sign into Microsoft Store once and retry Windows Update.
• If you’re in an enterprise environment, provide IT with: error code, whether hotspot works, and WinHTTP proxy output (netsh winhttp show proxy).

If you share your exact Windows Update error code and whether updates work on a hotspot, you can usually narrow this to one fix (proxy/SSL inspection) or two fixes (WAM reset + update reset) instead of trying everything.

If Google Sign-In Is Failing

This section covers a specific troubleshooting angle related to windows update error with google login. Use it to narrow the issue before moving to deeper fixes.

Why this happens

Problems like this often come from one of three areas: local app state, network conditions, or a recent configuration change.

How to fix it

1. Confirm the exact symptom before changing multiple settings at once.
2. Restart the app and the device before trying advanced fixes.
3. Test on a different network or device if possible.
4. Keep note of any exact error message because it often points to the real cause.

Important notes

• If the basic checks change the behavior, that usually tells you where the issue really lives.
• Move to stronger fixes only after the quick isolation steps above.

Frequently Asked Questions