System Overview

- Operating system: Windows 10 / Windows 11
- Hardening configuration: hardened according to the CIS or BSI baseline
- Windows Subsystem for Linux (WSL) is not installed
Problem
Running Windows Update fails with error 0x80070643 (Fig. 1). When searching for updates manually, the dialog briefly shows that an update for "Windows Subsystem for Linux" is being installed (Fig. 2), even though WSL is not enabled on the system, before the same error is displayed again.
Fig. 1
Fig. 2
Cause
Root-cause analysis showed the following chain of events:

- Applying the CIS and BSI benchmarks (see here) creates a registry key for the "LxssManager" service, because both benchmarks require this service to be disabled.
- The existence of this service key evidently makes the Windows Update agent check for "Windows Subsystem for Linux" updates, although WSL is not installed.
- Because WSL is not installed, installing that update fails, and Windows Update reports the error.
What the hardening baselines set:

- The CIS benchmark (control 5.10, "(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'") and the BSI baseline ("(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'") create the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager.
- Within this key a value named "Start" (REG_DWORD) with data 4 is created, which sets the start type of the LxssManager service to "Disabled". On a system with WSL this is the intended effect. On a system without WSL the key would not exist at all, and its mere existence is what causes Windows Update to look for WSL updates.
Solution
Overview
The fix has two steps. First, the control that causes the problem is removed from the hardening configuration and the updated hardening is rolled out, so that the key is not recreated on the next enforcement run. Then the orphaned registry key is deleted on the affected systems.
1. Removal of the configuration
– Option 1 – When using a hardening tool such as Enforce Administrator
Edit the affected custom benchmark and set an exception for the control in step 4 of the TAPS wizard, then save the custom benchmark. Roll out the newly created configuration template to all systems again.
– Option 2 – When using Group Policy Objects (GPOs)
Remove the responsible configuration (the LxssManager service setting) from the GPO.
2. Clean up affected system(s)
Deleting the relevant registry key resolves the issue. Delete it only on systems where WSL is not installed; on a system with WSL the key belongs to the real LxssManager service and must stay. There are several ways to do this:
1. Start regedit as administrator, navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager and delete the whole key. A restart is not necessary.
2. Deliver a customized .reg file that deletes the key via GPO or software distribution.
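The following PowerShell script is an added example for the clean-up step; it is not part of the original article or of any hardening tool. It checks whether WSL is really absent, verifies that the key looks like the bare hardening artifact (only a Start=4 value, no ImagePath or other service data) rather than a real service registration, writes a .reg file that deletes the key for distribution via GPO or software deployment, and finally removes the key locally. The switch name $ReportOnly and the output path are assumptions of this example; run it from an elevated PowerShell session.

```powershell
# Added example, not from the original article. Run elevated.
# Assumptions: key path and Start=4 as described in the Cause section;
# -ReportOnly and the .reg output path are this example's own choices.
param(
    [switch]$ReportOnly,
    [string]$RegFileOut = "$env:TEMP\Remove-LxssManagerKey.reg"
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager'

# 1. Is WSL actually installed? If the optional feature is enabled, the key
#    belongs to the real LxssManager service and must not be deleted.
$wsl = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
if ($wsl.State -eq 'Enabled') {
    Write-Warning "WSL is enabled on this host; LxssManager is a real service. Not touching $KeyPath."
    return
}

# 2. Does the orphaned key exist at all?
if (-not (Test-Path $KeyPath)) {
    Write-Host "No $KeyPath present; nothing to clean up."
    return
}

# 3. Does it look like the hardening artifact: a bare key whose only value is
#    Start=4 ('Disabled')? A genuine service key also carries ImagePath, Type,
#    ObjectName etc. Filter out the PS* properties that Get-ItemProperty adds.
$props = Get-ItemProperty -Path $KeyPath
$start = $props.Start
$otherValues = @($props.PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS' -and $_.Name -ne 'Start' } |
    Select-Object -ExpandProperty Name)
Write-Host "Found $KeyPath  Start=$start  other values: $($otherValues -join ', ')"

if ($otherValues.Count -gt 0 -or $start -ne 4) {
    Write-Warning "Key does not match the hardening artifact (Start=4 only). Review manually."
    return
}

# 4. Emit a .reg file that deletes the key. The leading '-' inside the brackets
#    is regedit's syntax for key deletion; .reg version 5.00 files are UTF-16LE.
$regContent = @"
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager]
"@
Set-Content -Path $RegFileOut -Value $regContent -Encoding Unicode
Write-Host "Wrote deletion .reg file to $RegFileOut (deploy via GPO or software distribution)."

if ($ReportOnly) { return }

# 5. Remove the key locally (no reboot needed) and verify it is gone.
Remove-Item -Path $KeyPath -Recurse -Force
if (Test-Path $KeyPath) {
    throw "Failed to remove $KeyPath"
}
Write-Host "Removed $KeyPath. Re-run Windows Update to confirm that 0x80070643 no longer occurs."
```

Use -ReportOnly on a first pass to see which hosts carry the artifact and to produce the .reg file without changing anything; the generated file is the same one you would distribute under option 2 above. Because the check in step 3 refuses to delete a key that contains anything beyond Start=4, the script fails safe if it is accidentally run on a host where WSL is installed but the feature query did not report it.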
Check
Afterwards, search for Windows updates again with the Windows Update agent: error 0x80070643 no longer appears, and the update run completes normally.
References