I rarely comment on any forum, but this topic is so critical and I've spent so many hours on it that I was compelled.
I am an A+CT and an MCSE. I've been in the business for close to thirty years. The first desktop computers I worked on were pre-IBM clone, when every computer was uniquely designed and built from the ground up by the manufacturer, software packages were written for each specific model, and many ran CP/M. Standard drives were 8" floppies with no hard drive, and many keyboards had each key hard wired so the cable going to the back of the unit was as round as your thumb. We're not talking dumb terminals (what today they more generously call 'thin clients' even though they're just as dumb), but standalone units, since many small businesses could barely afford the workstation itself let alone a network.
I need to first state that my situation is identical to warwagon's who started this thread: I am a break/fix technician working on primarily consumer and small business units, many still running Windows XP. A common process is to wipe the hard drive and re-install a clean copy of XP from scratch. These can be either manual re-installs or the running of a built-in recovery routine, the former being installed with an XP SP3 disk + case label COA, while the latter are almost exclusively SP2 and require the subsequent SP3 install. They are all clean installations with no viruses, etc. This is the scenario I'm addressing: if yours is different, then some or none of this may apply to you.
In any business, time is money. You don't have the time to jerk around with all kinds of patches, jumping through hoops, etc. You don't have time to start the update process and then go to bed and let it run overnight. The older machines with Northwood or even Willamette Celerons with tiny caches may never succeed even after an all night stand. And for quality of service, you cannot simply not update the machines or turn off automatic updates, like many think-they-ares, wish-they-weres weekend warrior amateurs and hacks helping elderly Aunt Mary with her machine or selling 're-installs' to unsuspecting consumers for $50 a crack have been doing for years. The pro MUST have a solution to do the job right. So those recommendations in this thread suggesting that or other elaborate and tedious time-consuming processes do not apply.
I have tried virtually all solutions in this thread. Most do nothing. Updating the certificates does nothing. WSUS runs the EXACT SAME ROUTINE as does the Windows Update site, only on your local machine. So, on such clean install machines I'm speaking of, WSUS also runs the CPU perpetually--same thing, been there, done that, have the tee shirt. Plus you have to keep creating new WSUS installs for each version of Windows each time MS releases new updates. Not a practical solution. Upgrading to IE8 does not itself solve the problem. Neither does MS fixit, running custom scripts, messing with .NET Framework, shutting off services in the console, etc etc yada yada. Remember, warwagon and myself need a quick, no nonsense solution that will work on EVERY XP clean re-install machine, no matter what the brand, over and over and over, time after time after time, then immediately on to the next. Many of the solutions suggested did not take this into account, but approached from a perspective of dealing with a single stubborn machine. Any solution that does not take this into account will not be workable to us. And please forgive me but those who suggested just upgrading to Windows 7 get the "I'm only impressing myself with my dumb answer" award because they did not read the original post or did not take the time to understand/comprehend its context or were too busy demonstrating how so much more clever they were than all these other 'stupid' people struggling with this real-world problem to even care. Nor have they probably had to continuously work on other people's machines in a professional context. Real techs must pay attention to every detail; amateurs and hobbyists do not.
I've tried many things over the last 6 months or so since this problem began, and tried all the fixes in this thread. However, the letter from the Microsoft employee of the Windows Update team another member posted combined with all the other acquired knowledge held the key for me. I have now over the last couple of weeks clean re-installed seven machines that went absolutely flawlessly and quickly every time, including various brands, a couple having recovery routines that required SP3 installed after, and even a Dell with recovery that was recently lamented over in here. Here's what I did. Remember, these are CLEAN fresh installs, no use by any user prior to this process:
1) Do none of the fixes you've read about here. If you have, you may need to do another clean install. It may very well be like the poor person who spent hours on the phone with their ISP support to get online and was told to mess with so many settings that you have to do a re-install just to get the machine back to a clean baseline.
2) Turn off Automatic Updates at the System Properties tab: no need to go into the mmc console.
3) Connect to the internet.
4) Install IE8 using the standard standalone installer IE8-WindowsXP-x86-ENU.exe.
5) During the IE8 setup wizard process, deselect the "Install Updates" option.
6) After completion and reboot (it should go fairly quickly), locate and install the LATEST "Cumulative Security Update for Internet Explorer 8 for Windows XP." To me, this was the kicker. The reason why many people failed with this suggestion was because they were coming into the thread and trying this update from previous months, which had already expired. Apparently, each time MS releases new updates for this patch (usually in the first two weeks of each month), something is also changed in the update process on the Windows Update site so that the previous month's cumulative patch is no longer 'synchronous' (for lack of a better term) with the current Windows Update Page routine. I learned this the hard way, but this is the ticket why so many failed when using the KB version cited in this thread--they had already expired.
7) Locate and install the updated Windows Update Installer Agent installer, of which there is only one version. Do a search for this file: windowsupdateagent30-x86.exe. Download and install it.
8) Reboot, then go to the Windows Update link and start the process. You'll be surprised how quick it is too!
9) After installing the first bulk round of updates and the computer reboots, you can now go back and turn on the Automatic Updates for your customer. You can go back to the WU site and get the rest. No more problems. This is not to say that the customer will subsequently install something else or otherwise mess with the settings that will screw up the update process, but if all related system elements stay clean, automatic updates will work as they should from then on.
10) Copy these files and a brief instruction file on flash drives and place one at every work bench. Tell employees that to remove it will result in at least three Biblical plagues that will inflict them and their descendants for uncounted generations.
11) Keep checking back to the MS site for a newer version of the "Cumulative Security Update for Internet Explorer 8 for Windows XP." Download and implement immediately. Remember, the Knowledge Base number for the file CHANGES WITH EACH NEW RELEASE! The KB number you'll see in these posts is likely already defunct when you encounter it. As of this writing, the current one is KB2898785 from I believe December 13. It's about to change again almost any day now.
As I said, this has worked EVERY TIME with a variety of machines with both clean installs and clean recoveries. Every time. I cannot say if this will work for everyone, nor can I say if it will work after some of the other suggestions have been executed and the OS is messed with. I can only tell you that it's working flawlessly, time after time, machine after machine in assembly line fashion. Simple, quick, uniform. Just the way warwagon, myself, and those like us need. Praise the Lord. Finally.