Windows update failing with error 80072f8f - It's not a time sync issue

Hi,

Windows Update is failing for 2 servers (Domain Controllers); it works for the other servers in the same domain. I checked the Windows Update logs and noticed the following -

Client version: Core: 7.6.7600.320  Aux: 7.6.7600.320
2015-02-02 Misc WARNING: Send failed with hr = 80072f8f.
2015-02-02 Misc WARNING: SendRequest failed with hr = 80072f8f. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-02-02 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <https://wsus2.xxxx.xx:8531/selfupdate/wuident.cab>. error 0x80072f8f
2015-02-02 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072f8f
2015-02-02 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f
2015-02-02 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072f8f
2015-02-02 Misc WARNING: Send failed with hr = 80072f8f.
2015-02-02 Misc WARNING: SendRequest failed with hr = 80072f8f. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-02-02 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <https://wsus2.xxxx.xx:8531/selfupdate/wuident.cab>. error 0x80072f8f
2015-02-02 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072f8f
2015-02-02 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f
2015-02-02 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072f8f

I have done the following checks -

i. SFC comes clean, Checksur reports no errors.

ii. Removed the WSUS self-signed certificate and did gpupdate /force to add the certificates back. The other servers are using the same certificate.

iii. I can access the link <https://wsus2.xxxx.xx:8531/selfupdate/wuident.cab> and can download the file.

iv. Online update through Microsoft update site works.

Please advise. Thanks in advance.

February 2nd, 2015 4:00am

0x80072f8f means some SSL error occurred.

Check proxy settings (in IE and WinHTTP) on the client.

Also check the event log for Schannel errors, make sure the client supports TLS and the certificate is trusted.

I've encountered similar issues where only updating through one Microsoft update once resolved (worked around) the issue (just because it updates the Windows Update Agent).


February 2nd, 2015 5:26am

2015-02-02 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <https://wsus2.xxxx.xx:8531/selfupdate/wuident.cab>. error 0x80072f8f

Why is SSL *ENABLED* on the Selfupdate v-dir?

Perhaps reading the docs and properly implementing SSL will help?

Secure WSUS with the Secure Sockets Layer Protocol

February 2nd, 2015 3:28pm

There is no proxy configured on the clients. I get the below result with the netsh winhttp command:

>netsh winhttp show proxy
Current WinHTTP proxy settings:
Direct access (no proxy server).

I get a certificate warning on the problematic client when I try to connect to https://wsus2.xxxx.xx:8531/selfupdate/wuident.cab; I don't get this on the working clients.

I have put the certificate in Trusted Root Certification Authorities & in Trusted Publishers (through GPO); the same certificate is used for other clients in the same domain and other managed domains (we are an MSP) and it works everywhere. Same policy targeting the domain

Windows Update Agent version on the client is 7.6.7600.320 and on the WSUS server it's 7.6.7600.256. The other working clients have version 7.6.7600.256.

Do you think version mismatch of Windows update agent is causing the issue?

Could you provide some inputs on the correct way to downgrade the agents?

Thanks



  • Edited by Prabhash K Jena Tuesday, February 03, 2015 9:22 AM Added more information
February 3rd, 2015 7:37am


This has been enabled from before I started here; however, it works for almost 150 servers & clients across different domains (we are an MSP). It's only these two servers where I have this issue.

Would you suggest some steps\checks which I can perform on the problematic client?

Thanks.

February 3rd, 2015 10:41am

This has been enabled from before I started here

That may be true; it's still configured incorrectly.

however it works for almost 150 servers & clients across different domains (We are MSP),

Somehow I doubt that it's actually working correctly.

Would you suggest some steps\checks which I can perform on the problematic client.

The problem is not on the client. The problem is on the ***WSUS SERVER***.

I provided a link to the documentation. My suggestion is that you read the documentation and follow the guidance provided in it and configure the SERVER correctly.

February 3rd, 2015 4:57pm

Hi Lawrence,

I checked the SSL settings. SSL is not enabled for the Selfupdate v-dir; in fact, SSL is not enabled for any v-dir. I ran the BPA on the WSUS role and it doesn't report any non-compliance.

I read through the article and as far as I could see the settings seem to be configured correctly, though there may be something which I could have missed as I am not an expert on WSUS. The event logs don't provide any hint either; I am clueless.

The two things which I notice different on WSUS clients are -

i. The Windows Update Agent is of a different version than that of the WSUS server.

ii. Accessing the https://wsus2.xxxx.xx:8531/selfupdate/wuident.cab link gives me a certificate warning which I don't get on other servers.

Thanks for your inputs so far.

Regards

Prabhash Jena


February 9th, 2015 4:36am


Hi,

I have managed to sort out this issue. It was a certificate issue on the WSUS client servers themselves.

On my WSUS server I have installed a certificate issued by Digicert and we have deployed a self-signed WSUS certificate on all WSUS clients. On the working servers the certification path was showing up correctly but on these 2 non-working servers the certification path was showing an error.

Out of way I went to the Digicert site on the servers which somehow fixed the certification path. I am not sure what it was and how it got corrupted initially.

Take away - Error 80072f8f is a certificate error. Please check all the relevant certificates and ensure all is in order before you troubleshoot any other component.

Regards

Prabhash Jena

April 4th, 2015 5:07am
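
Added example (not part of the original thread, and not code from any poster): a PowerShell check to run on an affected client that connects to the WSUS HTTPS endpoint and reports the certification path as that machine resolves it, element by element. The host name is a placeholder and the parameter names are made up for this example; port 8531 is the one shown in the logs above.

```powershell
# Added example. $WsusHost is a placeholder; replace it with your WSUS server name.
param(
    [string]$WsusHost = 'wsus.example.internal',
    [int]$Port = 8531
)

# 0x80072f8f is a Win32-facility HRESULT; its low word is WinHTTP error 12175
# (ERROR_WINHTTP_SECURE_FAILURE): the TLS/certificate layer rejected the connection.
"WinHTTP error code: {0}" -f (0x80072f8f -band 0xFFFF)

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($WsusHost, $Port)
    # Let the handshake complete whatever the server presents, but record the
    # policy errors (name mismatch, chain errors) that normal validation would raise.
    $record = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chainSeen, $errors)
        $script:policyErrors = $errors
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $record)
    $ssl.AuthenticateAsClient($WsusHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # $true = build against the local machine stores, the ones used by services
    # running as LocalSystem such as the Windows Update service.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    # Online revocation checking; an unreachable CRL shows up as RevocationStatusUnknown.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid = $chain.Build($cert)

    "Server certificate : $($cert.Subject)"
    "Handshake policy   : $script:policyErrors"
    "Chain valid here   : $valid"
    foreach ($el in $chain.ChainElements) {
        # Each element carries its own status flags (UntrustedRoot, NotTimeValid, ...)
        $flags = @($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $flags) { $flags = 'NoError' }
        "  {0}  [{1}]  expires {2:yyyy-MM-dd}" -f $el.Certificate.Subject, $flags, $el.Certificate.NotAfter
    }
}
finally {
    if ($ssl) { $ssl.Close() }
    $tcp.Close()
}
```

Running it on a working client and on a failing one and comparing the per-element status flags shows which certificate in the path the failing machine cannot validate.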
