Windows Server 2012 R2 WSUS not able to Sync Updates

Firhan Jailani 101 Reputation points
2020-08-08T16:28:31.037+00:00

Hi,

We have Windows Server 2012 R2 hosting a WSUS Server. WSUS synchronizations have been failing for weeks with the below error.

Some background: our WSUS Server is connected to the internet through a Proxy Server, and the proxy server only whitelists all the required Microsoft Windows Update URLs. I am not sure if it's due to the proxy or WSUS itself having an issue. I have tried to access all the URLs and I face the message "Active content removed Active content removed" and am subsequently redirected to another page, "Find Windows Update using your Start Screen". I believe if it's blocked by the proxy I will receive a totally different message from the Proxy Server itself. Could someone advise? Thanks in advance.

WSUS Sync error:

WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

Windows for business | Windows Server | User experience | Other

Accepted answer
  1. Firhan Jailani 101 Reputation points
    2020-08-27T08:34:19.38+00:00

    Hi All,

    Thanks for all the help. Unfortunately, none of the above has fixed my particular issue. I have installed the .NET Framework, installed all the above patches provided, and modified the registry, but nothing helps.

    I then found out it's because of the recent security fix which I have done. I have modified the Cipher Suite list from the below link to exclude some weak ciphers. It then broke the WSUS sync. After rolling back the changes, WSUS sync works fine again.
    https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls

    Anyway thanks all for the help!


9 additional answers

  1. Alexandre Nakagawa 1 Reputation point
    2020-08-19T21:47:21.87+00:00

    Same problem here.

    I have 3 WSUS servers (2 on 2012 R2 and 1 on 2016).

    I can sync / download from WSUS 2012 R2 using a 2016 WSUS as a server, but can't download directly from Microsoft.

    I tried to use reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1 for TLS, but it still does not work.

    Any alternative to download from the MU site?


  2. Rita Hu -MSFT 9,661 Reputation points
    2020-08-24T09:50:51.873+00:00

    Hi FirhanJailani-4766,

    Could we try to check the .NET version in the registry, as in the following picture:
    19730-10.png

    Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full

    If you haven't installed the latest Security and Quality Rollup for .NET Framework update for Windows Server 2012 R2 (KB4570508), it is recommended to install it first.

    Regards,
    Rita


  3. Greene, Joan 1 Reputation point
    2020-08-25T21:29:27.903+00:00

    Had the same issue and just fixed it. You need to add the following reg values in two places, then reboot.

    Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    Values: "SystemDefaultTlsVersions" = dword:00000001
    "SchUseStrongCrypto" = dword:00000001

    and

    Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
    Values: "SystemDefaultTlsVersions" = dword:00000001
    "SchUseStrongCrypto" = dword:00000001

    Hope this helps someone else.

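An added example, not part of any post in this thread and not Microsoft's code: a read-only PowerShell check of the two values named in the answer above for both .NET versions, plus the policy-configured cipher suite order that the accepted answer identified as the cause. The function names are hypothetical, and checking the 32-bit Wow6432Node view is an assumption that goes beyond what the answer lists.

```powershell
# Read-only audit: .NET TLS opt-in values and the policy cipher suite order.
# Added example; both function names are hypothetical, not built-in cmdlets.
function Get-DotNetTlsAudit {
    $roots    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'  # 32-bit view (assumption)
    $versions = 'v4.0.30319', 'v2.0.50727'
    $names    = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

    foreach ($root in $roots) {
        foreach ($ver in $versions) {
            $key   = Join-Path $root $ver
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            foreach ($name in $names) {
                $value = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
                [pscustomobject]@{
                    Key   = $key
                    Name  = $name
                    Value = $value            # $null means the value is not present
                    IsSet = ($value -eq 1)
                }
            }
        }
    }
}

function Get-PolicyCipherSuiteOrder {
    # The "SSL Cipher Suite Order" policy is stored under this key in the Functions value.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $props = Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue
    if (-not $props) { return }               # no policy override: the OS default order applies
    # Functions may be a comma-separated string or a multi-string; normalise to one suite per item.
    @($props.Functions) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

Get-DotNetTlsAudit | Format-Table -AutoSize

$suites = @(Get-PolicyCipherSuiteOrder)
if ($suites.Count -eq 0) {
    'No cipher suite policy override is configured.'
} else {
    # Save the current order before editing it, so a change can be compared and rolled back.
    $backup = Join-Path $env:TEMP ('cipher-suites-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    $suites | Set-Content -Path $backup
    "Saved $($suites.Count) configured suites to $backup"
}
```

Running it before and after a cipher suite change gives two saved lists that can be compared with `Compare-Object` if synchronization starts failing.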

  4. Rita Hu -MSFT 9,661 Reputation points
    2020-08-26T06:43:40.373+00:00

    Hi FirhanJailani-4766,

    We could check whether KB4022720 is installed on the Windows Server 2012 R2 (WSUS Server) or not. If it is not installed on the WSUS Server, it is recommended to install the update first. Then we could try to resync again to check whether this issue has been resolved or not.

    Note that KB4022720 has been replaced by the following updates:
    2017-07 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB4025336)
    2017-08 Update for Windows Server 2012 R2 for x64-based Systems (KB4039871)
    2017-07 Preview of Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB4025335)

    Reference picture:
    20308-17.png

    If there are any updates about the case, please let me know.

    Regards,
    Rita


    If the response is helpful, please click "Accept Answer" and upvote it.

