Windows Updates from WSUS failed over VPN

  • Question

  • I have a number of computers in a remote office. That office connects to the main office over VPN.

    Windows updates over VPN are failing. When I have the computer in the main office, the update service works fine. The computer can get updates from the WSUS server. However, when I move the same PC to the remote office and run Windows updates, it fails with error 80072efe. I can successfully connect from the same PC and download updates from the Microsoft site, but not from WSUS. When I look into the log file, this is what I see:

    failed to connect to: "http://server namwe:8530/selfupdate/wuident.cab"

    However, when I try to do it from the network where the WSUS server is located or over MPLS, the download for wuident.cab comes up. This means the server is operating without any problems.

    Can someone take a look at it and maybe give me an idea where to look for the problem? It might be our VPN connection but I am not sure.

    ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2017-08-17 10:07:17:818 1068 558 Agent *********
    2017-08-17 10:07:17:818 1068 558 Agent   * Online = Yes; Ignore download priority = No
    2017-08-17 10:07:17:818 1068 558 Agent   * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2017-08-17 10:07:17:818 1068 558 Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2017-08-17 10:07:17:818 1068 558 Agent   * Search Scope = {Machine}
    2017-08-17 10:07:17:818 1068 558 Setup Checking for agent SelfUpdate
    2017-08-17 10:07:17:818 1068 558 Setup Client version: Core: 7.6.7601.23806  Aux: 7.6.7601.23806
    2017-08-17 10:07:36:852 1068 558 Misc WARNING: Send failed with hr = 80072efe.
    2017-08-17 10:07:36:852 1068 558 Misc WARNING: SendRequest failed with hr = 80072efe. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2017-08-17 10:07:36:852 1068 558 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://server name:8530/selfupdate/wuident.cab>. error 0x80072efe
    2017-08-17 10:07:36:852 1068 558 Misc WARNING: WinHttp: DoFileDownload MakeRequest failed. error 0x80072efe
    2017-08-17 10:07:36:852 1068 558 Misc WARNING: DownloadFileInternal failed for http://server namwe:8530/selfupdate/wuident.cab: error 0x80072efe
    2017-08-17 10:07:36:852 1068 558 Setup FATAL: DownloadCab failed, err = 0x80072EFE
    2017-08-17 10:07:36:852 1068 558 Setup WARNING: SelfUpdate check failed to download package information, error = 0x80072EFE
    2017-08-17 10:07:36:852 1068 558 Setup FATAL: SelfUpdate check failed, err = 0x80072EFE
    2017-08-17 10:07:36:853 1068 558 Agent   * WARNING: Skipping scan, self-update check returned 0x80072EFE
    2017-08-17 10:07:36:853 1068 558 Agent   * WARNING: Exit code = 0x80072EFE
    2017-08-17 10:07:36:853 1068 558 Agent *********
    2017-08-17 10:07:36:853 1068 558 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2017-08-17 10:07:36:853 1068 558 Agent *************
    2017-08-17 10:07:36:853 1068 558 Agent WARNING: WU client failed Searching for update with error 0x80072efe
    2017-08-17 10:07:36:853 1068 8b0 AU >>##  RESUMED  ## AU: Search for updates [CallId = {431C838E-EE3E-49B7-9183-0F1F9A80098D}]
    2017-08-17 10:07:36:853 1068 8b0 AU   # WARNING: Search callback failed, result = 0x80072EFE
    2017-08-17 10:07:36:853 1068 8b0 AU   # WARNING: Failed to find updates with error code 80072EFE
    2017-08-17 10:07:36:853 1068 8b0 AU #########
    2017-08-17 10:07:36:853 1068 8b0 AU ##  END  ##  AU: Search for updates [CallId = {431C838E-EE3E-49B7-9183-0F1F9A80098D}]
    2017-08-17 10:07:36:853 1068 8b0 AU #############
    2017-08-17 10:07:36:853 1068 8b0 AU Successfully wrote event for AU health state:0
    2017-08-17 10:07:36:853 1068 8b0 AU AU setting next detection timeout to 2017-08-17 15:05:55
    2017-08-17 10:07:36:854 1068 8b0 AU Setting AU scheduled install time to 2017-08-17 16:00:00
    2017-08-17 10:07:36:854 1068 8b0 AU Successfully wrote event for AU health state:0
    2017-08-17 10:07:36:854 1068 8b0 AU Successfully wrote event for AU health state:0
    2017-08-17 10:07:41:853 1068 558 Report REPORT EVENT: {32FA1A3D-965A-4764-9439-AE0E44C80062} 2017-08-17 10:07:36:852-0400 1 148 101 {D67661EB-2423-451D-BF5D-13199E37DF28} 1 80072efe SelfUpdate Failure Software Synchronization Windows Update Client failed to detect with error 0x80072efe.
    2017-08-17 10:07:41:859 1068 558 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
    2017-08-17 10:07:41:859 1068 558 Report WER Report sent: 7.6.7601.23806 0x80072efe(0) 67661EB-2423-451D-BF5D-13199E37DF28 Scan 1 0 SelfUpdate {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} 0

    Thursday, August 17, 2017 2:21 PM

All replies

  • Hi Sir,

    >>WinHttp: SendRequestUsingProxy failed for 

    Have you checked whether the following URL can be opened from the client side:

    http://WsusServerName:8530/ClientWebService/client.asmx

     

    In addition, it is recommended to use a local update server for update downloading:

    https://social.technet.microsoft.com/Forums/office/en-US/4791a298-e0c6-49ba-b7cd-d09636780299/wsus-and-updates-via-vpn?forum=winserverwsus

     

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Elton_Ji Friday, September 15, 2017 8:52 AM
    Friday, August 18, 2017 8:33 AM
  • You should use the FQDN instead of just the HOSTNAME in the GPO. This way regardless of where the client is, the server's location will be able to be resolved over VPN.

    The above answers your question, but at the same time I'd like to bring to your attention my script for maintenance of WSUS. It keeps WSUS operating at peak efficiency and improves the speed!

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Can I also suggest that you set up SSL on your WSUS Server:


    SSL Setup
    ---------------------------------------------

    I follow a really smart guy named Emin Atac (he was the one who helped me develop part of my WSUS Script) and he posted something that was enlightening in all regards with regards to WSUS and MITM attacks and how relatively easy it would be to compromise a network.

    Black Hat USA 2015 - WSUSpect Compromising The Windows Enterprise Via Windows Update (Video here: https://www.youtube.com/watch?v=mU8vw4gRaGs). It is worth the watch as they explain exactly how to take over a network by just having access to it.

    https://p0w3rsh3ll.wordpress.com/2015/11/24/switch-wsus-to-https/

    Official MS TechNet article for SSL for WSUS

    https://technet.microsoft.com/library/hh852346.aspx#bkmk_3.5.ConfigSSL


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Saturday, September 2, 2017 4:19 AM
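
The checks suggested in the two replies above (open the WSUS URLs from the client, use the FQDN in the GPO, move WSUS to HTTPS), collected into one client-side script as an added example that is not part of the thread. It assumes the WSUS address reaches the client through the standard Windows Update policy values `WUServer` and `WUStatusServer`; the function name `Test-WsusPolicyUrl` is made up for this example.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later; run on the affected client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # where the WSUS GPO lands
$paths     = '/selfupdate/wuident.cab', '/ClientWebService/client.asmx'  # URLs named in the thread

function Test-WsusPolicyUrl {
    param([string]$Setting, [string]$Url)
    $r = [ordered]@{ Setting = $Setting; Url = $Url; IsFqdn = $false; IsHttps = $false
                     Resolves = $false; TcpOpen = $false; Http = @() }
    if (-not $Url) { $r.Url = '(not set by policy)'; return [pscustomobject]$r }

    $uri = [Uri]$Url
    # A single-label host depends on the client's DNS suffix list, which can differ on the VPN side.
    $r.IsFqdn  = ($uri.HostNameType -eq 'Dns') -and $uri.Host.Contains('.')
    # Plain HTTP leaves update metadata open to tampering in transit (the WSUSpect talk's subject).
    $r.IsHttps = $uri.Scheme -eq 'https'

    # Step 1: name resolution from this network.
    try { $r.Resolves = ([System.Net.Dns]::GetHostAddresses($uri.Host)).Count -gt 0 } catch { }

    # Step 2: TCP connect to the configured port, with a 5 second limit.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $tcp.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne(5000)) {
            $tcp.EndConnect($pending)
            $r.TcpOpen = $tcp.Connected
        }
    } catch { } finally { $tcp.Close() }

    # Step 3: HTTP GET of the two paths; any status code means the request crossed the tunnel.
    foreach ($p in $paths) {
        $target = $uri.GetLeftPart([UriPartial]::Authority) + $p
        try {
            $req = [System.Net.WebRequest]::Create($target)
            $req.Timeout = 10000
            $resp = $req.GetResponse()
            $r.Http += "$p -> $([int]$resp.StatusCode)"
            $resp.Close()
        } catch { $r.Http += "$p -> FAILED: $($_.Exception.Message)" }
    }
    [pscustomobject]$r
}

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
'WUServer', 'WUStatusServer' |
    ForEach-Object { Test-WsusPolicyUrl -Setting $_ -Url $policy.$_ } |
    Format-List
```

Running it once in the main office and once in the remote office shows which step (DNS, TCP, or HTTP) differs between the two networks.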