locked
WSUS SYNCRONIZATION ERROR RRS feed

  • Question

  • Today my wsus shows the next error when it tries to synchronize:

    WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

    Friday, April 7, 2017 6:51 PM

All replies

  • Hi Jose Daniel Rofriguez,

    1. What is the version of the WSUS server, if it's WSUS 3.0, please check if it is version .274, if not, please install KB2938066 to upgrade the WSUS server; if it's WSUS 4.0, please check if it installs KB3095113 and KB3159706(with manual steps listing in KB3159706), if not, please install them;

    2. Please check the WSUS event log, check if there is event 364, if yes, this log may record the detailed reason of the failure, please show us the event details;

    3. Also check if the WSUS server is fully patched;

    4. Try restart the WSUS server, check if it could help.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.




    Monday, April 10, 2017 2:32 AM
  • Hi

    1-) I have WSUS version 6.3.9600.18228

    2-) In the event log,  show the event 10022 "The last catalog synchronization attempt was unsuccessful."

    3-) When trying to update the server by windows update shows the following error: 80245006 

    4-) Try restarting but still the same

    Regars,

    Monday, April 10, 2017 3:54 PM
  • Hi Jose Daniel Rodrguez,

    >3-) When trying to update the server by windows update shows the following error: 80245006 

    What about installing KB3095113 and KB3159706 manually, will it be installed successfully?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, April 11, 2017 2:35 AM
  • Hi Anne,<o:p></o:p>

     

    3-) When I try to manually install this update, it gives me the following error.

    "the upgrade patch cannot be installed by the windows installer service because the program to be upgrade patch may update a different version of the program. Verify that the program to be upgrade exists on your computer and that you have the correct upgrade patch"

    Restart windows updates components but give me the same error<o:p></o:p>

    <o:p></o:p>

    Tuesday, April 11, 2017 2:13 PM
  • I am getting this exact same thing, same version of WSUS, same event error. Restarted, patched, failing sync. I am able to do a manual Windows Update, but nothing related to WSUS or much of anything there.. I had a successful sync last night at midnight and every time before that, but everything after has failed. 

    Curt Kessler - FLC

    Tuesday, April 11, 2017 6:41 PM
  • I have a Windows 2012 R2 server with WSUS server version 6.3.9600.18324 that is currently unable to perform a successful sync with the "Upgrades" classification enabled. If I disable the "Upgrade" classification, the WSUS server will sync successfully. However, since I assume the Creators update will be listed in the upgrade classification, I am currently unable to get that upgrade downloaded to my WSUS server.
    Tuesday, April 11, 2017 7:01 PM
  • I just tried your disable Upgrades trick and that seems to work to get the normal patches flowing! Thank you! I  I guess WSUS will not update the machines to CU in it's current state. It seems we had something like this on 1511 but can't quite remember the details. 

    I have my WSUS set to update WSUS, I wonder why my software seems so much older that yours? That makes me nervous. 

    Also, I figured maybe this was an error in manual updating, but the scheduled time just happened and it failed on that as well.

    It was working perfectly well up until this morning, no changes on the server or configurations, so I'm wondering if they changed something on the back end that broke this to accommodate CU?

    I've stopped and started services, rebooted, let Windows update run, but it's dead in the water, on Patch Tuesday, and with Creator's update inbound. 


    Curt Kessler - FLC

    Tuesday, April 11, 2017 7:17 PM
  • I have a Windows 2012 R2 server with WSUS server version 6.3.9600.18324 that is currently unable to perform a successful sync with the "Upgrades" classification enabled. If I disable the "Upgrade" classification, the WSUS server will sync successfully. However, since I assume the Creators update will be listed in the upgrade classification, I am currently unable to get that upgrade downloaded to my WSUS server.
    Thanks for posting this.  Unchecking "upgrades" got my 2012 R2 WSUS server back in business as well.
    Tuesday, April 11, 2017 7:17 PM
  • Exactly the same here. WSUS 6.3.9600.18324 on 2012R2, about 10 failed manual sync attempts in the last hour with service restarts, server reboots, WSUS reindex script etc. between. Now after disabling "Upgrades" category sync works.

    Where are the times when there was a QA at Microsoft ...

    Tuesday, April 11, 2017 7:18 PM
  • I have a Windows 2012 R2 server with WSUS server version 6.3.9600.18324 that is currently unable to perform a successful sync with the "Upgrades" classification enabled. If I disable the "Upgrade" classification, the WSUS server will sync successfully. However, since I assume the Creators update will be listed in the upgrade classification, I am currently unable to get that upgrade downloaded to my WSUS server.

    Thanks for posting this.  Unchecking "upgrades" got my 2012 R2 WSUS server back in business as well.

    You're welcome... I can also confirm that this same problem occurs using a Windows 2016 server with WSUS version 10.0.14393.969
    Tuesday, April 11, 2017 7:20 PM
  • Can solve the problem, the firewall was blocking the updates

    THANKS FOR YOUR HELP

    REGARDS

    Tuesday, April 11, 2017 7:40 PM
  • Do you know what attributes a firewall needs to change to allow? We previously had an issue with an allow range connection for Office 365 updates that sounds similar. 

    Curt Kessler - FLC

    Tuesday, April 11, 2017 8:22 PM
  • If youre not able to use Windows 10 Upgrades, have you installed this?: https://support.microsoft.com/en-us/help/3095113/update-to-enable-wsus-support-for-windows-10-feature-upgrades

    NN

    Wednesday, April 12, 2017 8:10 AM
  • If youre not able to use Windows 10 Upgrades, have you installed this?: https://support.microsoft.com/en-us/help/3095113/update-to-enable-wsus-support-for-windows-10-feature-upgrades

    NN

    Yes. I even successfully upgraded my users from 1511 to 1607 on this server. Since yesterday, having the upgrades classification enabled prevents the server from syncing. Other people are having this problem too.

    I re-enabled the upgrades classification and tried a sync this morning. It completed successfully.

    • Edited by wirt's leg Wednesday, April 12, 2017 12:12 PM
    Wednesday, April 12, 2017 12:00 PM
  • Same here, we upgraded to 1607 fine on WSUS last time for all our PC's. This seems unique to 1703's arrival. I re-enabled Upgrades as well and it looks to be syncing now, at least it's downloading something :-). Will post update if it finishes successfully. 

    Curt Kessler - FLC

    Wednesday, April 12, 2017 3:28 PM
  • I approved the upgrades and agreed to the EULA in WSUS. So far two machines have reported in and both are failing. The error is:

    Feature update to Windows 10 Pro, version 1703, en-us, Retail
    Event reported at 4/12/2017 11:08 AM:
    (Unable to Find Resource:) ReportingEvent.Client.167; Parameters: Feature update to Windows 10 Pro, version 1703, en-us, Retail

    Ugh. Hopefully these are isolated. 


    Curt Kessler - FLC

    Wednesday, April 12, 2017 6:27 PM
  • Second machine has a slightly different error in the log:

    Installation Failure: Windows failed to install the following update with
    error 0x8024200d: Feature update to Windows 10 Pro, version 1703, en-us, Retail


    Curt Kessler - FLC

    Wednesday, April 12, 2017 6:28 PM
  • So far all 9 machines that have attempted have failed. 

    Curt Kessler - FLC

    Wednesday, April 12, 2017 8:17 PM
  • Looks like it's failing on all installs, 22 fails, 14 pending, 38 more to report in. No successful upgrades. :-(

    Curt Kessler - FLC

    Wednesday, April 12, 2017 11:40 PM
  • Hi Anne,<o:p></o:p>

     

    3-) When I try to manually install this update, it gives me the following error.

    "the upgrade patch cannot be installed by the windows installer service because the program to be upgrade patch may update a different version of the program. Verify that the program to be upgrade exists on your computer and that you have the correct upgrade patch"

    Restart windows updates components but give me the same error<o:p></o:p>

    <o:p></o:p>

    Hi Jose Daniel Rodriguez,

    >1-) I have WSUS version 6.3.9600.18228

    Sorry for my mistake, since you are on Server 2012R2 (WSUS 4.0), we need to install KB3095113 and KB3159706(with manual steps).

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 13, 2017 2:40 AM
  • So far, 100% failure rate. Again, we successfully upgraded all earlier major builds. Those KB articles are out of date for what we have. 

    Curt Kessler - FLC

    Thursday, April 13, 2017 3:18 PM
  • Hi CurK-CA,

    It's better to open a new post for your case, so that you may get better help.

    Besides, in my test lab, I could sync successfully, and even with 1703 upgrade, I sync the 1703 upgrade into my WSUS server and deploy it to win10 clients successfully, so far, I haven't meet issues. I tested on Server 2012R2 with KB3095113 and KB3159706, and Server 2016.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 14, 2017 1:59 AM
  • So far, 100% failure rate. Again, we successfully upgraded all earlier major builds. Those KB articles are out of date for what we have. 

    Curt Kessler - FLC

    Similiar issue here.  We have all the old KB's installed and we have sucessfully upgraded clients form 1511 -> 1607 through WSUS in the past.  However 1703 does not even show up on the clients even though it is approved in WSUS.  WSUS also reports 0 comptuers needing this update even though we have 40+ on 1607 currently.

    Friday, April 14, 2017 4:57 PM
  • On ours we show the update ready and all 86 desktop workstations report requiring the update. But this is the error we see in WSUS:

    (Unable to Find Resource:) ReportingEvent.Client.167; Parameters: Feature update to Windows 10 Pro, version 1703, en-us, Retail

    We have a couple we manually updated through the media creation tool, those worked, plus are receiving WSUS updates for that build. It's just the auto-1703 update won't work. All other updates are fine now. 


    Curt Kessler - FLC

    Friday, April 14, 2017 5:12 PM

  • Similiar issue here.  We have all the old KB's installed and we have sucessfully upgraded clients form 1511 -> 1607 through WSUS in the past.  However 1703 does not even show up on the clients even though it is approved in WSUS.  WSUS also reports 0 comptuers needing this update even though we have 40+ on 1607 currently.

    We have a registry setting established via group policy on our Win7 boxes. . . if you have something similar on your Win10 ones, I'd expect the above behavior:

    Software\Policies\Microsoft\Windows\WindowsUpdate\DisableOSUpgrade 1

    Maybe something similar in group policy in your environment?

    Friday, April 14, 2017 10:16 PM
  • I've checked this, but we never block updates--all machines are permitted to download and install. We successfully upgraded to Anniversary edition via WSUS last go round and it was pretty smooth. It's this new one that has failed universally. Now all machines have reported failing. 

    Curt Kessler - FLC

    Monday, April 17, 2017 6:27 PM
  • FYI - There is a pre-req to get the Creator Update and it appears that pre-req (KB4013214) hasn't released to WSUS.  I posted about it on SpiceWorks:

    https://community.spiceworks.com/topic/1984716-wsus-won-t-offer-win-10-pro-update-1703-or-cu-says-pcs-needing-update-0?page=1

    For now either find the pre-req and manually update or just wait.

    -Allan

    Monday, April 17, 2017 6:44 PM
  • Can solve the problem, the firewall was blocking the updates

    THANKS FOR YOUR HELP

    REGARDS

    Hi Jose Daniel Rofriguez,

    Since you have solved your issue, you may mark the solution as answer, so that the reply can be highlighted.

    At the same time, for those who still have issue with this topic, it's recommended to open a new case, so that you may get better help.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 18, 2017 2:09 AM
  • Anne or Jose, do you know what firewall blocks were causing this? If it's the answer it would be great to know what that was. thanks! 

    Curt Kessler - FLC

    Wednesday, April 19, 2017 3:27 PM
  • Anne or Jose, do you know what firewall blocks were causing this? If it's the answer it would be great to know what that was. thanks! 

    Curt Kessler - FLC

    Hi CurtK-CA,

    Firewall requirements for Microsoft Update:

    https://technet.microsoft.com/en-us/library/bb693717.aspx

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 20, 2017 2:29 AM