FirhanJailani-4766 asked FirhanJailani-4766 answered

Windows Server 2012 R2 WSUS not able to Sync Updates

Hi,

We have Windows Server 2012 R2 hosting WSUS Server. WSUS synchronizations have been failing for weeks with the below error.

Some background: our WSUS Server is connected to the internet through a proxy server, and the proxy server only whitelists the required Microsoft Windows Update URLs. I am not sure if it's due to the proxy or WSUS itself having an issue. I have tried to access all the URLs and I face the message "Active content removed Active content removed" and am subsequently redirected to another page, "Find Windows Update using your Start Screen". I believe if it's blocked by the proxy I will receive a totally different message from the proxy server itself. Could someone advise? Thanks in advance.

WSUS Sync error:

WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

windows-server-update-services

Hi FirhanJailani-4766,


We could try the following steps to check the health of the WSUS role first:
Open CMD as an administrator and navigate to the wsusutil.exe tool. Then enter the command "wsusutil.exe checkhealth"
wsusutil.exe tool's location:
C:\Program Files\Update Services\Tools


We could check for the report on Event Viewer.
Reference picture:
16608-1.png


Regards,
Rita

0 Votes 0 ·

Hi Rita,

Thanks for your assistance. I receive the usual event when the update sync fails, as per below.

16942-wsus.png


0 Votes 0 ·

I'm having this problem as well. I detailed my troubleshooting on this reddit post: https://www.reddit.com/r/sysadmin/comments/iesr8r/wsus_certificate_validation_error/

The crux of the issue is that WSUS is reporting these errors:

2020-08-22 14:29:24.553 UTC Warning WsusService.37 WindowsUpdateCertificatePolicy.VerifyPolicy The given certificate chain has not a Microsoft Root CA signed root (800B0109)
2020-08-22 14:29:24.553 UTC Error WsusService.37 ServerCertificateValidator.VerifyServerCertificate The server certificate did not comply with the following policy: WindowsUpdateCertificatePolicy

Weirdly enough, the server in question, sws.update.microsoft.com, has a valid certificate that is signed by a MS Root CA.

0 Votes 0 ·
FirhanJailani-4766 answered

Hi All,

Thanks for all the help. Unfortunately, none of the above has fixed my particular issue. I have installed the .NET Framework, installed all the above patches provided, and modified the registry, but nothing helps.

I then found out it's because of the recent security fix which I have done. I have modified the Cipher Suite list from the below link to exclude some weak ciphers. It then broke the WSUS sync. After rolling back the changes, WSUS sync works fine again.
https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls

Anyway thanks all for the help!
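To check a cipher suite change like the one described in this answer before and after applying it, the following added example (not part of the original post) prints the cipher suite order policy and then probes the sync endpoint named earlier in the thread, once per TLS version. The function name `Test-TlsEndpoint` is hypothetical, and the request uses the current user's proxy settings, which are assumed to match what WSUS uses.

```powershell
# Added example: show the cipher suite order policy, then probe the endpoint per protocol.
# Standard Group Policy location for "SSL Cipher Suite Order".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
if ($policy) {
    'Cipher suite order set by policy:'
    ($policy -split ',') | ForEach-Object { "  $_" }
} else {
    'No cipher suite order policy set; Schannel defaults apply.'
}

function Test-TlsEndpoint {   # hypothetical helper name
    param([string]$Uri, [Net.SecurityProtocolType]$Protocol)
    $previous = [Net.ServicePointManager]::SecurityProtocol
    try {
        [Net.ServicePointManager]::SecurityProtocol = $Protocol
        $req = [Net.WebRequest]::Create($Uri)          # uses the current user's proxy settings
        $req.Method = 'HEAD'
        $req.KeepAlive = $false
        $req.ConnectionGroupName = "probe-$Protocol"   # never reuse an earlier connection
        $req.Timeout = 15000
        $req.GetResponse().Close()
        'handshake ok'
    } catch {
        # PowerShell wraps the .NET exception; unwrap to the WebException.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex) { "error: $($_.Exception.Message)" }
        # An HTTP status means a response came back; confirm it is from the
        # endpoint and not from the proxy.
        elseif ($ex.Status -eq 'ProtocolError') { "HTTP $([int]$ex.Response.StatusCode) returned" }
        else { "failed: $($ex.Status)" }   # e.g. SendFailure, SecureChannelFailure
    } finally {
        [Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

# Host name taken from the thread.
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    '{0,-6} {1}' -f $p, (Test-TlsEndpoint -Uri 'https://sws.update.microsoft.com/' -Protocol $p)
}
```

A `SendFailure` or `SecureChannelFailure` on every protocol after trimming the list suggests that no remaining suite is accepted by the server, which matches the "unexpected error occurred on a send" exception in the question.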


RitaHu-MSFT answered FirhanJailani-4766 commented

Hi FirhanJailani-4766,


Please help to follow the below pictures to check whether there are any other Event ID on the Windows Server 2012R2.

Open the Event Viewer and create a custom View:
16976-1.png

And then filter out the Event ID information as the following picture:
16977-2.png

In addition, please help to confirm whether the KB3159706 update has been installed on the Windows Server 2012R2 or not? If not, please try to install it first. To apply this update in Windows Server 2012 R2, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed.
Reference link: https://support.microsoft.com/en-us/help/3159706/update-enables-esd-decryption-provision-in-wsus-in-windows-server-2012


Regards,
Rita



Hi Rita,

If I filter eventvwr with the above, all I can see is error 10032 and 10022.

I have tried to download KB3159706 from the below link. However, upon running it, there's a prompt: "The update is not applicable to your computer". Is this update necessary?
https://www.catalog.update.microsoft.com/Search.aspx?q=kb3159706

0 Votes 0 ·
AJTek-Adam-J-Marshall answered AJTek-Adam-J-Marshall edited

Also, for some history, KB3159706 supersedes KB3148812 because KB3148812 did not do what it was intended to do. It was re-released under the new KB shortly after KB3148812 was released. It was then silently (because it's not superseded) embedded into the Cumulative updates.

I'm sorry. I was confusing 2 KB's - KB3148812 was the one that was released and then shortly later KB3159706 was released. It was NOT KB2919355


Hi AJTek-Adam-J-Marshall,


Thanks for taking the time to share on this forum. I missed the above information totally.


Thanks for your time. Hope you have a good day.


Regards,
Rita

1 Vote 1 ·

Hi AJTek-Adam-J-Marshall,

Thanks for your advice. KB2919355 has already been installed though. Is there any advice for the above issue? Could it be a proxy issue? How can we confirm?


Thanks,

0 Votes 0 ·

Hi FirhanJailani-4766,


Have you ever tried to configure the IIS on the WSUS Server? If not, we could try to configure the IIS as in the following link:
https://support.microsoft.com/en-us/help/4490414/windows-server-update-services-best-practices

17258-1.png


Before the usage of WSUS, we recommend to configure the IIS first. This is essential for WSUS. If it's the first sync, it is not recommended to select too many products and classifications. This is not conducive to synchronization.


Regards,
Rita

0 Votes 0 ·
AJTek-Adam-J-Marshall answered RitaHu-MSFT rolled back

I'm sorry. I was confusing 2 KB's - KB3148812 was the one that was released and then shortly later KB3159706 was released. It was NOT KB2919355


Hi AJTek-Adam-J-Marshall,


The KB3148812 was replaced with KB3159706.

In addition, the KB3095113 and KB3159706 are required for syncing Upgrades classification in WSUS 6.2 and 6.3. But, both KB 3095113 and KB 3159706 are included in the Security Monthly Quality Rollup starting in July 2017. This means we may not see KB 3095113 and KB 3159706 as installed updates since they may have been installed with a rollup. So it is not related to these updates.


Regards,
Rita

0 Votes 0 ·
alexandrenakagawa answered

Same problem here.

I have 3 WSUS servers (2 on 2012 R2 and 1 on 2016).

I can sync / download from WSUS 2012 R2 using a 2016 WSUS as a server, but can't download directly from Microsoft.

I tried to use reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1 for TLS, but it still does not work.

Any alternative to download from the MU site?

RitaHu-MSFT answered RitaHu-MSFT edited

Hi FirhanJailani-4766,


Could we try to check the .net version as the following picture in the registry:
19730-10.png

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full

If you haven't installed the latest Security and Quality Rollup for .NET Framework update for the Windows Server 2012R2(KB4570508), it is recommended to install it first.


Regards,
Rita




GreeneJoan-8634 answered

Had the same issue and just fixed it. You need to add the following reg values in two places, then reboot.


Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Values: "SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

and

Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
Values: "SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

Hope this helps someone else.
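To confirm what is actually set before and after applying the values from this answer, here is an added example (not part of the original post) that audits both subkeys. It also checks the `Wow6432Node` copies of the same keys, which the answer does not list but which 32-bit .NET processes read on a 64-bit server.

```powershell
# Added example: audit the .NET Framework TLS opt-in values named in the answer above.
$names    = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'
$versions = 'v2.0.50727', 'v4.0.30319'
$roots    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'   # 32-bit view, not in the answer

$report = foreach ($root in $roots) {
    foreach ($ver in $versions) {
        $key   = Join-Path $root $ver
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $names) {
            # Distinguish "value absent" from "value present but 0".
            $value = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
            [pscustomobject]@{
                Key   = $key
                Name  = $name
                Value = if ($null -eq $value) { '(not set)' } else { $value }
                OptIn = ($value -eq 1)
            }
        }
    }
}
$report | Format-Table -AutoSize

# Rows that still need the value from the answer (dword 1).
$missing = @($report | Where-Object { -not $_.OptIn })
"Keys/values not opted in: $($missing.Count)"

# What this PowerShell session, itself a .NET Framework 4 process, will offer.
# The registry values are read at process start, so run this in a new session
# after changing them.
"Effective SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
```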






RitaHu-MSFT answered RitaHu-MSFT edited

Hi FirhanJailani-4766,


We could check whether KB4022720 is installed on the Windows Server 2012 R2 (WSUS Server) or not. If it is not installed on the WSUS Server, it is recommended to install the update first. Then we could try to resync to check whether this issue has been resolved or not.


Note that the KB4022720 has been replaced by the following updates:
2017-07 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB4025336)
2017-08 Update for Windows Server 2012 R2 for x64-based Systems (KB4039871)
2017-07 Preview of Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB4025335)


Reference picture:
20308-17.png


If there are any updates about the case, please let me know.


Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.


RitaHu-MSFT answered

Hi GreeneJoan-8634,


Thanks for your sharing on this forum.


I did find the above steps about enabling TLS 1.2 on the clients at this link. These subkeys are helpful to configure for strong cryptography, as in the following picture:
20370-18.png


But we should also install the .NET framework updates to upgrade to version 4.6.2 and later to support TLS 1.1 and TLS 1.2. Please refer to the following picture:
20310-19.png

Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.

