HOWTO: Fixing Windows Update Error Code 80072F8F

This error can have a number of different symptoms, including Information messages in the event log: “Event id 1001 WindowsUpdateFailure”. Looking at event log entries and the generated text file that goes with it do not really help unfortunately.

Some background on Windows Update – on Windows 7, Vista and Windows Server 2008, Windows Update is available via the Control Panel. The update process also has a corresponding service, Windows Update, that can automatically download and install updates for you. The update process uses the folder:

C:\Windows\SoftwareDistribution

(or wherever your Windows folder is) to store all updates prior to installing them on your OS. The update process connects to the Microsoft Windows Update site via http://www.update.microsoft.com:443, and this is where the process sometimes trips up. As it is using a secure SSL transaction, it needs to be able to trust the certificate being used. Put very simply, there are two primary checks that are done:

  1. Validate that the time is correct (at least within a couple of minutes)
  2. Validate that the SSL certificates being used are trusted

The error code 80072F8F is associated with the following error message: “Your computer’s date and
time appear to be out of sync with an update certificate.”. Following are some possible fixes to resolve the issue.

1. Check Your Computer Date and Time

You can do this via control panel, or clicking  the clock in the taskbar. Verify that the time is correct using a third-party website (such as The World Clock). Most PCs and servers can be synced with an external time server to ensure accuracy.

If the PC/server is a member of a windows domain, you possibly won’t be able to change the date and time. But at least verify that the time is correct. Within a couple of minutes (+/- 5 as a general rule) should be OK.

2. Check Your Trusted Site Certificate Authorities

If the SSL certificate being used to connect to the microsoft site is not trusted, the connection will fail with the dreaded 80072F8F error code. You can check if this is an issue by going to the Microsoft website via SSL instead of the normal HTTP connection. If you get a certificate error when visiting this page, then your pc/server does not trust the certificate being used. Usually this means you are missing the following trusted authority certificate for:

GTE CyberTrust Global Root

You can install the latest trusted certificate authorities by downloading and running the November 2009 Update for Root Certificates. PLEASE NOTE: the download has no user interface when installing, but it does install the certificates correctly. All certificates are installed in the Trusted Root Certification Authorities area for your Local Computer.

3. Proxy Server Certificates

This is the more unusual case. Some web proxy servers have their own certificates installed, and these can be used on your behalf to authenticate with websites via SSL. On one particular occasion the test environment I was working in had it’s own Server OS build, which did not include the organisational trusted authority certificate. All web connections were via the web proxy server, which automatically applied the proxy server’s custom certificate. This meant that the Server OS I was using did not trust the web proxy certificate, which invalidated the SSL connection and displayed the error code above.

To fix this issue, you need to obtain the Trusted Authority Certificate that the web proxy server SSL certificate is using and install that in the Trusted Root Certification Authorities certificate list. In my case it was available from the Windows Certificate Services server itself. This should resolve the issue in most cases.

The Windows Update Support web site has a list of common errors generated by Windows Update, along with other workarounds for issues. An older page on the technet site contains a list of Windows Update Error Codes.

Advertisements

17 Responses to “HOWTO: Fixing Windows Update Error Code 80072F8F”

  1. windose Says:

    thank you for your post; i solved my issue @ step 1 “Check Your Computer Date and Time” : )

  2. Arcker Says:

    Hi,
    Thx you so much for the SSL tip. I was blocked and after rootca update, evrything worked fine 🙂

  3. Darren Says:

    This fixed my problem in Windows7 too. My root certificates were messed up.

  4. Joseph sumith Says:

    It did not solve my problem Error ID = 0xC00D11BA, Condition ID = 0x00000000
    ERROR CODE : 80072F8F

    • gavinmckay Says:

      Hi Joseph,

      I’m sorry it didn’t help. Are there any other errors in your event log? Also check that you have enough disk space on your C: drive, updates can consume a lot of space.

      Gavin.

  5. Dave Says:

    After fighting this error for weeks and trying every solution on the web I could find I FINALLY found a setting on my firewall that was causing my issue. Found a setting under web security called “Transmite Mode Skiplist” that allowed: “IPs, listed here will not be subject to the transparent interception of HTTP/S traffic”

  6. Shawna Duncan Says:

    This is amazing! I checked the ssl link and was blocked ~ downloaded the root cert’s and am good to go! I have not been able to access windows update for a long time, but my pc would automatically update itself… so now I can do it via the website. Wishing I found this a long time ago~ Thank you.

  7. Kevin Says:

    I got the same error when the SSL cert on my WSUS server had expired. Microsoft only said to check the time. I figured it out somehow, but glad to know that you have it posted here.

  8. Linda J Says:

    2009 root certificate update didn’t work for me but the Dec 2012 Root Certificate Update did!
    Thank you! This has been an ongoing issue since Hotmail changed acct. to Outlook.com. but it is finally fixed. 🙂

  9. dewy Says:

    Thanxz…..
    I solved my issue @ step 1 “Check Your Computer Date and Time”

  10. youssef Says:

    I appreciate this article. Very useful (root ca solved my problem)

  11. Murugan Says:

    Very Helpful..

  12. BigMcLargehuge Says:

    In my case it was a certificate problem, not the MS root certs, but didn’t have the CA cert that issued the cert for the WSUS server. Added that to trusted CAs and get funky!

  13. Should I Update XP? - Page 2 Says:

    […] https://gavinmckay.wordpress.com/2010…code-80072f8f/ that error is generally for date/time issues, is the date/time set correctly on your pc?? have you checked your bios time?? ================== Firewall: Jojo does not use windows firewall, so he has it turned off, he uses a different firewall. I use windows firewall. The choice is yours. If you use zone alarm or another firewall, then yes, turn off windows firewall. You can only have one firewall running. ============== do you have sp3 installed?? if not this may be why you cannot run the utility. microsoft will only allow updates with sp3, so the fixits need sp3 also. I downloaded the utility with no problem.   Search engines are your friend […]

  14. Scott Fryer Says:

    Ok this is how we got this working. In IE options -> Advanced Tab
    Scroll all the way down and uncheck:
    “Check for publisher’s certificate revocation” and “check for server certificate revocation”
    Then restart IE. This fixed this for us.

  15. Andrew E. Says:

    ok, klicking on that 2009November-Link in Part 2. solved my problem (running 64bit-Win 7.)

  16. Jan C Andersen Says:

    I had this error as well and nothing suggested worked. I ran Network Monitor and saw connection to sls.update.microsoft.com:443.
    I started iexplore https://sls.update.microsoft.com (I got access denied but I wanted to get the CTL) and downloaded the RootCA cert and the SubCA cert.. I already had the RootCA “Microsoft Root Certificate Authority 2011” installed in Trusted Root Certification Authority. However the SubCA cert “Microsoft Update Secure Server….” was missing. I imported this cert into ‘Intermediate Certification Authorities’ and ran Windows Update Again and everything worked. I’m going to push this cert to all computer with GPO

    Hope this helps someone 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: