HOWTO: Fixing Windows Update Error Code 80072F8F

September 28, 2010

This error can show up with a number of different symptoms, including Information messages in the event log: “Event id 1001 WindowsUpdateFailure”. Unfortunately, neither the event log entries nor the generated text file that goes with them are much help.

Some background on Windows Update – on Windows 7, Vista and Windows Server 2008, Windows Update is available via the Control Panel. The update process also has a corresponding service, Windows Update, that can automatically download and install updates for you. The update process uses the folder:

C:\Windows\SoftwareDistribution

(or wherever your Windows folder is) to store all updates prior to installing them on your OS. The update process connects to the Microsoft Windows Update site via http://www.update.microsoft.com:443, and this is where the process sometimes trips up. Because the connection uses SSL, the client needs to be able to trust the certificate being presented. Put very simply, there are two primary checks that are done:

  1. Validate that the time is correct (at least within a couple of minutes)
  2. Validate that the SSL certificates being used are trusted

The error code 80072F8F is associated with the following error message: “Your computer’s date and time appear to be out of sync with an update certificate.” Following are some possible fixes to resolve the issue.

1. Check Your Computer Date and Time

You can do this via Control Panel, or by clicking the clock in the taskbar. Verify that the time is correct using a third-party website (such as The World Clock). Most PCs and servers can be synced with an external time server to ensure accuracy.

If the PC/server is a member of a Windows domain, you possibly won’t be able to change the date and time, but at least verify that the time is correct. Being within a couple of minutes (+/- 5 as a general rule) should be OK.

2. Check Your Trusted Site Certificate Authorities

If the SSL certificate being used to connect to the Microsoft site is not trusted, the connection will fail with the dreaded 80072F8F error code. You can check if this is an issue by going to the Microsoft website via SSL instead of the normal HTTP connection. If you get a certificate error when visiting this page, then your PC/server does not trust the certificate being used. Usually this means you are missing the following trusted authority certificate:

GTE CyberTrust Global Root

You can install the latest trusted certificate authorities by downloading and running the November 2009 Update for Root Certificates. PLEASE NOTE: the download has no user interface when installing, but it does install the certificates correctly. All certificates are installed in the Trusted Root Certification Authorities area for your Local Computer.

3. Proxy Server Certificates

This is the more unusual case. Some web proxy servers have their own certificates installed, and these can be used on your behalf to authenticate with websites via SSL. On one particular occasion the test environment I was working in had its own Server OS build, which did not include the organisational trusted authority certificate. All web connections were via the web proxy server, which automatically applied the proxy server’s custom certificate. This meant that the Server OS I was using did not trust the web proxy certificate, which invalidated the SSL connection and displayed the error code above.

To fix this issue, you need to obtain the Trusted Authority Certificate that the web proxy server SSL certificate is using and install that in the Trusted Root Certification Authorities certificate list. In my case it was available from the Windows Certificate Services server itself. This should resolve the issue in most cases.
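The PowerShell function below is an added example, not part of the original post: it runs the clock and trust checks described above against the update host and reports which one fails, including the top of the chain so a proxy-issued certificate is visible. It assumes port 443 is reachable directly or through a transparent proxy; the name Test-UpdateTls and the use of time.windows.com are choices made for this example.

```powershell
# Added diagnostic example. Test-UpdateTls is a hypothetical helper name.
function Test-UpdateTls {
    param(
        [string]$HostName = 'www.update.microsoft.com',  # host named in the post
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever certificate is presented so it can be inspected.
        # Nothing is sent over this stream; validation is redone below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Rebuild the chain using this machine's certificate stores and local clock.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $now     = Get-Date

    New-Object PSObject -Property @{
        LocalTime     = $now
        ValidFrom     = $cert.NotBefore
        ValidTo       = $cert.NotAfter
        ClockInWindow = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)  # fix 1
        ChainTrusted  = $trusted                                                # fix 2 / 3
        ChainStatus   = ($status -join ', ')   # e.g. NotTimeValid, UntrustedRoot, PartialChain
        TopOfChain    = $top.Subject           # an organisational CA here points to fix 3
    }
}

Test-UpdateTls | Format-List

# Is the root named in the post present in the Local Computer trusted root store?
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*GTE CyberTrust Global Root*' } |
    Select-Object Subject, NotAfter, Thumbprint

# Offset between the local clock and an external time source (one sample).
w32tm /stripchart /computer:time.windows.com /samples:1 /dataonly
```

A `ChainStatus` of `NotTimeValid` points to the date and time fix, while `UntrustedRoot` or `PartialChain` points to a missing root or proxy authority certificate.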

The Windows Update Support web site has a list of common errors generated by Windows Update, along with other workarounds for issues. An older page on the TechNet site contains a list of Windows Update Error Codes.