WSUS Sync Failed: SSL, Proxy, Firewall, and Upstream Server Fixes

11 min read

When WSUS sync failed errors appear, new update metadata, revisions, and expirations stop entering the environment. Existing approvals and previously synchronized updates continue to work, but newly published updates cannot move through the WSUS pipeline until synchronization succeeds. For an internet-facing WSUS server, the failure commonly traces to the Microsoft Update endpoint, TLS negotiation, proxy configuration, DNS, or outbound filtering. In a WSUS hierarchy, also check the upstream server, configured port, SSL mode, certificate trust, and version order.

This guide covers wsus sync failed and other WSUS metadata synchronization failures. It also includes manual Catalog import and disconnected export/import because those workflows share or replace parts of the synchronization path. If sync succeeds but update files are not downloading, that is a separate content-download problem covered in WSUS Not Downloading Updates. Client detection and reporting failures are covered in WSUS Client Not Reporting. Console and IIS performance problems are covered in WSUS Console Slow or Crashing.

TL;DR
  • Read the WSUS server configuration first – MUUrl, upstream settings, and proxy settings – before touching system-level proxy or network tools.
  • The supported endpoint for Windows Server 2012 and later is https://sws.update.microsoft.com. The fe2.update.microsoft.com endpoint is decommissioned. sws1.update.microsoft.com is an old endpoint that Microsoft plans to decommission – migrate before that happens.
  • Configure and verify the synchronization proxy in the WSUS console. Do not use netsh winhttp show proxy as the authoritative WSUS sync-proxy check.
  • Test-NetConnection confirms direct TCP reachability only – it is not definitive behind an explicit proxy.
  • SelfUpdate uses HTTP (port 8530 by default). Do not require SSL on that virtual root.
  • Intermediate CA certificates go to Intermediate Certification Authorities, not to Trusted Root.
  • WSUS is deprecated and receives no new features, but Microsoft continues to support it for production deployments per the Windows Server lifecycle.
First symptomFirst check
SoapException in console or logCheck MUUrl and the endpoint shown in the stack trace
TLS reset / no common algorithmCheck TLS 1.2 enablement and cipher policy
Proxy authentication error / 407Check WSUS console proxy settings
Downstream cannot sync to upstreamCheck upstream port, SSL mode, certificate trust
TCP timeout reaching Microsoft UpdateCheck proxy path, firewall, DNS

Before troubleshooting a WSUS synchronization failure

WSUS is installed and configured. Synchronization was working (or was just set up) but the console now shows a sync error, the sync log shows failures, or the last sync timestamp is stale. A wsus sync failed condition can appear after a Windows update, a network change, a certificate renewal, or a Microsoft endpoint change – sometimes with no obvious trigger.

Where to read sync failures: Sync logging lives in %ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log and the Application event log (source: Windows Server Update Services). The file C:\Windows\SoftwareDistribution\ReportingEvents.log is a Windows Update client-agent log – it records client reporting events, not server sync activity. For server-side sync failures, read SoftwareDistribution.log and the Application event log.

Step 0: Read the current WSUS configuration

Before changing network settings or restarting services, capture the current WSUS server state. This tells you which diagnostic path applies to the WSUS sync failure.

Import-Module UpdateServices -ErrorAction Stop $server = Get-WsusServer -ErrorAction Stop $config = $server.GetConfiguration() [pscustomobject]@{ SyncFromMicrosoftUpdate = $config.SyncFromMicrosoftUpdate IsReplicaServer = $config.IsReplicaServer MUUrl = $config.MUUrl RedirectorChangeNumber = $config.RedirectorChangeNumber UpstreamWsusServerName = $config.UpstreamWsusServerName UpstreamWsusServerPortNumber = $config.UpstreamWsusServerPortNumber UpstreamWsusServerUseSsl = $config.UpstreamWsusServerUseSsl UseProxy = $config.UseProxy ProxyName = $config.ProxyName ProxyServerPort = $config.ProxyServerPort AnonymousProxyAccess = $config.AnonymousProxyAccess HasProxyPassword = $config.HasProxyPassword UseSeparateProxyForSsl = $config.UseSeparateProxyForSsl SslProxyName = $config.SslProxyName SslProxyServerPort = $config.SslProxyServerPort }

Read the output before proceeding:

  • SyncFromMicrosoftUpdate = True and MUUrl shows fe2.update.microsoft.com or sws1.update.microsoft.com – go to section 1 (wrong endpoint).
  • SyncFromMicrosoftUpdate = True and UseProxy = True – go to section 3 (WSUS proxy settings), then verify network path.
  • SyncFromMicrosoftUpdate = False – go to section 6 (upstream/downstream failures).
  • All values look correct – go to section 2 (TLS) or section 4 (firewall/DNS).

After reading WSUS configuration, check direct TCP reachability as a secondary signal:

# Direct-path TCP test only - not definitive behind an explicit proxy Test-NetConnection sws.update.microsoft.com -Port 443

A failed Test-NetConnection in an environment using an explicit proxy does not prove a firewall problem. WSUS routes sync through its configured proxy, not through a direct TCP path. Treat a failed direct test as a data point, not a conclusion.

1. Check for an old Microsoft Update endpoint

On older installations, a decommissioned Microsoft Update endpoint is a well-documented cause of sudden wsus sync failed. Check this first when MUUrl or the SoftwareDistribution.log stack trace references fe2.update.microsoft.com. Windows Server 2012 and later should use https://sws.update.microsoft.com.

The fe2.update.microsoft.com endpoint is decommissioned. sws1.update.microsoft.com is an old endpoint that Microsoft plans to decommission.

Symptoms in SoftwareDistribution.log:

SoapException: Fault occurred ... WebException: The underlying connection was closed

Run only on the server with SyncFromMicrosoftUpdate = True. Close all WSUS consoles first. iisreset restarts IIS services and can interrupt other applications if WSUS shares the server.

$server = Get-WsusServer $config = $server.GetConfiguration() $config.MUUrl = "https://sws.update.microsoft.com" $config.RedirectorChangeNumber = 4002 $config.Save() iisreset Restart-Service WsusService -Verbose

Do not run this on a downstream or replica server. After saving, trigger a synchronization and watch SoftwareDistribution.log for a clean run.

2. Verify TLS 1.2 and cipher compatibility

TLS 1.2 is required by sws.update.microsoft.com. When the server cannot negotiate it, wsus sync failed errors appear – synchronization can fail with a connection reset, an “underlying connection was closed” exception, or a “no common algorithm” error. There are two separate TLS paths in a WSUS deployment: the sync service itself, and the .NET Framework TLS path used by manual Catalog import.

Check TLS 1.2 in the sync log

After restarting the WSUS service and running iisreset, read SoftwareDistribution.log for SCHANNEL entries near startup:

SCHANNEL Protocol 'TLS 1.0' disabled SCHANNEL Protocol 'TLS 1.1' disabled SCHANNEL Protocols subkey for 'TLS 1.2' not found. Protocol is enabled

If these lines are absent, the TLS 1.2 fix for the WSUS sync service is not installed. On Windows Server 2012 and Windows Server 2012 R2, this fix was delivered as a non-security change in the Monthly Rollup track. A server that has installed only Security-Only updates and no applicable Monthly Rollup can therefore be missing the fix. Install KB4022721 for Windows Server 2012 or KB4022720 for Windows Server 2012 R2, or a later rollup that supersedes it, and then apply the latest updates available for the server’s supported servicing channel.

If TLS 1.2 is confirmed enabled but the connection still resets with no common algorithm, check whether a Group Policy cipher-suite order is restricting available ciphers:

$report = Join-Path $env:TEMP "WSUS-GPReport.html" gpresult /scope computer /h $report Start-Process $report

Open the report and inspect SSL Cipher Suite Order under Computer Configuration.

Manual Catalog import uses a separate TLS path

If sync succeeds but manual Catalog import fails, the problem is usually the .NET Framework TLS path. Symptoms in SoftwareDistribution.log or the import output:

The underlying connection was closed: An unexpected error occurred on a send ... they do not possess a common algorithm

Enable strong cryptography for the .NET Framework:

$registryPath = "HKLM:\Software\Microsoft\.NETFramework\v4.0.30319" if (!(Test-Path $registryPath)) { New-Item -Path $registryPath -Force | Out-Null } New-ItemProperty ` -Path $registryPath ` -Name SchUseStrongCrypto ` -Value 1 ` -PropertyType DWord ` -Force | Out-Null Restart-Service WsusService, w3svc

If the issue persists, Microsoft also documents enabling system-default TLS versions through %SystemRoot%\System32\inetsrv\w3wp.exe.config. This affects every IIS worker process on the server – acceptable on a dedicated WSUS host, worth noting on a shared one.

The legacy “Import Updates” action in the WSUS console was built on ActiveX and has been replaced by a PowerShell-based import workflow. Copy UpdateIDs from the Microsoft Update Catalog and import them using Microsoft’s documented PowerShell script. See WSUS and the Microsoft Update Catalog for current import guidance.

3. Verify WSUS proxy settings

Proxy misconfiguration is a common wsus sync failed cause. WSUS synchronization proxy settings are stored in the WSUS configuration and managed through the WSUS console. When synchronization returns a proxy error or HTTP 407, check Options > Update Source and Proxy Server > Proxy Server before changing system-wide proxy settings.

The Step 0 output shows the current proxy configuration: UseProxy, ProxyName, ProxyServerPort, AnonymousProxyAccess, HasProxyPassword, and the SSL proxy fields. These properties control what proxy the WSUS synchronization service uses.

If UseSeparateProxyForSsl = True, verify the HTTPS proxy name and port as well as the standard proxy. Microsoft supports a separate HTTPS proxy through wsusutil ConfigureSSLproxy <proxy-server> <proxy-port> -enable.

After verifying WSUS proxy settings, check the system WinHTTP proxy as a secondary layer:

netsh winhttp show proxy

Treat netsh winhttp show proxy as supporting context, not as proof of the proxy path used by WSUS synchronization.

Proxy authentication

If your proxy requires authentication, configure credentials in the WSUS console: Options > Update Source and Proxy Server, supply proxy name/port, and enable Use user credentials to connect to the proxy server. If the proxy requires basic authentication, enable Allow basic authentication – this sends the password in cleartext to the proxy, so use it only on a trusted internal network or over an encrypted channel.

TLS inspection

Temporarily bypass TLS inspection for the Microsoft Update domains as a diagnostic test. If synchronization succeeds with inspection bypassed, either retain the bypass or correct the proxy’s certificate chain, TLS policy, and cipher configuration according to your security design.

4. Test firewall, DNS, and outbound access

Firewall and DNS failures produce wsus sync failed conditions that surface as timeouts, connection errors, resets, or name-resolution failures. The topmost WSUS server requires outbound HTTP/HTTPS access to the Microsoft domains documented for WSUS.

Per Step 2: Configure WSUS, the required domains include:

http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com https://*.windowsupdate.microsoft.com http://*.update.microsoft.com https://*.update.microsoft.com http://*.windowsupdate.com http://download.windowsupdate.com https://download.microsoft.com http://*.download.windowsupdate.com http://wustat.windows.com http://ntservicepack.microsoft.com http://go.microsoft.com http://dl.delivery.mp.microsoft.com https://dl.delivery.mp.microsoft.com http://*.delivery.mp.microsoft.com https://*.delivery.mp.microsoft.com

Allow any URL within these domains. Microsoft does not support IP-based firewall rules for these endpoints – the IPs change constantly because the endpoints are CDN-backed. Microsoft can revise this list; check the live WSUS configuration documentation rather than treating any copied list as permanent.

0x8024402C (name not resolved) often indicates a DNS resolution problem on the proxy rather than a firewall ACL. Validate DNS from the WSUS server:

Resolve-DnsName sws.update.microsoft.com Resolve-DnsName download.windowsupdate.com

These commands validate the WSUS server’s local resolver only. With an explicit proxy, successful local DNS resolution does not prove that the proxy can resolve or reach the destination. Check proxy or secure web gateway logs for the actual CONNECT request and upstream DNS result.

5. Resolve certificate trust failures

Certificate problems produce wsus sync failed errors with a distinctive WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Fix the certificate chain correctly

  • Root CA certificate – import to Local Computer\Trusted Root Certification Authorities
  • Intermediate/issuing CA certificate – import to Local Computer\Intermediate Certification Authorities
  • Server certificate – install it in Local Computer\Personal with its private key, then select it in the WSUS IIS HTTPS binding

Do not import intermediate CA certificates to Trusted Root to force chain validation. That expands the trust boundary and is poor PKI practice.

Verify HTTPS and certificate validation from the WSUS server

$request = [System.Net.HttpWebRequest]::Create( "https://upstream.fqdn:8531/ClientWebService/client.asmx" ) try { $response = $request.GetResponse() $response.Close() "HTTPS request succeeded" } catch { $_.Exception.GetBaseException().Message }

This tests the connection under the account running PowerShell. If the interactive test succeeds but WSUS sync still fails, compare the Local Computer certificate stores and, where necessary, reproduce the request under the service security context.

For file-based certificate verification:

certutil -verify -urlfetch C:\Temp\upstream-wsus.cer

Incorrect system time

0x80072F8F can indicate a certificate or date/time validation failure. Check the WSUS server’s local date, time, time zone, and synchronization source first. An incorrect local clock can make a valid certificate appear not yet valid or expired. After correcting the clock, verify the certificate chain, name, and expiry.

Certificate name mismatch

The FQDN used to reach WSUS must match the Subject or SAN on the certificate. A common source: WSUS configured using a NetBIOS name during setup, while the certificate is issued to the FQDN.

6. Diagnose upstream and downstream synchronization

For WSUS hierarchies, default ports are 8530 (HTTP) and 8531 (HTTPS) on WSUS 6.2+ (Windows Server 2012 and later). Earlier WSUS versions used 80 and 443.

Check downstream reachability to upstream:

# Replace ports if your WSUS site uses a different configured port Test-NetConnection upstream.fqdn -Port 8531 Test-NetConnection upstream.fqdn -Port 8530

The SelfUpdate virtual root uses HTTP (replace 8530 if a different port is configured):

http://upstream.fqdn:8530/selfupdate/iuident.cab

When SSL is enabled for the upstream connection, test the metadata/service endpoint over HTTPS (replace 8531 if a different port is configured):

https://upstream.fqdn:8531/ClientWebService/client.asmx

When WSUS is configured without SSL, the same path is available over HTTP:

http://upstream.fqdn:8530/ClientWebService/client.asmx

When WSUS is configured for SSL, metadata virtual roots such as ClientWebService, ServerSyncWebService, and SimpleAuthWebService use HTTPS. The Content and SelfUpdate virtual roots must not be configured to require SSL – enabling SSL on SelfUpdate creates client self-update problems.

Common hierarchy failures:

  • Port mismatch – downstream configured for 8530 but upstream expects 8531, or vice versa
  • SSL mismatch – upstream uses SSL but downstream has Use SSL when synchronizing unchecked
  • Content-source configuration – confirm whether the downstream stores update files locally, downloads them from the upstream server, or retrieves payloads from Microsoft Update directly. If a downstream retrieves payloads directly from Microsoft, it also needs access to the required Microsoft Update domains. Do not treat different storage choices as a metadata-sync failure by themselves.
  • Version order – the downstream WSUS server must run the same WSUS version as the upstream server or an earlier version. A newer downstream synchronizing from an older upstream is not a supported hierarchy design.
  • “The upstream server experienced an unexpected error” – verify upstream IIS and WSUS service availability, review the upstream SoftwareDistribution.log and Application log, and check WsusPool health and resource pressure. The downstream message alone does not identify the upstream root cause.

Configure the downstream in Options > Update Source and Proxy Server > Synchronize from another Windows Server Update Services server, specifying the upstream FQDN and port. Enable This server is a replica of the upstream server only when replica mode is intentional – replica servers inherit update approvals and computer-group definitions from the upstream and are not administered independently. Computer-group membership itself is not replicated; clients reporting to the replica must still be assigned to the appropriate inherited groups.

7. Use export/import for disconnected WSUS

When the WSUS server has no internet path, synchronization is replaced by export and import. A wsus sync failed message in a disconnected environment usually means the server has never completed a successful import, or the last import is stale. Import metadata only from a trusted export WSUS server – Microsoft warns that importing data from an untrusted source can compromise the destination WSUS server.

On a connected staging WSUS server:

cd "%ProgramFiles%\Update Services\Tools" wsusutil.exe export wsus-export.xml.gz wsus-export.log

Copy wsus-export.xml.gz and the WSUSContent folder to the offline environment, then on the offline WSUS server:

cd "%ProgramFiles%\Update Services\Tools" wsusutil.exe import wsus-export.xml.gz wsus-import.log

wsusutil export/import transfers metadata only – it does not carry approvals or server settings. Re-apply approvals using the UpdateServices PowerShell module after import.

When copying WSUSContent, use robocopy /MIR only when the connected WSUS is the authoritative mirror and it is safe to delete destination files that no longer exist in the source. For incremental copies where both sides have content, use robocopy /E instead.

If updates show Failed to download after a successful metadata import, the metadata may have been imported before the corresponding files were copied into WSUSContent, or the content copy may be incomplete. Copy the missing content from the connected WSUS server, preserve the directory structure, and then verify the update status and WSUS logs again. Do not assume that a client scan alone repairs an incomplete content transfer.

Error and symptom reference

Code / symptomWhere observedWhat it meansFirst check
SoapException: Fault occurredSoftwareDistribution.logOld sync endpoint or upstream SOAP failureCheck MUUrl, endpoint in stack trace
0x80072EE2Server or client logTimeoutProxy/firewall/route – do not assume IIS without additional evidence
0x80072EFDServer or client logConnection could not be establishedDNS, proxy, firewall, upstream port
0x80072F8FServer or client logSecure-channel, certificate, or local date/time validation failureVerify local date/time, then certificate validity, name, and trust chain
0x80244022SOAP/HTTP pathHTTP 503Upstream availability, IIS/WsusPool load
0x8024402CCommonly WUA/client contextProxy or target name resolution failureDNS and proxy resolution in the affected security context

Verify synchronization succeeded

After applying a fix, trigger sync and confirm the wsus sync failed condition is resolved:

  1. WSUS console – Synchronizations node shows Succeeded for the latest run
  2. Last synchronization time has advanced
  3. SoftwareDistribution.log shows no new sync exception after the triggered run
  4. Application event log shows no new Event 10021 or 10022 associated with a failed catalog synchronization

FAQ

Why does sync work in the browser but fail in WSUS?

The browser uses the current user’s proxy and certificate store. WSUS sync runs as a system service using its own proxy configuration and the local computer certificate store. A certificate trusted in the user profile may not be trusted in the machine store, and a proxy that works in the browser may not be configured in the WSUS console. Always verify in the machine context.

Can `netsh winhttp import proxy source=ie` fix a wsus sync failed error?

netsh winhttp import proxy source=ie changes the machine-wide WinHTTP proxy and can affect components that use WinHTTP. It is not the primary configuration method for standalone WSUS synchronization. For a WSUS sync failure, inspect UseProxy, ProxyName, the configured port, and proxy credentials in the WSUS console or IUpdateServerConfiguration first. Treat netsh winhttp show proxy as supporting context, not as proof of the proxy path used by WSUS synchronization.

What is the difference between sws.update.microsoft.com and sws1.update.microsoft.com?

sws.update.microsoft.com is the current supported endpoint for Windows Server 2012 and later. sws1.update.microsoft.com is an old endpoint that Microsoft plans to decommission – Windows Server 2012 and later should use sws. The fe2.update.microsoft.com WSUS synchronization endpoint is already decommissioned. If your WSUS shows either of the legacy values, update MUUrl and RedirectorChangeNumber as shown in section 1.

Sync succeeds but no new updates appear – is that a wsus sync failed condition?

Not necessarily. If the Synchronizations node shows Succeeded and the timestamp advanced, metadata sync is working. Missing updates after a successful sync usually trace to a products/classifications subscription issue (the update’s product or classification is not subscribed) or a content download failure (metadata arrived, files have not). Check subscriptions first, then see WSUS Not Downloading Updates if content is the problem.

How do I confirm whether a downstream server is in replica mode?

Check IsReplicaServer in the Step 0 output, or in the WSUS console under Options > Update Source and Proxy Server. Replica servers inherit update approvals and computer-group definitions from the upstream and are not administered independently. Computer-group membership itself is not replicated; clients reporting to the replica must still be assigned to the appropriate inherited groups.

References