When WSUS sync failed errors appear, new update metadata, revisions, and expirations stop entering the environment. Existing approvals and previously synchronized updates continue to work, but newly published updates cannot move through the WSUS pipeline until synchronization succeeds. For an internet-facing WSUS server, the failure commonly traces to the Microsoft Update endpoint, TLS negotiation, proxy configuration, DNS, or outbound filtering. In a WSUS hierarchy, also check the upstream server, configured port, SSL mode, certificate trust, and version order.
This guide covers wsus sync failed and other WSUS metadata synchronization failures. It also includes manual Catalog import and disconnected export/import because those workflows share or replace parts of the synchronization path. If sync succeeds but update files are not downloading, that is a separate content-download problem covered in WSUS Not Downloading Updates. Client detection and reporting failures are covered in WSUS Client Not Reporting. Console and IIS performance problems are covered in WSUS Console Slow or Crashing.
- Read the WSUS server configuration first –
MUUrl, upstream settings, and proxy settings – before touching system-level proxy or network tools. - The supported endpoint for Windows Server 2012 and later is
https://sws.update.microsoft.com. Thefe2.update.microsoft.comendpoint is decommissioned.sws1.update.microsoft.comis an old endpoint that Microsoft plans to decommission – migrate before that happens. - Configure and verify the synchronization proxy in the WSUS console. Do not use
netsh winhttp show proxyas the authoritative WSUS sync-proxy check. Test-NetConnectionconfirms direct TCP reachability only – it is not definitive behind an explicit proxy.- SelfUpdate uses HTTP (port 8530 by default). Do not require SSL on that virtual root.
- Intermediate CA certificates go to
Intermediate Certification Authorities, not toTrusted Root. - WSUS is deprecated and receives no new features, but Microsoft continues to support it for production deployments per the Windows Server lifecycle.
| First symptom | First check |
|---|---|
SoapException in console or log | Check MUUrl and the endpoint shown in the stack trace |
| TLS reset / no common algorithm | Check TLS 1.2 enablement and cipher policy |
| Proxy authentication error / 407 | Check WSUS console proxy settings |
| Downstream cannot sync to upstream | Check upstream port, SSL mode, certificate trust |
| TCP timeout reaching Microsoft Update | Check proxy path, firewall, DNS |
Before troubleshooting a WSUS synchronization failure
WSUS is installed and configured. Synchronization was working (or was just set up) but the console now shows a sync error, the sync log shows failures, or the last sync timestamp is stale. A wsus sync failed condition can appear after a Windows update, a network change, a certificate renewal, or a Microsoft endpoint change – sometimes with no obvious trigger.
Where to read sync failures: Sync logging lives in %ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log and the Application event log (source: Windows Server Update Services). The file C:\Windows\SoftwareDistribution\ReportingEvents.log is a Windows Update client-agent log – it records client reporting events, not server sync activity. For server-side sync failures, read SoftwareDistribution.log and the Application event log.
Step 0: Read the current WSUS configuration
Before changing network settings or restarting services, capture the current WSUS server state. This tells you which diagnostic path applies to the WSUS sync failure.
Import-Module UpdateServices -ErrorAction Stop
$server = Get-WsusServer -ErrorAction Stop
$config = $server.GetConfiguration()
[pscustomobject]@{
SyncFromMicrosoftUpdate = $config.SyncFromMicrosoftUpdate
IsReplicaServer = $config.IsReplicaServer
MUUrl = $config.MUUrl
RedirectorChangeNumber = $config.RedirectorChangeNumber
UpstreamWsusServerName = $config.UpstreamWsusServerName
UpstreamWsusServerPortNumber = $config.UpstreamWsusServerPortNumber
UpstreamWsusServerUseSsl = $config.UpstreamWsusServerUseSsl
UseProxy = $config.UseProxy
ProxyName = $config.ProxyName
ProxyServerPort = $config.ProxyServerPort
AnonymousProxyAccess = $config.AnonymousProxyAccess
HasProxyPassword = $config.HasProxyPassword
UseSeparateProxyForSsl = $config.UseSeparateProxyForSsl
SslProxyName = $config.SslProxyName
SslProxyServerPort = $config.SslProxyServerPort
}Read the output before proceeding:
SyncFromMicrosoftUpdate = TrueandMUUrlshowsfe2.update.microsoft.comorsws1.update.microsoft.com– go to section 1 (wrong endpoint).SyncFromMicrosoftUpdate = TrueandUseProxy = True– go to section 3 (WSUS proxy settings), then verify network path.SyncFromMicrosoftUpdate = False– go to section 6 (upstream/downstream failures).- All values look correct – go to section 2 (TLS) or section 4 (firewall/DNS).
After reading WSUS configuration, check direct TCP reachability as a secondary signal:
# Direct-path TCP test only - not definitive behind an explicit proxy
Test-NetConnection sws.update.microsoft.com -Port 443A failed Test-NetConnection in an environment using an explicit proxy does not prove a firewall problem. WSUS routes sync through its configured proxy, not through a direct TCP path. Treat a failed direct test as a data point, not a conclusion.
1. Check for an old Microsoft Update endpoint
On older installations, a decommissioned Microsoft Update endpoint is a well-documented cause of sudden wsus sync failed. Check this first when MUUrl or the SoftwareDistribution.log stack trace references fe2.update.microsoft.com. Windows Server 2012 and later should use https://sws.update.microsoft.com.
The fe2.update.microsoft.com endpoint is decommissioned. sws1.update.microsoft.com is an old endpoint that Microsoft plans to decommission.
Symptoms in SoftwareDistribution.log:
SoapException: Fault occurred ...
WebException: The underlying connection was closedRun only on the server with SyncFromMicrosoftUpdate = True. Close all WSUS consoles first. iisreset restarts IIS services and can interrupt other applications if WSUS shares the server.
$server = Get-WsusServer
$config = $server.GetConfiguration()
$config.MUUrl = "https://sws.update.microsoft.com"
$config.RedirectorChangeNumber = 4002
$config.Save()
iisreset
Restart-Service WsusService -VerboseDo not run this on a downstream or replica server. After saving, trigger a synchronization and watch SoftwareDistribution.log for a clean run.
2. Verify TLS 1.2 and cipher compatibility
TLS 1.2 is required by sws.update.microsoft.com. When the server cannot negotiate it, wsus sync failed errors appear – synchronization can fail with a connection reset, an “underlying connection was closed” exception, or a “no common algorithm” error. There are two separate TLS paths in a WSUS deployment: the sync service itself, and the .NET Framework TLS path used by manual Catalog import.
Check TLS 1.2 in the sync log
After restarting the WSUS service and running iisreset, read SoftwareDistribution.log for SCHANNEL entries near startup:
SCHANNEL Protocol 'TLS 1.0' disabled
SCHANNEL Protocol 'TLS 1.1' disabled
SCHANNEL Protocols subkey for 'TLS 1.2' not found. Protocol is enabledIf these lines are absent, the TLS 1.2 fix for the WSUS sync service is not installed. On Windows Server 2012 and Windows Server 2012 R2, this fix was delivered as a non-security change in the Monthly Rollup track. A server that has installed only Security-Only updates and no applicable Monthly Rollup can therefore be missing the fix. Install KB4022721 for Windows Server 2012 or KB4022720 for Windows Server 2012 R2, or a later rollup that supersedes it, and then apply the latest updates available for the server’s supported servicing channel.
If TLS 1.2 is confirmed enabled but the connection still resets with no common algorithm, check whether a Group Policy cipher-suite order is restricting available ciphers:
$report = Join-Path $env:TEMP "WSUS-GPReport.html"
gpresult /scope computer /h $report
Start-Process $reportOpen the report and inspect SSL Cipher Suite Order under Computer Configuration.
Manual Catalog import uses a separate TLS path
If sync succeeds but manual Catalog import fails, the problem is usually the .NET Framework TLS path. Symptoms in SoftwareDistribution.log or the import output:
The underlying connection was closed: An unexpected error occurred on a send
... they do not possess a common algorithmEnable strong cryptography for the .NET Framework:
$registryPath = "HKLM:\Software\Microsoft\.NETFramework\v4.0.30319"
if (!(Test-Path $registryPath)) {
New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty `
-Path $registryPath `
-Name SchUseStrongCrypto `
-Value 1 `
-PropertyType DWord `
-Force | Out-Null
Restart-Service WsusService, w3svcIf the issue persists, Microsoft also documents enabling system-default TLS versions through %SystemRoot%\System32\inetsrv\w3wp.exe.config. This affects every IIS worker process on the server – acceptable on a dedicated WSUS host, worth noting on a shared one.
The legacy “Import Updates” action in the WSUS console was built on ActiveX and has been replaced by a PowerShell-based import workflow. Copy UpdateIDs from the Microsoft Update Catalog and import them using Microsoft’s documented PowerShell script. See WSUS and the Microsoft Update Catalog for current import guidance.
3. Verify WSUS proxy settings
Proxy misconfiguration is a common wsus sync failed cause. WSUS synchronization proxy settings are stored in the WSUS configuration and managed through the WSUS console. When synchronization returns a proxy error or HTTP 407, check Options > Update Source and Proxy Server > Proxy Server before changing system-wide proxy settings.
The Step 0 output shows the current proxy configuration: UseProxy, ProxyName, ProxyServerPort, AnonymousProxyAccess, HasProxyPassword, and the SSL proxy fields. These properties control what proxy the WSUS synchronization service uses.
If UseSeparateProxyForSsl = True, verify the HTTPS proxy name and port as well as the standard proxy. Microsoft supports a separate HTTPS proxy through wsusutil ConfigureSSLproxy <proxy-server> <proxy-port> -enable.
After verifying WSUS proxy settings, check the system WinHTTP proxy as a secondary layer:
netsh winhttp show proxyTreat netsh winhttp show proxy as supporting context, not as proof of the proxy path used by WSUS synchronization.
Proxy authentication
If your proxy requires authentication, configure credentials in the WSUS console: Options > Update Source and Proxy Server, supply proxy name/port, and enable Use user credentials to connect to the proxy server. If the proxy requires basic authentication, enable Allow basic authentication – this sends the password in cleartext to the proxy, so use it only on a trusted internal network or over an encrypted channel.
TLS inspection
Temporarily bypass TLS inspection for the Microsoft Update domains as a diagnostic test. If synchronization succeeds with inspection bypassed, either retain the bypass or correct the proxy’s certificate chain, TLS policy, and cipher configuration according to your security design.
4. Test firewall, DNS, and outbound access
Firewall and DNS failures produce wsus sync failed conditions that surface as timeouts, connection errors, resets, or name-resolution failures. The topmost WSUS server requires outbound HTTP/HTTPS access to the Microsoft domains documented for WSUS.
Per Step 2: Configure WSUS, the required domains include:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://go.microsoft.com
http://dl.delivery.mp.microsoft.com
https://dl.delivery.mp.microsoft.com
http://*.delivery.mp.microsoft.com
https://*.delivery.mp.microsoft.comAllow any URL within these domains. Microsoft does not support IP-based firewall rules for these endpoints – the IPs change constantly because the endpoints are CDN-backed. Microsoft can revise this list; check the live WSUS configuration documentation rather than treating any copied list as permanent.
0x8024402C (name not resolved) often indicates a DNS resolution problem on the proxy rather than a firewall ACL. Validate DNS from the WSUS server:
Resolve-DnsName sws.update.microsoft.com
Resolve-DnsName download.windowsupdate.comThese commands validate the WSUS server’s local resolver only. With an explicit proxy, successful local DNS resolution does not prove that the proxy can resolve or reach the destination. Check proxy or secure web gateway logs for the actual CONNECT request and upstream DNS result.
5. Resolve certificate trust failures
Certificate problems produce wsus sync failed errors with a distinctive WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Fix the certificate chain correctly
- Root CA certificate – import to
Local Computer\Trusted Root Certification Authorities - Intermediate/issuing CA certificate – import to
Local Computer\Intermediate Certification Authorities - Server certificate – install it in
Local Computer\Personalwith its private key, then select it in the WSUS IIS HTTPS binding
Do not import intermediate CA certificates to Trusted Root to force chain validation. That expands the trust boundary and is poor PKI practice.
Verify HTTPS and certificate validation from the WSUS server
$request = [System.Net.HttpWebRequest]::Create(
"https://upstream.fqdn:8531/ClientWebService/client.asmx"
)
try {
$response = $request.GetResponse()
$response.Close()
"HTTPS request succeeded"
}
catch {
$_.Exception.GetBaseException().Message
}This tests the connection under the account running PowerShell. If the interactive test succeeds but WSUS sync still fails, compare the Local Computer certificate stores and, where necessary, reproduce the request under the service security context.
For file-based certificate verification:
certutil -verify -urlfetch C:\Temp\upstream-wsus.cerIncorrect system time
0x80072F8F can indicate a certificate or date/time validation failure. Check the WSUS server’s local date, time, time zone, and synchronization source first. An incorrect local clock can make a valid certificate appear not yet valid or expired. After correcting the clock, verify the certificate chain, name, and expiry.
Certificate name mismatch
The FQDN used to reach WSUS must match the Subject or SAN on the certificate. A common source: WSUS configured using a NetBIOS name during setup, while the certificate is issued to the FQDN.
6. Diagnose upstream and downstream synchronization
For WSUS hierarchies, default ports are 8530 (HTTP) and 8531 (HTTPS) on WSUS 6.2+ (Windows Server 2012 and later). Earlier WSUS versions used 80 and 443.
Check downstream reachability to upstream:
# Replace ports if your WSUS site uses a different configured port
Test-NetConnection upstream.fqdn -Port 8531
Test-NetConnection upstream.fqdn -Port 8530The SelfUpdate virtual root uses HTTP (replace 8530 if a different port is configured):
http://upstream.fqdn:8530/selfupdate/iuident.cabWhen SSL is enabled for the upstream connection, test the metadata/service endpoint over HTTPS (replace 8531 if a different port is configured):
https://upstream.fqdn:8531/ClientWebService/client.asmxWhen WSUS is configured without SSL, the same path is available over HTTP:
http://upstream.fqdn:8530/ClientWebService/client.asmxWhen WSUS is configured for SSL, metadata virtual roots such as ClientWebService, ServerSyncWebService, and SimpleAuthWebService use HTTPS. The Content and SelfUpdate virtual roots must not be configured to require SSL – enabling SSL on SelfUpdate creates client self-update problems.
Common hierarchy failures:
- Port mismatch – downstream configured for 8530 but upstream expects 8531, or vice versa
- SSL mismatch – upstream uses SSL but downstream has Use SSL when synchronizing unchecked
- Content-source configuration – confirm whether the downstream stores update files locally, downloads them from the upstream server, or retrieves payloads from Microsoft Update directly. If a downstream retrieves payloads directly from Microsoft, it also needs access to the required Microsoft Update domains. Do not treat different storage choices as a metadata-sync failure by themselves.
- Version order – the downstream WSUS server must run the same WSUS version as the upstream server or an earlier version. A newer downstream synchronizing from an older upstream is not a supported hierarchy design.
- “The upstream server experienced an unexpected error” – verify upstream IIS and WSUS service availability, review the upstream
SoftwareDistribution.logand Application log, and check WsusPool health and resource pressure. The downstream message alone does not identify the upstream root cause.
Configure the downstream in Options > Update Source and Proxy Server > Synchronize from another Windows Server Update Services server, specifying the upstream FQDN and port. Enable This server is a replica of the upstream server only when replica mode is intentional – replica servers inherit update approvals and computer-group definitions from the upstream and are not administered independently. Computer-group membership itself is not replicated; clients reporting to the replica must still be assigned to the appropriate inherited groups.
7. Use export/import for disconnected WSUS
When the WSUS server has no internet path, synchronization is replaced by export and import. A wsus sync failed message in a disconnected environment usually means the server has never completed a successful import, or the last import is stale. Import metadata only from a trusted export WSUS server – Microsoft warns that importing data from an untrusted source can compromise the destination WSUS server.
On a connected staging WSUS server:
cd "%ProgramFiles%\Update Services\Tools"
wsusutil.exe export wsus-export.xml.gz wsus-export.logCopy wsus-export.xml.gz and the WSUSContent folder to the offline environment, then on the offline WSUS server:
cd "%ProgramFiles%\Update Services\Tools"
wsusutil.exe import wsus-export.xml.gz wsus-import.logwsusutil export/import transfers metadata only – it does not carry approvals or server settings. Re-apply approvals using the UpdateServices PowerShell module after import.
When copying WSUSContent, use robocopy /MIR only when the connected WSUS is the authoritative mirror and it is safe to delete destination files that no longer exist in the source. For incremental copies where both sides have content, use robocopy /E instead.
If updates show Failed to download after a successful metadata import, the metadata may have been imported before the corresponding files were copied into WSUSContent, or the content copy may be incomplete. Copy the missing content from the connected WSUS server, preserve the directory structure, and then verify the update status and WSUS logs again. Do not assume that a client scan alone repairs an incomplete content transfer.
Error and symptom reference
| Code / symptom | Where observed | What it means | First check |
|---|---|---|---|
SoapException: Fault occurred | SoftwareDistribution.log | Old sync endpoint or upstream SOAP failure | Check MUUrl, endpoint in stack trace |
0x80072EE2 | Server or client log | Timeout | Proxy/firewall/route – do not assume IIS without additional evidence |
0x80072EFD | Server or client log | Connection could not be established | DNS, proxy, firewall, upstream port |
0x80072F8F | Server or client log | Secure-channel, certificate, or local date/time validation failure | Verify local date/time, then certificate validity, name, and trust chain |
0x80244022 | SOAP/HTTP path | HTTP 503 | Upstream availability, IIS/WsusPool load |
0x8024402C | Commonly WUA/client context | Proxy or target name resolution failure | DNS and proxy resolution in the affected security context |
Verify synchronization succeeded
After applying a fix, trigger sync and confirm the wsus sync failed condition is resolved:
- WSUS console – Synchronizations node shows Succeeded for the latest run
- Last synchronization time has advanced
SoftwareDistribution.logshows no new sync exception after the triggered run- Application event log shows no new Event 10021 or 10022 associated with a failed catalog synchronization
FAQ
Why does sync work in the browser but fail in WSUS?
The browser uses the current user’s proxy and certificate store. WSUS sync runs as a system service using its own proxy configuration and the local computer certificate store. A certificate trusted in the user profile may not be trusted in the machine store, and a proxy that works in the browser may not be configured in the WSUS console. Always verify in the machine context.
Can `netsh winhttp import proxy source=ie` fix a wsus sync failed error?
netsh winhttp import proxy source=ie changes the machine-wide WinHTTP proxy and can affect components that use WinHTTP. It is not the primary configuration method for standalone WSUS synchronization. For a WSUS sync failure, inspect UseProxy, ProxyName, the configured port, and proxy credentials in the WSUS console or IUpdateServerConfiguration first. Treat netsh winhttp show proxy as supporting context, not as proof of the proxy path used by WSUS synchronization.
What is the difference between sws.update.microsoft.com and sws1.update.microsoft.com?
sws.update.microsoft.com is the current supported endpoint for Windows Server 2012 and later. sws1.update.microsoft.com is an old endpoint that Microsoft plans to decommission – Windows Server 2012 and later should use sws. The fe2.update.microsoft.com WSUS synchronization endpoint is already decommissioned. If your WSUS shows either of the legacy values, update MUUrl and RedirectorChangeNumber as shown in section 1.
Sync succeeds but no new updates appear – is that a wsus sync failed condition?
Not necessarily. If the Synchronizations node shows Succeeded and the timestamp advanced, metadata sync is working. Missing updates after a successful sync usually trace to a products/classifications subscription issue (the update’s product or classification is not subscribed) or a content download failure (metadata arrived, files have not). Check subscriptions first, then see WSUS Not Downloading Updates if content is the problem.
How do I confirm whether a downstream server is in replica mode?
Check IsReplicaServer in the Step 0 output, or in the WSUS console under Options > Update Source and Proxy Server. Replica servers inherit update approvals and computer-group definitions from the upstream and are not administered independently. Computer-group membership itself is not replicated; clients reporting to the replica must still be assigned to the appropriate inherited groups.
References
- WSUS synchronization fails with SoapException – Microsoft Learn
- Troubleshoot WSUS synchronization and import issues – Microsoft Learn
- Step 2: Configure WSUS – Microsoft Learn
- Plan Your WSUS Deployment – Microsoft Learn
- WSUS and the Microsoft Update Catalog – Microsoft Learn
- Setting up update synchronizations – Microsoft Learn
- Synchronize updates with no Internet connection – Microsoft Learn
WSUS on Windows Server
Installation & Configuration · Maintenance · Sync Failures · Content Download · Client Reporting · Console Recovery