Over 600 Domain computers won't get Windows updates


pjudkins

I desperately need help! We have 3200+/- total domain computers, all on Windows 11, mostly Enterprise and some on Pro. 600+ of them haven't done updates since either November of 2024 or August of 2023. They get an error when trying to do updates that says, "We couldn't connect to the update service". I have tried many things: verified all the Registry settings were correct, update troubleshooter fails, I can ping the update servers successfully from a CMD prompt, restarted services, deleted software distribution and other folders. I can manually push updates, but it won't auto pull them. Any help would be greatly appreciated.
 
Windows Build/Version
Windows 11 Enterprise

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
Is the installed image healthy? I ask because, coincidentally, I had a large number of machines quit updating around Aug/Sept 2023, and I had to DISM RestoreHealth and SFC them to get them going again.
 

My Computer

System One

  • OS
    Windows 11 Pro 24H2 [rev. 4652]
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical with Cherry MX Clears
    Antivirus
    Microsoft Defender
They appear to be healthy. Other computers on the same Image version are doing updates successfully. I have also run all 3 DISM tools and SFC scan on a few test computers.
 

How do you get updates?
Directly from Microsoft?
WSUS?
MECM (SCCM)?

Do you control updates via GPO?

Also what build/version are these devices?
 

My Computer

System One

  • OS
    Linux Mint
    Computer type
    Laptop
    Manufacturer/Model
    System76 Lemur Pro
Updates auto download directly from Microsoft. We have one Group Policy in place to block feature updates for 1 year, hence why we are on 23H2 instead of 24H2.

In the logs, I'm not real versed in what I'm looking for, but it throws these entries at the end.


2025/07/08 10:51:14.1461899 5292 5644 Misc *FAILED* [80072F8F] WinHttp: SendRequestWithAuthRetry using proxy failed for <HTTPS://slscr.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.22631.3593/0?CH=989&L=en-US&P=&PT=0x30&WUA=1217.2403.25012.1&MK=LENOVO&MD=11CES01P00>
2025/07/08 10:51:14.1461959 5292 5644 Agent *FAILED* [80072F8F] wuauengcore.dll, C:\__w\1\s\src\Client\lib\DownloadFile\DownloadSession.cpp @776
2025/07/08 10:51:14.1462041 5292 5644 Misc *FAILED* [80072F8F] Library download error. Will retry. Retry Counter: 0
2025/07/08 10:51:14.5477660 5292 5644 Misc *FAILED* [80072F8F] WinHttp: SendRequestWithAuthRetry using proxy failed for <HTTPS://slscr.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.22631.3593/0?CH=989&L=en-US&P=&PT=0x30&WUA=1217.2403.25012.1&MK=LENOVO&MD=11CES01P00>
2025/07/08 10:51:14.5477711 5292 5644 Agent *FAILED* [80072F8F] wuauengcore.dll, C:\__w\1\s\src\Client\lib\DownloadFile\DownloadSession.cpp @776
2025/07/08 10:51:14.5477788 5292 5644 Misc *FAILED* [80072F8F] Library download error. Will retry. Retry Counter: 1
2025/07/08 10:51:14.8728477 5292 5644 Misc *FAILED* [80072F8F] WinHttp: SendRequestWithAuthRetry using proxy failed for <HTTPS://slscr.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.22631.3593/0?CH=989&L=en-US&P=&PT=0x30&WUA=1217.2403.25012.1&MK=LENOVO&MD=11CES01P00>
2025/07/08 10:51:14.8728526 5292 5644 Agent *FAILED* [80072F8F] wuauengcore.dll, C:\__w\1\s\src\Client\lib\DownloadFile\DownloadSession.cpp @776
2025/07/08 10:51:14.8728601 5292 5644 Misc *FAILED* [80072F8F] Library download error. Will retry. Retry Counter: 2
2025/07/08 10:51:15.2039509 5292 5644 Misc *FAILED* [80072F8F] WinHttp: SendRequestWithAuthRetry using proxy failed for <HTTPS://slscr.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.22631.3593/0?CH=989&L=en-US&P=&PT=0x30&WUA=1217.2403.25012.1&MK=LENOVO&MD=11CES01P00>
2025/07/08 10:51:15.2039562 5292 5644 Agent *FAILED* [80072F8F] wuauengcore.dll, C:\__w\1\s\src\Client\lib\DownloadFile\DownloadSession.cpp @776
2025/07/08 10:51:15.2039652 5292 5644 SLS Complete the request URL HTTPS://slscr.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.22631.3593/0?CH=989&L=en-US&P=&PT=0x30&WUA=1217.2403.25012.1&MK=LENOVO&MD=11CES01P00 with [80072F8F] and http status code[0] and send SLS events.
2025/07/08 10:51:15.2040536 5292 5644 SLS *FAILED* [80072F8F] GetDownloadedOnWeakSSLCert
2025/07/08 10:51:15.2045982 5292 5644 SLS *FAILED* [80072F8F] Method failed [CSLSClient::GetResponse:659]
2025/07/08 10:51:15.2046029 5292 5644 Agent *FAILED* [80072F8F] wuauengcore.dll, C:\__w\1\s\src\Client\lib\EndpointProviders\EndpointProviders.cpp @1831
2025/07/08 10:51:15.2046043 5292 5644 Agent *FAILED* [80072F8F] wuauengcore.dll, C:\__w\1\s\src\Client\lib\EndpointProviders\EndpointProviders.cpp @1376
2025/07/08 10:51:15.2046052 5292 5644 Agent *FAILED* [80072F8F] wuauengcore.dll, C:\__w\1\s\src\Client\lib\EndpointProviders\EndpointProviders.cpp @1387
2025/07/08 10:51:15.2046066 5292 5644 Agent *FAILED* [80072F8F] Method failed [CAgentServiceManager::DetectAndToggleServiceState:3018]
2025/07/08 10:51:15.2046078 5292 5644 Agent *FAILED* [80072F8F] SLS sync failed during service registration (cV: AnZ78FuShkGZXTrd.1.0.0.)
2025/07/08 10:51:15.2066225 5292 5644 Agent Total possible federated services: 1 (cV: AnZ78FuShkGZXTrd.1.0.0.)
2025/07/08 10:51:15.2066260 5292 5644 Agent Candidate federated service 9482F4B4-E343-43B6-B170-9A65BC822C77 (cV: AnZ78FuShkGZXTrd.1.0.0.)
2025/07/08 10:51:15.2066278 5292 5644 Agent Federated service 9482F4B4-E343-43B6-B170-9A65BC822C77 is not added due to an associated SLS registration failure (cV: AnZ78FuShkGZXTrd.1.0.0.)
 

Error 0x80072f8f means you have some kind of decoding error, which usually points to certificates being out of date. On a broken machine, do either of these commands show really old sync times, compared to a working machine?

Code:
certutil -verifyctl AuthRoot | findstr /i "lastsynctime"
certutil -verifyctl Disallowed | findstr /i "lastsynctime"

If so, you can probably export this registry key on a working machine, and import it on a broken machine. Restart the computer just for fun, and try WU again.

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
 

certutil -verifyctl AuthRoot | findstr /i "lastsynctime"

03/19/23

certutil -verifyctl Disallowed | findstr /i "lastsynctime"

8/24/23

Ironically 8/22/23 was the last successful update
 

Yikes. Mine were updated today, for comparison.
 

Are those 600+ PCs in another group in the firewall? Perhaps in that group some needed domains are blocked?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
I exported the registry key from my working computer onto 2 test machines, updates immediately started downloading. Now my question is why are those certificates not updating?
 

Are those 600+ PCs in another group in the firewall? Perhaps in that group some needed domains are blocked?
No, all of our 3200 machines are on the exact same firewall settings.
 

Could be a GPO, do you have this registry key? This is the GPO to disable root cert updates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
 

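The checks suggested so far in the thread (CTL sync times, the root-update policy key, and the 80072F8F log entries) can be collected per machine with a read-only script. This is an added example, not part of any post in the thread; it assumes the `AutoUpdate` subkey stores `LastSyncTime` and `DisallowedCertLastSyncTime` as 8-byte FILETIME values and that `DisableRootAutoUpdate` is the policy value in question, and `$MaxAgeDays` and `$LogPath` are illustrative parameters.

```powershell
# Added example, not from the thread. Read-only: changes nothing on the machine.
# Assumptions: AutoUpdate stores LastSyncTime / DisallowedCertLastSyncTime as
# 8-byte FILETIME values; $MaxAgeDays and $LogPath are illustrative parameters.
param(
    [int]$MaxAgeDays = 30,
    [string]$LogPath            # optional: file produced by Get-WindowsUpdateLog
)

$autoUpdate = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-CtlSyncTime {
    param([string]$ValueName)
    $item  = Get-ItemProperty -Path $autoUpdate -Name $ValueName -ErrorAction SilentlyContinue
    $bytes = if ($item) { $item.$ValueName } else { $null }
    if ($bytes -isnot [byte[]] -or $bytes.Length -lt 8) { return $null }
    # FILETIME is a little-endian 64-bit count of 100 ns ticks since 1601 (UTC)
    [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($bytes, 0))
}

$now  = [DateTime]::UtcNow
$ctls = foreach ($name in 'LastSyncTime', 'DisallowedCertLastSyncTime') {
    $t = Get-CtlSyncTime -ValueName $name
    [pscustomobject]@{
        Value       = $name
        LastSyncUtc = $t
        AgeDays     = if ($t) { [int]($now - $t).TotalDays } else { $null }
        Stale       = (-not $t) -or (($now - $t).TotalDays -gt $MaxAgeDays)
    }
}

# Policy key asked about in the thread; DisableRootAutoUpdate = 1 turns root updates off.
$policy     = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$autoUpdOff = [bool]($policy -and $policy.DisableRootAutoUpdate -eq 1)

# Count the TLS failures seen in the posted log, if a log file was supplied.
$tlsFailures = if ($LogPath -and (Test-Path -LiteralPath $LogPath)) {
    @(Select-String -LiteralPath $LogPath -Pattern '\*FAILED\* \[80072F8F\]').Count
} else { $null }

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    AuthRootAgeDays       = $ctls[0].AgeDays
    DisallowedAgeDays     = $ctls[1].AgeDays
    AnyCtlStale           = [bool]($ctls | Where-Object Stale)
    RootAutoUpdateOffByGP = $autoUpdOff
    Tls80072F8FLines      = $tlsFailures
}
```

Collected across the fleet, `AnyCtlStale` separates machines whose trust lists stopped syncing from the ones that are still updating.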
Could be a GPO, do you have this registry key? This is the GPO to disable root cert updates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
That key doesn't exist on this machine
 

Can you nslookup and ping ctldl.windowsupdate.com?
 

Can you nslookup and ping ctldl.windowsupdate.com?
I attached a photo with the results of both, it does ping it successfully.
 

Attachments

  • Screenshot 2025-07-08 134957.webp

Alrighty so you can get to the certs server on the Internets. Assuming the machines are healthy, I would say something is blocking their cert upgrade, but that doesn't make sense since it's not all of them. If it was all of them, I would throw something out like you have an internal cert server that's not updating or doesn't exist anymore, for example, but that's probably not it in your situation.
 

Alrighty so you can get to the certs server on the Internets. Assuming the machines are healthy, I would say something is blocking their cert upgrade, but that doesn't make sense since it's not all of them. If it was all of them, I would throw something out like you have an internal cert server that's not updating or doesn't exist anymore, for example, but that's probably not it in your situation.
The only common denominator I can find is it looks like all of these were upgraded from Windows 10 to Windows 11.
 

Can you try to manually trigger the cert update to see if that works?
Terminal with admin rights.
certutil -pulse

Afterwards check with (can take a few seconds after pulse before output shows):
certutil -verifyctl AuthRoot | findstr /i "lastsynctime"
 

Can you try to manually trigger the cert update to see if that works?
Terminal with admin rights.
certutil -pulse

Afterwards check with (can take a few seconds after pulse before output shows):
certutil -verifyctl AuthRoot | findstr /i "lastsynctime"
I will try this in the morning on another one
 

