Windows Update Failure on Server 2012 R2

I have a WIndows Server 2012 R2 that is failing to install Windows Updates.  We pull updates from a WSUS server on our network

Getting an Error 0x80090352

Please see Pics below:


I have tried the following:

stoped windows update service

removed windows update.log and software distribution folder.

restarted Windws Update Services.

Ran wuauclt /resetauthorization /detectnow

Made sure by looking at the log that the server is communicating with the Update Server.

Having a hard time finding any info on the internet about this error code
JB BlancoSr Systems EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JB BlancoSr Systems EngineerAuthor Commented:
I should add that windows will download the updates no problem.

Its when it starts to install them, that I receive this error.  

Also it seems to look like its installing all the updates as the progress bar completely fills up.  But when it gets to the end, it says all 105 updates failed to install.
Sajid Shaik MSystem AdminCommented:
NikSystems SpecialistCommented:
Try this:

Resetting Windows Update Components will fix corrupt Windows Update Components and help you to install the Windows Updates. Please follow the below steps to reset the Windows Updates Components manually:
1. Press Windows Key + X on the keyboard and then select “Command Prompt (Admin)” from the menu.
2. Stop the BITS, Cryptographic, MSI Installer and the Windows Update Services. To do this, type the following commands at a command prompt. Press the “ENTER” key after you type each command.
•net stop wuauserv
•net stop cryptSvc
•net stop bits
•net stop msiserver
3. Now rename the SoftwareDistribution and Catroot2 folder. You can do this by typing the following commands in the Command Prompt. Press the “ENTER” key after you type each command.
•ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
•ren C:\Windows\System32\catroot2 Catroot2.old
4. Now, let’s restart the BITS, Cryptographic, MSI Installer and the Windows Update Services. Type the following commands in the Command Prompt for this. Press the ENTER key after you type each command.
•net start wuauserv
•net start cryptSvc
•net start bits
•net start msiserver

Let me know how it goes.
OWASP: Threats Fundamentals

Learn the top ten threats that are present in modern web-application development and how to protect your business from them.

Hector2016Systems Administrator and Solutions ArchitectCommented:
According to this the error has to do with certificates and certification authorities.


An untrusted certificate authority was detected While processing the smartcard certificate used for authentication. Please contact your system administrator.
JB BlancoSr Systems EngineerAuthor Commented:
Thanks gonna give each of these a try
JB BlancoSr Systems EngineerAuthor Commented:
In response to Hector2016

I found that too,  but I checked and I cant find any certificate issue on the server.  I am looking at the Certification store on the local computer and I don't see any expired certs that would be causing this.

do you have any suggestions?  Is there a particular place else I can look?
JB BlancoSr Systems EngineerAuthor Commented:
To Nik

I just now tried everything you instructed and now when I check for updates I get Error Code 80096005 immediately
NikSystems SpecialistCommented:
If you receive error “0x80096005”, the error occurs because the URL cache on the destination computer does not contain an up to date certificate revocation list (CRL) for the timestamp countersignature that is used to sign the update.

For error "0x80096005":
If you receive error “0x80096005”, follow these steps to resolve the issue:
Download and install signtool command-line tool from Windows SDK under following links:
Start the Windows SDK Command Prompt as the same account that is used to install the Microsoft .NET Framework update.
Run following signtool command on the Windows SDK Command Prompt. It will verify the signature and help populate the CRL cache to the latest.

Signtool.exe verify /pa <Path Of the .NET Framework 4.0 Update>
If the computer cannot retrieve the CRL because of a disconnected network or a firewall block, the signtool may report the same error “0x80096005” (TRUST_E_TIME_STAMP).  To work around this issue, you can run following command on the Windows SDK Command Prompt.  It will disable the check to the revocation list on the time stamp signer.
setreg.exe 9 false
JB BlancoSr Systems EngineerAuthor Commented:
going to try this Nik,

just an FYI though this is on a Windows Server 2012 R2
JB BlancoSr Systems EngineerAuthor Commented:
also do I install this on the Server 2012 R2 in question? or do I install this on the WSUS server????
NikSystems SpecialistCommented:
on Windows Server 2012 r2 in question.
JB BlancoSr Systems EngineerAuthor Commented:
It wont install

cant install
NikSystems SpecialistCommented:
This article helped on several cases with windows update issues.

Could you please try to follow the steps and see if it helps.

If this is a newly installed server and above won't help, I would suggest do to a fresh install.
JB BlancoSr Systems EngineerAuthor Commented:
I was finally able to get it to work.  

I moved the Server from the current OU (Organizational Unit) it was in to a test OU.  Then i ran gpupdate /force and rebooted.

Once it came back up, i moved it back into the OU it was in and again did a Gpupdate /force and rebooted.

Updates are working fine now.

Dont really understand what caused the issue but at least it seemed to work.

thanks for everyones help!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JB BlancoSr Systems EngineerAuthor Commented:
i accepted my own comment above as an accepted solution since it ultimately fixed the issue
JB BlancoSr Systems EngineerAuthor Commented:
it is what utlimately fixed the issue
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Applications

From novice to tech pro — start learning today.