Windows Update Failure on Server 2012 R2

JB Blanco
JB Blanco used Ask the Experts™
on
I have a WIndows Server 2012 R2 that is failing to install Windows Updates.  We pull updates from a WSUS server on our network

Getting an Error 0x80090352

Please see Pics below:

WIndowsUpdateError.png
WIndowsUpdateError2.png

I have tried the following:

stoped windows update service

removed windows update.log and software distribution folder.

restarted Windws Update Services.

Ran wuauclt /resetauthorization /detectnow

Made sure by looking at the log that the server is communicating with the Update Server.

Having a hard time finding any info on the internet about this error code
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
JB BlancoSr Systems Engineer

Author

Commented:
I should add that windows will download the updates no problem.

Its when it starts to install them, that I receive this error.  

Also it seems to look like its installing all the updates as the progress bar completely fills up.  But when it gets to the end, it says all 105 updates failed to install.
NikSystems Specialist

Commented:
Try this:

Resetting Windows Update Components will fix corrupt Windows Update Components and help you to install the Windows Updates. Please follow the below steps to reset the Windows Updates Components manually:
1. Press Windows Key + X on the keyboard and then select “Command Prompt (Admin)” from the menu.
2. Stop the BITS, Cryptographic, MSI Installer and the Windows Update Services. To do this, type the following commands at a command prompt. Press the “ENTER” key after you type each command.
•net stop wuauserv
•net stop cryptSvc
•net stop bits
•net stop msiserver
3. Now rename the SoftwareDistribution and Catroot2 folder. You can do this by typing the following commands in the Command Prompt. Press the “ENTER” key after you type each command.
•ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
•ren C:\Windows\System32\catroot2 Catroot2.old
4. Now, let’s restart the BITS, Cryptographic, MSI Installer and the Windows Update Services. Type the following commands in the Command Prompt for this. Press the ENTER key after you type each command.
•net start wuauserv
•net start cryptSvc
•net start bits
•net start msiserver

http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_update/unable-to-install-latest-windows-updates-for-x64/24888975-9612-4749-ad84-cfa9ee50f12b?page=2

Let me know how it goes.
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

Hector2016Systems Administrator and Solutions Architect

Commented:
According to this the error has to do with certificates and certification authorities.

SEC_E_ISSUING_CA_UNTRUSTED
0x80090352

An untrusted certificate authority was detected While processing the smartcard certificate used for authentication. Please contact your system administrator.
JB BlancoSr Systems Engineer

Author

Commented:
Thanks gonna give each of these a try
JB BlancoSr Systems Engineer

Author

Commented:
In response to Hector2016

I found that too,  but I checked and I cant find any certificate issue on the server.  I am looking at the Certification store on the local computer and I don't see any expired certs that would be causing this.

do you have any suggestions?  Is there a particular place else I can look?
JB BlancoSr Systems Engineer

Author

Commented:
To Nik

I just now tried everything you instructed and now when I check for updates I get Error Code 80096005 immediately
NikSystems Specialist

Commented:
If you receive error “0x80096005”, the error occurs because the URL cache on the destination computer does not contain an up to date certificate revocation list (CRL) for the timestamp countersignature that is used to sign the update.

For error "0x80096005":
If you receive error “0x80096005”, follow these steps to resolve the issue:
Download and install signtool command-line tool from Windows SDK under following links: http://msdn.microsoft.com/en-us/library/windows/desktop/aa387764.aspx
Start the Windows SDK Command Prompt as the same account that is used to install the Microsoft .NET Framework update.
Run following signtool command on the Windows SDK Command Prompt. It will verify the signature and help populate the CRL cache to the latest.

Signtool.exe verify /pa <Path Of the .NET Framework 4.0 Update>
If the computer cannot retrieve the CRL because of a disconnected network or a firewall block, the signtool may report the same error “0x80096005” (TRUST_E_TIME_STAMP).  To work around this issue, you can run following command on the Windows SDK Command Prompt.  It will disable the check to the revocation list on the time stamp signer.
setreg.exe 9 false
JB BlancoSr Systems Engineer

Author

Commented:
going to try this Nik,

just an FYI though this is on a Windows Server 2012 R2
JB BlancoSr Systems Engineer

Author

Commented:
also do I install this on the Server 2012 R2 in question? or do I install this on the WSUS server????
NikSystems Specialist

Commented:
on Windows Server 2012 r2 in question.
JB BlancoSr Systems Engineer

Author

Commented:
It wont install

cant install
NikSystems Specialist

Commented:
This article helped on several cases with windows update issues.

http://www.wincert.net/microsoft-windows/windows-update-not-working/

Could you please try to follow the steps and see if it helps.

If this is a newly installed server and above won't help, I would suggest do to a fresh install.
Sr Systems Engineer
Commented:
I was finally able to get it to work.  


I moved the Server from the current OU (Organizational Unit) it was in to a test OU.  Then i ran gpupdate /force and rebooted.

Once it came back up, i moved it back into the OU it was in and again did a Gpupdate /force and rebooted.

Updates are working fine now.

Dont really understand what caused the issue but at least it seemed to work.

thanks for everyones help!
JB BlancoSr Systems Engineer

Author

Commented:
i accepted my own comment above as an accepted solution since it ultimately fixed the issue
JB BlancoSr Systems Engineer

Author

Commented:
it is what utlimately fixed the issue

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial