Hello Technet community,

Since the last 2 weekends Windows Update error code 80072F8F has been plaguing my new Surface Pro 2 w/Windows 8.1 which: 1. Is joined to a domain. 2. Has a domain account which is also a Local Admin and it is linked to a Microsoft Account. 3. Correctly receives machine GPOs at boot (1st via wireless computer Auth THEN (after) via Domain User Re-Auth after login). What I've tried so far: - clean boot & restore windows updates (either aggressively and/or through the MS Fixit). - The NTP setup follows a domain hierarchy (UTC+9.30 updated every 3mins.); all domain members are NT5DS clients & they correctly recognise and receive the same time from the PDC emulator. - No Proxies in between (just a standard nat). - The following sites have been added to the trusted sites (as per http://support.microsoft.com/kb/818018/en-au):

• http://update.microsoft.com
• https://update.microsoft.com
• http://*.update.microsoft.com
• https://*.update.microsoft.com
• http://download.windowsupdate.com

- The internet zones security has been either: 1. Set according to http://support.microsoft.com/kb/818018/en-au 2. Set to low for all zones. - The client firewall has been disabled. - The client AV (Windows Defender) has been disabled. - sfc /scannow reports no violations. - Root certificates have been manually refreshed (as per http://gavinmckay.wordpress.com/2010/09/28/howto-fixing-windows-update-error-code-80072f8f/ && http://www.danielfortier.com/?p=133). - Can't Open http://www.update.microsoft.com:443 (IE says this page can't be displayed). - The OS has been re-installed (many times now...). Interestingly enough:

• Before joining the Surface Pro 2 to the domain (ie. while playing w/a LocalAdmin Account...), Windows Update works.
• After joining the Surface Pro 2 w/Windows 8.1 to the domain, Windows Update stops working & reports error 80072F8F.

My personal conclusions is that this is a bug, 'though I'm no expert and I welcome your input :)

Here's an extract of my WindowsUpdate.log:
2013-11-30 18:32:30:482 908 9b8 Agent  * Online = Yes; Ignore download priority = No 2013-11-30 18:32:30:482 908 9b8 Agent  * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" 2013-11-30 18:32:30:482 908 9b8 Agent  * ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update 2013-11-30 18:32:30:482 908 9b8 Agent  * Search Scope = {Machine & All Users} 2013-11-30 18:32:30:482 908 9b8 Agent  * Caller SID for Applicability: S-1-5-21-1835897545-4208736467-1658248972-2678 2013-11-30 18:32:30:482 908 9b8 SLS Retrieving SLS response from server... 2013-11-30 18:32:30:482 908 9b8 SLS Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-GB;ru-RU;zh-HK&P=&PT=0x30&WUA=7.9.9600.16384 2013-11-30 18:32:30:686 908 9b8 Misc WARNING: Send failed with hr = 80072f8f. 2013-11-30 18:32:30:686 908 9b8 Misc WARNING: Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <None> 2013-11-30 18:32:30:686 908 9b8 Misc WARNING: Send request failed, hr:0x80072f8f 2013-11-30 18:32:30:686 908 9b8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-GB;ru-RU;zh-HK&P=&PT=0x30&WUA=7.9.9600.16384>. error 0x80072f8f 2013-11-30 18:32:30:686 908 9b8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072f8f 2013-11-30 18:32:30:686 908 9b8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f 2013-11-30 18:32:30:686 908 9b8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072f8f 2013-11-30 18:32:30:686 908 9b8 SLS FATAL: GetResponse failed with hresult 0x80072f8f... 2013-11-30 18:32:30:686 908 9b8 EP FATAL: EP: CSLSEndpointProvider::GetWUClientDataAndInitParser - failed to get SLS data, error = 0x80072F8F 2013-11-30 18:32:30:686 908 9b8 EP FATAL: EP: CSLSEndpointProvider::GetEndpointFromSLS - Failed to get client data and init parser, error = 0x80072F8F 2013-11-30 18:32:30:686 908 9b8 EP FATAL: Failed to obtain 9482F4B4-E343-43B6-B170-9A65BC822C77 redir SecondaryServiceAuth URL, error = 0x80072F8F 2013-11-30 18:32:30:686 908 9b8 Agent WARNING: Failed to obtain the authorization cab URL for service 117cab2d-82b1-4b5a-a08c-4d62dbee7782, hr=0 2013-11-30 18:32:30:686 908 9b8 Agent FATAL: Caller Service Recovery failed to opt in to service 117cab2d-82b1-4b5a-a08c-4d62dbee7782, hr=0X80072F8F 2013-11-30 18:32:30:686 908 9b8 SLS Retrieving SLS response from server... 2013-11-30 18:32:30:686 908 9b8 SLS Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-GB;ru-RU;zh-HK&P=&PT=0x30&WUA=7.9.9600.16384 2013-11-30 18:32:30:904 908 9b8 Misc WARNING: Send failed with hr = 80072f8f. 2013-11-30 18:32:30:904 908 9b8 Misc WARNING: Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <None> 2013-11-30 18:32:30:904 908 9b8 Misc WARNING: Send request failed, hr:0x80072f8f 2013-11-30 18:32:30:904 908 9b8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-GB;ru-RU;zh-HK&P=&PT=0x30&WUA=7.9.9600.16384>. error 0x80072f8f 2013-11-30 18:32:30:904 908 9b8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072f8f 2013-11-30 18:32:30:904 908 9b8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f 2013-11-30 18:32:30:904 908 9b8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072f8f 2013-11-30 18:32:30:904 908 9b8 SLS FATAL: GetResponse failed with hresult 0x80072f8f... 2013-11-30 18:32:30:904 908 9b8 EP FATAL: EP: CSLSEndpointProvider::GetWUClientDataAndInitParser - failed to get SLS data, error = 0x80072F8F 2013-11-30 18:32:30:904 908 9b8 EP FATAL: EP: CSLSEndpointProvider::GetEndpointFromSLS - Failed to get client data and init parser, error = 0x80072F8F 2013-11-30 18:32:30:904 908 9b8 EP FATAL: Failed to obtain 9482F4B4-E343-43B6-B170-9A65BC822C77 redir Client/Server URL, error = 0x80072F8F 2013-11-30 18:32:30:904 908 9b8 PT WARNING: PTError: 0x80072f8f 2013-11-30 18:32:30:904 908 9b8 PT WARNING: Initialization failed for Protocol Talker Context: 0x80072f8f 2013-11-30 18:32:30:904 908 9b8 Agent  * WARNING: Exit code = 0x80072F8F 2013-11-30 18:32:30:904 908 9b8 Agent ********* 2013-11-30 18:32:30:904 908 9b8 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdatesWuApp  Id = 2]

• gpresult /Z after domain-join: Supplied upon request.

Hey, thanks for your "sit and wait" answer.

Today I've tested Windows Update:

1. By first logging-in as a Local Admin (while joined to the domain).
2. By unjoining the Surface Pro 2 from the Domain.

Unfortunately I get the same error...

That would mean that even if I wanted, I couldn't follow your advice.

Apparently the only way to get updates on my Surface Pro 2 would be to wipe it, get the full updates & re-join the domain (to be repeated every time a new update is released :) ).

Today I joined a Windows Server 2012 R2 Datacenter to my 2012 Domain and it experienced the same 80072f8f issue.

To summarise, I experience this issue on all Win8.1 & Win2012R2 domain members.

Is it only me and 'DarkProcessor' (http://social.technet.microsoft.com/Forums/windows/en-US/45116c40-07ae-450f-b64a-e824e46591b1/windows-update-error-80072f8f-on-windows-81-enterprise?forum=w8itprogeneral&prof=required) experiencing it?

That's it, I'm done with it :)

• I fixed the 80072f8f error by redesigning my Domain from scratch.

The issue was one of my 50+ GPOs.

I confirm the above b/c on my new (blank) 2012 R2 dc the issue is non-existent.

• Marked as answer by amatesi Saturday, December 14, 2013 4:59 AM

That's it, I'm done with it :)

• I fixed the 80072f8f error by redesigning my Domain from scratch.

The issue was one of my 50+ GPOs.

I confirm the above b/c on my new (blank) 2012 R2 dc the issue is non-existent.

• Marked as answer by amatesi Saturday, December 14, 2013 4:59 AM

That's it, I'm done with it :)

• I fixed the 80072f8f error by redesigning my Domain from scratch.

The issue was one of my 50+ GPOs.

I confirm the above b/c on my new (blank) 2012 R2 dc the issue is non-existent.

• Marked as answer by amatesi Saturday, December 14, 2013 4:59 AM

Hi folks,

I have the same issue with a blank 2012 R2 domain....

Only 2 GPOs are effective:

-- Default Domain Policy : Default Settings

- Company Global Policy :

- Computer Configuration (Enabled)
-- Policies
--- Windows Settings
---- Security Settings
----- Public Key Policies/Trusted Root Certification Authorities

Company Root CA Company Root CA 14.01.2024 22:41:18 <All> 

--- Administrative Templates
---- Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
----- Server authentication certificate template - Enabled  

Certificate Template Name: RemoteDesktopComputer 

Additional information:

The Domain is being set up with an Enterprise CA (Root CA offline, Sub CA online) while the hashing algorithm has been defined as SHA512.

No WSUS has been implemented.

My Windows Update log:

2014-01-30	16:41:10:869	 816	1070	SLS	Retrieving SLS response from server...
2014-01-30	16:41:10:869	 816	1070	SLS	Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-US&P=&PT=0x8&WUA=7.9.9600.16422
2014-01-30	16:41:11:058	 816	1070	Misc	WARNING: Send failed with hr = 80072f8f.
2014-01-30	16:41:11:058	 816	1070	Misc	WARNING: Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <None>
2014-01-30	16:41:11:058	 816	1070	Misc	WARNING: Send request failed, hr:0x80072f8f
2014-01-30	16:41:11:058	 816	1070	Misc	WARNING: WinHttp: SendRequestUsingProxy failed for <HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-US&P=&PT=0x8&WUA=7.9.9600.16422>. error 0x80072f8f
2014-01-30	16:41:11:058	 816	1070	Misc	WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072f8f
2014-01-30	16:41:11:058	 816	1070	Misc	WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f
2014-01-30	16:41:11:058	 816	1070	Misc	WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072f8f
2014-01-30	16:41:11:058	 816	1070	SLS	FATAL: GetResponse failed with hresult 0x80072f8f...
2014-01-30	16:41:11:058	 816	1070	EP	FATAL: EP: CSLSEndpointProvider::GetWUClientDataAndInitParser - failed to get SLS data, error = 0x80072F8F
2014-01-30	16:41:11:058	 816	1070	EP	FATAL: EP: CSLSEndpointProvider::GetEndpointFromSLS - Failed to get client data and init parser, error = 0x80072F8F
2014-01-30	16:41:11:058	 816	1070	EP	FATAL: Failed to obtain 9482F4B4-E343-43B6-B170-9A65BC822C77 redir Client/Server URL, error = 0x80072F8F
2014-01-30	16:41:11:058	 816	1070	PT	WARNING: PTError: 0x80072f8f
2014-01-30	16:41:11:058	 816	1070	PT	WARNING: Initialization failed for Protocol Talker Context: 0x80072f8f
2014-01-30	16:41:11:058	 816	1070	PT	WARNING: PTError: 0x80072f8f
2014-01-30	16:41:11:058	 816	1070	SLS	Retrieving SLS response from server...
2014-01-30	16:41:11:058	 816	1070	SLS	Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-US&P=&PT=0x8&WUA=7.9.9600.16422
2014-01-30	16:41:11:215	 816	1070	Misc	WARNING: Send failed with hr = 80072f8f.
2014-01-30	16:41:11:215	 816	1070	Misc	WARNING: Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <None>
2014-01-30	16:41:11:215	 816	1070	Misc	WARNING: Send request failed, hr:0x80072f8f
2014-01-30	16:41:11:215	 816	1070	Misc	WARNING: WinHttp: SendRequestUsingProxy failed for <HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-US&P=&PT=0x8&WUA=7.9.9600.16422>. error 0x80072f8f
2014-01-30	16:41:11:215	 816	1070	Misc	WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072f8f
2014-01-30	16:41:11:215	 816	1070	Misc	WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f
2014-01-30	16:41:11:215	 816	1070	Misc	WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072f8f
2014-01-30	16:41:11:215	 816	1070	SLS	FATAL: GetResponse failed with hresult 0x80072f8f...
2014-01-30	16:41:11:215	 816	1070	EP	FATAL: EP: CSLSEndpointProvider::GetWUClientDataAndInitParser - failed to get SLS data, error = 0x80072F8F
2014-01-30	16:41:11:215	 816	1070	EP	FATAL: EP: CSLSEndpointProvider::GetEndpointFromSLS - Failed to get client data and init parser, error = 0x80072F8F
2014-01-30	16:41:11:215	 816	1070	EP	FATAL: Failed to obtain 9482F4B4-E343-43B6-B170-9A65BC822C77 redir Reporting URL, error = 0x80072F8F
2014-01-30	16:41:11:215	 816	1070	PT	WARNING: PTError: 0x80072f8f
2014-01-30	16:41:11:215	 816	1070	Report	FATAL: OpenReportingWebServiceConnection, GetReportingServerUrl failed with error, hr = 0x80072F8F.
2014-01-30	16:41:11:215	 816	1070	Report	WARNING: HandleEvents, OpenReportingWebServiceConnection, with NULL CallerIdentity failed with error, hr = 0x80072F8F.
2014-01-30	16:41:11:215	 816	1070	Report	WARNING: Reporter failed to upload events with hr = 80072f8f.
2014-01-30	16:43:11:853	 816	6f4	AU	###########  AU: Uninitializing Automatic Updates  ###########
2014-01-30	16:43:11:853	 816	6f4	WuTask	Uninit WU Task Manager
2014-01-30	16:43:12:018	 816	6f4	Service	*********
2014-01-30	16:43:12:018	 816	6f4	Service	**  END  **  Service: Service exit [Exit code = 0x240001]
2014-01-30	16:43:12:018	 816	6f4	Service	*************

What could be the reason for this?

Calling the 

HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-US&P=&PT=0x8&WUA=7.9.9600.16422

is resulting in downloading the (probably) expected CAB File without any issues.

Cheers,

Matthias

Ok, that's quite a solution you gave ;-)

We are having the same problem and we manage 700+ servers so recreating a forest from scratch is not even possible. Can somebody eager to find a very difficult problem a solution for it? The error is still

0x80072f8f

Hi Michael140,

I found a solution:

Disable TLS 1.2 by following the below steps:
- On the server open the registry and browse to the following location: HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols
- Create the following Key under Protocol: TLS 1.2
- Create the following two Keys under TLS 1.2: Client and Server
- Create the following DWORDs under both the Client and Server Key: DisabledByDefault and Enabled
- Under both Client and Server set the following: DisabledByDefault=1 and Enabled =0
- Reboot the server.

retry Windows Update :)

Note: This is based on SHA512 - if you're choosing SHA256 throughout the chain, everything is running fine.

Kind regards,

Matthias

• Edited by Matthias R. Wiora [MSFT]Microsoft employee 21 hours 21 minutes ago

Hi Michael140,

I found a solution:

Disable TLS 1.2 by following the below steps:
- On the server open the registry and browse to the following location: HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols
- Create the following Key under Protocol: TLS 1.2
- Create the following two Keys under TLS 1.2: Client and Server
- Create the following DWORDs under both the Client and Server Key: DisabledByDefault and Enabled
- Under both Client and Server set the following: DisabledByDefault=1 and Enabled =0
- Reboot the server.

retry Windows Update :)

Note: This is based on SHA512 - if you're choosing SHA256 throughout the chain, everything is running fine.

Kind regards,

Matthias

• Edited by Matthias R. Wiora [MSFT]Microsoft employee Friday, July 24, 2015 10:02 AM

Hi Michael140,

I found a solution:

Disable TLS 1.2 by following the below steps:
- On the server open the registry and browse to the following location: HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols
- Create the following Key under Protocol: TLS 1.2
- Create the following two Keys under TLS 1.2: Client and Server
- Create the following DWORDs under both the Client and Server Key: DisabledByDefault and Enabled
- Under both Client and Server set the following: DisabledByDefault=1 and Enabled =0
- Reboot the server.

retry Windows Update :)

Note: This is based on SHA512 - if you're choosing SHA256 throughout the chain, everything is running fine.

Kind regards,

Matthias

• Edited by Matthias R. Wiora [MSFT]Microsoft employee Friday, July 24, 2015 10:02 AM

Hi Michael140,

I found a solution:

Disable TLS 1.2 by following the below steps:
- On the server open the registry and browse to the following location: HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols
- Create the following Key under Protocol: TLS 1.2
- Create the following two Keys under TLS 1.2: Client and Server
- Create the following DWORDs under both the Client and Server Key: DisabledByDefault and Enabled
- Under both Client and Server set the following: DisabledByDefault=1 and Enabled =0
- Reboot the server.

retry Windows Update :)

Note: This is based on SHA512 - if you're choosing SHA256 throughout the chain, everything is running fine.

Kind regards,

Matthias

• Edited by Matthias R. Wiora [MSFT]Microsoft employee Friday, July 24, 2015 10:02 AM

Ok, tried it but maybe I'm missing something

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

On old win2003 and win2008 all are updating fine but newly win2012R2 it isn't. Is there a new protocol or something else that came with updates? We are using a hardware firewall for internet on servers. Maybe we need to update firmware on that?

• Edited by Michael140 55 minutes ago

Ok, 2 workarounds that work;

1. Attach the server to a port directly attached to internet (without firewall/proxy/...). Updates will work and put server back on internal network and disconnect internet cable

2. Execute command -> w32tm /debug /enable /file:%userprofile%\desktop\time.txt /size:4000000 /entries:0-300. After 2 or 3h waiting retry to update the server.

Ok, tried it but maybe I'm missing something

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

On old win2003 and win2008 all are updating fine but newly win2012R2 it isn't. Is there a new protocol or something else that came with updates? We are using a hardware firewall for internet on servers. Maybe we need to update firmware on that?

• Edited by Michael140 Monday, July 27, 2015 6:27 AM