WSUS: Downloadmgr error 0x80072AFC after approving updates

I was talking with my good friend Joao Madureira about some of the recent issues he's been seeing on WSUS and he pointed me to an interesting one where you get an 0x80072AFC error after approving updates.  We didn't see a lot of documentation on this already so we decided to post his analysis here:

========

Issue: After approving updates in WSUS 3.x , download manager shows error 0x80072AFC saying that updates cannot be downloaded.  The BITS service may also be paused. You will also see the following in the Windowsupdate.log:

7.1.6001.65, tz: -0600) ===========
2009-01-28 22:28:54:953 2420 15ac Misc = Process: C:\WINDOWS\system32\wuauclt.exe
2009-01-28 22:28:54:953 2420 15ac AUClnt Launched Client UI process
2009-01-28 22:28:55:000 2420 15ac Misc =========== Logging initialized (build: 7.1.6001.65, tz: -0600) ===========
2009-01-28 22:28:55:000 2420 15ac Misc = Process: C:\WINDOWS\system32\wuauclt.exe
2009-01-28 22:28:55:000 2420 15ac Misc = Module: C:\WINDOWS\system32\wucltui.dll
2009-01-28 22:28:55:000 2420 15ac CltUI AU client got new directive = 'Download Progress', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0x00000000
2009-01-28 22:28:55:000 2420 15ac CltUI AU client creating default WU/WSUS UI plugin
2009-01-28 22:28:55:344 824 127c DnldMgr Error 0x80072afc occurred while downloading update; notifying dependent calls.
2009-01-28 22:28:55:344 824 1094 AU AU checked download status and it changed: Downloading is paused
2009-01-28 22:28:55:344 2420 15ac CltUI AU client got new directive = 'Shutdown', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0x00000000

Cause: This can occur if the clients are unable to access any or all of the following sites and WSUS is set not to store updates locally:

Many times this can occur if the clients access the Windows Update website through a server that is running Microsoft Internet Security and Acceleration (ISA) Server and that server requires authentication.

For more details on this see KB885819You experience problems when you access the Windows Update Version 6 Web site through a server that is running ISA Server.

More Information: When updates are set to not be stored locally, the client machines will be using the Microsoft Update website to download the updates. The agent will get the approvals from WSUS and create a BITS job to handle the downloads, then BITS will create the Winhttp request for the Microsoft Update site.  If the client cannot reach the websites it will generate error 0x80072AFC and will retry the download again later.

Resolution:   To resolve this issue configure the clients to download the updates from the WSUS server instead of from Windows Update.  This requires that we configure WSUS to download and store the updates locally.  To do this, open the WSUS admin console and select Update files and languages:

image

Then check Download update files to this server only when updates are approved:

image

By doing this the client machines will use WSUS to download the updates instead of Microsoft Update.

A special thanks to Joao Madureira and Rich Pesenko for putting in the labor to get this tracked down and bringing it to my attention.  Thanks guys!

J.C. Hornbeck | Manageability Knowledge Engineer