🟡 Medium   ⏱ 5–30 min  Last verified: 30 May 2026
Affected versions: Windows Server 2019

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

WSUS cannot download updates, leaving servers unpatched and out of compliance.

Environment & Reproduction

Windows Server 2019 WSUS with HTTPS upstream and proxy inspection changes.

Get-WsusServer
Get-WinEvent -LogName Application -MaxEvents 80 | Where-Object Message -match 'WSUS|Windows Server Update Services'

Root Cause Analysis

Missing root/intermediate certificates or TLS inspection breaks trust validation to upstream update endpoints.

Quick Triage

Check WSUS sync status and test TLS connectivity from the WSUS host.

Test-NetConnection download.windowsupdate.com -Port 443
netsh winhttp show proxy

Step-by-Step Diagnosis

Inspect SoftwareDistribution sync logs and Schannel errors for certificate failures.

Get-WinEvent -LogName System -MaxEvents 120 | Where-Object ProviderName -eq 'Schannel'
certutil -verify -urlfetch C:Tempupstream.cer
Illustrative mockup for windows-server-2019 — terminal_or_powershell
WSUS sync diagnostics and certificate checks — Illustrative mockup — Progressive Robot

Solution — Primary Fix

Import required CA certificates and reset WSUS synchronization components.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

certutil -addstore -f root C:Tempcorp-root.cer
wsusutil reset
Restart-Service WsusService
Illustrative mockup for windows-server-2019 — event_or_log_viewer
WSUS and Windows Update error events — Illustrative mockup — Progressive Robot

Solution — Alternative Approaches

Bypass SSL interception for Microsoft update domains in proxy policy.

netsh winhttp set proxy proxy-server='http=proxy.contoso.local:8080;https=proxy.contoso.local:8080' bypass-list='*.windowsupdate.com;*.microsoft.com'

Verification & Acceptance Criteria

WSUS sync completes without SSL errors and new updates appear in console.

Get-WsusServer | ForEach-Object { $_.GetSubscription().StartSynchronization() }

Rollback Plan

Remove recently imported certificates if chain trust was misapplied.

certutil -delstore root

Prevention & Hardening

Monitor certificate expiry and keep proxy allowlists aligned with Microsoft endpoints.

Get-ChildItem Cert:LocalMachineRoot | Select Subject,NotAfter

Common with Schannel 36882/36885 and WinHTTP proxy misconfiguration.

Related tutorial: View the step-by-step tutorial for Windows Server 2019.

View all Windows Server 2019 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn: WSUS synchronization and TLS certificate requirements.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.