How To Fix Error 80072EFD On Small Business Server 2008

For several months, I had a client with a Small Business Server 2008 that just would not update. It worked for a while and just suddenly quit after a round of updates through automatic update. No matter what I tried from confirming network connectivity, checking firewall settings, adding and re-adding the update sites to firewall exceptions, disabling anti-virus applications and software accelerators to spending long hours reading Technet articles and suggested fixes from Microsoft, and a thorough step-by-step  here, the problem would not go away and kept giving “Windows can’t connect to update…”  error 80072efd.

I finally found a solution in the notes I took while researching this problem that worked, at least temporarily, to allow updates to the server. I am not sure who the original provider of this solution is, but if I come across it again, I will surely give them credit for it.

It appears that the major cause of the 0x80072efd error, at least on the SBS 2008, is a misconfiguration or meltdown of Windows Server Update Services (WSUS) and it can happen if your network goes out of alignment or something screws up like if your NT AUTHORITYNETWORK SERVICE  entry in the registry says 0 instead of 1.

Since WSUS is a core part of SBS 2008 and is supposed to pull updates from Microsoft and distribute the updates to computers on your network, when you call for updates, the agent goes to http://server:8530 expecting to communicate with the Windows Update Server locally. A problem with WSUS will affect the ability of  the update agent to pull down updates since the WUAgent gets no response back from an assigned WSUS server. It then throws up error 80072efd.

A quick and dirty fix is to temporarily hide or remove the local server and allow the agent to pull down updates directly from the Microsoft website. To do this, I uninstalled WSUS and edited the Windows Update entry in the registry.
To edit the registry:

  • Click Start > Run > type “regedit” without the quotes, and accept the UAC prompt to continue
  • Navigate to HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate
  • Look at the keys in that folder, if they look something like this:
    that means Windows Update is trying to look for updates on your own server. Chances are those updates don’t exist on the server (unless you have a successful installation of WSUS which was not our case).
  • Delete the “WindowsUpdate” key from the registry at HKLMSoftwarePoliciesMicrosoftWindows.  I’d recommend you export this to a .reg file to be safe. Right-click on the folder and select “export” to save.
  • Restart the Windows Update service. (located in Start > Run > type “services.msc” without quotes), or Start > Administrative Tools > Services > Windows Update Service (for those who like doing things the hard way).

If you don’t even see the HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate folder then this probably doesn’t apply to you.

This worked for me and I was able to update a server that had not been updated since November 2009!

After making sure that all updates were current, I went back and added WSUS as a role causing a fresh install of the update server. Your mileage may vary on this one. Make sure you have a reliable backup of your server before messing with the registry, and do this on a weekend just in case things go sour for you.

Good luck.