TR Forums

As I understand it this error means WU had a problem with the ssl connection back to MS and usually that's just a case of making sure the computer is on the right date, time etc.

However I have a computer throwing up that error with the correct date etc set. It can also browse https websites in IE (even microsoft.com) without any problems.
Over the weeks I've had several goes at fixing it and I'm afraid I can't list all the things I've tried because... I'm stupid.

The windows update troubleshoot thing from here
https://support.microsoft.com/en-gb/ins ... bleshooter
doesn't find any problems.

I'm not noticing any certificate errors while visiting websites in IE.

EDIT: Forgot to add that MS Security Essentials is on this machine and that is still receiving updates. I assumed they came through windows update which confuses me even more.

Any suggestions?

Thanks

Are you sure you're configured for the correct time zone?

Double and triple checked all the time and date stuff including the timezone. Plus if that was out I should be seeing certificate errors on everything not just WU (I assume anyway).

I finally managed to sit down with this machine and get it "fixed".

Since an upgrade to 10 was on the cards anyway I thought I'd just do an in place upgrade and hope for the best. Just hoping for something doesn't do any good as things were exactly the same afterwards. Windows update gave the windows 10 version of the error (something along the lines of "Couldn't contact the update system") but Defender still downloaded it's updates fine. I did notice that it couldn't contact the activation servers either.

Anyway I did the obvious thing that I should have done at the start and had a closer look in the event logs which showed a bunch of schannel errors when running ran WU. A bit of googling suggested that I enable "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" in Local Security Policy (Local Policies => Security Options). A quick gpupdate /force and low and behold WU started working. Activation worked too.

So the reason I said "fixed" in the first line is that I'm not too sure what the implications are of leaving this setting on. It's not something I've ever had to touch before so I've no idea if it's safe to leave it like this. I know FIPS is supposed to be "government approved crypto" but aren't many of the FIPS standards very out of date?

Any suggestions?

So "Use FIPS compliant algorithms" us indeed bad M'kay. Apart from anything it broke several bits of software on this machine.

After chatting with one of the techs at the company who's software I suspect broke the machine in the first place he suggested I use this:
https://www.nartac.com/Products/IISCrypto/Download
which can set "best practice" settings for windows crypto stuff.

This seems to have fixed everything for me.

Hope someone else finds this useful.