Domain Controller not updating from WSUS server


I have just inherited some existing issues in my new Sys Admin position, as i have never used WSUS before i thought i would ask you fine people for some input!

All servers are 2008R2, 2 physical servers running Hyper-V and these run 8 Virtual machines, each physical has one domain controller on it.

One of the virtual domain controllers is not taking MS Updates, a few months ago it did then something happened and it changed, so WSUS is not updating it and when i try it manually i am getting Error code: 8000FFFF, the other DC is updating fine

When i check C:Windows windowsupdate

Setup    Downloading setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
Setup    Downloading setup package from http:local/selfupdate/WSUS3/x64/Vista
Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\Packages\WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256\
Misc     Microsoft signed: Yes


WARNING: LoadLibrary failed for srclient.dll with hr:8007007E
Setup    Staging setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
Setup    WARNING: CBS staging operation failed, error = 0x8000FFFF
Setup    FATAL: Failed to stage setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256", error = 0x8000FFFF
Setup    WARNING: Failed to stage applicable setup packages, error = 0x8000FFFF
Setup    FATAL: Downloading binaries for SelfUpdate failed, err = 0x8000FFFF
Agent      * WARNING: Skipping scan, self-update check returned 0x8000FFFF
Agent      * WARNING: Exit code = 0x8000FFFF

I have checked the registry as suggested in KB946414 and the values were not in it on the server running WSUS and the values are not there.

I tried installing the SURT but it just hangs about half way through, I have also just tried updating as normal and im getting event ids 1001 and 256, any thoughts on this?

Could it be folder permissions?

I have also looked at the group policy and when i check the settings, I'm getting: An error has occured while collecting data for administrative templates

namespace 'Microsoft policies........' is already defined as the target namespace for another file in the store

asked on Server Fault Mar 22, 2013 by Karl • edited Mar 22, 2013 by tombull89

3 Answers


Probably easier to start with a few standard things first, and then maybe rebuilding the Wnidows Update component, rather than rebuilding the DC totally (although this is a valid way of solving the problem, and probably not that much effort)

I would try running from an elevated command-prompt, the command 'wuauclt /detectnow /resetauthorization' you never know it may just fix it. But in this case, I do doubt it.

The next thing to do is to completely rebuild the Windows Update component. This has fixed problem-servers for me.

Follow the article KB971058

There is a fix-it utility on that page, or you can do it yourself (I prefer this method) by going to this link

Hope this helps.

answered on Server Fault Mar 22, 2013 by Snellgrove

Demote the problem DC. Trash it, and bring up a new box one. Or backwards, promote a new AD then decom the old VM.

answered on Server Fault Mar 22, 2013 by gregorcy

I had the same problem 1000 times on different machines. This di always the trick for me (found on

Set permissions for the CrytoServiceProvider:

answered on Server Fault Dec 23, 2014 by bjoster

User contributions licensed under CC BY-SA 3.0