Windows 10: WSUS Error 0x8024401c

One of my customers encountered the problem when trying to update new PCs running Windows 10 1607 and Windows Server 2016 from the internal WSUS server (running Windows Server 2012 R2). The computers running Windows 10 are displayed in WSUS console, but when searching for updates, a client takes a long time to find them and finally returns the error 0x8024401c.

According to the list of Windows Update error codes, error 0x8024401C means the client response timeout: WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT — HTTP status 408 — the server timed out waiting for the request.

In the new Windows 10 WindowsUpdate.log, the error related to WSUS timeout is also registered from time to time.

2017-08-29 11:14:21:870  816 1244 WS WARNING: There was an error communicating with the endpoint at 'http://dub-wsus:8530/ClientWebService/client.asmx'.
2017-08-29 11:14:21:870  816 1244 WS WARNING: There was an error receiving the HTTP reply.
2017-08-29 11:14:21:870  816 1244 WS WARNING: The operation did not complete within the time allotted.
2017-08-29 11:14:21:870  816 1244 WS WARNING: The operation timed out

The page http://dub-wsus:8530/ClientWebService/client.asmx is available and successfully opened on the client side, and it seems that the WSUS server or the client just don’t have enough time to perform some operation, so the client gets disconnected due to the timeout. During the initial search, a client may get a too huge list of updates and some limits of IIS workflow are exceeded.

To solve the issue with clients, I had to install KB3159706 update on my WSUS server first (Wndows Server 2012 R2 Update 1 has to be installed on the server).

In the KB 3159706 (Update enables ESD decryption provision in WSUS in Windows Server 2012 and Windows Server 2012 R2), pay attention to manual operations to be performed after the update is installed (or WSUS console may not open next time).

• Run the command “C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing 
• Check if .NET Framework 4.5 -> HTTP Activation is installedGet-WindowsFeature -Name NET-WCF-HTTP-Activation45 If not, install it:
• If SSL is used in WSUS, edit C:\Program Files\Update Services\WebServices\ClientWebService\Web.config according to the recommendations in the article (in our case, we didn’t have to do it).
• Edit the config file (C:\Program Files\Update Services\WebServices\ClientWebService\web.config) by replacing <httpRuntime maxRequestLength="4096" /> to<httpRuntime maxRequestLength="204800" executionTimeout="7200"/>
• Restart WSUS service using PowerShell: Get-Service -Name WsusService | Restart-Service -Verbose

Then using IIS Manager, make the following changes to WsusPool settings (Application Pools -> WsusPool -> Advanced settings)

• Private Memory Limit (KB) – 0 (the previous value was 1258015. A value of 0 means that  the limit on memory usage by WSUS workflow is removed, so the service may use more than 1.2 GB of memory)
• Queue Length – 25000 (increase the length of the queue to the pool from 10000)
• Limit Interval (minutes) — 15 (increase the time to reset the counters and run CPU Throttling from 5 to 15 minutes)
• Service Unavailable Response — TcpLevel (with the previous value, HttpLevel, error HTTP 503 is returned to the client, now the connection is simply dropped)

Then change the value of Connection Time-out from 180 to 320 in WSUS Administration -> Advanced settings.

Now restart IIS:

IISReset

We increased the timeouts and resources of the server, necessary to Windows 10 clients to search and check for updates on WSUS Update server. The next day all clients were able to find and install the necessary updates.