Fix for 0x8024400E Errors on WSUS Clients

Friday, April 3, 2009
You may have problems with WSUS clients that are not able to download updates from WSUS. Check the %SystemRoot%\Windows\WindowsUpdate.log file for the following error:

2009-03-27 11:55:29:193 1044 afc PT WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200

Resetting the client by clearing the SoftwareDistribution folder and forcing the Automatic Updates client to detect new updates results in the same error.

This is caused by a revision to the 'Office 2003 Service Pack 1' update. It results in some WSUS 3.0 servers enter an inconsistent state with respect to the update's approvals. When computers with products related to Office 2003 sync to a WSUS server with this revision, the web service is unable to process the approvals resulting in the detection failure.

To fix this problem, approve and then decline the Office 2003 Service Pack 1 update in WSUS. Here are the steps to do this:

  • Open the WSUS Administration console

  • Find the Office 2003 Service Pack 1 update in the updates list. You may have to change the Approval and Status filters to find it. Set the Status to Any and the Approval to Declined. If you still don't see it then set the Approval to Any except Declined.

  • First, make sure the update is declined. If the update is not yet declined, right click on the update and decline it.

  • Next, approve the update. Right-click the update and select the Approve... option in the context menu. Click OK in the Approve Updates dialog that opens (no need to change any options here). Dismiss the Approval Progress dialog that appears.

  • Next, decline the update. Right-click the update and select Decline.

The computers that were failing detection will now successfully complete detection against the WSUS server and receive any applicable updates.

Note: If you have a hierarchy of WSUS servers, these steps must be performed on each server, starting with the top-level server. If one of the servers is a replica downstream server, you must first change it to be autonomous, then perform the steps above, then change it back to being a replica. This can be done from the Options/Update Source and Proxy Server Dialog in the WSUS Administration console.

Also, take a look at KB 954960 - Some computers do not receive updates from the WSUS server. It includes a hotfix for WSUS 3.0 SP1 servers that prevents the problem from reoccurring.