Sometimes WSUS has issues synchronizing with the upstream server – usually Microsoft, but it can be a local upstream server. Why these errors happen can be for many reasons.

Microsoft requires several websites to be accessible through the firewall to synchronize. These are hostname-based servers and not IP addresses because for scalability and redundancy, these servers can have multiple IP addresses. Your firewall should allow access to these websites outbound.

Microsoft sometimes has issues with a specific product. Sometimes it is temporary, but other times it is a permanent error because the product was accidentally released to the public.

This unfortunately is harder to figure out and must be figured out through trial and error. It requires you to manually deselect several update products in WSUS options (usually following the rule of half noted below) and then initiate a sync manually.

• • • If the issue doesn’t exist anymore and the sync is successful, then you will need to add back the products you selected in groups to figure out which product is the culprit causing the errors in synchronizing (again, usually following the rule of half).
    • If the issue still exists, you can re-select all the products you just deselected and then deselect the other half and then initiate a sync manually.

In the event that it is temporary, adding the product back in a few days will give Microsoft enough time to fix the problem and syncing will return to normal.

In the event that the issue is permanent, such as for the “Windows Insider Dev Group” product that was accidentally released to the public, WSUS Automated Maintenance has a tool called Remove-WsusProduct that will completely remove the aforementioned product from the WSUS database.