On decommissioning of update servers for 2000, XP, (and Vista?) as of July 2019

[Dave-H]

1 hour ago, AstroSkipper said:

@Dave-H I am analyzing the automatic updates applet problem we both have. For me it doesn't matter actually I don't use automatic updates but you know I hate errors in my system. Using HTTPSProxy switched on and setting automatic updates to "Notify but don't automatically download or install them" could you trigger automatic updates by executing command wuauclt /resetauthorization /detectnow under two different conditions? First condition is to execute command proxycfg -u and second condition is to execute command proxycfg -d. Then I would like to ask you to upload a copy of your Windows Update log.

PS: And don't be afraid! None of these commands will harm your system.

OK, I'll give that a try and report back.
Since ticking "Automatically Detect Settings" in my Internet LAN settings I've not seen the Event Log error message, so that may well have fixed that.
I'll have to leave it a few more days to be sure though, the messages were appearing every 24 hours.

[ExtremeGrief]

2 hours ago, AstroSkipper said:

@ExtremeGrief Without WSUS proxy does automatic updates notification work in your system too?

Nope, only with it on, even if PrHP is on

[maile3241]

1 hour ago, AstroSkipper said:

And what else do you use? A bit more detailed information would be helpful!

As far as I can remember, the yellow shield only appeared after I checked for updates via the website for the first time. As you already know I only use httpsproxy.

[AstroSkipper]

34 minutes ago, ExtremeGrief said:

Nope, only with it on, even if PrHP is on

Thanks for clarifying! Good to know!

[AstroSkipper]

33 minutes ago, maile3241 said:

As far as I can remember, the yellow shield only appeared after I checked for updates via the website for the first time. As you already know I only use httpsproxy.

Ok, I have set Automatic Updates to "Notify but don't automatically download or install them", HTTPSProxy switched on and opened MU web site in IE without any searching. In this moment the yellow shield is popping up with update notification. Very strange! But anyway, thanks for more detailed information!

[AstroSkipper]

1 hour ago, AstroSkipper said:

Ok, I have set Automatic Updates to "Notify but don't automatically download or install them", HTTPSProxy switched on and opened MU web site in IE without any searching. In this moment the yellow shield is popping up with update notification. Very strange! But anyway, thanks for more detailed information!

@Dave-H Forget my previous request! Try what I did in quotation above!  And one thing is clear. If MU or WU can't find any urgent updates you won't get any notification. Therefore you either have to restore a suppressed update (that's what I did) or you have to uninstall a non-relevant lastly installed update (installer version of this update should be available in your system) to get the little yellow notification shield. Anyway I can report notification shield is now working even if IE isn't called up. And if you want to know why it is working all at once I'll say: Windows is a grab bag!

PS: That doesn't mean the problem is completely solved. Automatic Updates service (not MU web version) causes error code 0x80072EFE anyway. The game is not over yet!

Edited February 18, 2022 by AstroSkipper
addition

[Dave-H]

Well my system is already set up exactly as yours is now, and has been for some time, that is to say with Automatic Updates set to "notify" mode.
Presumably it was its checks which were generating the Event Log error messages, which seem to have now stopped, although I'll need another couple of days to confirm that.
Does that mean that it's now working?
As you say, I guess the only way to know for sure is to artificially trigger a missing update.
I do have some hidden hardware updates, I could just try unhiding one of those I guess.

[AstroSkipper]

14 minutes ago, Dave-H said:

Does that mean that it's now working?

As mentioned above I would say it's working at the moment but I don't really know why and unfortunately new updates won't come definitely. So we won't realize whether it is working or not. And I really meant what I said above:
 

Quote

Windows is a grab bag!

 

Edited February 18, 2022 by AstroSkipper
addition

[maile3241]

10 minutes ago, AstroSkipper said:

As mentioned above I would say it's working at the moment but I don't really know why and unfortunately new updates won't come definitely. So we won't realize whether it is working or not.

I added the proxy settings from httpsproxy to winhttp. Now the error is 0x80096010.

Edited February 18, 2022 by maile3241

[AstroSkipper]

14 minutes ago, maile3241 said:

I added the proxy from httpsproxy to winhttp. Now the error is 0x80096010.

When I had analyzed the problem I added HTTPSProxy to winhttp by executing command proxycfg -u and I got the same error code 0x80096010. Microsoft doesn't trust its own certificate of wuident.cab file all at once. Surprisingly!

Edited February 18, 2022 by AstroSkipper
addition

[Dave-H]

No sign of the yellow shield after unhiding one of my hidden hardware updates, but I guess that's because it's an optional update.
What I think I'll do now to test it is to uninstall the latest time zones update, as that will do no damage if there's a problem.
The last one for POSReady2009 was KB4501226, on 11/06/19.
That was widely considered to have been a mistake by Microsoft though, as support had ended, and it's not now available in the catalogue.
I have got its installation file, but I suspect that if I remove it, it won't appear as an update as it's effectively been withdrawn for POSReady2009.
The previous one was KB4487990, issued on 10/04/19.
I will try removing that, and see if Automatic Updates prompts me to reinstall it.

[AstroSkipper]

18 minutes ago, Dave-H said:

I will try removing that, and see if Automatic Updates prompts me to reinstall it.

You're right. Selecting a non-relevant lastly installed update is a safe way for testing. I think it will work. You know our systems are a bit like twins.

[xpandvistafan]

A little OT, but I found it interesting that 2 Microsoft Root Certificates expired in the past 2 years. One of them is the Microsoft Root Authority, signed using MD5 and valid from January 10, 1997 to December 31, 2020. The other one is the Microsoft Root Certificate Authority signed using SHA-1 and valid from May 9, 2001 to May 9, 2021. Both of the expiry dates lined up with Microsoft's SHA-1 deprecation plan.

[Compa]

2 hours ago, xpandvistafan said:

A little OT, but I found it interesting that 2 Microsoft Root Certificates expired in the past 2 years. One of them is the Microsoft Root Authority, signed using MD5 and valid from January 10, 1997 to December 31, 2020. The other one is the Microsoft Root Certificate Authority signed using SHA-1 and valid from May 9, 2001 to May 9, 2021. Both of the expiry dates lined up with Microsoft's SHA-1 deprecation plan.

Well, MD5 and SHA-1 have had known vulnerabilities in them for a while, to the point one could craft a backdoored file, or certificate or whatever, and it would return the same hash if they so wished.

https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/ I still remember this, and reading up on it.

It's no wonder MSFT decided to discontinue the SHA-1 endpoints as a result.

Edited February 19, 2022 by Compa

[AstroSkipper]

10 hours ago, xpandvistafan said:

A little OT, but I found it interesting that 2 Microsoft Root Certificates expired in the past 2 years. One of them is the Microsoft Root Authority, signed using MD5 and valid from January 10, 1997 to December 31, 2020. The other one is the Microsoft Root Certificate Authority signed using SHA-1 and valid from May 9, 2001 to May 9, 2021. Both of the expiry dates lined up with Microsoft's SHA-1 deprecation plan.

It's not as off-topic as you seem to think. Of course the validity of certificates are important to fix MU's error codes. On the other hand invalid certificates can still be used by system and are very often in use without any problems. The more difficult problem is an invalid signature of a file. And that's the reason for error code 0x80096010 relating to file wuident.cab. But usimg WSUS proxy method or using HTTPSProxy for accessing MU web site this error code does not occur. Now we have to find the reason for that and then we'll be able to solve error code 0x80096010 if fixing is necessary at all.

Edited February 19, 2022 by AstroSkipper
addition