Error 0x8024b304 in Windows Update, and when adding Optional Features

Question

Error 0x8024b304 is being displayed by Windows Update, and attempting to install Optional Features via the Settings applet also fails with 0x8024b304.

I am using Windows Server Update Services on my local network - many other machines on the network correctly download updates from WSUS. I've recently completely re-installed Windows Server Update Services on the server, which had no effect on the error - it still shows up in exactly the same way.

This is what I see from Windows Update:

Yes, I have a properly configured Group Policy controlling the Windows Update parameters network-wide.

This is what is seen from the Optional Features page:

I used PowerShell to obtain the Windows Update logs via Get-WindowsUpdateLog, and the pertinent couple of lines from the generated log file are:

WS error: There was an error communicating with the endpoint at 'https://xxx.xxx.xxx:8531/ClientWebService/client.asmx'.
FAILED [8024B304] Web service call

I can browse the URL from Edge without issue:

Being able to browse the WebService with Edge, without seeing any error reported, makes me wonder what the "error communication with endpoint" message above is actually indicating. Of course, 0x8024b304 is not documented anywhere I can find, so that by itself is unhelpful. I've even used Microsoft's error utility which typically shows at least a semblance of an error message, but it simply shows this:

C:\> Err_6.4.5.exe 0x8024B304
# No results found for hex 0x8024b304 / decimal -2145078524
# NOT FOUND: 0x8024B304

A couple of notes:

1. I've restarted my computer three times.
2. I have reinstalled Windows, albeit with the option to keep my files and settings. That didn't work.
3. If I rename the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key, and restart the Update Orchestrator and Windows Update services, I can download updates. The settings present in that key are the same across the network due to Group Policy, however for sake of completeness here's a screenshot of that:

Details about the machine: Windows 10 Pro Windows version is: 21H1 OS Build is 19043.1526 Windows Feature Experience Pack 120.2212.4170.0 is installed.

Answer 1

0x8024b304 indicates WU_E_TRUST_PROVIDER_UNKNOWN - chances are this means there is a certificate in the local computer certificate store that is either revoked, or out of date, or otherwise invalid that is getting in the way of Windows Update trusting the Windows Server Update Services server.

For me, the problem was my local Certification Authority root certificate was installed incorrectly in the "Intermediate Certification Authorities\Certificates" store - once I removed that cert I was able to restart the Windows Update service and successfully install Windows Updates.

Since I use Group Policy to distribute the root certificate for my domain, this document fits the symptoms, and may offer a reliable workaround.

If the above doesn't resolve the issue, check the local machines certificate store (certlm.msc) for the presence of a "WindowsServerUpdateServices" Certificate Store. If the store contains more than zero certificates, the certificate presented by the Windows Server Update Services server must be present for the Windows Update service to be able to communicate with the WSUS server. Either remove the certificates from that store, or import the WSUS server's certificate, and try checking for updates. See this site for details.