Windows Update Error 0x80072F8F — SSL/TLS Security Error Fix

What Does This Error Mean?

Windows Update error 0x80072F8F means Windows could not establish a secure connection to Microsoft's update servers. This is a security (SSL/TLS) error — Windows checks that the server's security certificate is valid before downloading anything. The most common cause is your PC's date and time being set wrong, which makes valid certificates appear expired or not yet valid. Fixing your system clock usually resolves this error immediately.

Affected Models

Windows 10
Windows 11
Windows 7
Windows 8.1

Common Causes

System date or time is set incorrectly, causing SSL certificate validation to fail
System time zone is wrong, which can shift the apparent date enough to invalidate certificates
The CMOS battery on the motherboard is dying, causing the clock to reset to an old date after each restart
Windows does not have the latest root certificates installed, making newer server certificates appear untrusted
A proxy server, firewall, or network device is intercepting the HTTPS connection and presenting an untrusted certificate

How to Fix It

Check and fix your PC's date and time. Right-click the clock in the bottom-right corner of the taskbar and select Adjust date/time. Turn on 'Set time automatically' and 'Set time zone automatically'. Click Sync now.

An incorrect year, month, or even day can cause every SSL certificate check to fail. This is the fix for the vast majority of 0x80072F8F errors.
If the time keeps resetting after a restart, the CMOS battery in your PC may be dead. This is a small coin-sized battery on the motherboard that keeps the clock running when the PC is powered off. Replacement batteries cost under $5 at any electronics store.

Desktop PCs are easy to replace the CMOS battery in. On laptops it requires partial disassembly — a technician can do this quickly.
Update your root certificates. Windows Update normally handles this, but if updates are blocked, download the latest root certificate update from Microsoft's Update Catalog at catalog.update.microsoft.com and install it manually.

Search the catalog for 'root certificate update' and install the most recent one for your Windows version.
Check your internet security software. Some firewalls and parental control tools perform SSL inspection that can interfere with Windows Update. Temporarily disable any such software and try updating again.

Products known to cause this include some versions of ESET, Kaspersky, and certain router-level parental controls.
Run the Windows Update Troubleshooter. Go to Settings > System > Troubleshoot > Other troubleshooters and run the Windows Update troubleshooter. It checks for network and certificate configuration problems.

The troubleshooter can detect and fix some certificate trust store issues automatically.

When to Call a Professional

If your date and time are correct and root certificate updates do not fix it, the issue may be on your network. A corporate IT department or ISP using SSL inspection (a security practice that intercepts HTTPS traffic) can cause this. Contact your network administrator if you are on a work network.

Frequently Asked Questions

Why does the wrong date cause update errors?

SSL certificates have a 'valid from' and 'valid until' date built into them. Your PC checks that today's date falls within that range before trusting the certificate. If your PC thinks it is the year 2010 and the certificate was issued in 2024, your PC sees an invalid certificate and refuses to connect. The same happens in reverse — if your clock is years ahead, the certificate looks expired. This is a security feature designed to prevent the use of old, revoked certificates.

What is SSL inspection and does it affect home users?

SSL inspection is a technique used by corporate networks, schools, and some parental control systems. It intercepts encrypted HTTPS traffic, decrypts it to scan for threats, then re-encrypts it and sends it on. To do this, it presents its own certificate instead of the real server's certificate. If Windows does not trust that certificate, you get this error. At home with a standard ISP connection, SSL inspection is not the cause — set the right time and date and the error will go away.

Can I check which certificate is failing?

Yes, using a web browser. Open Edge or Chrome and try to navigate to windowsupdate.microsoft.com. If there is a certificate error, the browser will show you a warning with details about which certificate failed and why. This gives you more specific information about whether it is a date problem, an untrusted root, or a network-level inspection issue.