Update assessment fails "Windows update API failed to assess the machine for available updates" 0x80240438

Question

Update assessment fails "Windows update API failed to assess the machine for available updates" 0x80240438

Steve Downey 5

I can run manual updates on my Windows server in Azure no problem, but the Update manager assessment always fails with the error "Windows update API failed to assess the machine for available updates" 0x80240438

Bipan Chaudhary 0 Reputation points

2025-11-28T14:01:55.38+00:00

It worked for me. I missed *.delivery.mp.microsoft.com in azure firewall-Application rules

My error was:

Assessment failed due to this reason: "6 errors reported. The latest 3 errors are shared in details. To view all errors, review this log file on the machine:[C:\WindowsAzure\Logs\Plugins\Microsoft.CPlat.Core.WindowsPatchExtension\1.5.75] "["Windows update API failed to assess the machine for available updates. Error:Exception from HRESULT: 0x80072F8F, Hresult:2147954402"]." "["Windows update API failed to assess the machine for available updates. Error:Exception from HRESULT: 0x80072F8F, Hresult:2147954402"]."

1 answer

Your answer

Bipan Chaudhary 0 Reputation points

2025-11-28T14:01:55.38+00:00

It worked for me. I missed *.delivery.mp.microsoft.com in azure firewall-Application rules

My error was:

Assessment failed due to this reason: "6 errors reported. The latest 3 errors are shared in details. To view all errors, review this log file on the machine:[C:\WindowsAzure\Logs\Plugins\Microsoft.CPlat.Core.WindowsPatchExtension\1.5.75] "["Windows update API failed to assess the machine for available updates. Error:Exception from HRESULT: 0x80072F8F, Hresult:2147954402"]." "["Windows update API failed to assess the machine for available updates. Error:Exception from HRESULT: 0x80072F8F, Hresult:2147954402"]."

Answer 1

Vinodh247 40,051 MVP Volunteer Moderator

Hi ,

Thanks for reaching out to Microsoft Q&A.

The error code 0x80240438 with the message "Windows update API failed to assess the machine for available updates" typically indicates that your Azure VM cannot reach the Windows Update service endpoints when azure update manager (or Update Management) runs its assessment. Manual updates work because you are initiating them interactively, but the assessment runs under system context and depends on proper outbound connectivity. The most common causes are blocked outbound access in NSGs or firewalls, missing proxy configuration, or restricted internet access due to private networking. To fix this, ensure the VM can reach Windows Update endpoints such as *.windowsupdate.com, *.update.microsoft.com, and *.delivery.mp.microsoft.com over ports 80 and 443. If the VM is in a private subnet without internet, you will need to configure an outbound proxy or use azure update manager private endpoints. Once network connectivity to the update service endpoints is available, the assessment should succeed.

Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

Steve Downey 5 Reputation points

2025-09-10T09:30:42.3933333+00:00

Thank you for your response, I have tested those sites on ports 80 & 443 and get the error "Local Error: DNSResolution", even though I have allowed port 53 outbound in my NSG.

I am using Azure VM domain controllers as our DNS servers, all VMs have outbound internet connectivity.
Vinodh247 40,051 Reputation points MVP Volunteer Moderator

2025-09-14T12:11:58.7866667+00:00

The issue is with DNS resolution rather than ports. Since your VMs use domain controllers as DNS, those DCs must be able to resolve external names. You need to configure DNS forwarders on the DCs (for example, azure DNS 168.63.129.16 or a public resolver) so they can forward queries for external domains like windowsupdate.microsoft.com. Once the forwarders are set and tested with nslookup, your vm's will resolve update endpoints correctly and the azure update manager assessment will succeed.
Steve Downey 5 Reputation points

2025-09-18T12:53:26.1766667+00:00

I have google dns forwarders set and added 168.63.129.16 (which couldn't resolve).
I can nslookup windowsupdate.microsoft.com no problem but this issue still remains.
There are no errors in our firewall logs or event logs relating to this.
Outbound port 53 is already allowed in our NSG, so i don't know what to do.
Vinodh247 40,051 Reputation points MVP Volunteer Moderator

2025-09-23T15:28:03.3333333+00:00

If DNS and port 53 are good, usually the issue is either (a) TLS outbound on 443 blocked to *.windowsupdate.com / *.delivery.mp.microsoft.com, or (b) WSUS GPO redirecting updates away from microsoft update. Do you want me to give you a PowerShell script that runs through all the required endpoint checks (DNS + 443 connectivity + WSUS registry check)
Steve Downey 5 Reputation points

2025-09-30T16:02:04.7733333+00:00

Can you send me the script please. The VMs already have full internet access through port 443
Steve Downey 5 Reputation points

2025-10-06T15:29:37.1733333+00:00

In the registry and group policy I noticed we had a server set as WSUS, which we don't use so I removed that and the Update Assessment has run successfully now :)
Vinodh247 40,051 Reputation points MVP Volunteer Moderator

2025-10-07T16:00:31.1666667+00:00

Thanks for sharing Steve

Share via

Update assessment fails "Windows update API failed to assess the machine for available updates" 0x80240438

1 answer

Your answer