You may receive the error 0x80072EFE (ERROR_INTERNET_CONNECTION_ABORTED: the connection was dropped before the update client received any response) when running Windows Update on Windows Server 2008, 2008 R2, 2012 and 2012 R2. Various fixes are suggested for it, from running the Microsoft Fix It tool to running Kaspersky's TDSSKiller rootkit remover.

I tried all of these tools and suggested fixes and none of them worked for me. One clue I did find was in WindowsUpdate.log in C:\Windows; the URL listed in the log is:

https://fe2.update.microsoft.com/v10/3/windowsupdate/selfupdate/wuident.cab

When I pasted this URL into Internet Explorer on the server it gave me a "page cannot be displayed" message (not a real HTTP 404: as it turned out, the TLS handshake never completed, so no HTTP response was ever received). Pasting the same URL into another near-identical server running on the same VMware host, on the same LAN, through the same virtual switch and internet-facing router, worked perfectly. Both servers were running Exchange 2013; the difference in configuration was that the working server was the Mailbox server and the non-working one was the CAS server.
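A quicker way to tell a TLS handshake failure apart from a genuine HTTP error is to drive the handshake yourself from PowerShell on the affected server. The following is an added example, not code from the original post: it uses .NET's SslStream, which on Windows sits on top of the same Schannel stack the Windows Update client uses, so it honours the same protocol and cipher-suite policy. The host name and port are parameters; the Tls12 value assumes .NET 4.5 or later is installed.

```powershell
# Added example (not part of the original post): probe a host's TLS handshake
# with Schannel, the same stack the Windows Update client uses.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        # Assumption: SslProtocols.Tls12 exists (.NET 4.5+). On older frameworks use 'Tls, Tls11'.
        [System.Security.Authentication.SslProtocols]$Protocols = 'Tls, Tls11, Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # $false = do not leave the inner stream open when the SslStream is disposed.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # No client certificate; check revocation like a browser would.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $true)
        [pscustomobject]@{
            Host        = $HostName
            Succeeded   = $true
            Protocol    = $ssl.SslProtocol
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Cipher      = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            Hash        = $ssl.HashAlgorithm
            Error       = $null
        }
    } catch {
        # A cipher-suite mismatch surfaces here as an AuthenticationException whose inner
        # Win32Exception reads "The client and server cannot communicate, because they do
        # not possess a common algorithm" (SEC_E_ALGORITHM_MISMATCH). No HTTP is involved.
        [pscustomobject]@{
            Host        = $HostName
            Succeeded   = $false
            Protocol    = $null
            KeyExchange = $null
            Cipher      = $null
            Hash        = $null
            Error       = $_.Exception.GetBaseException().Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Run this on both the failing and the working server and compare the rows.
Test-TlsHandshake -HostName 'fe2.update.microsoft.com' | Format-List
```

On the working server the row shows the negotiated protocol and cipher; on the broken one it shows Succeeded = False and the Schannel error text. Because SslStream and wuauclt share the Schannel policy, a failure here reproduces the 0x80072EFE condition without involving Windows Update at all.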

Initially, when the CAS server was built, Windows Update worked perfectly, and checking the installed-updates history revealed that it stopped working at the same time that I completed work to lock down SSL 3... Big clue here!

I ventured over to SSL Labs and ran an SSL scan against my CAS server. It showed that my server was locked down so that it would not support SSL 2 or SSL 3, would only support TLS 1.0, 1.1 and 1.2 (TLS 1.3 did not exist for these platforms; the original text's "1.3" was a typo), and, critically, would only offer the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

I then ran the same scan against the Windows Update server, fe2.update.microsoft.com, and it showed that the Windows Update server supported the following cipher suites:

TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Notice the mismatch: my server does not support a single one of the cipher suites that Microsoft Update supports. Every suite on my list uses ECDHE key exchange; every suite on Microsoft's list uses static RSA key exchange. With no suite in common, the TLS handshake fails before any HTTP request is sent, which is exactly the "connection aborted" error the update client reports. Basically, my server is too secure to talk to the Microsoft servers.

I understand that Microsoft have to maintain compatibility on the Windows Update servers to serve updates to older and unpatched operating systems, but I don't see why the newer, more secure cipher suites cannot be enabled alongside the old ones.

I used IIS Crypto to enable TLS_RSA_WITH_AES_256_CBC_SHA256, rebooted the server, and Windows Update is now running perfectly. One caveat: this suite uses static RSA key exchange, so sessions negotiated with it have no forward secrecy. Leave the ECDHE suites at the top of the cipher-suite order so that peers which support them still get forward secrecy, and the RSA suite is only used by peers like Windows Update that offer nothing better.
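What IIS Crypto does under the hood is write the cipher-suite order to the Schannel policy registry key. The following is an added example, not the post's own procedure and not IIS Crypto's code: it reads the local order from that key (falling back to Get-TlsCipherSuite on 2012 R2 and later), checks it against a remote server's list, and appends a missing suite if there is no overlap. The remote list is constructed from the SSL Labs result quoted above and will go stale, so re-scan before relying on it; the comparison strips the _P256/_P384/_P521 curve suffixes that pre-Windows 10 systems append to ECDHE suite names, which would otherwise hide a match.

```powershell
# Added example (not part of the original post): compare local Schannel cipher suites with
# a remote server's and enable one if there is no overlap. Requires an elevated prompt to write.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-LocalCipherSuites {
    # Group Policy and IIS Crypto store the order as a comma-separated REG_SZ named "Functions".
    $functions = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($functions) {
        return @($functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    # No policy override: fall back to the OS default order (Windows 8.1 / 2012 R2 and later).
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    }
    throw "No policy order set and Get-TlsCipherSuite is unavailable; inspect Local\SSL\00010002 manually."
}

function Normalize-SuiteName {
    # Older Windows names ECDHE suites with a curve suffix, e.g. ..._SHA384_P256; strip it.
    param([string]$Name)
    return ($Name -replace '_P(256|384|521)$', '')
}

function Compare-CipherSuites {
    param([string[]]$Local, [string[]]$Remote)
    $localNorm = @($Local | ForEach-Object { Normalize-SuiteName $_ })
    $common    = @($localNorm | Where-Object { $Remote -contains $_ })
    [pscustomobject]@{
        Common       = $common
        CanHandshake = ($common.Count -gt 0)
        # First suite in the remote list (which is in our preference order) that we lack.
        Suggested    = ($Remote | Where-Object { $localNorm -notcontains $_ } | Select-Object -First 1)
    }
}

function Add-CipherSuite {
    param([Parameter(Mandatory)][string]$Name)
    $current = @(Get-LocalCipherSuites)
    if ($current -contains $Name) { return $current }
    # Append rather than prepend: ECDHE suites stay preferred for peers that support them.
    $new = $current + $Name
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value ($new -join ',') -Type String
    # Schannel reads this value at boot, so a reboot is still required.
    return $new
}

# Constructed from the post: suites SSL Labs reported for fe2.update.microsoft.com, reordered
# into the order we would be willing to add them (RC4 and 3DES last; never pick them first).
$WindowsUpdateSuites = @(
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA'
)

$result = Compare-CipherSuites -Local (Get-LocalCipherSuites) -Remote $WindowsUpdateSuites
$result | Format-List
if (-not $result.CanHandshake) {
    Write-Warning "No common cipher suite; enabling $($result.Suggested). Reboot for Schannel to pick it up."
    Add-CipherSuite -Name $result.Suggested
}
```

Run Compare-CipherSuites first with the write step commented out if you only want the diagnosis; on the locked-down CAS server in the post, Common comes back empty and Suggested is TLS_RSA_WITH_AES_256_CBC_SHA256, the same suite the post enabled through IIS Crypto.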