
Windows 10 Time Refresh KI

WinX: W32Time: Time skews if DJ client can't access SSL Time Server ... http://webcache.googleusercontent.com/search?q=cache:tw3bl6-5KH8J:h...
1 of 13
This is Google's cache of https://support.microsoft.com/en-us/kb/3138270. It is a snapshot of the page as it
appeared on 8 May 2016 16:08:09 GMT.
26-05-2016 18:01
WinX: W32Time: Time skews if DJ client can't access SSL Time Server at boot
Symptoms
System time incorrectly reverts to a previous date and time on domain-joined Windows 10 (Version 1511, OS Build 10586.xx) computers that boot on a private network after previously booting from a public network that has access to SSL time servers on the internet.
Specifically, system time may revert to the time value stored under the following registry path and setting rather than use the correct value obtained from the local NTP server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits
Pertinent logs show:
413 151553 17:36:47.2887167s - ClockDispln Discipline: Check and set secure time
414 151553 17:36:47.2888630s - Setting the system time because it is outside the secure time limits.
415 151553 17:36:47.2888919s - Current system time: 17:36:47.288 12/10/2015    <<- Time from NTP
416 151553 17:36:47.2889102s - Target system time: 17:29:32.33 12/7/2015    <<- Time from SecureTimeLimits registry
417 151550 17:29:32.0328739s - ClockDispln Discipline: *SET*SECURE*TIME*
Other symptoms include but are not limited to:
System Time jumps when viewed in the time applet (may correct every ~ 3 seconds)
Events in the event log have invalid time stamps in the past or future
Kerberos authentication fails
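A detection check for the log signature quoted above, as an added example that is not part of the original article: it scans W32Time debug log text for the "outside the secure time limits" event and reports how far the clock was moved. The function names are hypothetical, and reading the fractional field of the "Current/Target system time" values as unpadded milliseconds and the date as month/day/year are assumptions drawn from the excerpt.

```python
import re
from datetime import datetime, timedelta

# Log excerpt copied from the article (inline annotations removed).
SAMPLE_LOG = """\
413 151553 17:36:47.2887167s - ClockDispln Discipline: Check and set secure time
414 151553 17:36:47.2888630s - Setting the system time because it is outside the secure time limits.
415 151553 17:36:47.2888919s - Current system time: 17:36:47.288 12/10/2015
416 151553 17:36:47.2889102s - Target system time: 17:29:32.33 12/7/2015
417 151550 17:29:32.0328739s - ClockDispln Discipline: *SET*SECURE*TIME*
"""

# hh:mm:ss.mmm M/D/YYYY (assumed: milliseconds are not zero padded)
_TS = re.compile(r"(\d{1,2}):(\d{2}):(\d{2})\.(\d{1,3})\s+(\d{1,2})/(\d{1,2})/(\d{4})")


def parse_ts(text):
    """Parse a 'Current/Target system time' value; return None if absent."""
    m = _TS.search(text)
    if not m:
        return None
    hh, mm, ss, ms, month, day, year = map(int, m.groups())
    return datetime(year, month, day, hh, mm, ss, ms * 1000)


def find_secure_time_sets(log_text, threshold=timedelta(hours=15)):
    """Return one finding per secure-time clock set found in the log text."""
    findings, armed, current = [], False, None
    for line in log_text.splitlines():
        if "outside the secure time limits" in line:
            armed, current = True, None
        elif armed and "Current system time:" in line:
            current = parse_ts(line.split("Current system time:", 1)[1])
        elif armed and "Target system time:" in line:
            target = parse_ts(line.split("Target system time:", 1)[1])
            if current and target:
                delta = target - current
                findings.append({"current": current, "target": target,
                                 "delta": delta,
                                 # a jump into the past larger than the threshold
                                 "rollback": delta < -threshold})
            armed = False
    return findings


if __name__ == "__main__":
    for f in find_secure_time_sets(SAMPLE_LOG):
        kind = "ROLLBACK" if f["rollback"] else "adjustment"
        print(f"{kind}: {f['current']} -> {f['target']} ({f['delta']})")
```

A finding with `rollback` set on a machine that has no route to the internet matches the symptom described here and is a reason to inspect the SecureTimeLimits values.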
Repro Steps
1. Domain join a build 1511 Windows 10 computer to an Active Directory domain.
2. Boot the computer on a public network that has access to SSL Time servers on the internet, causing Secure Time and high confidence values to be saved in the registry.
3. Shut down the computer so that Secure Time and high confidence are persisted in the registry.
4. Boot the same Windows 10 computer on a private network with no network access to SSL Time Servers, thus causing the SecureTimeAggregator.dll to never load.
5. W32time starts up and initially rejects the secure time value in the registry because of the large tickcount, although the confidence value is high.
6. After some runtime, the large tickcount from the registry becomes valid. W32time considers the secure time from the registry to be valid and of high confidence.
7. If the current system clock is outside the secure time range by more than 15 hrs, the system clock is set by w32time to the incorrect time in the \SecureTimeLimits registry setting value.
Cause
The Windows Time service incorporates a new feature called Secure Time Synchronization which is enabled
when the client recognizes SSL servers for time sync and then is unable to locate them afterward.
This scenario may occur on a domain-joined Windows 10 computer residing on a network that has internet access, and is able to reach the SSL servers for time sync and subsequently configures itself to use Secure Time Synchronization.
Time rollback can occur when such computers are later restarted on a network without internet access. The SSL Crypto DLL is not loaded because no SSL connections are made (by design), which results in the registry not getting cleared.
The W32time service notices around startup, based on the tick count, that the SSL time in the registry is bogus, but uses it after some time because the tick count becomes legitimate.
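The decision sequence from Repro Steps 5 to 7 and the Cause section, as a simplified model added here for illustration (it is not W32Time source code or code from the article). The rule that a stored tick count is rejected while it exceeds the current uptime, the millisecond tick unit, and the use of the estimated value as the set target are assumptions; the confidence threshold and the 15-hour limit are the article's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HIGH_CONFIDENCE = 6             # article: SecureTimeConfidence >= 6 is high confidence
MAX_SKEW = timedelta(hours=15)  # article: clock is set when off by more than 15 hrs


@dataclass
class SecureTimeLimits:
    """Values persisted under ...\\W32Time\\SecureTimeLimits (names from the article)."""
    confidence: int
    tick_count_ms: int   # SecureTimeTickCount; the millisecond unit is an assumption
    low: datetime        # SecureTimeLow
    estimated: datetime  # SecureTimeEstimated
    high: datetime       # SecureTimeHigh


def decide(limits, uptime_ms, clock):
    """Return (decision, resulting system clock) for one check of the secure time."""
    if limits is None:                       # registry cleared: nothing to enforce
        return "no-secure-time", clock
    if limits.confidence < HIGH_CONFIDENCE:
        return "low-confidence", clock
    # Assumed validity rule: a tick count above the current uptime cannot have
    # been recorded during this boot, so the value is rejected (repro step 5).
    if limits.tick_count_ms > uptime_ms:
        return "rejected-tick-count", clock
    if limits.low - MAX_SKEW <= clock <= limits.high + MAX_SKEW:
        return "within-limits", clock
    # Repro step 7; using the estimated value as the target is an assumption.
    return "set-secure-time", limits.estimated


def replay_private_network_boot(limits):
    """Replay a boot with no SSL time source; the clock is correct (from NTP)."""
    boot = datetime(2015, 12, 10, 14, 0, 0)  # constructed boot time
    results = []
    for uptime in (timedelta(minutes=10), timedelta(hours=4)):
        ms = int(uptime.total_seconds() * 1000)
        results.append(decide(limits, ms, boot + uptime))
    return results


# Constructed stale data: saved on 7 Dec 2015 by a boot with about 3.5 h of uptime.
_seen = datetime(2015, 12, 7, 17, 29, 32)
STALE = SecureTimeLimits(confidence=8, tick_count_ms=12_600_000,
                         low=_seen - timedelta(minutes=5), estimated=_seen,
                         high=_seen + timedelta(minutes=5))

if __name__ == "__main__":
    for label, limits in (("stale registry", STALE), ("registry cleared", None)):
        for decision, clock in replay_private_network_boot(limits):
            print(f"{label:17} {decision:20} clock={clock}")
```

With the stale values the model rejects the data ten minutes after boot and rolls the clock back once uptime passes the stored tick count, which is why the symptom shows up hours after startup; with the registry cleared no rollback occurs.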
Resolution
This behavior is suboptimal and the following two workarounds have been tested and will resolve the issue:
1. Track the status of bug 6257513.
Current status as of 2016.03.08 is that the problem is fixed in the Redstone 1 release of Windows 10. No backports have been requested due to lack of volume and impact.
The fix FI'd to rs1_release on 2/22. It should be available in rs1_release builds after that.
If you have an enlistment, you can verify using this cmd (the particular file was modified in this change):
sdv //depot/rs1_release/onecore/ds/security/services/w32time/lib/TimeHelperFunctions.cpp
The fix will be in Server 2016 TP2 release and the next Windows 10 client public release.
2. Workaround 1:
Once the machine is connected to the non-internet accessible network (Network2 in the above example), follow these commands, omitting the portion inside parentheses:
1. Net stop w32time (stop Time Service)
2. W32tm /unregister (unregister Time Service)
3. W32tm /register (register time service)
4. W32tm /start (starts Time Service)
5. W32tm /resync /force (Force sync the time ignoring the time delta between internal NTP/NT5DS server and the client)
3. Workaround 2:
The issue clears itself when the client machine connects to the internet. This may not always be possible, in which case the previous workaround should work.
4. Disabling the feature:
Although not recommended, the Secure Time Seeding feature can be disabled by setting this registry key to 0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\UtilizeSslTimeData
This change requires a reboot.
To re-enable, set the value to 1 and reboot. This will enable Secure Time Seeding.
More Information
Related Bugs
Bug #: WSSC 6257513
Synopsis: Marked for RS. The fix requires SecureTimeAggregator.dll to detect shutdown and clear the registry, as well as for W32time to detect the bad secure time scenario (as detected in step 5 above) and clear the registry.
Related Content
Resource
Synopsis
Related Social Media Threads
Resource
Synopsis
Related Cases
Case #: 115120913472420
Synopsis: Intermittently, workstation "WORKSTATION01", which runs Windows 10 Professional (Build 10586.17) and is a member of domain "corp.contoso.com", changes its date and time to "December 7th - 3:29 pm (GMT -3)" until it synchronizes with DC "DC1.corp.contoso.com" again.
Case #: 116022913767023
Synopsis: Cx mentioned he is deploying Windows 10 machines and after 2-3 hours post deployment, system time incorrectly reverts to a previous date and time on domain joined Windows 10 computers.
Case #: N/A
Synopsis: Internal customer = John Marlin on VM computer on Microsoft network. Worked around by disabling time sync in VM guest + manually setting time to good value. Feb 2016.
Case #: N/A
Synopsis: Internal customer = Ryan Sokolowski on or ~ 2016.03.07 for ~ 2 weeks time.
These values are added to the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Config
UseSslTimeData: DWORD type (nonzero value == Use the SSL time data. We don't want to ask users to turn this feature off using this for transient issues because they will never turn it back on even in situations where it would help them. Let's keep this as the last option.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\SecureTimeLimits
SecureTimeConfidence: DWORD type (>= 6 is high confidence and we want the ability to change this definition as needed)
SecureTimeTickCount: QWORD type (local machine tick count when the secure time was determined.)
SecureTimeHigh/Estimated/Low: QWORD type (high/estimated/low values of the determined "secure time range").
There are new debug flags to capture this feature. Please use this updated command line from an
administrative command prompt to gather data that includes the new feature:
W32tm /debug /enable /file:c:\w32time.log /size:10000000 /entries:0-1100
A restart is required for this to take effect on the SSL data collection part. This generates 2 log files named
c:\w32time.log*.
NTP goes only so far in supplying us with reliable time and it has been a single point of failure in the NTP
server chain. That is the reason we imposed limits on the changes we accept over NTP because we are not
certain if the time we are receiving over NTP is always good. This new feature is the backup mechanism to
prevent spurious time changes on each machine using SSL based time.
This feature is to securely determine the time to within ±15 hours accuracy of the actual time and use this
information in combination with existing secured/unsecured NTP to sync time. The combined solution will
help maintain time securely, accurately and in a scalable fashion on all connected Windows clients.
Windows client is being designed to be increasingly a connected OS. As with existing versions of Windows,
SSL/PKI is the primary choice for secure network communication over the internet for OS components as
well as for applications. There is an ongoing effort by OSG Security to improve the SSL performance in
Windows by centralizing some of the SSL Certificate processing to reduce duplication in certificate
validation and other related performance improvements.
SSL protocol uses server system time and various time stamps as part of its handshake. This time information
in isolation is not very accurate for time synchronization purposes. However, the centralization of SSL
processing gives us sufficient information from various SSL connections to allow us to securely compute an
approximate secure time on the client that is good enough to be used for synchronization purposes.
Time information can be gleaned securely from SSL connections to Microsoft and non-Microsoft servers and
can be used to boot strap system time on the client to allow unsecure NTP to synchronize time more
precisely.
Tablets and other newer Windows client devices depend solely on a rechargeable battery to power their
system clocks, including when the device is turned off/hibernating. Draining of batteries leads to the system
clock being reset to a random value in most cases.
Secure network protocols, including SSL, depend on client system time. A number of applications and
scenarios break when the client system time is grossly incorrect.
In the battery discharge scenario, we cannot correctly synchronize clocks securely over the network if the system time is set to a random value. Fixing system time securely requires us to solve a circular dependency between time and security.
Since Windows Client OS implicitly trusts Microsoft Product servers and to some extent trusts servers
w/certs pinned to the Microsoft Root CA, the client could ignore time based restrictions on these connections
to break the circular dependency between secure protocols and client system time.
As mentioned above, time information can be gleaned securely from SSL connections to Microsoft and
non-Microsoft servers and can be used to boot-strap system time on the client.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The
information contained herein is provided as-is in response to emerging issues. As a result of the speed in
making it available, the materials may include typographical errors and may be revised at any time without
notice. See Terms of Use for other considerations.
Properties
Article ID: 3138270 - Last Review: 04/28/2016 02:15:00 - Revision: 15.0
Applies to
Windows 10
Keywords:
KB3138270