Upcoming Update to WSUS (KB 2887535)

We recently announced on the Microsoft Update Product Team Blog a set of changes made to the Windows Update Agent. In an effort to provide additional protection for our WSUS customers, we are releasing an update that enhances the security of Windows Update, the Microsoft Update (WU/MU) Client, and Windows Server Update Services. The update applies to WSUS 3.0 SP2, as well as the WSUS role running on Windows Server 2012 and Windows Server 2012 R2.

Improvements include further hardening of the infrastructure used by WU/MU client and the communication channel between WU/MU Client and Service. Additionally, the communication channel between WSUS and WU/MU service has been hardened. This update to WSUS also rolls up all prior updates.

Details on the changes to the WU/MU client can be found at KB 2887535.

Details and additional considerations for the update to WSUS can be found at KB 2938066.

Downloads

The following files are available for download from the Microsoft Download Center:

All supported x64-based versions of Windows Server 2012 R2 Download the package now.
All supported x64-based versions of Windows Server 2012 Download the package now.
Update for WSUS 3.0 SP2 Download the package now.

Comments

  • Anonymous
    January 01, 2003
    Good job. Thank you.
  • Anonymous
    January 01, 2003
    thank you
  • Anonymous
    January 01, 2003
    thank you
  • Anonymous
    January 01, 2003
    thank you
  • Anonymous
    July 09, 2014
    Hi,
    why is KB2938066 not showing up in WSUS itself like KB2720211 was?
  • Anonymous
    July 14, 2014
    Hello guys,

    after installing the update on my WSUS upstream server, I am getting error when the machine tries to self-update itself.

    The WSUS agent got updated. Here is the part of the log. Can you advice please?

    Agent *************
    Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
    Agent *********
    Agent * Online = Yes; Ignore download priority = No
    Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    Agent * Search Scope = {Machine}
    Setup Checking for agent SelfUpdate
    Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320
    Misc Validating signature for C:WindowsSoftwareDistributionSelfUpdatewuident.cab with dwProvFlags 0x00000080:
    Misc Microsoft signed: NA
    Misc Validating signature for C:WindowsSoftwareDistributionSelfUpdateTMPC435.tmp with dwProvFlags 0x00000080:
    Misc FATAL: Error: 0xc000000d when verifying trust for C:WindowsSoftwareDistributionSelfUpdateTMPC435.tmp
    Misc WARNING: Digital Signatures on file C:WindowsSoftwareDistributionSelfUpdateTMPC435.tmp are not trusted: Error 0xc000000d
    Setup FATAL: Ident cab verification failed with error 0XC000000D
    Setup WARNING: SelfUpdate check failed to download package information, error = 0xC000000D
    Setup FATAL: SelfUpdate check failed, err = 0xC000000D
    Agent * WARNING: Skipping scan, self-update check returned 0xC000000D
    Agent * WARNING: Exit code = 0xC000000D
    Agent *********
    Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
    Agent *************
    Agent WARNING: WU client failed Searching for update with error 0xc000000d
    AU >>## RESUMED ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
    AU # WARNING: Search callback failed, result = 0xC000000D
    AU # WARNING: Failed to find updates with error code C000000D
    AU #########
    AU ## END ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
    AU #############
  • Anonymous
    July 14, 2014
    So, I just found out that the problem occurs on other servers (WS2008 R2 SP1) as well. Do not exactly know how to resolve it, if it is related to the WSUS ifrastructure secured with TLS certificate (we use that) or so...

    All our WSUS servers had previously installed WSUS 3.0 SP2 with KB2720211 and KB2734608 and it worked like a charm.

    After installing the KB2938066 some of our systems started to show problems... :-(
  • Anonymous
    July 21, 2014
    @JohnnyH, try this: stop wu service, delete C:WindowsSoftwareDistribution folder and start wu service
  • Anonymous
    July 21, 2014
    @Thomas: Already tried, unfortunatelly with no success...

    Here is the thread on MS Social Technet forums I started:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/a006e173-2113-41c7-b119-cd1610414fe0/wsus-30-sp2-troubles-after-installing-kb2938066-0xc000000d?forum=winserverwsus
  • Anonymous
    August 01, 2014
    So... is this release STABLE?? Should I apply it to WSUS 3.0 SP2 on Server 2008 R2 Standard?
    My WSUS has 12 downstream servers and patches 2,000 clients total.
  • Anonymous
    August 06, 2014
    Is there any chance that a similar issue could be occurring where clients are unable to interact over HTTPS with WSUS 6.2 (Server 2012) after KB2937636 is installed on the WSUS server? I'm noticing a new issue recently where our SCCM 2012 R2 OSD task sequence "Install Software Update" steps are timing out after 30 minutes without finding any updates to install, but then the required updates install fine after the task sequence completes. It might not be related, but it sounds like it could be related, and KB2937636 does indicate that KB2919355 (listed here) had already made the Windows Update changes in April 2014 that KB2937636 later did in July 2014.
  • Anonymous
    August 06, 2014
    And FYI, we are an HTTPS only shop.
  • Anonymous
    August 06, 2014
    Forgive me, I meant to make this comment over on an earlier post: (http://blogs.technet.com/b/wsus/archive/2014/04/08/windows-8-1-update-prevents-interaction-with-wsus-3-2-over-ssl.aspx)
  • Anonymous
    August 15, 2014
    I too am seeing a failure to update with a C000000D error code after installing the 7.6.7600.320 update (Win7-SP1-64 bit available from here:http://support.microsoft.com/kb/2887535 ). Restoring the system to prior to the installation of this update restores the ability to download updates. I would appreciate a fix because our corporate powers that be are mandating that this new update be used.
  • Anonymous
    August 21, 2014
    Spotted a similar issue on a number of Windows 2012/R2 servers a few days ago and my wsus server is on win2012 using ssl. To fix the broken clients I used the troubleshooting pack for windows update but it has it's issues.

    1. You need to download it to your servers first.
    2. Does not work with server core as the troubleshootingpack feature needs to present on the system which requires a minimum of gui-infra as it uses powershell cmdlets.

    At least you can script the repairs using an xml answer file for large scale repairs.

    Also noticed that the repair needs a pre or post reboot and it think that might be related to most of my affected servers were systems configured for auto install and reboot. It installed all the updates but the reboot was not triggered.
  • Anonymous
    September 01, 2014
    received this mu update on win7 sp1 x64. why isn't it available for vista sp2 x86?

    pls offer ralink rt61/rt2561 version 2.1.6 to vista users. currently, windows update says version 2.1.5 is latest when checking for driver update. thanks.

    http://www.mediatek.com/en/downloads/pcimpcicb-rt256xrt266x/
  • Anonymous
    October 21, 2014
    How about cumulative updates? I have Windows Server 2008 R2 SP1 + WSUS 3.0 SP2 + KB2828185. WSUS version is 3.2.7600.262.
    But WSUS still reports KV2720211 as needed
    Same issue:
    https://social.technet.microsoft.com/Forums/en-US/9db4011e-a96d-421d-ad59-ff6c3044d0ff/question-concerning-kb2720211-and-updates-there-after?forum=winserverwsus
  • Anonymous
    December 02, 2014
    After applied KB 2938066 update Hyper-V Guests Windows 2012 R2 receive updates from WSUS but not appear in console. Any suggestions?
  • Anonymous
    March 22, 2015
    thank you

    http://www.kodes.com Hiphop, Rap, Ceza, sagopa, Kolera

    http://www.gekkog.com Hiphop, Rap, Gekko G

    http://www.maskanimasyon.com Animasyon
  • Anonymous
    June 12, 2015
    thank you http://www.kodes.com/ http://www.gekkog.com/
  • Anonymous
    August 13, 2015
    Thanks for the its much appreciated..
    http://www.kaderim.net