Upcoming Update to WSUS (KB 2887535)
We recently announced on the Microsoft Update Product Team Blog a set of changes made to the Windows Update Agent. In an effort to provide additional protection for our WSUS customers, we are releasing an update that enhances the security of Windows Update, the Microsoft Update (WU/MU) Client, and Windows Server Update Services. The update applies to WSUS 3.0 SP2, as well as the WSUS role running on Windows Server 2012 and Windows Server 2012 R2.
Improvements include further hardening of the infrastructure used by WU/MU client and the communication channel between WU/MU Client and Service. Additionally, the communication channel between WSUS and WU/MU service has been hardened. This update to WSUS also rolls up all prior updates.
Details on the changes to the WU/MU client can be found at KB 2887535.
Details and additional considerations for the update to WSUS can be found at KB 2938066.
Downloads
The following files are available for download from the Microsoft Download Center:
| All supported x64-based versions of Windows Server 2012 R2 | Download the package now. |
| All supported x64-based versions of Windows Server 2012 | Download the package now. |
| Update for WSUS 3.0 SP2 | Download the package now. |
Comments
- Anonymous
January 01, 2003
Good job. Thank you. - Anonymous
January 01, 2003
thank you - Anonymous
January 01, 2003
thank you - Anonymous
January 01, 2003
thank you - Anonymous
July 09, 2014
Hi,
why is KB2938066 not showing up in WSUS itself like KB2720211 was? - Anonymous
July 14, 2014
Hello guys,
after installing the update on my WSUS upstream server, I am getting error when the machine tries to self-update itself.
The WSUS agent got updated. Here is the part of the log. Can you advice please?
Agent *************
Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
Agent *********
Agent * Online = Yes; Ignore download priority = No
Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
Agent * Search Scope = {Machine}
Setup Checking for agent SelfUpdate
Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320
Misc Validating signature for C:WindowsSoftwareDistributionSelfUpdatewuident.cab with dwProvFlags 0x00000080:
Misc Microsoft signed: NA
Misc Validating signature for C:WindowsSoftwareDistributionSelfUpdateTMPC435.tmp with dwProvFlags 0x00000080:
Misc FATAL: Error: 0xc000000d when verifying trust for C:WindowsSoftwareDistributionSelfUpdateTMPC435.tmp
Misc WARNING: Digital Signatures on file C:WindowsSoftwareDistributionSelfUpdateTMPC435.tmp are not trusted: Error 0xc000000d
Setup FATAL: Ident cab verification failed with error 0XC000000D
Setup WARNING: SelfUpdate check failed to download package information, error = 0xC000000D
Setup FATAL: SelfUpdate check failed, err = 0xC000000D
Agent * WARNING: Skipping scan, self-update check returned 0xC000000D
Agent * WARNING: Exit code = 0xC000000D
Agent *********
Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
Agent *************
Agent WARNING: WU client failed Searching for update with error 0xc000000d
AU >>## RESUMED ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
AU # WARNING: Search callback failed, result = 0xC000000D
AU # WARNING: Failed to find updates with error code C000000D
AU #########
AU ## END ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
AU ############# - Anonymous
July 14, 2014
So, I just found out that the problem occurs on other servers (WS2008 R2 SP1) as well. Do not exactly know how to resolve it, if it is related to the WSUS ifrastructure secured with TLS certificate (we use that) or so...
All our WSUS servers had previously installed WSUS 3.0 SP2 with KB2720211 and KB2734608 and it worked like a charm.
After installing the KB2938066 some of our systems started to show problems... :-( - Anonymous
July 21, 2014
@JohnnyH, try this: stop wu service, delete C:WindowsSoftwareDistribution folder and start wu service - Anonymous
July 21, 2014
@Thomas: Already tried, unfortunatelly with no success...
Here is the thread on MS Social Technet forums I started:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/a006e173-2113-41c7-b119-cd1610414fe0/wsus-30-sp2-troubles-after-installing-kb2938066-0xc000000d?forum=winserverwsus - Anonymous
August 01, 2014
So... is this release STABLE?? Should I apply it to WSUS 3.0 SP2 on Server 2008 R2 Standard?
My WSUS has 12 downstream servers and patches 2,000 clients total. - Anonymous
August 06, 2014
Is there any chance that a similar issue could be occurring where clients are unable to interact over HTTPS with WSUS 6.2 (Server 2012) after KB2937636 is installed on the WSUS server? I'm noticing a new issue recently where our SCCM 2012 R2 OSD task sequence "Install Software Update" steps are timing out after 30 minutes without finding any updates to install, but then the required updates install fine after the task sequence completes. It might not be related, but it sounds like it could be related, and KB2937636 does indicate that KB2919355 (listed here) had already made the Windows Update changes in April 2014 that KB2937636 later did in July 2014. - Anonymous
August 06, 2014
And FYI, we are an HTTPS only shop. - Anonymous
August 06, 2014
Forgive me, I meant to make this comment over on an earlier post: (http://blogs.technet.com/b/wsus/archive/2014/04/08/windows-8-1-update-prevents-interaction-with-wsus-3-2-over-ssl.aspx) - Anonymous
August 15, 2014
I too am seeing a failure to update with a C000000D error code after installing the 7.6.7600.320 update (Win7-SP1-64 bit available from here:http://support.microsoft.com/kb/2887535 ). Restoring the system to prior to the installation of this update restores the ability to download updates. I would appreciate a fix because our corporate powers that be are mandating that this new update be used. - Anonymous
August 21, 2014
Spotted a similar issue on a number of Windows 2012/R2 servers a few days ago and my wsus server is on win2012 using ssl. To fix the broken clients I used the troubleshooting pack for windows update but it has it's issues.
1. You need to download it to your servers first.
2. Does not work with server core as the troubleshootingpack feature needs to present on the system which requires a minimum of gui-infra as it uses powershell cmdlets.
At least you can script the repairs using an xml answer file for large scale repairs.
Also noticed that the repair needs a pre or post reboot and it think that might be related to most of my affected servers were systems configured for auto install and reboot. It installed all the updates but the reboot was not triggered. - Anonymous
September 01, 2014
received this mu update on win7 sp1 x64. why isn't it available for vista sp2 x86?
pls offer ralink rt61/rt2561 version 2.1.6 to vista users. currently, windows update says version 2.1.5 is latest when checking for driver update. thanks.
http://www.mediatek.com/en/downloads/pcimpcicb-rt256xrt266x/ - Anonymous
October 21, 2014
How about cumulative updates? I have Windows Server 2008 R2 SP1 + WSUS 3.0 SP2 + KB2828185. WSUS version is 3.2.7600.262.
But WSUS still reports KV2720211 as needed
Same issue:
https://social.technet.microsoft.com/Forums/en-US/9db4011e-a96d-421d-ad59-ff6c3044d0ff/question-concerning-kb2720211-and-updates-there-after?forum=winserverwsus - Anonymous
December 02, 2014
After applied KB 2938066 update Hyper-V Guests Windows 2012 R2 receive updates from WSUS but not appear in console. Any suggestions? - Anonymous
March 22, 2015
thank you
http://www.kodes.com Hiphop, Rap, Ceza, sagopa, Kolera
http://www.gekkog.com Hiphop, Rap, Gekko G
http://www.maskanimasyon.com Animasyon - Anonymous
June 12, 2015
thank you http://www.kodes.com/ http://www.gekkog.com/ - Anonymous
August 13, 2015
Thanks for the its much appreciated..
http://www.kaderim.net