Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Windows Update Client does not scan against WSUS 3.0 SP2 if HTTPS is configured and TLS 1.2 is not enabled

Windows Update Client does not scan against WSUS 3.0 SP2 if HTTPS is configured and TLS 1.2 is not enabled

View products that this article applies to.

Summary

Some computers that have the Windows 8.1 and Windows Server 2012 R2 Update (KB 2919355 ) installed stop scanning against Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2 or WSUS 3.2)-based servers that are configured to use HTTPS and do not have TLS 1.2 enabled.

This problem occurs only when the following conditions are true:
  • The computer is running Windows 8.1 or Windows Server 2012 R2 and has the KB 2919355 update installed.
  • The computer is managed by a WSUS 3.2-based server.
  • WSUS 3.2 server is configured to have the managed clients communicate with the WSUS server over HTTPS by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
  • The WSUS 3.2 server does not support the TLS 1.2 protocol.

↑ Back to the top

How to check whether the problem applies to your environment

Are you using or do you plan to use WSUS 3.2 to manage Windows 8.1-based or Windows Server 2012 R2-based computers?

  • If your answer is no, you are not affected by this problem, and you can skip the rest of this article.
  • If your answer is yes, you should read the rest of this section to see whether you are affected.
Note If you are using the WSUS Server role on Windows Server 2012 or Windows Server 2012 R2 to manage Windows 8.1 or Windows Server 2012 R2-based devices, you are not affected by this problem.

Did you configure the WSUS 3.2-based server so that managed computers communicate with the WSUS-based server over HTTPS?

  • If your answer is no, you are not affected by this problem, and you can skip the rest of this article.
  • If your answer is yes, you should read the rest of this section to see whether you are affected.

Is TLS 1.2 supported and enabled on your WSUS 3.2-based server?

How to check whether TLS 1.2 is supported and enabled

If your WSUS 3.2-based server is running on any of the following server platforms, the TLS 1.2 protocol is not supported:
  • Windows Server 2003 Service Pack 2 (SP2)
  • Windows Server 2003 R2 SP2
  • Windows Server 2008 SP2
If your WSUS 3.2-based server is running on Windows Server 2008 R2 SP1, the TLS 1.2 protocol is supported. To check whether the TLS 1.2 protocol is enabled, follow these steps:
  1. Start Registry Editor, and then locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  2. Check whether the TLS 1.2\Server registry subkey exists.
    • If the subkey does not exist, TLS 1.2 is not enabled on your Windows Server 2008 R2-based server.
    • If the subkey does exist, you should check whether the DisabledByDefault DWORD value exists. If the value exists and is set to 0x0, the TLS 1.2 protocol is enabled.
  • If your answer is yes, you are not affected by this problem, and you can skip the rest of this article.
  • If your answer is no, you are affected by this problem.

↑ Back to the top

How to prevent the problem in your environment

Deploy the revised Windows 8.1, Windows Server 2012 R2 Update (KB 2919355)

Microsoft has released a revised Windows 8.1 and Windows Server 2012 R2 Update (KB 2919355) that addresses this problem. The revised update is now available on WSUS and the Microsoft Download Center.

Note If you use the volume license media that is provided by Microsoft and that is integrated with the KB 2919355 update to deploy Windows 8.1 or Windows Server 2012 R2, you should apply the KB 2959977 update to the image before you deploy. You can follow the steps in the following Microsoft TechNet topic to apply the KB 2959977 update for Windows 8.1 and Windows Server 2012 R2:

Add or Remove Packages Offline Using DISM
If you manage computers that are currently affected by the problem that is discussed in this article, you can obtain and deploy the following stand-alone update package from the Microsoft Download Center. For more information, go to the Microsoft Download Center, and then search for KB2959977.

Operating systemUpdate
All supported x86-based versions of Windows 8.1Download Download the package now.
All supported x64-based versions of Windows 8.1Download Download the package now.
All supported x64-based versions of Windows Server 2012 R2Download Download the package now.
Release Date: April 15, 2014

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

Keywords: kbsurveynew, kbexpertiseadvanced, kbtshoot, kb

↑ Back to the top

Article Info
Article ID : 2959977
Revision : 2
Created on : 4/9/2020
Published on : 4/9/2020
Exists online : False
Views : 438