Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. SHA-2 Support for Windows Server Update Services 3.0 SP2

SHA-2 Support for Windows Server Update Services 3.0 SP2

View products that this article applies to.

Summary

To align with industry standards, Microsoft is moving away from using SHA-1 signatures for future updates and moving to SHA-2 signatures (see KB4472027 for more details). Without applying this SHA-2 update, beginning July 2019, WSUS 3.0 SP2 (also called WSUS 3.2) will not be able to perform the necessary WSUS update tasks. Starting with WSUS 4.0 on Windows Server 2012, WSUS already supports SHA-2-signed updates, and no customer action is needed for these versions. This update is necessary for those customers still using WSUS 3.0 SP2. We recommend upgrading to the latest version of WSUS, version 10.0.

 

↑ Back to the top

Prerequisites

  • Windows Monthly Rollup released March 12, 2019 or later, such as

    • KB4489880 or higher rollup for Windows Server 2008 SP2 installed.

    • KB4489878 or higher rollup for Windows Server 2008 R2 SP1 installed.

  • .NET Framework 3.5

 

↑ Back to the top

Synchronizing WSUS hierarchy after successful patch installation

We recommend that you synchronize all WSUS servers in your environment after applying this update. If you have a hierarchy of WSUS servers, apply this update and synchronize your servers from the top of the hierarchy.  

To synchronize your servers in this manner, follow the steps below   

  1. Apply update to the WSUS server that synchronizes with Microsoft Update. 

  1. Start the synchronization.

  1. Wait for the synchronization to succeed.

Repeat these steps for each WSUS server that synchronizes to the server that you just updated. 

↑ Back to the top

Known issues

 

Symptom Workaround

You may encounter an error message when testing the local publishing feature. In the WSUS log, search and locate the following error message, “PublishPackage(): Operation Failed with Error: Failed to sign package; error was: 2147942527”.

If you find this error in your log, then you have not installed the applicable Windows operating system prerequisite (KB4489880 or KB4489878).  Please install the prerequisite update applicable to your version of Windows and try testing again.
After installing this update, content downloads may fail if WSUS is configured to download express installation files. You may receive the following update in the SoftwareDistribution.log, “Info           WsusService.23      CabUtilities.CheckCertificateSignature                  File cert verification failed for *\WsusContent\*\*.psf with 2148098064.”

To resolve this issue, install the latest version of this update (KB4484071) released September 9, 2019. To verify that you have the latest version installed, go to %windir%\system32\psfsip.dll and verify that it is version 7.6.7600.324.

Now psf files should get downloaded locally when download express installation files is configured on the WSUS server.

 

↑ Back to the top

How to obtain the update

Method 1: Windows Update

This update will be downloaded and installed automatically.

Note: This update is also available through Windows Server Update Services (WSUS).

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

↑ Back to the top

References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top

Keywords: wsus

↑ Back to the top

Article Info
Article ID : 4484071
Revision : 41
Created on : 10/8/2019
Published on : 10/8/2019
Exists online : False
Views : 274