WSUS Product Team Blog

WSUS Product Team thoughts, information, tips and tricks and beyond :-)

Windows 8.1 Update (KB 2919355) prevents interaction with WSUS 3.2 over SSL


Update Monday 4/14/2014 - Please see http://support.microsoft.com/kb/2959977 for additional information.


There is a known issue which causes some PCs updated with the Windows 8.1 Update (KB 2919355) to stop scanning against Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2 or WSUS 3.2) servers which are configured to use SSL and have not enabled TLS 1.2.

Issue Description

The problem occurs only when all of the following are true:

  1. Client PC has installed Windows 8.1 Update KB 2919355
  2. Windows 8.1 with Windows 8.1 Update KB 2919355 attempts to scan against WSUS 3.2 running on any affected platform:
    • Windows Server 2003 SP2, or
    • Windows Server 2003 R2 SP2, or
    • Windows Server 2008 SP2, or
    • Windows Server 2008 R2 SP1
  3. HTTPS and Secure Sockets Layer (SSL) are enabled on the WSUS server
  4. TLS 1.2 is not enabled on the server

Only users who have enabled HTTPS and have not enabled TLS 1.2 on their WSUS 3.2 servers and who are also using these WSUS 3.2 servers to manage PCs running the Windows 8.1 Update KB 2919355 are affected by this issue. Please note, while we do recommend the use of HTTPS on WSUS servers, HTTPS and TLS 1.2 are not enabled by default.
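
One way to check conditions 3 and 4 from a machine on the network, as an added example (not part of the original post and not Microsoft's code): the PowerShell below attempts a TLS 1.2 handshake and a TLS 1.0 handshake against the WSUS SSL port and reports whether the server falls into the affected configuration. The host name wsus.example.internal, the port 8531 and the function name Test-TlsVersion are assumptions; substitute your own server and port.

```powershell
# Added example. Run from Windows 8 or later with .NET Framework 4.5+,
# where the client side of TLS 1.2 is enabled by default.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [Parameter(Mandatory = $true)]
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # A TCP failure throws here, so an unreachable server is never
        # reported as "protocol refused".
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        # Accept any certificate: this probe tests protocol support only,
        # not trust. Never reuse this callback for real connections.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
            return $true
        }
        catch {
            return $false   # handshake rejected for this protocol version
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

$server = 'wsus.example.internal'   # placeholder host name (assumption)
$port   = 8531                      # placeholder SSL port (assumption)
$tls12  = Test-TlsVersion $server $port ([System.Security.Authentication.SslProtocols]::Tls12)
$tls10  = Test-TlsVersion $server $port ([System.Security.Authentication.SslProtocols]::Tls)

$verdict = if ($tls12) {
    'TLS 1.2 accepted: condition 4 is not met'
} elseif ($tls10) {
    'HTTPS without TLS 1.2: clients with KB 2919355 cannot scan'
} else {
    'No TLS handshake succeeded: check the port and the HTTPS binding'
}
[pscustomobject]@{ Server = $server; Tls12 = $tls12; Tls10 = $tls10; Verdict = $verdict }
```

Running the same probe again after enabling TLS 1.2 on the server confirms that the workaround took effect.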

Workarounds

If you are using WSUS 3.2 on Windows Server 2008 R2, you may perform either of the following steps to restore the scan functionality if you have deployed the Windows 8.1 Update KB2919355.

  • Enable TLS 1.2 (follow the instructions under More Information > SCHANNEL\Protocols subkey), or
  • Disable HTTPS on WSUS

If you are using WSUS 3.2 on an operating system other than Windows Server 2008 R2, you may perform the following step to restore the scan functionality.

  • Disable HTTPS on WSUS

When Microsoft releases an update that resolves the issue, you may re-enable HTTPS on WSUS.

Microsoft plans to issue an update as soon as possible that will correct the issue and restore the proper behavior for Windows 8.1 Update KB 2919355 scanning against all supported WSUS configurations. Until that time, we are delaying the distribution of the Windows 8.1 Update KB 2919355 to WSUS servers.

You may still obtain the Windows 8.1 Update (KB 2919355) from the Windows Update Catalog or MSDN. However, we recommend that you suspend deployment of this update in your organization until we release the update that resolves this issue. You may also find the workarounds discussed in this article to be useful for testing this Windows 8.1 Update for your organization. Thank you for your patience during this time.

The WSUS and Windows Update Teams

Comments
  • Does this affect the Windows Server 2012 R2 update as well, or only 8.1?

  • Hi
    there is also no 2919355 for 2012r2 on wsus yet

  • bit off-topic
    IE 11 (also for W7) now has Enterprise mode. But why still not IE 11 for W7 on WSUS?

  • Combine this with the *wise* decision to prevent any future updates from being distributed to systems that don't have this Service Pack in disguise, and I would say that a great big ball is being dropped somewhere in Redmond.

  • Could you not release the update to WSUS on Server 2012R2 since it is out of scope for this issue?

  • I installed Windows 8.1 update 1, and our family members were not able to use IE 11 on their computers or laptops. I had to go back to original Windows 8.1 as soon as possible. Once Microsoft fixes this problem on IE11, I will be able to go back to Windows again, otherwise we are going with Ubuntu Linux. Microsoft should not provide a fake refinement that causes more problems than original Windows 8.1 update 1. Fix Windows 8.1 update 1 now or we are moving to Ubuntu Linux and you are not going to be making any profits from our family anymore.

  • > Could you not release the update to WSUS on Server 2012R2 since it is out of scope for this issue?

    Pierre and a127 - The problematic update is not an update to the WSUS server code. Rather, the broken update is to the Windows Update Agent, which was updated as part of the Windows 8.1 spring 2014 Update.

    The bug affects all Windows 8.1 systems with the spring 2014 Update. It just happens that client computers are not affected when connecting to WSUS for Windows Server 2012 (with or without R2), because on those WSUS servers, IIS is configured to support TLS 1.2 by default.

  • So if I had a 2012/WSUS 4 server with TLS 1.2 disabled, affected clients would be unable to use it?

  • > So if I had a 2012/WSUS 4 server with TLS 1.2 disabled, affected clients would be unable to use it?

    Peter - Yes, that's correct. There are 3 requirements for a client computer to be unable to connect to WSUS due to this bug:

    1. The client has Windows 8.1 with the spring 2014 Update.
    2. The WSUS server URL is over SSL or TLS (https://...).
    3. On the WSUS server, Windows is not configured to allow the use of TLS 1.2.

    If your WSUS server running Server 2012 was configured to not use TLS 1.2, then 8.1 Update clients wouldn't be able to use it. But again, this is not the default configuration on Server 2012.

  • what if SCCM is being used...but this is true of the backing WSUS server?

  • Hello, As SCCM uses WSUS components to update computers, I guess it's also true for SCCM SUP

  • ETA?

  • We need an ETA to determine if we proceed with the current updates (which would double the work involved for change management) or wait for the fix for KB 2919355.

  • We imported the Update to our WSUS on Win2003 using Catalog as source because we need to distribute it and HTTPS is not active. Now WSUS is trying to download 3 Updates (Win 8.1.1 as x86 and x64, Win 2012r2) again and again without success. Any hint for us?

  • Windows XP support
