An update to harden Windows Server Update Services

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation

This article describes the update that further improves the security of Windows Server Update Services (WSUS) and the Windows Update Agent (WUA) on computers that are managed by WSUS. This update applies to the following:
  • Windows Server Update Services 3.0 Service Pack 2 (SP2) on all applicable and supported platforms
  • Windows Server 2012 with the WSUS role enabled
  • Windows Server 2012 R2 with the WSUS role enabled

NOTE This article describes an update that contains some improvements to Windows Update Client in Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This update is incompatible with Windows Server Update Services (WSUS) servers without the hardening update 2938066.


This update includes the following improvements:
  • Hardening of infrastructure files that are used by WSUS
  • Hardening of the communication channel between WSUS and the WU/MU service
  • The WUA on computers that are managed by this WSUS server will be automatically upgraded as needed after you apply this update.
  • WSUS must be in a healthy, working state for this update to work. If WSUS is configured to synchronize updates from Microsoft Update, make sure that WSUS can synchronize updates. Additionally, clients must be able to communicate with the WSUS server.

    For more information about how to perform basic health checks on a WSUS server, see the following Microsoft TechNet websites:

Update Information

How to obtain this update

Windows Update
This update for Windows Server 2012 and Windows Server 2012 R2 is available from Windows Update.
Microsoft Download Center
The following files are available for download from the Microsoft Download Center:
Operating system | Update
All supported x64-based versions of Windows Server 2012 R2 | Download the package now.
All supported x64-based versions of Windows Server 2012 | Download the package now.
Update for WSUS 3.0 SP2 | Download the package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

How to apply this update

We recommend that you synchronize all WSUS servers after you apply this update. If you have a hierarchy of WSUS servers, apply this update, and then synchronize your servers from the top of the hierarchy. To synchronize your servers in this manner, follow these steps.

Note Before WSUS 3.0 SP2 servers (without fix 2828185 or newer) can manage computers that are running Windows 8, Windows Server 2012, or a newer OS version, you must complete these steps:
  1. Apply update 2938066 to the WSUS server that synchronizes with Microsoft Update.
  2. Start synchronization.
  3. Wait for the synchronization to succeed.
Repeat these steps for each WSUS server that synchronizes to the server that you just updated.
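
The following PowerShell sketch is an added example, not part of the original article or any Microsoft tooling. It walks a WSUS hierarchy from the top down, performing steps 2 and 3 on each server before moving to its downstream servers. It assumes update 2938066 is already installed on every server it reaches; the function names, the port 8530 default, the 10-second poll interval and the 120-minute timeout are hypothetical choices.

```powershell
# Added example: synchronize a WSUS hierarchy top-down after update 2938066.
# Assumptions (not from the article): function names, port 8530, HTTP by default,
# 10-second poll interval, 120-minute timeout. Run from a machine that has the
# WSUS administration console (and therefore the administration API) installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Sync-WsusServerAndWait {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [int]  $Port = 8530,
        [bool] $UseSsl = $false,
        [int]  $TimeoutMinutes = 120
    )
    $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Name, $UseSsl, $Port)
    $subscription = $server.GetSubscription()

    # Step 2: start synchronization.
    $subscription.StartSynchronization()

    # Step 3: wait until the server is no longer processing the synchronization.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 10
        if ((Get-Date) -gt $deadline) { throw "Synchronization on $Name timed out." }
    } while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')

    # Finishing is not the same as succeeding: stop the walk on any other result,
    # so downstream servers never synchronize from a server that failed.
    $last = $subscription.GetLastSynchronizationInfo()
    if ($last.Result -ne 'Succeeded') {
        throw "Synchronization on $Name ended with $($last.Result): $($last.ErrorText)"
    }
    Write-Host "$Name synchronized successfully (ended $($last.EndTime))."
    return $server
}

function Sync-WsusHierarchy {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [int]  $Port = 8530,
        [bool] $UseSsl = $false
    )
    $server = Sync-WsusServerAndWait -Name $Name -Port $Port -UseSsl $UseSsl
    # Repeat for each server that synchronizes from the one just completed.
    foreach ($child in $server.GetDownstreamServers()) {
        Sync-WsusHierarchy -Name $child.FullDomainName -Port $Port -UseSsl $UseSsl
    }
}
```

Call `Sync-WsusHierarchy` with the name of the server that synchronizes with Microsoft Update. If downstream servers are reached over HTTPS, pass `-UseSsl $true` and the matching port.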

More Information

Special considerations

  • If you use the Local Publishing feature from a remote WSUS console: after you apply the update to your WSUS server, the remote WSUS consoles must also be updated so that the API versions match.
  • The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. For more information about how to upgrade NLB, see the "How to upgrade NLB on all computers" section.
  • When a downstream WSUS 3.2 server is configured to communicate with its upstream server over HTTPS, TLS 1.0 must be enabled on both the upstream and downstream WSUS servers.
For WSUS 3.0 SP2, because this update is cumulative, special considerations of earlier updates are also applicable.