This article describes the update that further improves the security of Windows Server Update Services (WSUS) and the Windows Update Agent (WUA) on computers that are managed by WSUS. This update applies to the following:
- Windows Server Update Services 3.0 Service Pack 2 (SP2) on all applicable and supported platforms
- Windows Server 2012 with the WSUS role enabled
- Windows Server 2012 R2 with the WSUS role enabled
NOTE This article describes an update that contains some improvements to Windows Update Client in Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This update is incompatible with Windows Server Update Services (WSUS) servers without the hardening update 2938066.
- Hardening of infrastructure files that are used by WSUS
- Hardening of the communication channel between WSUS and the WU/MU service
- The WUA on computers that are managed by this WSUS server will be automatically upgraded as needed after you apply this update.
- WSUS must be in a healthy, working state for this update to work. If WSUS is configured to synchronize updates from Microsoft Update, make sure that WSUS can synchronize updates. Additionally, clients must be able to communicate with the WSUS server.
For more information about how to perform basic health checks on a WSUS server, see the following Microsoft TechNet websites:
How to obtain this update
Windows UpdateThis update for Windows Server 2012 and Windows Server 2012 R2 is available from Windows Update.
Microsoft Download CenterThe following files are available for download from the Microsoft Download Center:
|All supported x64-based versions of Windows Server 2012 R2||Download the package now.|
|All supported x64-based versions of Windows Server 2012||Download the package now.|
|Update for WSUS 3.0 SP2||Download the package now.|
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
How to apply this updateWe recommend that you synchronize all WSUS servers after you apply this update. If you have a hierarchy of WSUS servers, apply this update, and then synchronize your servers from the top of the hierarchy. To synchronize your servers in this manner, follow these steps.
Note Before WSUS 3.0 SP2 servers (without fix 2828185 or newer) can manage computers that are running Windows 8, Windows Server 2012, or a newer OS version, you must complete these steps:
- Apply update 2938066 to the WSUS server that synchronizes with Microsoft Update.
- Start synchronization.
- Wait for the synchronization to succeed.
- If you use the Local Publishing feature from a remote WSUS console: when you have applied the update to your WSUS Server, the remote WSUS consoles must also be updated so that the API versions match.
- The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. For more information about how to upgrade NLB, see the "How to upgrade NLB on all computers" section.
- When a downstream WSUS 3.2 server is configured to communicate with its upstream server over HTTPS, TLS 1.0 must be enabled on both the upstream and downstream WSUS servers.
Article ID: 2938066 - Last Review: Dec 10, 2015 - Revision: 1