To align with industry standards, Microsoft is moving away from using SHA-1 signatures for future updates and moving to SHA-2 signatures (see KB4472027 for more details). Without applying this SHA-2 update, beginning July 2019, WSUS 3.0 SP2 (also called WSUS 3.2) will not be able to perform the necessary WSUS update tasks. Starting with WSUS 4.0 on Windows Server 2012, WSUS already supports SHA-2-signed updates, and no customer action is needed for these versions. This update is necessary for those customers still using WSUS 3.0 SP2. We recommend upgrading to the latest version of WSUS, version 10.0.
Adding SHA-2 support will not add support for Windows 10 feature updates on WSUS 3.0 SP2.
Synchronizing WSUS hierarchy after successful patch installation
We recommend that you synchronize all WSUS servers in your environment after applying this update. If you have a hierarchy of WSUS servers, apply this update and synchronize your servers from the top of the hierarchy.
To synchronize your servers in this manner, follow the steps below:
1. Apply update to the WSUS server that synchronizes with Microsoft Update.
2. Start the synchronization.
3. Wait for the synchronization to succeed.
4. Repeat these steps for each WSUS server that synchronizes to the server that you just updated.
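The top-down synchronization above, as an added PowerShell example that is not part of the original article. It assumes the WSUS administration console is installed on the machine running it, so that the Microsoft.UpdateServices.Administration assembly loads; the server names, port and timeout are placeholders.

```powershell
# Added example: synchronize a WSUS hierarchy one server at a time, top first.
# Server names, port and timeout are placeholders (assumptions), not values from the article.
param(
    [string[]]$ServersTopDown = @('wsus-root.example.test', 'wsus-branch1.example.test'),
    [int]$Port = 80,
    [switch]$UseSsl,
    [int]$TimeoutMinutes = 240
)
$ErrorActionPreference = 'Stop'
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Sync-WsusServer {
    param([string]$Name, [int]$Port, [bool]$UseSsl, [int]$TimeoutMinutes)

    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Name, $UseSsl, $Port)
    $sub  = $wsus.GetSubscription()
    # Remember the previous run so a stale "Succeeded" is not mistaken for this one.
    $before = $sub.GetLastSynchronizationInfo().StartTime

    if ($sub.GetSynchronizationStatus() -eq 'NotProcessing') {
        $sub.StartSynchronization()   # asynchronous: returns immediately
    }

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        if ((Get-Date) -gt $deadline) { throw "$($Name): synchronization timed out" }
        $last = $sub.GetLastSynchronizationInfo()
        $done = ($sub.GetSynchronizationStatus() -eq 'NotProcessing') -and
                ($last.StartTime -gt $before)
    } while (-not $done)

    if ($last.Result -ne 'Succeeded') {
        throw "$($Name): synchronization ended with $($last.Result): $($last.ErrorText)"
    }
    Write-Output "$($Name): synchronized $($last.StartTime) to $($last.EndTime)"
}

# Order matters: a downstream server is only synchronized after its upstream succeeded.
# A failure throws and stops the loop, so lower tiers are never synced from a bad parent.
foreach ($server in $ServersTopDown) {
    Sync-WsusServer -Name $server -Port $Port -UseSsl $UseSsl.IsPresent `
                    -TimeoutMinutes $TimeoutMinutes
}
```

List the servers in hierarchy order, and apply the update to each server before the script reaches it.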
- If you have not installed the applicable Windows operating system prerequisite (KB4489880 or KB4489878), you may encounter an error message if you test the local publishing feature. Search the WSUS log for the following error message:
“PublishPackage(): Operation Failed with Error: Failed to sign package; error was: 2147942527”
- This update does not support uninstallation via MSI. Microsoft recommends that validations be performed in a non-production environment.