An update to harden Windows Server Update Services


This article describes the update that further improves the security of Windows Server Update Services (WSUS) and the Windows Update Agent (WUA) on computers that are managed by WSUS. This update applies to the following:
  • Windows Server Update Services 3.0 Service Pack 2 (SP2) on all applicable and supported platforms
  • Windows Server 2012 with the WSUS role enabled
  • Windows Server 2012 R2 with the WSUS role enabled

NOTE A related update contains improvements to the Windows Update Client in Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. That client update is incompatible with Windows Server Update Services (WSUS) servers that do not have hardening update 2938066 installed.

Improvements
This update includes the following improvements:
  • Hardening of infrastructure files that are used by WSUS
  • Hardening of the communication channel between WSUS and the WU/MU service
Notes
  • The WUA on computers that are managed by this WSUS server will be automatically upgraded as needed after you apply this update.
  • WSUS must be in a healthy, working state for this update to work. If WSUS is configured to synchronize updates from Microsoft Update, make sure that WSUS can synchronize updates. Additionally, clients must be able to communicate with the WSUS server.

    For more information about how to perform basic health checks on a WSUS server, see the WSUS documentation on Microsoft TechNet.

Update Information

How to obtain this update

Windows Update
This update for Windows Server 2012 and Windows Server 2012 R2 is available from Windows Update.
Microsoft Download Center
The following files are available for download from the Microsoft Download Center:
Operating system                                              Update
All supported x64-based versions of Windows Server 2012 R2    Download the package now.
All supported x64-based versions of Windows Server 2012       Download the package now.
Update for WSUS 3.0 SP2                                       Download the package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

How to apply this update

We recommend that you synchronize all WSUS servers after you apply this update. If you have a hierarchy of WSUS servers, apply this update, and then synchronize your servers from the top of the hierarchy. To synchronize your servers in this manner, follow these steps.

Note Before WSUS 3.0 SP2 servers (without fix 2828185 or newer) can manage computers that are running Windows 8, Windows Server 2012, or a newer OS version, you must complete these steps:
  1. Apply update 2938066 to the WSUS server that synchronizes with Microsoft Update.
  2. Start synchronization.
  3. Wait for the synchronization to succeed.
Repeat these steps for each WSUS server that synchronizes to the server that you just updated.
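The following script is an added example; it is not part of this article or of the WSUS product. It drives the order that steps 1 through 3 describe: starting at the server that synchronizes with Microsoft Update, it starts a synchronization, waits for it to finish, verifies that the result was Succeeded, and only then moves to the next downstream server. It assumes the UpdateServices PowerShell module that ships with the WSUS role on Windows Server 2012 and Windows Server 2012 R2; the server names and ports in the list are placeholders for your own hierarchy.

```powershell
# Added example (not part of KB2938066): synchronize a WSUS hierarchy from the
# top down and wait for each synchronization to succeed before moving on.
# Assumptions: the UpdateServices module (Windows Server 2012 / 2012 R2 WSUS
# role or RSAT) is available, and the names and ports below are placeholders.
Import-Module UpdateServices

# Ordered top-down: the server that synchronizes with Microsoft Update first,
# then each downstream server that synchronizes from the one before it.
$hierarchy = @(
    @{ Name = 'wsus-upstream.corp.example';    Port = 8530; UseSsl = $false },   # placeholder
    @{ Name = 'wsus-downstream1.corp.example'; Port = 8530; UseSsl = $false }    # placeholder
)

function Sync-WsusServerAndWait {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [int]  $Port = 8530,
        [bool] $UseSsl = $false,
        [int]  $TimeoutMinutes = 180
    )

    $server       = Get-WsusServer -Name $Name -PortNumber $Port -UseSsl:$UseSsl
    $subscription = $server.GetSubscription()

    # Do not start a second synchronization on top of one that is already running.
    if ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
        throw "$Name is already synchronizing; wait for it to finish and rerun."
    }

    # Step 2: start synchronization.
    $subscription.StartSynchronization()
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)

    # Step 3: wait until the server reports that it is no longer processing.
    while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
        if ((Get-Date) -gt $deadline) {
            throw "$Name: synchronization did not finish within $TimeoutMinutes minutes."
        }
        $progress = $subscription.GetSynchronizationProgress()
        Write-Verbose ("{0}: {1} {2}/{3}" -f $Name, $progress.Phase, $progress.ProcessedItems, $progress.TotalItems)
        Start-Sleep -Seconds 30
    }

    # Only continue downstream if this synchronization actually succeeded.
    $last = $subscription.GetLastSynchronizationInfo()
    if ($last.Result -ne 'Succeeded') {
        throw "$Name: synchronization result was '$($last.Result)'.`n$($last | Format-List | Out-String)"
    }

    [pscustomobject]@{
        Server    = $Name
        Result    = $last.Result
        StartTime = $last.StartTime
        EndTime   = $last.EndTime
    }
}

foreach ($entry in $hierarchy) {
    Sync-WsusServerAndWait @entry -Verbose
}
```

Run the script from a WSUS console computer that has network access to every server in the list. A server whose synchronization does not end in Succeeded stops the run, which is deliberate: synchronizing a downstream server before its upstream server has finished defeats the purpose of the top-down order.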
More information

File Information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

For all supported x64-based versions of Windows Server 2012 with Remote Server Administration Tools (RSAT) installed

File name                                  File version      File size   Date         Time    Platform
Microsoft.updateservices.corecommon.dll    6.2.9200.16859    215,552     01-Mar-2014  10:15   x86
Microsoft.updateservices.corecommon.dll    6.2.9200.20978    215,552     01-Mar-2014  10:58   x86

For all supported x64-based versions of Windows Server 2012 R2 with Remote Server Administration Tools (RSAT) installed

File name                                  File version      File size   Date         Time    Platform
Microsoft.updateservices.corecommon.dll    6.3.9600.17038    216,576     03-Mar-2014  11:05   x86
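The following script is an added example; it is not part of this article. It checks a Windows Server 2012 or Windows Server 2012 R2 WSUS server for the hardening update by looking up KB2938066 in the hotfix inventory and comparing the installed Microsoft.UpdateServices.CoreCommon.dll against the file versions in the tables above. The folders it searches are assumptions about where the WSUS role places the assembly; adjust them if your installation differs. The WSUS 3.0 SP2 file versions are not listed in this article, so the script reports those files as unknown rather than guessing.

```powershell
# Added example (not part of KB2938066): verify that the hardening update is
# present by checking Get-HotFix and the Microsoft.UpdateServices.CoreCommon.dll
# file version against the File Information tables in the article.
# The search roots are assumptions; adjust them for your layout.

function Get-RequiredCoreCommonVersion {
    param([Parameter(Mandatory)] [version] $Installed)
    switch ($Installed.Build) {
        # Windows Server 2012 has two servicing branches in the table. By the
        # usual convention, revisions below 20000 are GDR and 20000 and above are LDR.
        9200 {
            if ($Installed.Revision -ge 20000) { [version]'6.2.9200.20978' }
            else                               { [version]'6.2.9200.16859' }
        }
        # Windows Server 2012 R2: one branch listed.
        9600    { [version]'6.3.9600.17038' }
        default { $null }   # not listed in this article (for example WSUS 3.0 SP2 builds)
    }
}

function Test-Kb2938066Installed {
    param(
        [string[]] $SearchRoots = @(
            "$env:windir\Microsoft.NET\assembly",   # assumed: GAC used by the WSUS role
            "$env:ProgramFiles\Update Services"     # assumed: WSUS installation folder
        )
    )

    $hotfix = Get-HotFix -Id 'KB2938066' -ErrorAction SilentlyContinue

    $dlls = Get-ChildItem -Path $SearchRoots -Recurse -Filter 'Microsoft.UpdateServices.CoreCommon.dll' -ErrorAction SilentlyContinue
    if (-not $dlls) {
        throw 'Microsoft.UpdateServices.CoreCommon.dll was not found under the search roots.'
    }

    foreach ($dll in $dlls) {
        $vi = $dll.VersionInfo
        # Build the version from the numeric parts: the FileVersion string often
        # carries a branch suffix that cannot be cast to [version] directly.
        $installed = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $required  = Get-RequiredCoreCommonVersion -Installed $installed

        [pscustomobject]@{
            Path         = $dll.FullName
            Installed    = $installed
            Required     = $required
            HotfixListed = [bool]$hotfix
            Hardened     = ($null -ne $required) -and ($installed -ge $required)
        }
    }
}

Test-Kb2938066Installed | Format-Table -AutoSize
```

A server is hardened only when every copy of the assembly reports Hardened as True; a True HotfixListed value with a False Hardened value usually means a stale copy of the assembly is still in place and the server has not been restarted since the update.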

How to upgrade NLB on all computers

  1. Shut down the NLB service on each node in the NLB cluster. To do this, at a command prompt, type the following command, and then press Enter:

    nlb.exe suspend
  2. Shut down IIS and the WSUS service. To do this, at a command prompt, type the following commands. Make sure that you press Enter after each command line.

    iisreset /stop
    net stop wsusservice
  3. Make sure that no other services can access the database during the upgrade window. To do this, at a command prompt, type nlb.exe disable together with the appropriate additional parameters for the port or application:

    disable {vip[{:Port | :all}] | all[{:Port | :all}]} {Cluster[:Host] | all {local | global}}
    Note In this step and in the following steps, press Enter after every command line.
  4. Back up your database. For more information about how to back up a SQL Server database, see How to back up a database (SQL Server Management Studio).
  5. Upgrade each front-end computer individually. To do this, follow these steps:
    1. Set up WSUS. To do this, at a command prompt, type one of the following commands, as applicable for your system:
      • WSUS-KB2938066-x64.exe /q C:\MySetup.log
      • WSUS-KB2938066-x86.exe /q C:\MySetup.log
      You will not be prompted for anything else. The update process starts immediately.
    2. Review the setup log to verify that the upgrade was successful. To do this, type C:\MySetup.log at a command prompt.
    3. Make sure that IIS and the WSUS service are stopped. To do this, type the following commands at a command prompt:

      iisreset /stop
      net stop wsusservice
    4. Go on to the next computer.
  6. After all nodes are upgraded, start IIS and the WSUS service. To do this, at a command prompt, type iisreset, and then type net start wsusservice on each node in the NLB cluster.
  7. Start the NLB service on each node in the NLB cluster. To do this, at a command prompt, type nlb.exe resume.
  8. At a command prompt, type nlb.exe enable for all ports or applications that you disabled in step 3.
Note You must restart the computer after you apply this update.
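The following script is an added example; it is not part of this article or of WSUS. It runs steps 1 through 5 of the procedure above on one WSUS 3.0 SP2 front-end node and checks the result of every command so that the node is never left half-upgraded: it suspends NLB, stops IIS and the WSUS service, disables the port rules, runs the update silently with a setup log, surfaces error lines from the log, and confirms that the services are still stopped afterward. Step 4 (the database backup) is done separately in SQL Server, and steps 6 through 8 are run only after every node has been through this script. The package path, log path and nlb.exe disable arguments are placeholders that you supply. The acceptance of exit code 3010 relies on the Windows convention that 3010 means success with a restart required, which matches the note above.

```powershell
# Added example (not part of KB2938066): steps 1-5 of the NLB upgrade procedure
# on one WSUS 3.0 SP2 front end, with every command result checked.
# Placeholders: $Package, $SetupLog, $NlbDisableArgs. Step 4 (database backup)
# and steps 6-8 (restart services, resume NLB, re-enable rules) are not automated here.
param(
    [string] $Package        = 'C:\Updates\WSUS-KB2938066-x64.exe',   # placeholder path
    [string] $SetupLog       = 'C:\MySetup.log',
    [string] $NlbDisableArgs = ''   # port and cluster arguments from step 3; empty skips the call
)

function Invoke-Checked {
    param([string] $FilePath, [string] $Arguments, [int[]] $SuccessCodes = @(0))
    $proc = Start-Process -FilePath $FilePath -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($SuccessCodes -notcontains $proc.ExitCode) {
        throw "'$FilePath $Arguments' exited with code $($proc.ExitCode)."
    }
    $proc.ExitCode
}

function Stop-ServicesAndWait {
    param([string[]] $Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction Stop
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
        }
    }
}

# Step 1: take this node out of the NLB cluster.
Invoke-Checked -FilePath 'nlb.exe' -Arguments 'suspend' | Out-Null

# Step 2: stop IIS and the WSUS service so nothing reaches the database.
Invoke-Checked -FilePath 'iisreset.exe' -Arguments '/stop' | Out-Null
Stop-ServicesAndWait -Names 'W3SVC', 'WsusService'

# Step 3: disable the port rules for the WSUS application, if arguments were given.
if ($NlbDisableArgs) {
    Invoke-Checked -FilePath 'nlb.exe' -Arguments "disable $NlbDisableArgs" | Out-Null
}

# Step 5.1: silent install with a setup log, the same switch form shown in the
# procedure. 3010 (success, restart required) is accepted because the note
# above says a restart is required after this update.
$exit = Invoke-Checked -FilePath $Package -Arguments "/q $SetupLog" -SuccessCodes 0, 3010

# Step 5.2: review the log. The article names no success marker, so lines that
# mention an error are surfaced for the operator rather than interpreted.
if (-not (Test-Path -LiteralPath $SetupLog)) { throw "Setup log $SetupLog was not written." }
$suspect = Select-String -Path $SetupLog -Pattern '\b(error|failed|exception)\b'
if ($suspect) {
    Write-Warning "Review these lines in $SetupLog before continuing:"
    $suspect | ForEach-Object { Write-Warning $_.Line }
}

# Step 5.3: setup may have restarted IIS or WSUS; they must stay stopped until
# every node is upgraded (step 6).
Stop-ServicesAndWait -Names 'W3SVC', 'WsusService'

Write-Output "Node upgraded (installer exit code $exit). Go on to the next front end (step 5.4)."
```

Run the script in an elevated PowerShell session on each front-end node in turn. Because every failure throws, a node that stops part-way is left with NLB suspended and the services stopped, which is the safe state for this procedure; fix the cause and rerun the script rather than continuing to the next node.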

Special considerations

  • If you use the Local Publishing feature from a remote WSUS console, update the remote WSUS consoles after you apply the update to the WSUS server so that the API versions match.
  • The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. For more information about how to upgrade NLB, see the "How to upgrade NLB on all computers" section.
  • When a downstream WSUS 3.2 server is configured to communicate with its upstream server over HTTPS, TLS 1.0 must be enabled on both the upstream and downstream WSUS servers.
For WSUS 3.0 SP2, because this update is cumulative, special considerations of earlier updates are also applicable.
Properties

Article ID: 2938066 - Last Review: 12/10/2015 02:53:00 - Revision: 4.0

Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows Server 2012 R2 Standard, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard, Microsoft Windows Server 2003 R2 Datacenter x64 Edition with Service Pack 2, Windows Server 2008 Service Pack 2, Windows Server 2008 R2 Service Pack 1
