Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


This article describes the update that further improves the security of Windows Server Update Services (WSUS) and the Windows Update Agent (WUA) on computers that are managed by WSUS. This update applies to the following:

  • Windows Server Update Services 3.0 Service Pack 2 (SP2) on all applicable and supported platforms

  • Windows Server 2012 with the WSUS role enabled

  • Windows Server 2012 R2 with the WSUS role enabled


NOTE This article describes an update that contains some improvements to Windows Update Client in Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This update is incompatible with Windows Server Update Services (WSUS) servers without the hardening update 2938066.
 

Improvements

This update includes the following improvements:

  • Hardening of infrastructure files that are used by WSUS

  • Hardening of the communication channel between WSUS and the WU/MU service

Notes

  • The WUA on computers that are managed by this WSUS server will be automatically upgraded as needed after you apply this update.

  • WSUS must be in a healthy, working state for this update to work. If WSUS is configured to synchronize updates from Microsoft Update, make sure that WSUS can synchronize updates. Additionally, clients must be able to communicate with the WSUS server.

    For more information about how to perform basic health checks on a WSUS server, see the following Microsoft TechNet websites:
     

    Reindex the WSUS database
    Use the Server Cleanup Wizard

Update Information

How to obtain this update

Windows Update

This update for Windows Server 2012 and Windows Server 2012 R2 is available from Windows Update.

Microsoft Download Center

The following files are available for download from the Microsoft Download Center:

Operating system

Update

All supported x64-based versions of Windows Server 2012 R2

Download Download the package now.

All supported x64-based versions of Windows Server 2012

Download Download the package now.


For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

How to apply this update

We recommend that you synchronize all WSUS servers after you apply this update. If you have a hierarchy of WSUS servers, apply this update, and then synchronize your servers from the top of the hierarchy. To synchronize your servers in this manner, follow these steps.

Note Before WSUS 3.0 SP2 servers (without fix 2828185 or newer) can manage computers that are running Windows 8, Windows Server 2012, or a newer OS version, you must complete these steps:

  1. Apply update 2938066 to the WSUS server that synchronizes with Microsoft Update.

  2. Start synchronization.

  3. Wait for the synchronization to succeed.

Repeat these steps for each WSUS server that synchronizes to the server that you just updated.

More Information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

 

For all supported x64-based versions of Windows Server 2012 with Remote Server Administration Toolkit (RSAT) installed

File name

File version

File size

Date

Time

Platform

Microsoft.updateservices.corecommon.dll

6.2.9200.16859

215,552

01-Mar-2014

10:15

x86

Microsoft.updateservices.corecommon.dll

6.2.9200.20978

215,552

01-Mar-2014

10:58

x86

For all supported x64-based versions of Windows Server 2012 R2 with Remote Server Administration Toolkit (RSAT) installed

File name

File version

File size

Date

Time

Platform

Microsoft.updateservices.corecommon.dll

6.3.9600.17038

216,576

03-Mar-2014

11:05

x86

  1. Shut down the NLB service on each node in the NLB cluster. To do this, at a command prompt, type the following command, and then press Enter:

    nlb.exe suspend

  2. Shut down IIS and the WSUS service. To do this, at a command prompt, type the following commands. Make sure that you press Enter after each command line.

    iisreset/stop
    net stop wsusservice

  3. Make sure that no other services can access the database during the upgrade window. To do this, at a command prompt, type nlb.exe disable together with the appropriate additional parameters for the port or application:
     

    disable {vip[{:Port | :all}] | all[{:Port | :all}]} {Cluster[:{Host]| all {local | global}}}Note In this step and in the following steps, press Enter after every command line.

  4. Back up your database. For more information about how to back up a SQL Server database, see How to back up a database (SQL Server Management Studio).

  5. Upgrade each front-end computer individually. To do this, follow these steps:

    1. Set up WSUS. To do this, at a command prompt, type one of the following commands, as applicable for your system:

      • WSUS-KB2938066-x64.exe /q C:\MySetup.log

      • WSUS-KB2938066-x86.exe /q C:\MySetup.log

      You will not be prompted for anything else. The update process starts immediately.

    2. Review the setup log to verify that the upgrade was successful. To do this, type C:\MySetup.log at a command prompt.

    3. Make sure that IIS and the WSUS service are stopped. To do this, type the following commands at a command prompt:

      iisreset/stop
      net stop wsusservice

    4. Go on to the next computer.

  6. After all nodes are upgraded, start IIS and the WSUS service. To do this, at a command prompt, type iisreset, and then type net start wsusservice on each node in the NLB cluster.

  7. Start the NLB service on each node in the NLB cluster. To do this, at a command prompt, type nlb.exe resume.

  8. At a command prompt, type nlb.exe enable for all ports or applications that you disabled in step 3.

Note You must restart the computer after you apply this update.
 

Special considerations

  • If you use the Local Publishing feature from a remote WSUS console: when you have applied the update to your WSUS Server, the remote WSUS consoles must also be updated so that the API versions match.

  • The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. For more information about how to upgrade NLB, see the "How to upgrade NLB on all computers" section.

  • When a downstream WSUS 3.2 server is configured to communicate with its upstream server over HTTPS, TLS 1.0 must be enabled on both the upstream and downstream WSUS servers.

For WSUS 3.0 SP2, because this update is cumulative, special considerations of earlier updates are also applicable.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×