This article describes the update that further improves the security of Windows Server Update Services (WSUS) and the Windows Update Agent (WUA) on computers that are managed by WSUS. This update applies to the following:
Windows Server Update Services 3.0 Service Pack 2 (SP2) on all applicable and supported platforms
Windows Server 2012 with the WSUS role enabled
Windows Server 2012 R2 with the WSUS role enabled
NOTE This article describes an update that contains some improvements to Windows Update Client in Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This update is incompatible with Windows Server Update Services (WSUS) servers without the hardening update 2938066.
This update includes the following improvements:
Hardening of infrastructure files that are used by WSUS
Hardening of the communication channel between WSUS and the WU/MU service
The WUA on computers that are managed by this WSUS server will be automatically upgraded as needed after you apply this update.
WSUS must be in a healthy, working state for this update to work. If WSUS is configured to synchronize updates from Microsoft Update, make sure that WSUS can synchronize updates. Additionally, clients must be able to communicate with the WSUS server.
For more information about how to perform basic health checks on a WSUS server, see the following Microsoft TechNet websites:
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
How to apply this update
We recommend that you synchronize all WSUS servers after you apply this update. If you have a hierarchy of WSUS servers, apply this update, and then synchronize your servers from the top of the hierarchy. To synchronize your servers in this manner, follow these steps.
Note Before WSUS 3.0 SP2 servers (without fix 2828185 or newer) can manage computers that are running Windows 8, Windows Server 2012, or a newer OS version, you must complete these steps:
Apply update 2938066 to the WSUS server that synchronizes with Microsoft Update.
Wait for the synchronization to succeed.
Repeat these steps for each WSUS server that synchronizes to the server that you just updated.
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.
For all supported x64-based versions of Windows Server 2012 with Remote Server Administration Toolkit (RSAT) installed
For all supported x64-based versions of Windows Server 2012 R2 with Remote Server Administration Toolkit (RSAT) installed
How to upgrade NLB on all computers
1. Shut down the NLB service on each node in the NLB cluster. To do this, at a command prompt, type the following command, and then press Enter:
2. Shut down IIS and the WSUS service. To do this, at a command prompt, type the following commands. Make sure that you press Enter after each command line.
   iisreset /stop
   net stop wsusservice
3. Make sure that no other services can access the database during the upgrade window. To do this, at a command prompt, type nlb.exe disable together with the appropriate additional parameters for the port or application:
4. Upgrade each front-end computer individually. To do this, follow these steps:
   a. Set up WSUS. To do this, at a command prompt, type one of the following commands, as applicable for your system:
      WSUS-KB2938066-x64.exe /q C:\MySetup.log
      WSUS-KB2938066-x86.exe /q C:\MySetup.log
      You will not be prompted for anything else. The update process starts immediately.
   b. Review the setup log to verify that the upgrade was successful. To do this, type C:\MySetup.log at a command prompt.
   c. Make sure that IIS and the WSUS service are stopped. To do this, type the following commands at a command prompt:
      iisreset /stop
      net stop wsusservice
   d. Go on to the next computer.
5. After all nodes are upgraded, start IIS and the WSUS service. To do this, at a command prompt, type iisreset, and then type net start wsusservice on each node in the NLB cluster.
6. Start the NLB service on each node in the NLB cluster. To do this, at a command prompt, type nlb.exe resume.
7. At a command prompt, type nlb.exe enable for all ports or applications that you disabled in step 3.
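The procedure depends on IIS and the WSUS service staying stopped on every node while the installer runs. The following Windows PowerShell check is an added example, not part of the original article: it queries each front-end node and refuses to proceed if either service is not stopped. The node names are constructed placeholders, and W3SVC as the IIS service name is an assumption not stated on this page.

```powershell
# Added example, not from the KB article. Run in Windows PowerShell from an admin workstation.
# Node names are constructed placeholders; replace them with the NLB front-end computers.
$Nodes    = 'WSUS-FE1', 'WSUS-FE2'
# WsusService is the name used by "net stop wsusservice"; W3SVC (IIS) is an assumption.
$Services = 'W3SVC', 'WsusService'

function Test-WsusNodeQuiesced {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string[]]$ServiceName = $Services
    )
    try {
        $found = @(Get-Service -ComputerName $ComputerName -Name $ServiceName -ErrorAction Stop)
    }
    catch {
        # An unreachable node or a missing service counts as "not ready", never as "stopped".
        return New-Object PSObject -Property @{
            Node = $ComputerName; Ready = $false
            Detail = "query failed: $($_.Exception.Message)"
        }
    }

    $notStopped = @($found | Where-Object { $_.Status -ne 'Stopped' })
    if ($notStopped.Count -eq 0) {
        $detail = 'all stopped'
    } else {
        $detail = ($notStopped | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    }
    New-Object PSObject -Property @{
        Node = $ComputerName; Ready = ($notStopped.Count -eq 0); Detail = $detail
    }
}

$report = @($Nodes | ForEach-Object { Test-WsusNodeQuiesced -ComputerName $_ })
$report | Format-Table Node, Ready, Detail -AutoSize

if (@($report | Where-Object { -not $_.Ready }).Count -gt 0) {
    Write-Warning 'At least one node still has IIS or WSUS running; do not start the installer.'
    exit 1
}
```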
Note You must restart the computer after you apply this update.
If you use the Local Publishing feature from a remote WSUS console: when you have applied the update to your WSUS Server, the remote WSUS consoles must also be updated so that the API versions match.
The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. For more information about how to upgrade NLB, see the "How to upgrade NLB on all computers" section.
When a downstream WSUS 3.2 server is configured to communicate with its upstream server over HTTPS, TLS 1.0 must be enabled on both the upstream and downstream WSUS servers.
For WSUS 3.0 SP2, because this update is cumulative, special considerations of earlier updates are also applicable.
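For the TLS 1.0 requirement above, the upstream server accepts the HTTPS connection (SCHANNEL Server role) and the downstream server initiates it (SCHANNEL Client role). The following read-only Windows PowerShell check is an added example, not part of the original article; the registry path is the standard SCHANNEL protocol policy location, which this page does not itself cite.

```powershell
# Added example, not from the KB article. Reads SCHANNEL policy only; it changes nothing.
# Run it on the upstream server (check the Server row) and on the downstream server (Client row).
$Tls10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0'

function Get-Tls10Policy {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Client', 'Server')][string]$Role
    )

    $values = @{ Enabled = $null; DisabledByDefault = $null }
    $path = Join-Path $Tls10Key $Role

    if (Test-Path -Path $path) {
        $item = Get-ItemProperty -Path $path
        foreach ($name in @($values.Keys)) {
            $prop = $item.PSObject.Properties[$name]
            if ($prop) { $values[$name] = $prop.Value }
        }
    }

    # Enabled = 0 turns the protocol off for this role.
    # A nonzero DisabledByDefault means it is used only when an application asks for it.
    # Absent values mean no policy is set and the operating system default applies.
    if ($values.Enabled -eq 0) {
        $verdict = 'Disabled'
    } elseif (($values.DisabledByDefault -ne $null) -and ($values.DisabledByDefault -ne 0)) {
        $verdict = 'DisabledByDefault'
    } elseif ($values.Enabled -ne $null) {
        $verdict = 'Enabled'
    } else {
        $verdict = 'OSDefault'
    }

    New-Object PSObject -Property @{
        Role = $Role; Enabled = $values.Enabled
        DisabledByDefault = $values.DisabledByDefault; Verdict = $verdict
    }
}

'Server', 'Client' |
    ForEach-Object { Get-Tls10Policy -Role $_ } |
    Format-Table Role, Enabled, DisabledByDefault, Verdict -AutoSize
```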
Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows Server 2012 R2 Standard, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard, Microsoft Windows Server 2003 R2 Datacenter x64 Edition with Service Pack 2, Windows Server 2008 Service Pack 2, Windows Server 2008 R2 Service Pack 1