Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

This article describes an update that further improves the reliability of Windows Server Update Services (WSUS). This update applies to the following: 

  • Windows Server Update Services 3.0 Service Pack 2 (SP2) on all applicable and supported platforms


  • This update includes the security update and fixes that were part of KB2938066.

  • This performance improvement is also available on:


This update fixes the following issue:

  • WSUS update metadata processing can cause clients to time out and return a 0x8024401c error.

Update Information

How to obtain this update

Microsoft Download Center

This update is available for manual download and installation from the Microsoft Download Center.

Download Download the 64-bit update for WSUS 3.0 SP2 now.

Download Download the 32-bit update for WSUS 3.0 SP2 now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. 

How to apply this update

We recommend that you synchronize all WSUS servers after you apply this update. If you have a hierarchy of WSUS servers, apply this update, and then synchronize your servers from the top of the hierarchy. To synchronize your servers in this manner, follow these steps. 

Note Before WSUS 3.0 SP2 servers (without fix 2828185 or later updates) can manage computers that are running Windows 8, Windows Server 2012, or a newer OS version, you must complete the following steps:

  1. Apply update 4039929 to the WSUS server that synchronizes with Microsoft Update.

  2. Start the synchronization.

  3. Wait for the synchronization to succeed.

Repeat these steps for each WSUS server that synchronizes to the server that you just updated.

More Information

Note The following steps aren't required if you have already installed update 2938066.


  1. Shut down the NLB service on each node in the NLB cluster. To do this, type the following command at a command prompt, and then press Enter:

    nlb.exe suspend

  2. Shut down IIS and the WSUS service. To do this, type the following commands at a command prompt, and press Enter after each command.

    net stop wsusservice

  3. Make sure that no other services can access the database during the upgrade window. To do this, type nlb.exe disable at a command prompt together with the appropriate additional parameters for the port or application:

    disable {vip[{:Port | :all}] | all[{:Port | :all}]} {Cluster[:{Host]| all {local | global}}} Note In this step and in the following steps, press Enter after every command.

  4. Back up your database. For more information about how to back up a SQL Server database, see How to back up a database (SQL Server Management Studio).

  5. Upgrade each front-end computer individually. To do this, follow these steps:

    1. Set up WSUS. To do this, type one of the following commands at a command prompt, as applicable for your system:

      • WSUS-KB4039929-amd64.exe /q C:\MySetup.log

      • WSUS-KB4039929-x86.exe /q C:\MySetup.log

      Note You are not prompted to do anything else. The update process starts immediately.

    2. Review the setup log to verify that the upgrade was successful. To do this, type C:\MySetup.log at a command prompt.

    3. Make sure that IIS and the WSUS service are stopped. To do this, type the following commands at a command prompt:

      net stop wsusservice

    4. Go on to the next computer.

  6. After all nodes are upgraded, start IIS and the WSUS service. To do this, type iisreset at a command prompt, and then type net start wsusservice on each node in the NLB cluster.

  7. Start the NLB service on each node in the NLB cluster. To do this, type nlb.exe resume at a command prompt.

  8. At a command prompt, type nlb.exe enable for all ports or applications that you disabled in step 3.

Note You must restart the computer after you apply this update.

Special considerations

  • If you use the Local Publishing feature from a remote WSUS console, after you apply the update to your WSUS Server, the remote WSUS consoles must also be updated so that the API versions match.

  • The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. For more information about how to upgrade NLB, see the "How to upgrade NLB on all computers" section.

  • When a downstream WSUS 3.2 server is configured to communicate with its upstream server over HTTPS, TLS 1.0 must be enabled on both the upstream and downstream WSUS servers.

Note For WSUS 3.0 SP2, special considerations of earlier updates are also applicable because this update is cumulative.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Learn about the terminology that Microsoft uses to describe software updates.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!