SHA-2 Support for Windows Server Update Services 3.0 SP2

A következőkre vonatkozik: Windows Server Update Services 3.0 Service Pack 2

Summary


To align with industry standards, Microsoft is moving away from using SHA-1 signatures for future updates and moving to SHA-2 signatures (see KB4472027 for more details). Without applying this SHA-2 update, beginning July 2019, WSUS 3.0 SP2 (also called WSUS 3.2) will not be able to perform the necessary WSUS update tasks. Starting with WSUS 4.0 on Windows Server 2012, WSUS already supports SHA-2-signed updates, and no customer action is needed for these versions. This update is necessary for those customers still using WSUS 3.0 SP2. We recommend upgrading to the latest version of WSUS, version 10.0.

 

Prerequisites


  • Windows Monthly Rollup released March 12, 2019 or later, such as
    • KB4489880 or higher rollup for Windows Server 2008 SP2 installed.

    • KB4489878 or higher rollup for Windows Server 2008 R2 SP1 installed.

  • .Net 3.5

 

Synchronizing WSUS hierarchy after successful patch installation


We recommend that you synchronize all WSUS servers in your environment after applying this update. If you have a hierarchy of WSUS servers, apply this update and synchronize your servers from the top of the hierarchy.  

To synchronize your servers in this manner, follow the steps below   

  1. Apply update to the WSUS server that synchronizes with Microsoft Update. 

  1. Start the synchronization.

  1. Wait for the synchronization to succeed.

Repeat these steps for each WSUS server that synchronizes to the server that you just updated. 

Known issues


 

Symptom Workaround

You may encounter an error message when testing the local publishing feature. In the WSUS log, search and locate the following error message, “PublishPackage(): Operation Failed with Error: Failed to sign package; error was: 2147942527”.

If you find this error in your log, then you have not installed the applicable Windows operating system prerequisite (KB4489880 or KB4489878).  Please install the prerequisite update applicable to your version of Windows and try testing again.

After installing this update, content downloads may fail if WSUS is configured to download express installation files. You may receive the following update in the SoftwareDistribution.log, “Info           WsusService.23      CabUtilities.CheckCertificateSignature                  File cert verification failed for *\WsusContent\*\*.psf with 2148098064.”

To mitigate this issue, you will need to disable the Download express installation files feature.  To do this, in the WSUS console select Options -> Update Files and Languages -> Store update files locally on this server and uncheck Download express installation files.

We are working on a resolution and will provide an update in an upcoming release.

 

How to obtain the update


Method 1: Windows Update

This update will be downloaded and installed automatically.

Note: This update is also available through Windows Server Update Services (WSUS).

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

References


Learn about the terminology that Microsoft uses to describe software updates.