To align with industry standards, Microsoft is moving away from using SHA-1 signatures for future updates and moving to SHA-2 signatures (see KB4472027 for more details). Without applying this SHA-2 update, beginning July 2019, WSUS 3.0 SP2 (also called WSUS 3.2) will not be able to perform the necessary WSUS update tasks. Starting with WSUS 4.0 on Windows Server 2012, WSUS already supports SHA-2-signed updates, and no customer action is needed for these versions. This update is necessary for those customers still using WSUS 3.0 SP2. We recommend upgrading to the latest version of WSUS, version 10.0.
Adding SHA-2 support will not add support for Windows 10 feature updates on WSUS 3.0 SP2.
Synchronizing WSUS hierarchy after successful patch installation
We recommend that you synchronize all WSUS servers in your environment after applying this update. If you have a hierarchy of WSUS servers, apply this update and synchronize your servers from the top of the hierarchy.
To synchronize your servers in this manner, follow the steps below
Apply update to the WSUS server that synchronizes with Microsoft Update.
Start the synchronization.
Wait for the synchronization to succeed.
Repeat these steps for each WSUS server that synchronizes to the server that you just updated.
- This update does not support uninstallation via MSI. Microsoft recommends that validations be performed in a non-production environment.
- Remote Microsoft SQL Server administrators must download and install the update by using an account that has SQL Server Administrator permissions. WSUS3.0 SP2 installations using a remote SQL Server will always require manual installation of this update.
You may encounter an error message when testing the local publishing feature. In the WSUS log, search and locate the following error message, “PublishPackage(): Operation Failed with Error: Failed to sign package; error was: 2147942527”.
If you find this error in your log, then you have not installed the applicable Windows operating system prerequisite (KB4489880 or KB4489878). Please install the prerequisite update applicable to your version of Windows and try testing again.
|After installing this update, content downloads may fail if WSUS is configured to download express installation files. You may receive the following update in the SoftwareDistribution.log, “Info WsusService.23 CabUtilities.CheckCertificateSignature File cert verification failed for *\WsusContent\*\*.psf with 2148098064.”|| |
To mitigate this issue, you will need to disable the Download express installation files feature. To do this, in the WSUS console select Options -> Update Files and Languages -> Store update files locally on this server and uncheck Download express installation files.
We are working on a resolution and will provide an update in an upcoming release.