Windows 8.1 Update (KB 2919355) prevents interaction with WSUS 3.2 over SSL

Update Monday 4/14/2014 - Please see https://support.microsoft.com/kb/2959977 for additional information.


There is a known issue which causes some PCs updated with the Windows 8.1 Update (KB 2919355) to stop scanning against Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2 or WSUS 3.2) servers which are configured to use SSL and have not enabled TLS 1.2.

Issue Description

The problem occurs only when all of the following are true:

  1. Client PC has installed Windows 8.1 Update KB 2919355
  2. Windows 8.1 with Windows 8.1 Update KB 2919355 attempts to scan against WSUS 3.2 running on any affected platform:
    • Windows Server 2003 SP2, or
    • Windows Server 2003 R2 SP2, or
    • Windows Server 2008 SP2, or
    • Windows Server 2008 R2 SP1
  3. HTTPS and Secure Sockets Layer (SSL) are enabled on the WSUS server
  4. TLS 1.2 is not enabled on the server

Only users who have enabled HTTPS and have not enabled TLS 1.2 on their WSUS 3.2 servers and who are also using these WSUS 3.2 servers to manage PCs running the Windows 8.1 Update KB 2919355 are affected by this issue. Please note, while we do recommend the use of HTTPS on WSUS servers, HTTPS and TLS 1.2 are not enabled by default.

Workarounds

If you are using WSUS 3.2 on Windows Server 2008 R2, you may perform either of the following steps to restore the scan functionality if you have deployed the Windows 8.1 Update KB2919355.

  • Enable TLS 1.2 (follow the instructions under More Information > SCHANNEL\Protocols subkey), or
  • Disable HTTPS on WSUS

If you are using WSUS 3.2 on an operating system other than Windows Server 2008 R2, you may perform the following step to restore the scan functionality.

  • Disable HTTPS on WSUS

When Microsoft releases an update that resolves the issue, you may re-enable HTTPS on WSUS.
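The "Enable TLS 1.2" workaround for Windows Server 2008 R2 above, sketched as an added PowerShell example that is not part of the original post: it reads and, when asked, sets the TLS 1.2 values under the SCHANNEL\Protocols subkey on the WSUS server. The function names are hypothetical; the registry path and the `Enabled` / `DisabledByDefault` values are the standard Schannel per-protocol settings.

```powershell
# Added example, not from the original post. Run elevated on the WSUS server.
# Function names are hypothetical; the key and value names are the standard
# Schannel per-protocol settings under SCHANNEL\Protocols.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Get-Tls12State {
    param([ValidateSet('Server', 'Client')][string]$Role = 'Server')
    $key = Join-Path $base $Role
    if (-not (Test-Path $key)) {
        # No subkey: Schannel uses the operating system default for TLS 1.2,
        # which the article notes is "not enabled" on the affected platforms.
        return New-Object psobject -Property @{
            Role = $Role; KeyPresent = $false
            Enabled = $null; DisabledByDefault = $null
        }
    }
    $p = Get-ItemProperty -Path $key
    New-Object psobject -Property @{
        Role = $Role; KeyPresent = $true
        Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault
    }
}

function Enable-Tls12 {
    param([ValidateSet('Server', 'Client')][string]$Role = 'Server')
    $key = Join-Path $base $Role
    # -Force also creates the missing "TLS 1.2" parent key.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

# Audit first; the WSUS side of the connection is the Server role.
Get-Tls12State -Role Server

# Uncomment to apply the workaround, then re-run the audit:
# Enable-Tls12 -Role Server
# Get-Tls12State -Role Server
```

Schannel reads these values at startup, so restart the server after enabling the protocol and then have an affected client rescan.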

Microsoft plans to issue an update as soon as possible that will correct the issue and restore the proper behavior for Windows 8.1 Update KB 2919355 scanning against all supported WSUS configurations. Until that time, we are delaying the distribution of the Windows 8.1 Update KB 2919355 to WSUS servers.

You may still obtain the Windows 8.1 Update (KB 2919355) from the Windows Update Catalog or MSDN. However, we recommend that you suspend deployment of this update in your organization until we release the update that resolves this issue. You may also find the workarounds discussed in this article to be useful for testing this Windows 8.1 Update for your organization. Thank you for your patience during this time.

The WSUS and Windows Update Teams

Comments

  • Anonymous
    January 01, 2003
    So if TLS 1.2 is now mandatory for secured Connections to WSUS maybe a SHA512 signed certificate in chain might produce the same problem. Maybe someone is able to test this?
    Have a look at: http://www.michaelm.info/blog/?p=1273
  • Anonymous
    January 01, 2003
    Could you not release the update to WSUS on Server 2012R2 since it is out of scope for this issue?
  • Anonymous
    January 01, 2003
    @a127: You can deploy IE 11 with WSUS. If you don't see it in the Console, have a look on the Microsoft Update Catalogue. From there you can import it into WSUS
  • Anonymous
    January 01, 2003

    So if I had a 2012/WSUS 4 server with TLS 1.2 disabled, affected clients would be unable to use it?

    Peter - Yes, that's correct. There are 3 requirements for a client computer to be unable to connect to WSUS due to this bug:

    1. The client has Windows 8.1 with the spring 2014 Update.
    2. The WSUS server URL is over SSL or TLS (https://...).
    3. On the WSUS server, Windows is not configured to allow the use of TLS 1.2.

    If your WSUS server running Server 2012 was configured to not use TLS 1.2, then 8.1 Update clients wouldn't be able to use it. But again, this is not the default configuration on Server 2012.

    Could you not release the update to WSUS on Server 2012R2 since it is out of scope for this issue?

    Pierre and a127 - The problematic update is not an update to the WSUS server code. Rather, the broken update is to the Windows Update Agent, which was updated as part of the Windows 8.1 spring 2014 Update.

    The bug affects all Windows 8.1 systems with the spring 2014 Update. It just happens that client computers are not affected when connecting to WSUS for Windows Server 2012 (with or without R2), because on those WSUS servers, IIS is configured to support TLS 1.2 by default.

  • Anonymous
    January 01, 2003
    thanks
  • Anonymous
    April 09, 2014
    Does this affect the Windows Server 2012 R2 update as well, or only 8.1?
  • Anonymous
    April 09, 2014
    Combine this with the wise decision to prevent any future updates from being distributed to systems that don't have this Service Pack in disguise, and I would say that a great big ball is being dropped somewhere in Redmond.
  • Anonymous
    April 09, 2014
    I installed Windows 8.1 update 1, and our family members were not able to use IE 11 on their computers or laptops. I had to go back to original Windows 8.1 as soon as possible. Once Microsoft fixes this problem on IE11, I will be able to go back to Windows again, otherwise we are going with Ubuntu Linux. Microsoft should not provide a fake refinement that causes more problems than original Windows 8.1 update 1. Fix Windows 8.1 update 1 now or we are moving to Ubuntu Linux and you are not going to be making any profits from our family anymore.
  • Anonymous
    April 09, 2014
    So if I had a 2012/WSUS 4 server with TLS 1.2 disabled, affected clients would be unable to use it?
  • Anonymous
    April 09, 2014
    what if SCCM is being used...but this is true of the backing WSUS server?
  • Anonymous
    April 10, 2014
    Hello. This is the WSUS support team.
    On April 9, 2014, the update that improves the usability of Windows 8.1, Windows 8.1 Update (KB 2919355
  • Anonymous
    April 11, 2014
    ETA?
  • Anonymous
    April 11, 2014
    We need an ETA to determine if we proceed with the current updates (which would double the work involved for change management) or wait for the fix for KB 2919355.
  • Anonymous
    April 11, 2014
    With last Tuesday's release of the final patches for Windows XP, Microsoft released the first
  • Anonymous
    April 11, 2014
    Microsoft has been listening to customer feedback. Much of this feedback has been received and some of
  • Anonymous
    April 12, 2014
    We imported the Update to our WSUS on Win2003 using Catalog as source because we need to distribute it and HTTPS is not active. Now WSUS is trying to download 3 Updates (Win 8.1.1 as x86 and x64, Win 2012r2) again and again without success. Any hint for us?
  • Anonymous
    April 13, 2014
    windows xp support
  • Anonymous
    April 14, 2014
    I installed Windows 8.1 Update 1 and after updating I can no longer scan or use Bluetooth. Just before the update, my Brother MFC-9440CN scanner worked wonderfully (scan directly to a document in Adobe Acrobat) and I had a Bluetooth receiver that worked just fine to receive Pandora music streamed via my PC. Immediately after the update, neither of these functions work. Windows can’t find the scanner (although the print function isn’t affected) or connect to the Bluetooth device (although it does recognize it). I worked with Brother for a couple of hours last week and installed their latest software for my MFC printer, but no luck.
  • Anonymous
    April 14, 2014
    !!! IMPORTANT !!!
    I also saw this exact problem on our corporate Windows 2012 R2 Servers.
    After installing KB2919355, I could check again Updates against our WSUS Server on 2008 R2.
    However: I got error 0x80072EE2 when I checked for Microsoft Online Updates via our corporate Proxy Servers.

    After uninstalling KB2919355, I could again successfully check for online updates through our proxy.
    So the problem is not only with local WSUS installations, but also affects customers using a normal http/https proxy to access the internet.
  • Anonymous
    April 14, 2014
    Sorry, a small correction: It was error 0x80072F8F I got in WindowsUpdateClient log.
  • Anonymous
    April 15, 2014
    KB2919355 also broke checkpoint ssl vpn snx. After installing the update, we now get a page cannot be displayed message when visiting the ssl VPN portal site. Uninstalling the update resolves the problem
  • Anonymous
    April 16, 2014
    I've got the same issue as WSUS when getting updates from Windows Intune. Any idea when Intune will be fixed?
  • Anonymous
    April 16, 2014
    227 Microsoft Team blogs searched, 56 blogs have new articles. 151 new articles found searching from
  • Anonymous
    April 17, 2014
    I drilled down the problem to the Update breaking functionality to connect to official microsoft servers via http/https proxies.
  • Anonymous
    April 23, 2014
    Addition to my comment above: The problem also only occurs when the machine also gets WSUS Settings (corporate WSUS) applied via group policy. Without any WSUS-Settings, it works fine.
  • Anonymous
    May 08, 2014
    Pingback from Windows 8.1 Update halted to some enterprise users amid WSUS issues | Cardiff Computer Rescue
  • Anonymous
    May 13, 2014
    Pingback from Windows Update Breaks After KB 2919355 | The Geek Post
  • Anonymous
    May 15, 2014
    I don't understand most of the computer speak here, but I can tell you this much: When I bought this laptop I was looking forward to having the most updated and easy to use system. This is so much not the case. Anyhow, back to the topic...
    I installed the 8.1 update that is required, and in the process lost my touchpad mouse. Nothing I tried short of rolling back to the original driver fixed it. I could still use a USB mouse, but if I had wanted to use an add-on mouse, I would have never bought the touch screen. And I really miss my XP's, because at least I got a notifier that the error was reported and had a hope of the bug being worked out...
    I realize that there is a big learning curve, but I really expected so much more from Microsoft. I don't mind helping with that, but I really only wanted a laptop that was easy to use with the ability to keep current with today's technology and as much ability as today's smartphones...
  • Anonymous
    May 29, 2014
    Update 4/16/2014: Please refer to the following updates posted in the blog posts below released on April
  • Anonymous
    August 06, 2014
    Is there any chance that a similar issue could be occurring where clients are unable to interact over HTTPS with WSUS 6.2 (Server 2012) after KB2937636 (July 2014) is installed on the WSUS server and the corresponding Win7 clients are updated? I'm noticing a new issue recently where our SCCM 2012 R2 Win7 OSD task sequence "Install Software Update" steps are timing out after 30 minutes without finding any updates to install, but then the required updates install fine after the task sequence completes. It might not be related, but it sounds like it could be related, and KB2937636 does indicate that KB2919355 (listed here) had already made the Windows Update changes in April 2014 that KB2937636 later did in July 2014. We are an HTTPS-only shop.

    Note that I'm revisiting this topic because it appears similar changes were made beyond just Win8.1 and KB2919355 now. See later blog post: (http://blogs.technet.com/b/wsus/archive/2014/07/08/upcoming-update-to-wsus-kb-2887535.aspx)
  • Anonymous
    October 22, 2014
    We have a similar problem but with WSUS for Windows Server 2012 (version 6.3.9600.16384) over https - none of our 2012 R2 clients report their daily status to the WSUS server (also 2012 R2) after their initial status report. At the minute, our workaround is a scheduled task on each client that does the following on a daily basis:

    net stop wuauserv
    rd /q /s %windir%\softwaredistribution
    reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate /f
    net start wuauserv

    Is it possible that an update that fixed a prior issue has re-introduced this issue into 2012 clients?
  • Anonymous
    November 26, 2014
    some of my programs will not work on windows 8.1. help please
  • Anonymous
    March 19, 2015
    March 2015 still no fix ???
    what about the ASAP fix?
  • Anonymous
    September 09, 2015
    helped enabling SSL on WSUS regedit
    https://support.microsoft.com/ru-ru/kb/245030 - check in the end of page
  • Anonymous
    March 24, 2017
    8.1 updates have become a nightmare. History says succeeded, Belarc says critical and important uninstalled. Computer always "hangs" on restart telling me undoing changes. The worst of it is I "never" get any error codes when updates are performed. "Check for Updates" always "hangs" in a loop or ?