[German]A brief note for corporate administrators who distribute updates using WSUS. Microsoft shuts down an endpoint before the next patchday. I would also like to remind you of the SHA2 migration issue.
Advertising
WSUS: Synchronization endpoint is decommissioned
Windows Server Update Services (WSUS) uses certain server URLs to synchronize updates. Now I have been alerted by the following tweet that Microsoft will disable such a synchronization endpoint for the upcoming patchday.
HEADS UP ENTERPRISE FOLKS, using SCCM & WSUS:
EP SYNC being Decommissioned.Thank You: @MPECSInc
ICYMI: @SBSDiva @AdminKirsty @thurrott @maryjofoley @bdsams @mehedih_ @ruthm @SwiftOnSecurity @pcper @MalwareJake @JobCacka @etguennihttps://t.co/2BEArylkU7
1/3
— Crysta T. Lacey (@PhantomofMobile) 3. Juli 2019
Microsoft announced within the Techcommunity articleWSUS synchronization endpoint being decommissioned on Monday, July 8, that the endpoint:
fe2.update.microsoft.com
will be decommissioned (shut down) next Monday, July 8, 2019. This URL will no longer be available for WSUS. For WSUS servers that are still configured for the old endpoint, this change should result in a one-time slow synchronization (typically only a few minutes), since the WSUS server automatically switches to the new endpoint.
Advertising
Although the change should take place automatically, it is recommended to keep an eye on it as an administrator. If synchronization errors occur after Monday, those affected will find hints in KB article 4482416 – WSUS synchronization fails with SoapException to check whether they are affected by the problem. If this is the case, there are also instructions to fix it.
Note the mandatory SHA2 update for Win 7/Server 2008
Microsoft had announced in 2018 that it would only add SHA-2 signatures to its Windows updates from mid-2019 onwards – signing with SHA-1 would then no longer be necessary for security reasons. I had in the article Windows 7: From April 2019 'SHA-2-Support' is required is needed and reported in further blog posts (see article end) about it.
Users of Windows 7 SP1 (as well as its server counterparts) and WSUS will need a special update from April 2019, which upgrades the machine for SHA2 code signatures. Without this update, these machines will not be able to process new updates in the future. As of March 12, 2019, Microsoft provided the required updates for Windows 7 SP1 and Server 2008/R2 as part of the patchday.
For Windows Server Update Services, Microsoft provided the standalone update KB4484071 for WSUS 3.0 SP2 (SHA-2 Support for Windows Server Update Services 3.0 SP2), according to this support article. This upgrades the SHA-2 support for WSUS 3.0 SP2. Administrators using WSUS 3.0 SP2 must manually install this update by June 18, 2019. Now it is ensured that updates for Windows 7 and Windows Server 2008/R2 can be distributed via WSUS 3.0 SP2. The prerequisite for manual installation of update KB4484071 is that the following updates:
- Windows Monthly Rollup KB4489880 (or later) for Windows Server 2008 SP2
- KB4489878 (or later) for Windows Server 2008 R2 SP1
- and .NET 3.5 were previously installed.
If this is ignored, errors may occur during installation. Microsoft also recommends backing up the WSUS database before installing these updates. If you have considered this, you can look forward to the July patchday on Tuesday, July 9, 2019.
Similar articles:
SHA-2 patch for Windows 7 arrives on March 2019
Windows 7: From April 2019 'SHA-2-Support' is required
I have 1 SBS 2011 customer who will be migrating to the cloud, but we need to keep WSUS running for the time being. I can't seem to get these updates to install manually or otherwise. What is missing I get a 673 error.