WSUS 3.2.7600.307 can’t verify PSF files

[German]A German blog reader contacted me last week and pointed out a problem related to WSUS. His WSUS 3.2.7600.307 can no longer check PSF files. Here is some information about this topic.

This topic only affects administrators in corporate environments who use Windows Server Update Services (WSUS) to manage updates for their clients and servers. Currently, the message refers to WSUS 3.2.7600.307.

What are PSF files for?

Since I don't use WSUS, I'm not familar with PSF files. According to this document, the Express Update packages are stored into PSF files. PSF could stand for patch storage files (see also this Microsoft page).

PSF file check fails in WSUS 3.2.7600.307

German blog reader Franz W. sent me a mail last week (thanks for that) describing a problem he has with his WSUS. Franz wrote:

I now have the following problem with the conversion of the MS updates to SHA256:

The WSUS can't check updates that contain PSF files and then discards the download. EXE and CAB (only SHA256 signed) don't cause any problems.

Currently I cannot distribute the updates KB4509094 and KB4507435 for Windows 10 1803.

Franz searched the internet and found this Technet forum thread, where the issues also has been described.

More affected users in Technet

A user named Deniz opened a thread on July 13, 2019 called File cert verification failure regarding only KB4504418 and described the problem.

I'm currently experiencing the following problem:

A WSUS 3.2.7600.307 running on a Windows 2008 R2 Standard server repeatedly fails to download two specific files. The server itself is fully updated; .NET 3.5.1 is installed; WID is used for the WSUS database.

The problematic files are two express installation files for KB4504418 (Servicing Stack Update for Windows 8.1, Server 2012, und Server 2012 R2), as reported by the corrsponding events:

Inhaltdateisynchronisierung ist fehlgeschlagen. Ursache: File cert verification failure. Quelldatei: /c/msdownload/update/software/secu/2019/07/windows8-rt-kb4504418-x86_cbfca28e203
c05cf0d8bf6e8c56d81c9bd170789.psf Zieldatei: c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf.

Inhaltdateisynchronisierung ist fehlgeschlagen. Ursache: File cert verification failure. Quelldatei: /c/msdownload/update/software/secu/2019/07/windows8-rt-kb4504418-x64_7fc2ec35606
f12f6065408850962706ebd9c9816.psf Zieldatei: c:\WSUS\WsusContent\16\7FC2EC35606F12F6065408850962706EBD9C9816.psf.

WSUS cannot download two specific PSF files. He then investigated the problem further and found the following:

• Manually downloading the file windows8-rt-kb4504418-x86_cbfca28e203c05cf0d8bf6e8c56d81c9bd170789.psf works in general.
• The SHA1 hash value of this file matches the file name as well as the FileDigest entry found in tbFile.
• The SHA256 hash value of the file should be 0x52A3560EB5DB626E0CF52894CBB41D09B360C0310FF9692DE867FB2F2F3C7DFA according to tbFileHash.

The manual download works and the hash value of the file is found. But there is an error in the log file SoftwareDistribution.log:

[…]
2019-07-11 04:34:31.281 UTC      Info      WsusService.12      ContentSyncAgent.WakeUpWorkerThreadProc      Processing Item: 316170c4-97ec-4dbc-9364-17b6832294f3, State: 10
2019-07-11 04:34:31.921 UTC      Info      WsusService.12      ContentSyncAgent.VerifyCRC      calculated sha2 sha256 hash is 52A3560EB5DB626E0CF52894CBB41D09B360C0310FF9692DE867FB2F2F3C7DFA
2019-07-11 04:34:31.936 UTC      Info      WsusService.12      CabUtilities.CheckCertificateSignature      File cert verification failed for c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf with 2148098064
2019-07-11 04:34:31.983 UTC      Warning      WsusService.12      ContentSyncAgent.WakeUpWorkerThreadProc      Invalid file deleted: c:\WSUS\WsusContent\89\CBFCA28E203C05CF0D8BF6E8C56D81C9BD170789.psf
[…]

The check of the Cert file probably fails. The source of the error will be in another post than in the file:

C:\Windows\System32\Psfsip.dll

located. This is the "Crypto SIP provider for signing and verifying .psf patch storage files". Besides blog reader Franz, there are other people who have reported in the thread. Therefore two questions: Is any of you also affected? And is there a fix?