Windows Server 2008 R2 and a WSUS SHA-2 issue

[German]Brief information for administrators in corporate environments who manage updates with WSUS. A blog reader told me about a problem he ran into. A bug in the WSUS SHA-2 update prevents certain updates from being downloaded. But there is a workaround if you know the bug.


Problem: WSUS can't download updates

German blog reader Markus K. uses a Windows Server 2008 R2 on which a Windows Server Update Services (WSUS) is installed to manage updates for clients. Markus wrote me in an e-mail:

I don't know if it concerns anybody else, I don't get two updates I need downloaded (had a vacation last week, so I'm only trying to download the updates today).

KB4512506 and KB4517297 cause Event 364 (Content file download failed. Reason: File cert verification failure. Source File).

KB4511872 (IE CU), on the other hand, downloads without any problems, so I think there might be some problem with these two KBs.

The error message with the reference to File cert verification failure would have been spontaneously interpreted as 'the SHA-2 support might be missing'. But Markus wrote me that WSUS is up to date. Under Windows Server 2008 R2 he said all SHA2 updates were installed and WSUS was 3.2.7600.307.

Cause found

Later Markus K. contacted me again by e-mail to wrote that he probably identified the root cause. He referred me to the Microsoft support article SHA-2 Support for Windows Server Update Services 3.0 SP2, which deals with the requirements for SHA-2 support for WSUS 3.0 SP2. The 'known issuses' contain the following text:

After installing this update, content downloads may fail if WSUS is configured to download express installation files. You may receive the following update in the SoftwareDistribution.log, "Info           WsusService.23      CabUtilities.CheckCertificateSignature                  File cert verification failed for *\WsusContent\*\*.psf with 2148098064."

When the KB4484071 update required for SHA-2 support is installed, it configures WSUS for Express Updates. But then the error described above occurs when downloading updates.

Workaround: Disable Express Updates

To resolve this problem, administrators must disable the Download Express Installation Files feature. In the WSUS console, select Options -> Update files and languages -> Save update files locally on this server and clear the Download express installation files check box.


Microsoft is working on a solution and wants to release an update in a future release. Perhaps the information will help one or the other administrator. Thanks to Markus K. for the hint.

Cookies helps to fund this blog: Cookie settings


This entry was posted in issue, Update, Windows and tagged , , . Bookmark the permalink.

One Response to Windows Server 2008 R2 and a WSUS SHA-2 issue

  1. yepido44 says:

    Had a similar issue and worked on that with MS Support
    I confirm disable express Updates was a working workaround.
    Problem source was version of psfsip.dll
    Installing the latest KB4484071 from mid september 2019 solved our issue

Leave a Reply

Your email address will not be published. Required fields are marked *