Administrators of Windows Server 2012 R2 might be facing a serious problem (I am not sure how many will run into it), which German blog reader Axel R. recently drew my attention to by mail. If updates are managed with WSUS, there have been synchronization problems since July 1, 2020, because Microsoft has deactivated TLS 1.0/1.1 support on its update servers.
I'll post the information from Axel here; maybe there will be feedback from other affected people or new findings. I will also try to pass it on to Microsoft.
The error description
Axel wrote me ‘maybe I have something interesting here for your blog and if you have any contacts at Microsoft, it would be great to pass it on’ and then gave me the following description of the error pattern:
The WSUS on Windows Server 2012 R2 has had problems synchronizing with Microsoft since July 1, 2020. In the beginning, the sync was often successful on retries, but this worked less and less often, and since July 25 it hasn't worked at all. Google still does not spit out anything useful about it.
This is of course pretty stupid: the WSUS is in fact useless, and update distribution is useless because no new packages can be obtained. It will become a problem in August 2020 at the latest.
TLS 1.0/1.1 shutdown as a root cause?
Axel R. then researched on the Internet but did not find anything concrete about this particular case; Google knows nothing about it. There is, however, a suspicion about the cause. Axel writes:
After days of research I found out what's going on. It seems that Microsoft has gradually switched off TLS 1.0 on its update servers since July 1st. This makes sense, of course, but the WSUS on 2012 R2 can't handle it. At least some can, because only [WSUS on] 2012 [servers] that have been fed with Security Only Updates are affected.
The TLS 1.2 support for WSUS is only in the rollups. If you import the last rollup, the synchronization works fine again.
The pitfall is that the Security Only updates never brought the WSUS installation in question the TLS 1.2 support that ships in the monthly rollups.
Import from the Microsoft Update Catalog fails
My first thought when reading the above lines was: one could download the update packages manually from the Microsoft Update Catalog and import them into WSUS. Axel R. writes:
The import function via the catalog is also no longer available. It only throws the error 0x80131509; this affects ALL servers, including 2016 and 2019. Apparently this function still requires IE 11, ActiveX and TLS 1.0, and the latter seems to no longer be activated.
Error code 0x80131509 stands for COR_E_INVALIDOPERATION ("An operation is not legal in the current state"), the HRESULT behind a .NET InvalidOperationException. Axel writes about this:
That's what I came up with when I put two and two together. There doesn't seem to be a confirmation or even a solution, and the workarounds you describe in your blog article from June 8, 2018 don't work anymore. You can't even import updates via PowerShell.
The blog post mentioned is WSUS: Microsoft Update Catalog Import failure? Do any of you have further explanations or information? I'll try to pass the English version through my channels to the Windows Update group.
Axel reported later that he found a workaround that enables the import of update packages again: add the following registry value (a DWORD named SchUseStrongCrypto under the .NET Framework 4 key, which makes .NET 4.x applications use the strong protocol set, including TLS 1.2, by default).
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
With this value in place, the import works again.
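As an added example (this is not code from the original post or from Axel's mail), the following PowerShell script applies the SchUseStrongCrypto workaround described above for the sync problem and for the catalog import, reports which default protocol set the current .NET process started with, and then checks whether the server can actually complete a TLS 1.2 handshake against an endpoint. Two things in it are my assumptions: the endpoint defaults to www.microsoft.com because the post names no host, and the Wow6432Node path is added so that 32-bit .NET 4 processes on a 64-bit server get the same setting; the post only shows the 64-bit key.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the WSUS server. Hostname/port are assumptions: the post names no endpoint.
param(
    [string]$Hostname = 'www.microsoft.com',   # assumption: any TLS 1.2-capable host
    [int]$Port = 443
)

# What the .NET default protocol set looked like when THIS process started.
# On an unpatched 2012 R2 this typically reads "Ssl3, Tls" (no TLS 1.2).
"Default .NET SecurityProtocol at process start: $([Net.ServicePointManager]::SecurityProtocol)"

# Both registry views of .NET Framework 4: the 64-bit key from Axel's
# workaround plus the 32-bit (Wow6432Node) key, the latter my addition.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    $before = (Get-ItemProperty -Path $p -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    Set-ItemProperty -Path $p -Name SchUseStrongCrypto -Type DWord -Value 1
    $was = if ($null -eq $before) { '<absent>' } else { $before }
    "{0}: SchUseStrongCrypto {1} -> 1" -f $p, $was
}

# Probe: open a TCP connection and force a TLS 1.2 handshake with SslStream.
# The protocol is pinned explicitly, so this tests Schannel/OS support for
# TLS 1.2 regardless of the .NET default just changed.
function Test-Tls12Handshake {
    param([string]$TargetHost, [int]$TargetPort = 443)
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient(
            $TargetHost, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $result = [pscustomobject]@{
            Host     = $TargetHost
            Success  = $true
            Protocol = $ssl.SslProtocol
            Cipher   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Error    = $null
        }
        $ssl.Dispose()
        return $result
    } catch {
        return [pscustomobject]@{
            Host = $TargetHost; Success = $false; Protocol = $null; Cipher = $null
            Error = $_.Exception.Message
        }
    } finally {
        if ($client) { $client.Close() }
    }
}

Test-Tls12Handshake -TargetHost $Hostname -TargetPort $Port | Format-List
```

The registry value is read when a .NET process starts, so after running this the WSUS service and its IIS application pool need a restart (Restart-Service WsusService; iisreset) before the change reaches the synchronization code. If the handshake probe fails while the registry value is set, the problem is below .NET, in Schannel or on the network path, and no .NET setting will fix it.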