Windows Server 2012 R2: Fix for WSUS Sync Bug (from July 2020 updates)

[German]If updates are managed with WSUS under Windows Server 2012 R2, there may be synchronization issues problems on some systems since July 1, 2020 due to disabled TLS 1.0/1.1 support. But there is a workaround: Use a downgrade of TLS support.


Background information on the problem

Administrators of Windows Server 2012 R2 on which updates are managed with WSUS have had problems since July 1, 2020. WSUS can no longer synchronize updates. Also an import of the packages in WSUS fails because then an error 0x80131509 is ejected. The reason for this problem is the 'TLS hardening', which was performed by the July 2020 updates (see Patchday: Windows 8.1/Server 2012-Updates (July 14, 2020)).

Microsoft did not specify it, but the updates disabled TLS 1.0/1.1 support and enabled TLS 1.2. The problem is, however, that WSUS is then no longer able to synchronize the required updates with the Microsoft servers. I already mentioned this in the blog post Windows Server 2012 R2: WSUS issues since July 1, 2020.

Workaround: Reactivate TLS 1.0/1.1

In the comments to the German edition of my old blog post, blog readers suggested some solutions as workarounds. German blog reader Axel R had posted this workaround for the import problem. German blog reader Karl Wester-Ebbinghaus posted this comment on October 20, 2020. He reported about a server side change from Microsoft, after which synchronization worked for him again. 

Karl pointed out that in case of further issues TLS 1.2 support should be activated via PowerShell. This is described in this Microsoft support article for MBAM. In the English article I also received this comment, where a reader wrote that they had the same problems and got this link from Microsoft which solved the problem (thanks for the tip). In the blog post YOU YOU NEED TO LOWER THE TLS SECURITY TO MANUALLY IMPORT UPDATES IN #WSUS the author presents a workaround to import updates manually in WSUS without the error 0x80131509.

Create a text file named w3wp.exe.config in 'C:\Windows\System32\inetsrv'. The following XML data must be entered in the file:


<?xml version="1.0" encoding="utf-8"?>
        <appcontextswitchoverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false" />

Afterwardsexecute iisreset. This approach allows a TLS fallback for all 23wp instances. After that the import should work in WSUS.

Cookies helps to fund this blog: Cookie settings

This entry was posted in issue, Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *