{"id":10815,"date":"2019-08-20T00:41:41","date_gmt":"2019-08-19T22:41:41","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=10815"},"modified":"2019-08-20T00:52:57","modified_gmt":"2019-08-19T22:52:57","slug":"windows-server-2008-r2-and-a-wsus-sha-2-issue","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/08\/20\/windows-server-2008-r2-and-a-wsus-sha-2-issue\/","title":{"rendered":"Windows Server 2008 R2 and a WSUS SHA-2 issue"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2013\/03\/winb.jpg\" width=\"58\" height=\"58\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/08\/20\/windows-server-2008-r2-und-ein-wsus-sha-2-problem\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Brief information for administrators in corporate environments who manage updates with WSUS. A blog reader told me about a problem he ran into. A bug in the WSUS SHA-2 update prevents certain updates from being downloaded. But there is a workaround if you know the bug.<\/p>\n<p><!--more--><\/p>\n<h2>Problem: WSUS can't download updates<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg01.met.vgwort.de\/na\/7be61a5ef71c41e9a35462937e070ceb\" alt=\"\" width=\"1\" height=\"1\" \/>German blog reader Markus K. uses a Windows Server 2008 R2 on which a Windows Server Update Services (WSUS) is installed to manage updates for clients. Markus wrote me in an e-mail:<\/p>\n<blockquote><p>I don't know if it concerns anybody else, I don't get two updates I need downloaded (had a vacation last week, so I'm only trying to download the updates today).<\/p>\n<p>KB4512506 and KB4517297 cause Event 364 (Content file download failed. Reason: File cert verification failure. Source File).<\/p>\n<p>KB4511872 (IE CU), on the other hand, downloads without any problems, so I think there might be some problem with these two KBs.<\/p><\/blockquote>\n<p>The error message with the reference to File cert verification failure would have been spontaneously interpreted as 'the SHA-2 support might be missing'. But Markus wrote me that WSUS is up to date. Under Windows Server 2008 R2 he said all SHA2 updates were installed and WSUS was 3.2.7600.307.<\/p>\n<h2>Cause found<\/h2>\n<p>Later Markus K. contacted me again by e-mail to wrote that he probably identified the root cause. He referred me to the Microsoft support article <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4484071\/windows-server-update-services-update-kb4484071\" target=\"_blank\" rel=\"noopener noreferrer\">SHA-2 Support for Windows Server Update Services 3.0 SP2<\/a>, which deals with the requirements for SHA-2 support for WSUS 3.0 SP2. The 'known issuses' contain the following text:<\/p>\n<blockquote><p>After installing this update, content downloads may fail if WSUS is configured to <strong>download express installation files<\/strong>. You may receive the following update in the SoftwareDistribution.log, \"<em>Info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 WsusService.23\u00a0\u00a0\u00a0\u00a0\u00a0 CabUtilities.CheckCertificateSignature\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 File cert verification failed for *<strong>\\WsusContent\\<\/strong>*\\*.psf with 2148098064.\"<\/em><\/p><\/blockquote>\n<p>When the KB4484071 update required for SHA-2 support is installed, it configures WSUS for Express Updates. But then the error described above occurs when downloading updates.<\/p>\n<h2>Workaround: Disable Express Updates<\/h2>\n<p>To resolve this problem, administrators must disable the Download Express Installation Files feature. In the WSUS console, select Options -&gt; Update files and languages -&gt; Save update files locally on this server and clear the Download express installation files check box.<\/p>\n<p>Microsoft is working on a solution and wants to release an update in a future release. Perhaps the information will help one or the other administrator. Thanks to Markus K. for the hint.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Brief information for administrators in corporate environments who manage updates with WSUS. A blog reader told me about a problem he ran into. A bug in the WSUS SHA-2 update prevents certain updates from being downloaded. But there is a &hellip; <a href=\"https:\/\/borncity.com\/win\/2019\/08\/20\/windows-server-2008-r2-and-a-wsus-sha-2-issue\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,22,2],"tags":[166,159,569],"class_list":["post-10815","post","type-post","status-publish","format-standard","hentry","category-issue","category-update","category-windows","tag-issues","tag-windows-server","tag-wsus"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/10815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=10815"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/10815\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=10815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=10815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=10815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}