Further Hardening of WSUS Now Available


As we mentioned previously, Microsoft is releasing an update to further harden Windows Server Update Services (WSUS) as a defense-in-depth precaution for our customers. This update is now available for download. As an additional measure, we are providing the SHA1 and SHA2 hashes of the WSUS update and the WU client files we released today, so that administrators can verify that the files they download are from Microsoft. The hashes are listed in the update KB article. We strongly urge WSUS administrators to apply these updates as soon as possible to take advantage of the added security they offer. For more information, please review the MSRC blog.

Please follow these steps to ensure a smooth deployment:

  1. Apply Security Advisory Update 2718704, issued on June 3, which moved unauthorized digital certificates derived from a Microsoft Certificate Authority to the Untrusted Store.
  2. Apply the WSUS update, issued on June 8 (see KB 2720211).
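The hash check the post recommends, as an added PowerShell example that is not part of the WSUS team's post. It assumes "SHA2" means SHA-256, uses .NET hashing directly so it also runs on the PowerShell 2.0 that ships with Server 2008/2008 R2, and the file name and hash values are placeholders to be replaced with the ones from the KB article.

```powershell
# Added example (not from the WSUS team's post): verify a downloaded update file
# against the SHA1 and SHA2 (assumed SHA-256) values published in the KB article.

function Get-FileHashHex {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][ValidateSet('SHA1','SHA256')][string]$Algorithm
    )
    # .NET is used directly because Get-FileHash needs PowerShell 4.0 or later.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead((Resolve-Path $Path).Path)
    try {
        $bytes = $hasher.ComputeHash($stream)
    } finally {
        $stream.Close()
        $hasher.Clear()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Test-UpdateFileHash {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][hashtable]$Expected   # @{ SHA1 = '...'; SHA256 = '...' }
    )
    $ok = $true
    foreach ($alg in $Expected.Keys) {
        $actual   = Get-FileHashHex -Path $Path -Algorithm $alg
        # Normalise the published value: strip spaces/dashes and ignore case.
        $expected = ($Expected[$alg] -replace '[\s-]', '').ToLowerInvariant()
        if ($actual -eq $expected) {
            Write-Host "[OK]   $alg matches for $Path"
        } else {
            Write-Warning "[FAIL] $alg mismatch for $Path`n  expected: $expected`n  actual:   $actual"
            $ok = $false
        }
    }
    return $ok
}

# Placeholder values: copy the real hashes from the KB article before running.
$expected = @{
    SHA1   = '<SHA1-FROM-KB-ARTICLE>'
    SHA256 = '<SHA256-FROM-KB-ARTICLE>'
}
# Placeholder path: point this at the file you actually downloaded.
if (-not (Test-UpdateFileHash -Path 'C:\Downloads\WSUS-update-placeholder.exe' -Expected $expected)) {
    Write-Error 'Hash mismatch: do not install this file; download it again from Microsoft.'
}
```

Check every hash the KB lists; a file that fails either algorithm should not be installed or approved in WSUS.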


Thank you,

WSUS team

Comments (24)
  1. Chris Lamont Mankowski says:

    Why don't you fix the problem by supporting OCSP Nonces?  The client validation portion of the crypto library.  Read more here: security.stackexchange.com/…/396

    Will you also set path constraints on all other CAs, and set Basic Constraints to Critical?

    Lastly, why do I have to trust a CA with all purposes enabled?  Why not allow me to set the starting point of the trust within the PKI tree?  Constrain a tier 3 CA with just code signing and let me use that for WSUS.

    Frankly I want to trust as few roots as possible.  See this post: How feasible is it for a CA to be hacked, and how do I remove non-trusted roots: security.stackexchange.com/…/396

  2. Chris says:

    If you want to follow up, you can do so here: http://www.linkedin.com/…/makerofthings

  3. tom says:

    Installed later update, keeps asking for in after every reboot, MMC broke down

    Running on Windows Server 2008 R1 x64

  4. tom says:

    Sorry, my bad, Server service was off 🙂

  5. Ricky says:

    Does the average Joe home PC user need to apply this update?

  6. Todd says:

    Since Security Advisory Update 2718704 was issued first on June 3, does this mean that we need to approve 2718704 and have it installed everywhere BEFORE approving the WSUS update KB 2720211, issued on June 08?

    Or can I approve both at the same time now?

  7. manuel says:

    Cannot install update KB 2720211 error message: "Product: Windows Server Update Services 3.0 SP2 — Error 1712. One or more of the files required to restore your computer to its previous state could not be found.  Restoration will not be possible."

  8. Jørn Stoveland says:

    I had to rebuild my WSUS server after installing KB2720211. Just a heads up. Take a snapshot of the WSUS server before installing this. I could roll back at all…

  9. Argh! says:

    Thanks for breaking our WSUS. Errors 12012, 13042, 12002, 12032, 12022, 12042, 12052 – all for free with this "fix".

  10. Bijoy says:

    WSUS Server crashed. Error (mmc has detected an error in a snap-in and will unload it)

  11. tom says:

    Install update via download, not via wsus

  12. Jay Harper says:

    My WSUS Server became corrupted as well! I manually downloaded the WSUS update and ran the executable. The WSUS app had to be removed and reinstalled. The databases were rebuilt from scratch (including our 3rd party updates via SolarWinds Patch Manager). This is definitely a notable issue that is occurring for a lot of folks.

  13. Matt says:

    Now that I have installed the update, WSUS won't start.  The application log is full of SQL errors like:

    (Event 33002)

    Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.

    Access to module dbo.spConfiguration is blocked because the signature is not valid.

  14. jim says:

    KB2720211 was a disaster here also. Looks like an inability to connect to the DB after the reboot. What fun..

  15. Matt says:

    The problem that I ran across is the installer just doesn't work correctly.  I had to manually extract a DLL file, a CER file, and a SQL file and place them in the appropriate location on my machine and then re-run the patch for it to correctly install.  Before, I was getting a ton of errors about not accepting the signed files.  Look at the response from chucker2.


  16. Rob says:

    We have applied the update to several of our SCCM servers (with a SUP) and the update appears to have broken the update services service as it refuses to start now.  Those servers are now throwing wsus sync errors back to the primary.   Not looking forward to 20+ boxes to reinstall…..


  19. Anonymous says:

    This is a collection of the top Microsoft Support solutions to the most common issues experienced using

  20. Markko says:

    Sigh, problem hit me with SCCM 2007 after installing October 2014 patches. WSUS didn't synchronize anymore with error messages "The given certificate chain has not Microsoft Root CA signed root" and "The server certificate did not comply with the following policy: CertificateChainPolicy". After I installed both patches synchronization started working again. Wonder what changed with October 2014 updates…
