Upcoming Update to WSUS (KB 2887535)

We recently announced on the Microsoft Update Product Team Blog a set of changes made to the Windows Update Agent. In an effort to provide additional protection for our WSUS customers, we are releasing an update that enhances the security of Windows Update, the Microsoft Update (WU/MU) Client, and Windows Server Update Services. The update applies to WSUS 3.0 SP2, as well as the WSUS role running on Windows Server 2012 and Windows Server 2012 R2.

Improvements include further hardening of the infrastructure used by WU/MU client and the communication channel between WU/MU Client and Service. Additionally, the communication channel between WSUS and WU/MU service has been hardened. This update to WSUS also rolls up all prior updates.

Details on the changes to the WU/MU client can be found at KB 2887535.

Details and additional considerations for the update to WSUS can be found at KB 2938066.


The following files are available for download from the Microsoft Download Center:

All supported x64-based versions of Windows Server 2012 R2: Download the package now.
All supported x64-based versions of Windows Server 2012: Download the package now.
Update for WSUS 3.0 SP2: Download the package now.

Comments (21)

  1. Ed (DareDevil57) says:

    thank you

  2. Ed (DareDevil57) says:

    thank you

  3. thomas says:

    why is KB2938066 not showing up in WSUS itself like KB2720211 was?

  4. JohnnyH. says:

    Hello guys,

    after installing the update on my WSUS upstream server, I am getting an error when the machine tries to self-update itself.

    The WSUS agent got updated. Here is the part of the log. Can you advise please?

    Agent *************
    Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
    Agent *********
    Agent * Online = Yes; Ignore download priority = No
    Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    Agent * Search Scope = {Machine}
    Setup Checking for agent SelfUpdate
    Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320
    Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab with dwProvFlags 0x00000080:
    Misc Microsoft signed: NA
    Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp with dwProvFlags 0x00000080:
    Misc FATAL: Error: 0xc000000d when verifying trust for C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp
    Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp are not trusted: Error 0xc000000d
    Setup FATAL: Ident cab verification failed with error 0XC000000D
    Setup WARNING: SelfUpdate check failed to download package information, error = 0xC000000D
    Setup FATAL: SelfUpdate check failed, err = 0xC000000D
    Agent * WARNING: Skipping scan, self-update check returned 0xC000000D
    Agent * WARNING: Exit code = 0xC000000D
    Agent *********
    Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
    Agent *************
    Agent WARNING: WU client failed Searching for update with error 0xc000000d
    AU >>## RESUMED ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
    AU # WARNING: Search callback failed, result = 0xC000000D
    AU # WARNING: Failed to find updates with error code C000000D
    AU #########
    AU ## END ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
    AU #############

  5. JohnnyH. says:

    So, I just found out that the problem occurs on other servers (WS2008 R2 SP1) as well. Do not exactly know how to resolve it, if it is related to the WSUS infrastructure secured with TLS certificate (we use that) or so…

    All our WSUS servers had previously installed WSUS 3.0 SP2 with KB2720211 and KB2734608 and it worked like a charm.

    After installing the KB2938066 some of our systems started to show problems… 🙁
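
A triage sketch for the failure reported in comments 4 and 5, added here as an example and not part of any commenter's post or of Microsoft's tooling: it scans WindowsUpdate.log text for self-update checks whose signature validation failed, so affected clients can be identified after the update is deployed. The sample log is constructed from the excerpt in comment 4; the function name and result fields are assumptions.

```python
import re

# Constructed sample modelled on the excerpt in comment 4 (component + message only).
# Real WindowsUpdate.log lines carry date/time/PID/TID columns first; the patterns
# below use search(), so they match either layout.
SAMPLE_LOG = r"""
Setup Checking for agent SelfUpdate
Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320
Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab with dwProvFlags 0x00000080:
Misc Microsoft signed: NA
Misc FATAL: Error: 0xc000000d when verifying trust for C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp
Setup FATAL: Ident cab verification failed with error 0XC000000D
Setup FATAL: SelfUpdate check failed, err = 0xC000000D
Agent * WARNING: Skipping scan, self-update check returned 0xC000000D
Setup Checking for agent SelfUpdate
Setup Client version: Core: 7.6.7600.256 Aux: 7.6.7600.256
Setup SelfUpdate check completed. SelfUpdate is NOT required.
"""

START = re.compile(r"Checking for agent SelfUpdate")
VERSION = re.compile(r"Client version: Core: ([\d.]+)")
TRUST = re.compile(r"Error: (0x[0-9a-f]{8}) when verifying trust for (\S.*)$", re.I)
IDENT = re.compile(r"Ident cab verification failed with error (0x[0-9a-f]{8})", re.I)
SKIP = re.compile(r"Skipping scan, self-update check returned", re.I)

def selfupdate_failures(log_text):
    """Return one dict per self-update check in which trust verification failed."""
    checks, cur = [], None
    for line in log_text.splitlines():
        if START.search(line):  # each check opens a new record
            cur = {"version": None, "untrusted": [], "ident_error": None,
                   "scan_skipped": False}
            checks.append(cur)
        elif cur is None:
            continue  # ignore lines before the first check
        elif m := VERSION.search(line):
            cur["version"] = m.group(1)
        elif m := TRUST.search(line):
            cur["untrusted"].append(m.group(2).strip())
        elif m := IDENT.search(line):
            # Normalise case so 0XC000000D and 0xc000000d compare equal.
            cur["ident_error"] = "0x" + m.group(1)[2:].upper()
        elif SKIP.search(line):
            cur["scan_skipped"] = True  # the client stopped scanning for updates
    return [c for c in checks if c["ident_error"] or c["untrusted"]]

if __name__ == "__main__":
    for failure in selfupdate_failures(SAMPLE_LOG):
        print(failure)
```

A record with `scan_skipped` set means the client is no longer searching for updates at all, which is the condition to prioritise when checking patch coverage.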

  6. thomas says:

    @JohnnyH, try this: stop wu service, delete C:\Windows\SoftwareDistribution folder and start wu service

  7. Chris Kaminsky says:

    So… is this release STABLE?? Should I apply it to WSUS 3.0 SP2 on Server 2008 R2 Standard?
    My WSUS has 12 downstream servers and patches 2,000 clients total.

  8. StephenK says:

    Is there any chance that a similar issue could be occurring where clients are unable to interact over HTTPS with WSUS 6.2 (Server 2012) after KB2937636 is installed on the WSUS server? I’m noticing a new issue recently where our SCCM 2012 R2 OSD task sequence "Install Software Update" steps are timing out after 30 minutes without finding any updates to install, but then the required updates install fine after the task sequence completes. It might not be related, but it sounds like it could be related, and KB2937636 does indicate that KB2919355 (listed here) had already made the Windows Update changes in April 2014 that KB2937636 later did in July 2014.

  9. StephenK says:

    And FYI, we are an HTTPS only shop.

  10. Warren says:

    I too am seeing a failure to update with a C000000D error code after installing the 7.6.7600.320 update (Win7-SP1-64 bit available from here: http://support.microsoft.com/kb/2887535 ). Restoring the system to prior to the installation of this update restores the ability to download updates. I would appreciate a fix because our corporate powers that be are mandating that this new update be used.

  11. mikep says:

    Spotted a similar issue on a number of Windows 2012/R2 servers a few days ago and my wsus server is on win2012 using ssl. To fix the broken clients I used the troubleshooting pack for windows update but it has its issues.

    1. You need to download it to your servers first.
    2. Does not work with server core as the troubleshootingpack feature needs to be present on the system which requires a minimum of gui-infra as it uses powershell cmdlets.

    At least you can script the repairs using an xml answer file for large scale repairs.

    Also noticed that the repair needs a pre or post reboot and I think that might be related to most of my affected servers were systems configured for auto install and reboot. It installed all the updates but the reboot was not triggered.

  12. adwbust says:

    received this mu update on win7 sp1 x64. why isn’t it available for vista sp2 x86?

    pls offer ralink rt61/rt2561 version 2.1.6 to vista users. currently, windows update says version 2.1.5 is latest when checking for driver update. thanks.


  13. Katbert says:

    How about cumulative updates? I have Windows Server 2008 R2 SP1 + WSUS 3.0 SP2 + KB2828185. WSUS version is 3.2.7600.262.
    But WSUS still reports KB2720211 as needed
    Same issue:

  14. Roberto says:

    After applying the KB 2938066 update, Hyper-V guests (Windows 2012 R2) receive updates from WSUS but do not appear in the console. Any suggestions?

  15. hiphop says:

    thank you


  16. orhan says:

    Thanks for the its much appreciated..
