The long-term fix for KB3148812 issues

A new update is available for Windows Server 2012 and 2012 R2.  This update requires manual steps in order to complete the installation. While the KB itself covers those steps, this post provides additional details on the release.

 

What KB3159706 does

Windows 10 feature updates (denoted by the "Upgrades" classification in WSUS) are staged in encrypted packages to Windows Update several days prior to the actual go-live date.  This is to ensure that we can release to all regions simultaneously.  The Windows 10 client has been able to decrypt these packages since RTM; however, WSUS was not able to do this.  Until now, we have been manually decrypting these packages prior to releasing to the WSUS channel, the process of which is both time consuming and error prone.  KB3159706 introduces this functionality to WSUS for Windows Server 2012/R2, such that it can now natively decrypt this content.  Skipping this KB means not being able to distribute the Windows 10 Anniversary Update, or any subsequent feature update, via these platforms.  Note that Windows Server 2016 will have this functionality at RTM.

 

How to deploy KB3159706

This update has been released through the WSUS and Catalog channels, so that it may be synched or imported to and subsequently deployed from your WSUS. For those that are currently unable to deploy using WSUS, we’ve also shipped this fix to Windows Update. If multiple WSUS servers in your environment are affected by the previous issue, then you can repair the topmost server using Windows Update, and the rest through WSUS itself.  You'll need to manually select this KB for installation if you get it from Windows Update, as the update is marked Optional.

 

If you installed KB3148812 or the test package

Both these updates modify the same files as KB3159706; since the latter is newer, it will simply replace the binaries. You can remove KB3148812 (if you don't recognize this KB, then no action is needed), but it is not necessary. In any case, your “For testing purposes only” watermark will disappear after you’ve removed the test package.  Our recommended order for this deployment is:

  1. Uninstall test package
  2. [Optional] uninstall KB3148812
  3. Install KB3159706
  4. Reboot your WSUS server

 

Still having issues?

This update involves changing some fundamental aspects of WSUS operation, and it may cause friction for some customers.  We're committed to getting you ready for the Anniversary Update (as well as ensuring that you can continue to take monthly updates), and we invite you to visit the WSUS forum if you're having issues deploying KB3159706 after following the KB guidance.