Windows 8.1 Update Cannot Connect to SSL-Enabled WSUS 3 SP 2

If you’re running Windows Server Update Services (WSUS) 3.0 Service Pack 2, have enabled SSL (the default I think) and now have Windows 8.1 Update clients, you’ll find that those clients are unable to connect to the WSUS server to check for updates.

I am writing this blog post to collect all symptoms and all workarounds and solutions in one place.

Symptoms

The symptoms are as follows:

  • Windows Update fails with Code 80072F8F
    Lots of material has been written about this Windows Update error. While it all relates to SSL/TLS failures, there is likely nothing wrong with your computer’s time or root certificates if it’s only happening to Windows 8.1 Update (KB 2919355) machines.
  • System Event Log Event ID 36888 from Schannel source
    Schannel is the Windows component responsible for establishing “secure channels,” like SSL and TLS.
    If you arrived at this page looking for info about this error but not related to WSUS, try eventid.net.

If you try to get updates online from Microsoft Update, you will find that it works because Microsoft’s servers are configured to accept TLS 1.2 connections.
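As an added example (not part of the original post), the PowerShell below triages a Windows 8.1 Update client for the two symptoms listed above and reports whether they occur together against an https:// WSUS URL. It assumes the WSUS address is delivered by policy in the WUServer value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and that the agent writes %windir%\WindowsUpdate.log as plain text, which is the case on Windows 8.1; run it from an elevated prompt on the client.

```powershell
# Added example, not part of the original post: triage a Windows 8.1 Update client
# for the symptoms above. Assumes the WSUS URL is set by policy in the WUServer
# value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and that the
# agent log is %windir%\WindowsUpdate.log (true on Windows 8.1). Run elevated.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer

if (-not $wuServer) {
    Write-Output 'No WSUS server is set by policy; this client scans Microsoft Update directly.'
    return
}
Write-Output "WSUS server (WUServer): $wuServer"
$usesSsl = $wuServer -like 'https://*'

# Symptom 2: Schannel event 36888 in the System log, i.e. the client generated a
# fatal TLS alert. Only the last 24 hours are considered so that an old,
# unrelated alert does not mislead the verdict.
$since = (Get-Date).AddDays(-1)
$schannel = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888; StartTime = $since } -ErrorAction SilentlyContinue)
Write-Output ("Schannel 36888 events in the last 24h: {0}" -f $schannel.Count)

# Symptom 1: error 80072F8F recorded by the Windows Update agent (Select-String is
# case-insensitive, so the log's 0x80072f8f spelling matches too).
$wuLog = Join-Path $env:windir 'WindowsUpdate.log'
$agentErrors = @()
if (Test-Path $wuLog) {
    $agentErrors = @(Select-String -Path $wuLog -Pattern '80072F8F' -SimpleMatch)
}
Write-Output ("Lines with 80072F8F in WindowsUpdate.log: {0}" -f $agentErrors.Count)
if ($agentErrors.Count -gt 0) { Write-Output ("Most recent: " + $agentErrors[-1].Line) }

# Verdict: both symptoms together against an https:// WSUS URL match the pattern
# described in this post. A clock or root-certificate problem would normally also
# break Microsoft Update, which the post notes still works for these clients.
if ($usesSsl -and $schannel.Count -gt 0 -and $agentErrors.Count -gt 0) {
    Write-Output 'Pattern matches: SSL WSUS + Schannel 36888 + 80072F8F. Check TLS 1.2 on the WSUS server.'
} elseif (-not $usesSsl) {
    Write-Output 'WSUS URL is not https; the problem described in this post does not apply.'
} else {
    Write-Output 'Pattern not fully present; check the client clock, root certificates and the WSUS web site.'
}
```

The script deliberately stops short of changing anything on the client: when the pattern matches, the fix belongs on the server, as the Cause section explains.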

Cause

The cause of the problem is that Windows 8.1 Update will check for updates using the TLS 1.2 protocol, which is not enabled by default on Server 2008 R2 and not at all available on earlier versions.

Solution and Workarounds

For WSUS running on Windows Server 2008 R2, my recommended action is to enable TLS 1.2. It requires a registry edit for which I’ve provided the contents of a .reg file below. You can also use the workarounds for older versions below, but those are less attractive options, IMHO.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

If you would rather not edit the registry yourself or want to enable numerous protocols and ciphers all at the same time, you may be interested in a tool by Nartac Software that can do it for you: https://www.nartac.com/Products/IISCrypto/Default.aspx
[Please note: I have not tested this tool and can’t vouch for its effectiveness or reliability.]

You will need to reboot the server after making the change.
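The following added example (my own PowerShell, not part of the original post) applies the same server-side TLS 1.2 setting as the .reg file above in an idempotent way, reports the current state, and then verifies the result after the reboot with a handshake that offers only TLS 1.2, which is what the Windows 8.1 Update agent does. The host name and port are placeholders: use the host and port from your WUServer URL (WSUS uses 443 on the default web site or 8531 on its own site). The registry functions must run elevated on the WSUS server; the probe needs .NET 4.5 or later for the Tls12 enum value, so a Windows 8.1 client is a convenient place to run it.

```powershell
# Added example, not part of the original post: enable TLS 1.2 server-side in
# the registry (same effect as the .reg file above) and verify with a TLS 1.2-only
# handshake. Host name and port below are placeholders; take them from your
# WUServer URL. Registry functions run elevated on the WSUS server; the probe
# runs from any machine with .NET 4.5+ after the server has been rebooted.

$tls12ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'

function Get-Tls12ServerState {
    # Reports the values the .reg file sets. A missing key means the OS default
    # applies, which on Server 2008 R2 is TLS 1.2 off for the server side.
    if (-not (Test-Path $tls12ServerKey)) { return 'Not configured (OS default; off on Server 2008 R2)' }
    $p = Get-ItemProperty -Path $tls12ServerKey
    if ($p.Enabled -eq 1 -and $p.DisabledByDefault -eq 0) { return 'Enabled' }
    return ('Key present but not enabled (Enabled={0}, DisabledByDefault={1})' -f $p.Enabled, $p.DisabledByDefault)
}

function Enable-Tls12Server {
    # Equivalent to importing the .reg file. -Force creates missing parent keys
    # and overwrites existing values, so running this twice is harmless.
    New-Item -Path $tls12ServerKey -Force | Out-Null
    New-ItemProperty -Path $tls12ServerKey -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $tls12ServerKey -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Output 'TLS 1.2 server-side enabled in the registry; reboot the server so Schannel picks it up.'
}

function Test-Tls12Handshake {
    # Opens a TCP connection and offers TLS 1.2 only. Success means Schannel on
    # the server now accepts what the Windows 8.1 Update agent sends.
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 8531)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # The callback accepts any certificate because this probe tests protocol
        # support only; the Windows Update agent still validates the chain on real scans.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        New-Object PSObject -Property @{ Host = $HostName; Port = $Port; Tls12 = $true; Negotiated = $ssl.SslProtocol; Error = $null }
    } catch {
        New-Object PSObject -Property @{ Host = $HostName; Port = $Port; Tls12 = $false; Negotiated = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Usage (placeholders; uncomment Enable-Tls12Server on the WSUS server, then reboot):
Get-Tls12ServerState
# Enable-Tls12Server
Test-Tls12Handshake -HostName 'wsus.example.internal' -Port 8531
```

If the probe reports Tls12 = $false after the reboot, check that the change was made on the WSUS server itself and under the Server subkey (not Client), and that nothing in front of WSUS, such as a reverse proxy or load balancer, terminates TLS with its own, older settings.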

For WSUS running on Windows Server 2008 and earlier, you will need to either

  • Disable SSL until the fix is available
  • Manually have those clients check Microsoft Update

Additional references

Enabling TLS 1.2: KB 245030

WSUS Product Team Blog: Windows 8.1 Update (KB 2919355) prevents interaction with WSUS 3.2 over SSL
