Microsoft Warns Against Applying Flawed WSUS Update
Microsoft said that enterprises using Windows Server Update Services (WSUS) should avoid applying update KB3148812.
This update has known issues, the WSUS team warned. It makes the WSUS admin console inaccessible. Moreover, "clients can't contact WSUS" after KB3148812 gets installed.
Microsoft's initial explanation of the steps IT pros needed to take, given this problem, appears to have been pulled. For instance, this page wasn't available this morning. However, the WSUS team posted a "Part 2" with advice as of April 22:
- "Until further notice, if you have not already installed this update, do not install KB3148812.
- "If you have installed it and not yet performed the 'wsusutil postinstall' step, then uninstall KB3148812.
- "If you have installed it and have already performed the manual steps recommended in a previous post, then please Email Blog Author so that we can work directly with you."
Microsoft's KB3148812 release isn't a security patch. It's designed to enable WSUS to automatically decrypt Windows Server 2012/R2 updates. WSUS is a free Microsoft patch management solution that's typically used by large organizations to control the update process. Microsoft's Knowledge Base article explains that KB3148812 is designed for organizations planning to use WSUS to "sync and distribute Windows 10 updates (feature updates) that are released after May 1, 2016."
The Part 2 blog post explained that WSUS users eventually will have to install KB3148812 to support the "anniversary update" of Windows 10. It's currently at the preview stage, but the Windows 10 anniversary feature update is expected to get released sometime this summer.
Microsoft typically uses the term "feature update" to refer to its big Windows 10 releases, rather than its monthly Windows 10 updates, according to an explanation by Microsoft patch expert Michael Niehaus. These feature updates typically follow a summer/fall release cycle, or at least that was true last year. The so-called "Redstone" Windows 10 feature updates may follow a different schedule.
Microsoft's now-inaccessible Part 1 post had explained that KB3148812 will be needed for WSUS because Microsoft now stages Windows 10 builds as encrypted packages. To get them to work with WSUS, Microsoft has been manually decrypting them. KB3148812 will permit WSUS to "natively decrypt this content," according to the Part 1 content, as described in this Myonlinesecurity blog post.
The Part 1 explanation perhaps was somewhat controversial because Microsoft was claiming that WSUS users will have to perform manual changes when applying KB3148812, although Microsoft had released KB3148812 before describing what those manual changes were. IT pros literally can't make the changes, since Microsoft hasn't published the manual steps, at least at press time.
The WSUS team's Part 2 post avoids that whole discussion, but it's at the heart of general IT pro complaints about Microsoft's more agile software release approach. Microsoft's faster software releases typically arrive with less documentation than in the past.
Microsoft's advice in Part 2 is for IT pros to hang tight, although there's no timeline for a fix:
"This issue was unfortunately not observed in our testing, so we are in a live debugging situation today. For the folks in pain, hang tight: this is our top priority, and we want to get your environments up and running again as soon as possible."
Clearly, though, the fix has to arrive before Microsoft's May 1 deadline imposed on IT pros using WSUS. Otherwise, WSUS won't be able to handle the coming Windows 10 anniversary edition updates.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.