Microsoft replaces WSUS patch KB 3148812 with KB 3159706

Microsoft tries again with a faulty WSUS patch, but more work will be required of users to fix the problems caused by its predecssor

If you’re using Windows Server Update Services (WSUS) on Server 2012 R2, you’ve gone through a tough month. On April 19, Microsoft released KB 3148812, a patch that was supposed to make your version of WSUS compatible with the new Electronic Software Distribution (ESD)-encrypted patches rolling out starting May 1. Unfortunately, the patch threw errors, froze machines, and generally caused so much mayhem that Microsoft tried to document workarounds before finally pulling it.

On April 20, Microsoft announced it had “identified the root cause, and the good news is that this is not an issue of code quality. The package is good as is, but it requires some additional manual steps to be taken afterward in order to realign the moving parts of the system.” Two TechNet posts each tried to explain how to apply fixes after the patch was installed. Neither worked.

Now, finally, we have a new blog post with a new patch KB 3159706. The documentation says this version will work:

Windows 10 feature updates (denoted by the “Upgrades” classification in WSUS) are staged in encrypted packages to Windows Update several days prior to the actual go-live date.  This is to ensure that we can release to all regions simultaneously.  The Windows 10 client has been able to decrypt these packages since RTM; however, WSUS was not able to do this.  Until now, we have been manually decrypting these packages prior to releasing to the WSUS channel, the process of which is both time consuming and error prone.  KB3159706 introduces this functionality to WSUS for Windows Server 2012/R2, such that it can now natively decrypt this content.  Skipping this KB means not being able to distribute the Windows 10 Anniversary Update, or any subsequent feature update, via these platforms.  Note that Windows Server 2016 will have this functionality at RTM.

It goes on to say you don’t have to uninstall KB 3148812 before you install this patch:

Both these updates modify the same files as KB3159706; since the latter is newer, it will simply replace the binaries. You can remove KB3148812 (if you don’t recognize this KB, then no action is needed), but it is not necessary

Note: After you install the patch, you have to go into WSUS and run through a complex series of manual steps, documented in the KB article, to get it to work.

If you have a problem with it, I suggest you post a response on the TechNet article.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon