Botched WSUS patch KB 3148812 throws errors 80244019, 80244008, 8024401f

Two days after the patch rolled out, Microsoft provided instructions for dealing with reported problems -- but the new fixes don't work either

Be glad you aren't in charge of a Windows Server Update Services (WSUS) server.

WSUS admins on April 19 received patch KB 3148812, described in the KB article as "an update to a feature that enables Windows Server Update Services (WSUS) to natively decrypt Electronic Software Distribution (ESD) in Windows Server 2012 and Windows Server 2012 R2. Before you install this update, see the Prerequisites section."

Admins were keen to get it working because, per Microsoft, "You must install this update on any WSUS server that is intended to sync and distribute Windows 10 updates (feature updates) that are released after May 1, 2016."

When gathering the information about this week's 24 patches, I noted that problems had already been reported with this update and pointed would-be patchers to this post from Microsoft on TechNet. It says:

We've received word of some issues happening (e.g., WSUS admin console is inaccessible, clients can't contact WSUS) in the wild after installing KB3148812. It is critical functionality; however, you don't lose anything by skipping installation until we publish media that leverages this scenario, which will not be happening this month. For now, feel free to remove the patch if it's causing you problems, and we'll get to the bottom of the issues that have been reported.

The post was amended the morning of April 20 to say, in the comments:

Update: We've identified the root cause, and the good news is that this is not an issue of code quality. The package is good as is, but it requires some additional manual steps to be taken afterward in order to realign the moving parts of the system. More information on that will be available via the KB article and this blog later this week.

Late on April 21, two days after the patch rolled out, Microsoft posted a WSUS Product Team blog with instructions for completing the installation of KB 3148812:

This update introduces two changes that require additional manual steps in order to complete the installation: those who installed it right away had a bit of a panic because the guidance was not yet published.

The post goes on to describe two scenarios, with complex steps for fixing the attendant problems.

Big problem: The new fixes don't work. A tirade of complaints on the TechNet forum said the manual fixes that Microsoft offered after the fact don't fix the patch. Win10 PCs attached to the patched WSUS server still couldn't see the server. Clients are reporting errors 80244007, 80244019, 80244008, and 8024401f.

One poster noted that the situation could be fixed by appending one final step: Deleting the SoftwareDistribution folder on all of the clients -- a fun trick for a large, managed environment.
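
As an added example (not code from Microsoft or from the original article), the PowerShell below tallies the four client error codes reported above per machine and labels each with its symbolic name from the Windows SDK header wuerror.h, so an admin can see which clients are failing against the patched server. The function name Get-WsusClientError, the hostnames and the log lines are constructed for illustration.

```powershell
# Added example: classify the Windows Update client errors named in the article.
# Symbolic names are the HRESULT definitions in the Windows SDK header wuerror.h.
$KnownErrors = @{
    '80244007' = 'WU_E_PT_SOAPCLIENT_SOAPFAULT (server returned a SOAP fault)'
    '80244008' = 'WU_E_PT_SOAPCLIENT_PARSEFAULT (client could not parse the SOAP fault)'
    '80244019' = 'WU_E_PT_HTTP_STATUS_NOT_FOUND (HTTP 404 from the update server)'
    '8024401F' = 'WU_E_PT_HTTP_STATUS_SERVER_ERROR (HTTP 500 from the update server)'
}

function Get-WsusClientError {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $LogLine
    )
    $counts  = @{}
    # Codes may carry a 0x prefix and appear in either letter case.
    $pattern = '(?i)(?<![0-9a-f])(?:0x)?(8024[0-9a-f]{4})(?![0-9a-f])'
    foreach ($line in $LogLine) {
        foreach ($m in [regex]::Matches($line, $pattern)) {
            $code = $m.Groups[1].Value.ToUpperInvariant()
            if ($KnownErrors.ContainsKey($code)) { $counts[$code] = 1 + [int]$counts[$code] }
        }
    }
    foreach ($code in ($counts.Keys | Sort-Object)) {
        [pscustomobject]@{
            Computer = $ComputerName
            Code     = "0x$code"
            Count    = $counts[$code]
            Meaning  = $KnownErrors[$code]
        }
    }
}

# Constructed sample lines (not real log output); hostnames are hypothetical.
$sample = @{
    'PC-0101' = @(
        '2016/04/21 09:14:02 Agent  * WARNING: Failed to synchronize, error = 0x80244019',
        '2016/04/21 09:44:10 Agent  * WARNING: Failed to synchronize, error = 0x80244019',
        '2016/04/21 10:02:55 Agent  * WARNING: Failed to synchronize, error = 0x8024401f'
    )
    'PC-0102' = @(
        '2016/04/21 09:20:31 Agent  * Found 0 updates and 62 categories in search'
    )
}

$sample.GetEnumerator() | Sort-Object Key | ForEach-Object {
    Get-WsusClientError -ComputerName $_.Key -LogLine $_.Value
} | Format-Table -AutoSize
```

All four codes are protocol-level failures when talking to the update server (HTTP 404, HTTP 500, SOAP faults), which matches the report that clients could not see the patched WSUS server.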

On Friday morning Microsoft pulled the WSUS Product Team blog post. There's no indication why or when it might reappear, and the original KB article still doesn't mention the problem.

It looks like this might be a good time to roll back your server to a couple of days ago and sit this one out through the weekend at least.

Yes, even WSUS admins need to wait a while before installing new patches, or risk wasting a few days in the attempt.

Copyright © 2016 IDG Communications, Inc.
