Distribution of the Windows 8.1 Update, Microsoft's hefty patch for Windows 8.1 that updates the user interface for desktop and mouse users, has been temporarily suspended for some enterprise users after the company discovered that patched systems are no longer able to receive future updates from Windows Server Update Services (WSUS) servers.
The problem occurs when clients connect to WSUS with HTTPS enabled, but without TLS 1.2. Windows 8.1 machines with the KB 2919355 update installed will no longer be able to receive future updates from those servers. Microsoft describes it primarily as an issue for WSUS 3.0 Service Pack 2, also known as WSUS 3.2, when run on Windows Server 2003, 2003 R2, 2008, and 2008 R2; this version does not have HTTPS or TLS 1.2 enabled by default, but HTTPS is part of the recommended configuration.
WSUS 4 on Windows Server 2012 and 2012 R2 is also technically affected, as the bug is client-side, but Windows Server enables TLS 1.2 by default, so issues are unlikely to arise in practice.
We first became aware of a problem with Windows 8.1 Update and WSUS servers on Monday, and we know that Microsoft has been working to diagnose the problem since then, if not before. Microsoft will have to come up with a proper fix soon, however, as the Windows 8.1 Update is a mandatory security update that will be a prerequisite for all future security fixes for Windows 8.1. The company says that a fix will be published "as soon as possible," but there is currently no schedule for its release.
If client machines have the update installed, an interim fix can be achieved by either enabling TLS 1.2 on the servers (though this is only possible on Windows Server 2008 R2), or disabling HTTPS entirely.
reader comments
27