Microsoft has suspended distribution of April's Windows 8.1 Update to some enterprise customers after a bug was discovered that could bork affected machines' ability to receive future updates.
The issue affects businesses that distribute software updates via Windows Server Update Services (WSUS) 3.0 Service Pack 2, which shipped with Windows Server 2008 R2 but can also be used with earlier versions of Windows Server.
After installing the Windows 8.1 Update, affected PCs will try to contact their WSUS servers using the TLS 1.2 secure communications protocol. But because TLS 1.2 support is not enabled on WSUS 3.0 SP2 by default – that version defaults to the older SSL protocol – in many cases these attempts will fail, and the PCs will no longer be able to receive future software updates.
This unfortunate side effect is delivered in Windows update KB2919355, the 707MB code chunk that makes up the majority of the Windows 8.1 Update set of patches.
Systems admins have a couple of workarounds available to resolve the problem, at least temporarily. First, if they're running WSUS 3.0 SP2 on Windows Server 2008 R2, they can enable TLS 1.2 support via some Registry tweaks. A Microsoft Knowledge Base article explains how.
Earlier versions of Windows Server, however, lack support for TLS 1.2. In these cases, the only way to re-enable software updates is to disable HTTPS in WSUS 3.0 SP2 and ship updates to PCs unencrypted.
Redmond says – with some small irony – that it's working on a software update that will restore proper behavior for all supported versions of WSUS, though it hasn't said when to expect that update to arrive.
Until then, Microsoft will no longer be distributing update KB2919355 to WSUS servers, and the only way for customers in WSUS environments to get the Windows 8.1 Update will be to download it from the Windows Update Catalog or from MSDN. ®