Certificate issue with Windows Sever 2012 ?

Topics: Configuration Issue
Feb 4, 2016 at 2:20 PM

I am working for a company where there is no Enterprise CA.
So far we have been using WPP on the WSUS Server running Windows Server 2003 using the WPP self-signed certificate.

New downstream servers running Windows Server 2012 R2 are implemented and despite that the certificate has been imported, the new updates are not downloaded on those downstream servers.

I wonder if there is anything linked with the certificate....

Any help will be much appreciated.

Feb 4, 2016 at 4:03 PM
Are there any error messages in Windows Eventlog? SoftwareDistribution.log on downstreamservers in %programfiles%\Update Services\Logs?
Feb 4, 2016 at 5:30 PM
Hello and thank you for your reply.

Unfortunately I have not found anything to troubleshoot.

However, I have read on TechNet that self-signed certificates are not usable anymore in WSUS under Windows Server 2012.

Could someone please confirm?
If it is the case, does someone use WPP with a code signing certificate from Symantec or GoDaddy ?
Feb 4, 2016 at 6:33 PM
Self signing certificate is working in W2012.

Create a DWORD EnableSelfSignedCertificates=1 unter HKLM\Software\Microsoft\Update Services\Server\Setup\

The blog post from WSUS Product Team Blog: http://blogs.technet.com/b/wsus/archive/2013/08/15/wsus-no-longer-issues-self-signed-certificates.aspx
Feb 4, 2016 at 7:26 PM
Thank you WinfriedSonntag.

I saw that today and applied it.
So far, the updates did not transfer from the upstream server running Windows Server 2003 to the downstream running 2012.

Should I build a new upstream server running Windows Server 2012 and issue a new certificate ?

I'm a bit scared about that because there are about 20 downstream servers and about 6400 workstations.
But if it's the way to proceed.... Then I will try.

Is that your recommendation ?
Feb 4, 2016 at 7:38 PM
You have 6400 Clients and works with WPP?

You don't see the updates on your downstream-WSUS? They are there or your client don't picked up the Software from the downstream WSUS?
Feb 4, 2016 at 10:35 PM
Trust me, it works perfectly well for 2003 downstream servers but not with 2012 downstream servers...

So far we had no issues using WPP in production with so many clients spread worldwide, until we started to migrate few servers from 2003 to 2012.

I confirm the updates are not present on 2012 which made me believe in a cert issue.
Now, thanks to you, it is confirmed and the important question now is to know if the reg modification on the 2012 downstream servers is sufficient or if I have to migrate the 2003 upstream server to 2012, apply the reg and reissue a cert.
Feb 5, 2016 at 4:47 AM
Pls check the Build from your Upstream WSUS. Here you will see where you see the correct build:

In WSUS-FAQ No. 44 you see the KB-Numbers and the Build Numbers: http://wsus.de/faq

WSUS 3.0 (SP2): Build 3.2.7600.226
WSUS 3.0 (SP2) + KB2720211: Build 3.2.7600.251
WSUS 3.0 (SP2) + KB2734608: Build 3.2.7600.256
WSUS 3.0 (SP2) + KB2828185: Build 3.2.7600.262
WSUS 3.0 (SP2) + KB2938066: Build 3.2.7600.274

On a WSUS which is installed on W2008R2 or lower, your WSUS have to had Build .274.
Feb 5, 2016 at 7:47 AM
We were at version .251 so I am performing the updates and will let you now the outcome.
Feb 5, 2016 at 8:34 AM
Wow, .251 is very old. After the WSUS is on .274, you have restart the whole server. Synchronize with MS and now you can synchronize the downstream WSUS with your upstream. Best way is the Upstream WSUS is the newest available System.

If the WSUS.MSC is installed on a Client/Server with W2008R2 or lower, install on this Clients/Servers the patches too.
Feb 5, 2016 at 9:00 AM
Good news !

I installed the updates on the upstream server and after the reboots, the downstream servers received the WPP updates.
So from an infrastructure perspective, it seems ot be all fine now.

Next step is to approve the flash updates on an OU and see if the clients get it.

To be continued.....
Feb 5, 2016 at 3:02 PM
It all works like a charm !

Thank you very much WinfriedSonntag for great help ! Danke vielmals ;-)
Feb 5, 2016 at 3:05 PM
Thanks for response. ;)