gabrielluizbh MVP, same here
KB5037422, KB5037425, KB5037423, KB5037426 DC crash fixes (You may end UP here also on this page....)
We have just been struggling with the PowerShell error on SRV 2019 and 2022 for the Out-of-band post 03/2024 Windows Updates to fix DC crash.
I don't like to fast/urgent switch and change TLS or SchUseStrongCrypto; we do that enough on Exchange and DAG all day long since we have to update endlessly on-premises.
A strange situation where you have a fresh new script to import and you have a 2022 OS WSUS Server and you have to force something. Punish on-premises customers or how do you call it again?
Quick steps for the DC fix patches:
Re-Download the .\ImportUpdateToWSUS.ps1
Try one .\ImportUpdateToWSUS.ps1 -UpdateId f2aaaf6d-b74b-4b64-aa72-535b1831124c
If it works > You're good to import the others
If you get a red PowerShell (You will FIRST have to change SchUseStrongCrypto 32/64BIT and reboot)
SRV 2016 (Will work without change of Crypto)
SRV 2019 + 2022 (You will FIRST have to change SchUseStrongCrypto 32/64BIT and reboot)
For the SchUseStrongCrypto:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Restart-Computer
OR
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /t REG_DWORD /d 1 /f
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /t REG_DWORD /d 1 /f
* Don't use: IIScrypto.exe you don't need it
* Don't change too much
* Don't enable the SchUseStrongCrypto settings via GPO quick and dirty for all servers if you have enterprise and clusters, DAG, Load Balancers etc.
* If you are SQL Express based, check that you don't hit the LIMIT of your SQL Express just that day you need an urgent patch (Events 1827 or 1101) (If you do so then contact Adam Marshall MVP and invest in his tools)
We tried to get all together in a blog post:
English
https://www.butsch.ch/post/wsus-importupdatetowsus-ps1-march-2024-security-update-dc-fails-srv-2019-and-2022-how-to-fix-all-steps/
German
https://www.butsch.ch/post/windows-update-server-import-fehler-powershell-kb5037422-kb5037425-kb5037423-kb5037426/
The Learn Documentation has been getting very good almost excellent. Sadly such info is skipped which is so urgent at that point.
Maybe we missed the change to import was fall 2023 but since then we did not need any Out of the Box and Import from Windows Update Catalog was so nice.
You can always download and install the patch from Windows Update catalog.
Quiz-question: Since there is a Windows 10 Re-release. Does the effect happen NOT only in Domain controllers? Is it GOOD or BAD to install the patch on any member server through the band?
Greetings from Switzerland/Basel
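
Added example, not part of the original post: a PowerShell sketch that reads SchUseStrongCrypto in both registry views named above and writes only the values that are missing, on the local server only. The function names Get-StrongCryptoState and Set-StrongCrypto are hypothetical helpers made up for this illustration.

```powershell
# Added example: check both .NET 4.x registry views before changing anything.
# Run from an elevated PowerShell session on the WSUS server itself.
$NetFxKeys = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}

function Get-StrongCryptoState {
    # Hypothetical helper: one object per registry view with the current value.
    foreach ($view in $NetFxKeys.Keys) {
        $path  = $NetFxKeys[$view]
        $value = $null
        if (Test-Path -Path $path) {
            $prop  = Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
            $value = $prop.SchUseStrongCrypto      # stays $null when the value is not set
        }
        [pscustomobject]@{
            View      = $view
            Path      = $path
            Value     = $value
            Compliant = ($value -eq 1)
        }
    }
}

function Set-StrongCrypto {
    # Hypothetical helper: writes the DWord only where it is missing or not 1.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $changed = $false
    foreach ($item in @(Get-StrongCryptoState | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess($item.Path, 'Set SchUseStrongCrypto = 1 (DWord)')) {
            if (-not (Test-Path -Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            Set-ItemProperty -Path $item.Path -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
            $changed = $true
        }
    }
    if ($changed) { Write-Warning 'Values changed. Reboot before retrying ImportUpdateToWSUS.ps1.' }
    return $changed
}

# Record the state first, then preview the change.
Get-StrongCryptoState | Format-Table View, Value, Compliant, Path -AutoSize
Set-StrongCrypto -WhatIf | Out-Null     # remove -WhatIf to apply on this one server
```

If both views already show Compliant = True and the import still fails, the cause is something other than SchUseStrongCrypto.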