1 Reply Latest reply on Jan 18, 2013 10:01 AM by Lawrence Garvin

    Beware KB2661254!

    Lawrence Garvin

      Microsoft has been discussing this update for a couple of months, and we've been adding to that discussion over in PatchZone, but we've seen an increase in the impact of this update on Patch Manager customers. KB2661254 is an update that invalidates all RSA-based certificates that have key lengths of less than 1024 bits. If you're running any version of Patch Manager earlier than v1.73 (July 2012), or any version of WSUS that does not have KB2720211 or KB2734608, both of those products will be adversely affected by the installation of KB2661254.


      For the WSUS server, it will prevent clients from being able to download or install third-party updates. For details on the necessary steps for the WSUS server please refer to this PatchZone blog post.


      For Patch Manager customers, it will prevent any communication from remote consoles to the application server, or between Patch Manager servers. For details on the necessary steps for Patch Manager, please refer to this SolarWinds Knowledge Base article:


      Message was edited by: Lawrence Garvin - Corrected broken hyperlink for PatchZone blog post.
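
A pre-install check for the condition described above, as an added example (not part of the original post, and not SolarWinds or Microsoft code): it lists RSA certificates under 1024 bits in the local machine stores and reports whether KB2661254 is already present. The store names (WSUS, TrustedPublisher, Root) are assumptions about where a WSUS publishing certificate typically lives; run it in an elevated Windows PowerShell session.

```powershell
# Added example: audit local certificate stores for RSA keys that KB2661254 would reject.
# The store list is an assumption about a typical WSUS local-publishing setup.
$MinBits = 1024                      # threshold stated in the post
$RsaOid  = '1.2.840.113549.1.1.1'    # rsaEncryption public-key algorithm OID
$Stores  = 'WSUS', 'TrustedPublisher', 'Root'

function Get-WeakRsaCertificate {
    param([string[]]$StoreName, [int]$MinimumBits)
    foreach ($name in $StoreName) {
        $path = "Cert:\LocalMachine\$name"
        if (-not (Test-Path $path)) { continue }    # e.g. no WSUS store on a client
        foreach ($cert in Get-ChildItem $path) {
            # Only RSA keys are in scope; skip DSA/ECC certificates.
            if ($cert.PublicKey.Oid.Value -ne $RsaOid) { continue }
            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                New-Object PSObject -Property @{
                    Store      = $name
                    Subject    = $cert.Subject
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

$weak    = @(Get-WeakRsaCertificate -StoreName $Stores -MinimumBits $MinBits)
$patched = [bool](Get-HotFix -Id KB2661254 -ErrorAction SilentlyContinue)

"KB2661254 installed: $patched"
if ($weak.Count -eq 0) {
    "No RSA certificates under $MinBits bits in: $($Stores -join ', ')"
} else {
    # Any certificate listed here stops validating once KB2661254 is applied.
    $weak | Sort-Object Store, Subject |
        Format-Table Store, KeyBits, NotAfter, Subject -AutoSize
}
```
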

        • Re: Beware KB2661254!

          I have to comment, this went very smoothly for me, despite my anxiety about the situation. My only trouble was tracking down all the different information, and organizing it in a step-by-step process. Below are my (rough) notes from when I did this project last week:


          KB2718704 - clients and servers - disables certain unauthorized certs (flame response)

          • Should already be installed on all computers (was)

          KB2720211 - wsus server - (outdated by KB2734608) confirm is installed to all of your WSUS servers

          • Probably already installed on your WSUS server (was)

          KB2734608 - wsus server - enable on w8 and ws12 updates, updates windows agent (replaces KB2720211)

          • Requires a manual download from Microsoft

          KB2661254 - clients and servers - mandates 2048 certs

          • Just let loose by Microsoft this week


          1. Upgrade to PM 1.8
          2. Delete all Third Party published packages from WSUS via PM.
          3. Ensure KB2718704 is installed on all systems.
          4. Update WSUS server with KB2734608.
          5. Generate the new publishing certificate(s)
            1. In the left pane of the Patch Manager console, expand Administration and Reporting, and then select Software Publishing.
            2. In the Actions pane (right), click Server Publishing Setup Wizard.
            3. In the WSUS Server menu, select the WSUS server.
            4. Select Create self-signed certificate, and then click Next.
            5. If the wizard returns a Confirm dialog, click Yes to continue. This dialog states that you will have to re-publish any existing packages and re-provision your client systems after generating a new certificate on a WSUS server that already has one provisioned. Step 2 in the general procedure at the top of this article addresses this issue.
            6. Select the Patch Manager servers, publishing servers, and downstream servers to which you want to distribute the publishing certificate, and then click Next.
            7. Review the summary screen for any errors, and then click Finish.
            8. On the dialog that instructs you to configure your managed clients, click OK. Step 2 in the general procedure at the top of this article addresses this step.
          6. Re-provision all systems with the new certificate. This includes both Patch Manager and WSUS servers/consoles, along with all managed clients.
            1. I find doing this via GPO is the most effective. You can use PM to "refresh group policy" for the entire domain after. Done in 30-90 minutes.
          7. Be sure KB2661254 is installed on all systems.
          8. Publish any Third Party Packages you need out there.
            1. Be sure to verify packages if they were existing.
            2. I found it easier to just create new custom packages, and avoided any problems
          9. If you have Windows 8 or Windows Server 2012 clients that synchronized with WSUS 3SP2 before you applied KB2734608, wait for the update to be applied to the WSUS servers, and then follow these steps:
            1. On the affected client, open cmd.exe in elevated mode
            2. Type the following commands. Make sure that you press Enter after you type each command:

                    net stop wuauserv
                    rd /s %windir%\softwaredistribution\
                    net start wuauserv