I have to comment, this went very smoothly for me, despite my anxiety about the situation. My only trouble was tracking down all the different information and organizing it into a step-by-step process. Below are my (rough) notes from when I did this project last week:
KB2718704 - clients and servers - disables certain unauthorized certs (Flame response)
    - Should already be installed on all computers (was)
KB2720211 - WSUS server - (outdated by KB2734608) confirm it is installed on all of your WSUS servers
    - Probably already installed on your WSUS server (was)
KB2734608 - WSUS server - enables W8 and WS12 updates, updates the Windows Update agent (replaces KB2720211)
    - Requires a manual download from Microsoft
KB2661254 - clients and servers - mandates 2048-bit certs
    - Just let loose by Microsoft this week

- Upgrade to PM 1.8
- Delete all third-party published packages from WSUS via PM.
- Ensure KB2718704 is installed on all systems.
- Update the WSUS server with KB2734608.
- Generate the new publishing certificate(s)
    - In the left pane of the Patch Manager console, expand Administration and Reporting, and then select Software Publishing.
    - In the Actions pane (right), click Server Publishing Setup Wizard.
    - In the WSUS Server menu, select the WSUS server.
    - Select Create self-signed certificate, and then click Next.
    - If the wizard returns a Confirm dialog, click Yes to continue. This dialog states that you will have to re-publish any existing packages and re-provision your client systems after generating a new certificate on a WSUS server that already has one provisioned. Step 2 in the general procedure at the top of this article addresses this issue.
    - Select the Patch Manager servers, publishing servers, and downstream servers to which you want to distribute the publishing certificate, and then click Next.
    - Review the summary screen for any errors, and then click Finish.
    - On the dialog that instructs you to configure your managed clients, click OK. Step 2 in the general procedure at the top of this article addresses this step.
- Re-provision all systems with the new certificate. This includes both Patch Manager and WSUS servers/consoles, along with all managed clients.
    - I find doing this via GPO is the most effective. You can use PM to "refresh group policy" for the entire domain afterward. Done in 30-90 minutes.
- Be sure KB2661254 is installed on all systems.
- Publish any third-party packages you need out there.
    - Be sure to verify packages if they already existed.
    - I found it easier to just create new custom packages, and avoided any problems.
- If you have Windows 8 or Windows Server 2012 clients that synchronized with WSUS 3SP2 before you applied KB2734608, wait for the update to be applied to the WSUS servers, and then follow these steps:
    - On the affected client, open cmd.exe in elevated mode.
    - Type the following commands. Make sure that you press Enter after you type each command:
        Net stop wuauserv
        rd /s %windir%\softwaredistribution\
        Net start wuauserv
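The notes above leave the two verification steps ("be sure KB2718704 / KB2661254 is installed on all systems" and confirming the freshly generated publishing certificate is actually 2048-bit) as manual checks. The following PowerShell is an added example, not code from the original poster, SolarWinds or Microsoft. It assumes an elevated Windows PowerShell session with WMI access to the listed hosts; the computer names are constructed placeholders, and the location of the WSUS publishing certificate in the local machine "WSUS" certificate store (Cert:\LocalMachine\WSUS) is an assumption about the WSUS server, not something the post states. The last function wraps the client cache reset from the end of the notes so it can be run against an affected Windows 8 / Server 2012 client; it is defined but not invoked automatically.

```powershell
# Added example: post-rotation verification for the WSUS / Patch Manager certificate change.
# Assumptions: $Computers are constructed sample names; the publishing certificate is
# assumed to be in Cert:\LocalMachine\WSUS on the WSUS server; run elevated.

$RequiredKBs = @('KB2718704', 'KB2661254')          # client/server hotfixes named in the notes
$Computers   = @('client01', 'client02', 'wsus01')  # constructed placeholder host names

# Reports, per computer and per KB, whether the hotfix shows up in Get-HotFix.
function Test-RequiredHotfixes {
    param([string[]]$ComputerName, [string[]]$KB)
    foreach ($c in $ComputerName) {
        try {
            $installed = Get-HotFix -ComputerName $c -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
        } catch {
            Write-Warning "$c : could not query hotfixes ($($_.Exception.Message))"
            continue
        }
        foreach ($id in $KB) {
            [pscustomobject]@{
                Computer  = $c
                KB        = $id
                Installed = ($installed -contains $id)
            }
        }
    }
}

# Lists certificates in the (assumed) WSUS publishing store with key size and validity,
# flagging any that would fail the 2048-bit minimum enforced by KB2661254.
function Test-PublishingCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\WSUS', [int]$MinBits = 2048)
    $certs = Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue
    if (-not $certs) {
        Write-Warning "No certificates found in $StorePath (store path is an assumption)"
        return
    }
    foreach ($cert in $certs) {
        $bits = $cert.PublicKey.Key.KeySize
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyBits    = $bits
            NotAfter   = $cert.NotAfter
            Compliant  = ($bits -ge $MinBits -and $cert.NotAfter -gt (Get-Date))
        }
    }
}

# Same sequence as the cmd.exe steps in the notes (stop agent, drop the cache, restart),
# for a Windows 8 / Server 2012 client that synced before KB2734608 reached the WSUS server.
function Reset-WindowsUpdateCache {
    Stop-Service -Name wuauserv -Force
    Remove-Item -Path (Join-Path $env:windir 'SoftwareDistribution') -Recurse -Force
    Start-Service -Name wuauserv
}

# Show only the gaps: hosts still missing a required KB.
Test-RequiredHotfixes -ComputerName $Computers -KB $RequiredKBs |
    Where-Object { -not $_.Installed } | Format-Table -AutoSize

# Show every certificate in the publishing store with its key size and compliance flag.
Test-PublishingCertificate | Format-Table -AutoSize
```

Run the hotfix check from the Patch Manager console host before and after the GPO refresh; an empty table means every listed computer already reports both KBs. Run the certificate check on the WSUS server itself, and treat a `Compliant` value of `False` as a reason to re-run the Server Publishing Setup Wizard before re-publishing any third-party packages.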