Managing WSUS: TLSv1.0 needed to import from the Windows Update Catalogue

Importing updates to WSUS from the Windows Update Catalogue requires the TLS v1.0 client protocol and the SHA hash to be enabled.

As you might have gathered from a previous troubleshooting post in relation to Windows Server Update Services (WSUS), one of my tasks is to manage our WSUS environment. Sometimes it's necessary to import updates from the Microsoft Windows Update Catalogue, and I ran into another problem with this recently.

While attempting to import some updates outside of our usual set of classifications, I was repeatedly told the import had failed. I tried an update I'd expect to work too and got the same error:

"Some updates could not be imported" message, showing the import has failed.

Clicking the failed links didn't provide much in the way of useful information:

Some updates could not be imported.
[Error number: 80131509]
The following are common causes and solutions for this issue:
If you use a proxy, be sure that it is the same proxy being used by your Windows Server Update Services (WSUS) server. Your WSUS server might not be configured correctly. Contact your WSUS administrator.

I always love "contact your administrator" type messages - usually I'm at least one of the administrators (if not the only one)!

After a lot of searching online it transpired that WSUS still needs TLSv1.0, even on Windows Server 2012 R2. In the organisation's bid to harden the environment we've disabled TLSv1.0 server practically everywhere, and in some places client too.

Turns out that TLSv1.0 with SHA client is required for the update import to work. Note that SHA needs to be specified in addition to TLSv1.0; both are required.

Successfully importing updates after enabling TLSv1.0 client with SHA.

If you need to adjust SSL / TLS settings on a Windows device I recommend the Nartac Software IISCrypto tool. IISCrypto presents a very easy to use graphical interface allowing you to change protocols, ciphers, hashes etc. Note that to apply the settings the Windows device needs to be restarted.

Nartac IISCrypto GUI, showing a working configuration for importing updates.
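To see which of these settings a hardened server currently has, the read-only PowerShell audit below reports the TLS 1.0 client and SHA hash state from the registry. It is an added example, not code from this post or from Nartac; the function names are hypothetical, and it assumes the standard Schannel registry layout, where an absent value means the OS default applies.

```powershell
# Added example: read-only audit, nothing is modified.
# Assumption: standard Schannel registry layout for protocol and hash settings.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $SchannelRoot $SubKey
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WsusImportTlsPrereq {
    # PermitsWhenZero marks DisabledByDefault, where 0 is the permissive value.
    $checks = @(
        @{ Setting = 'TLS 1.0 client: Enabled';           SubKey = 'Protocols\TLS 1.0\Client'; Name = 'Enabled';           PermitsWhenZero = $false }
        @{ Setting = 'TLS 1.0 client: DisabledByDefault'; SubKey = 'Protocols\TLS 1.0\Client'; Name = 'DisabledByDefault'; PermitsWhenZero = $true }
        @{ Setting = 'SHA hash: Enabled';                 SubKey = 'Hashes\SHA';               Name = 'Enabled';           PermitsWhenZero = $false }
    )
    foreach ($c in $checks) {
        $raw = Get-SchannelValue -SubKey $c.SubKey -Name $c.Name
        if ($null -eq $raw) {
            $state = 'Not set (OS default applies)'
        } elseif (($raw -eq 0) -eq $c.PermitsWhenZero) {
            $state = 'Permits'
        } else {
            $state = 'Restricts'
        }
        [pscustomobject]@{
            Setting = $c.Setting
            # An Enabled value of 0xffffffff reads back as Int32 -1, so show hex.
            Raw     = if ($null -eq $raw) { '' } else { '0x{0:X8}' -f $raw }
            State   = $state
        }
    }
}

$results = Test-WsusImportTlsPrereq
$results | Format-Table -AutoSize
if ($results.State -contains 'Restricts') {
    'TLS 1.0 client and/or SHA is restricted: the catalogue import may fail.'
} else {
    'No explicit Schannel setting found that restricts TLS 1.0 client with SHA.'
}
```

Because changed settings only apply after a restart, the values read here can differ from the server's live behaviour until it has been rebooted.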

Banner image: a screenshot of the error message I was receiving.

Disclosure: Nartac do not sponsor this post, their tool is recommended following extensive usage and peer recommendation.