Is WSUS 3.2 without TLS 1.0 possible?

  • Question

  • On a Server 2008 R2 SP1 with WSUS 3.0 SP2, after disabling TLS 1.0, the synchronizations fail with Microsoft Update Servers. The error message is long, but basically says: “The client and server cannot communicate, because they do not possess a common algorithm”. Event Viewer shows Event ID 10022 for WSUS and Event ID 36871 for Schannel (both vague).

    TLS 1.1 and 1.2 are enabled in the registry. I have tried various .net updates/solutions. I tried to install KB3154518 - Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1 but that update says it is not applicable to the OS (and not even sure if it affects .net 2). I did add the registry keys associated with KB3154518 and I added the registry keys for SchUseStrongCrypto.

    I can check for updates via Windows Updates through the Control Panel, and that works. If I approve an update that had been previously synced the download does complete. Workstation clients work as expected (HTTP port 80). The only problem is synchronizations with Microsoft Update servers within WSUS console. WSUS build is 3.2.7600.283.

    Is it possible, and if so, what steps are required to have WSUS 3.0 SP2 work properly with TLS 1.0 disabled on a 2008 R2 server?

    Tuesday, January 23, 2018 10:04 PM
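
Added example, not part of the original post: a read-only PowerShell audit of the registry values the question mentions (the Schannel protocol switches, `SchUseStrongCrypto`, and the `SystemDefaultTlsVersions` value associated with KB3154518). It assumes the standard Schannel and .NET Framework key locations and PowerShell 2.0 as shipped with Server 2008 R2; the function names are hypothetical.

```powershell
# Added example: reports the current state only, changes nothing.
# Written to run on PowerShell 2.0 (no [pscustomobject], no newer cmdlets).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return '(not set)'   # key or value absent: the OS / .NET default applies
}

function New-AuditRow {
    param([string]$Key, [string]$Name)
    $row = New-Object PSObject -Property @{
        Key   = $Key
        Name  = $Name
        Value = Get-RegValue -Path $Key -Name $Name
    }
    # Hashtable order is not preserved in PowerShell 2.0, so fix the column order.
    return ($row | Select-Object Key, Name, Value)
}

function Get-TlsAudit {
    $rows = @()

    # Schannel protocol switches. The WSUS sync to Microsoft Update is an
    # outbound connection, so the Client subkeys are the ones that govern it.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            foreach ($name in 'Enabled', 'DisabledByDefault') {
                $rows += New-AuditRow -Key "$schannel\$proto\$role" -Name $name
            }
        }
    }

    # .NET Framework values, for both CLR generations and both registry views.
    $roots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    foreach ($root in $roots) {
        foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
            foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
                $rows += New-AuditRow -Key "$root\$ver" -Name $name
            }
        }
    }
    return $rows
}

Get-TlsAudit | Format-Table -AutoSize
```

A `(not set)` entry means the key or value is absent, which is different from a value explicitly set to 0; comparing the output before and after a change shows exactly which switches were touched.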

All replies

  • Hi,

    So far, I haven't seen a successful case with TLS 1.0 disabled on WSUS 3.0.

    I have also seen a more detailed operation and analysis in the following thread:


    If possible, I'd suggest you open a case with Microsoft to see if it is possible:



    Best Regards,



    Wednesday, January 24, 2018 7:29 AM
  • Hi, I now have the same problem. Did you get any solution for it?
    Thursday, August 9, 2018 3:21 PM