Unable to install TLS 1.1 and 1.2 on Windows Server 2008 SP2

Question
-
I have a Windows Server 2008 VM that I'm trying to harden. I'm trying to install KB4019276 but I get the error "The update does not apply to your system" with nothing of note in the Event Log. The server is 64-bit and running SP2 and Exchange 2007. The server is otherwise fully patched and in good health. I've tried all three versions for the x64 platform in the Windows Update Catalog and all do the same. Any ideas out there on how to resolve this?
Friday, November 17, 2017 3:16 AM
Answers
-
Hi,
Please run the sfc /scannow command to repair system files.
You might try to create a new local account and log in with it to check if the error still occurs.
Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message.
In addition, please check whether you have downloaded the right version:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Marked as answer by Gaven Saturday, November 18, 2017 3:45 AM
Friday, November 17, 2017 9:54 AM
All replies
-
Gaven,
I ran into the exact same problem and found this solution.
Your Schannel.dll file version might have already been updated to a newer version than this patch.
However, the TLS 1.1 and TLS 1.2 protocols are disabled by default, unless/until you enable them via custom registry settings. Simply installing/updating this patch or a newer version does not enable TLS 1.1 or 1.2!
Read the fine print on this MS KB article and make sure to set up the necessary DisabledByDefault = 0 DWORD.
Finally reboot Windows to take effect. Problem solved!
- Proposed as answer by MattChristian Friday, February 23, 2018 11:03 PM
Friday, February 23, 2018 11:03 PM -
Gaven,
Did you ever get this working? I am also running into the same problem: "The update does not apply to your system".
Tuesday, June 26, 2018 2:44 PM -
I am also having the same problem. I am trying to install it on Windows Server 2008 SP2, Spanish version. I used the sfc /scannow command, but no progress.
Tuesday, July 10, 2018 12:50 PM
-
Same issue. I see that KB4019276 has been superseded, etc... up to KB4056564 but that has the same issue.
sfc /scannow finds nothing, does nothing, doesn't help.
Wednesday, September 19, 2018 6:55 PM -
The point about the registry settings is probably true, but that doesn't address the OP problem of not being able to apply the update. Were you able to get TLS 1.2 working without applying the patch?
Wednesday, September 19, 2018 7:51 PM
-
Had this issue as well. Server 2008 SP2 VM would not take either update package (KB4019276 and KB4056564) and sysinfo.exe did not show them installed. I took a chance that they may have been part of a larger update to schannel.dll so I added the proper Registry keys and rebooted the server. TLS1.2 for my IIS7 hosted intranet site was then working with TLS1.2.
Procedure
1. Browse to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
2. Right-click on the Protocols folder and select New and then Key from the drop-down menu. This will create a new folder. Rename this folder to TLS 1.2.
3. Right-click on the TLS 1.2 key and add two new keys underneath it.
4. Rename the two new keys as: Client and Server.
5. Right-click on the Client key and select New and then DWORD (32-bit) Value from the drop-down list.
6. Rename the DWORD to DisabledByDefault.
7. Right-click the name DisabledByDefault and select Modify... from the drop-down menu.
8. Ensure that the Value data field is set to 0 and the Base is Hexadecimal. Click on OK.
9. Create another DWORD for the Client key as you did in Step 7.
10. Rename this second DWORD to Enabled.
11. Right-click the name Enabled and select Modify... from the drop-down menu.
12. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click on OK.
13. Repeat steps 5 to 12 for the Server key (by creating two DWORDs, DisabledByDefault and Enabled, and their values underneath the Server key).
14. Reboot the server.
Monday, January 13, 2020 3:00 PM
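
The registry procedure in the reply above, scripted and then read back for verification. This is an added example, not part of any post in the thread; the function names `Set-SchannelProtocol` and `Get-SchannelProtocolState` are hypothetical, and the script assumes an elevated PowerShell 2.0 or later session.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Hypothetical helper: creates <Protocol>\<Role> and the two DWORDs from the procedure.
function Set-SchannelProtocol {
    param([string]$Protocol, [string]$Role)
    $key = Join-Path (Join-Path $base $Protocol) $Role
    # Only create the key when it is missing, so existing values are left alone.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Hypothetical helper: reads back the values Schannel will pick up after the reboot.
function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)
    $key = Join-Path (Join-Path $base $Protocol) $Role
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing key or value leaves the property $null, which never equals 0 or 1.
    $ok = ($props -ne $null) -and ($props.DisabledByDefault -eq 0) -and ($props.Enabled -eq 1)
    New-Object PSObject -Property @{
        Protocol = $Protocol; Role = $Role; KeyExists = (Test-Path $key)
        DisabledByDefault = $props.DisabledByDefault; Enabled = $props.Enabled
        MatchesProcedure = $ok
    }
}

# Steps 1-13: TLS 1.2 key with Client and Server subkeys, two DWORDs each.
foreach ($role in 'Client', 'Server') {
    Set-SchannelProtocol -Protocol 'TLS 1.2' -Role $role
}

# Verify both roles before rebooting.
'Client', 'Server' |
    ForEach-Object { Get-SchannelProtocolState -Protocol 'TLS 1.2' -Role $_ } |
    Format-Table Protocol, Role, KeyExists, DisabledByDefault, Enabled, MatchesProcedure -AutoSize

# Replies above suggest schannel.dll may already be newer than the KB; record its version.
(Get-Item "$env:SystemRoot\System32\schannel.dll").VersionInfo.FileVersion
```

The reboot in step 14 is still required after the script runs. Running only the `Get-SchannelProtocolState` part is a read-only check of the current settings.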