After applying a new GPO that disables older TLS ciphers, all my 2012R2 servers fail to download Windows updates with error 0x80072efe.
My GPO settings are:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
SSL 2 and 3 are disabled.
TLS 1.0, 1.1 and 1.2 are enabled.
DES 56/56, RC2 40/128, RC2 40/128, RC2 56/128, RC2 128/128, RC4 40/128, RC4 64/128, RC4 128/128 = disabled
Triple DES 168, AES 128/128, AES 256/256, MD5, SHA256, SHA384, SHA512, Diffie-Hellman, PKCS, ECDH = enabled
A Wireshark capture does not show why the remote server denies the traffic, other than that it sends a RST, ACK after the client has sent its TLS v1.2 Hello message.
If I install Microsoft Edge (instead of iexplore), the TLS communication gets a bit further, but still fails with an RST reply from the server with IP 52.152.110.14 every time (only this server).
Any clue why/what is causing this? What ciphers am I missing here?
Regards
Robert
And browsing to HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=526&L=en-US&P=&PT=0x7&WUA=7.9.9600.19915
gives me the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.
Found the problem.
The Windows update server supports the following ciphers:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
I enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 as this is supported on Windows 2012r2.
The newer ciphers were first added in Windows 2016.
/Robert
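As an added example (not code from this thread), the check below reads the cipher-suite order that the "SSL Cipher Suite Order" GPO pushes to a 2012 R2 host, compares it with the four suites the update server was seen to offer above, and, when there is overlap, performs a live handshake through Schannel so the result reflects the policy. The registry key path and the hostname from the thread are assumptions.

```powershell
# Added example, not from the original thread. Assumes the "SSL Cipher Suite Order"
# GPO writes its list to the registry key below; the server list is the one quoted
# in the thread for the Windows Update endpoint.

# Suites the Windows Update server offered, as IANA names (from the thread).
$ServerSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

function Get-PolicyCipherSuites {
    # The GPO stores the order as one comma-separated string in the "Functions" value.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $item = Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue
    if (-not $item) { return @() }   # no policy applied: OS default order is in use
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() })
}

function Test-SuiteOverlap {
    param([string[]]$ClientSuites, [string[]]$ServerSuites)
    # 2012 R2 names carry a curve suffix (_P256/_P384/_P521); the server advertises
    # the plain IANA name, so drop the suffix before comparing.
    $normalized = @($ClientSuites -replace '_P(256|384|521)$', '' | Select-Object -Unique)
    $common = @($normalized | Where-Object { $ServerSuites -contains $_ })
    [pscustomobject]@{ Common = $common; Negotiable = ($common.Count -gt 0) }
}

function Get-NegotiatedTls {
    # Live check: SslStream goes through Schannel, so the outcome reflects the GPO.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{ Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm;
                           Bits = $ssl.CipherStrength; KeyExchange = $ssl.KeyExchangeAlgorithm }
    } finally { $tcp.Close() }
}

$policy = Get-PolicyCipherSuites
if (-not $policy) { 'No cipher-suite policy found; Schannel is using the OS default order.'; return }
$check = Test-SuiteOverlap -ClientSuites $policy -ServerSuites $ServerSuites
if ($check.Negotiable) {
    "Suites both sides accept: $($check.Common -join ', ')"
    Get-NegotiatedTls -HostName 'sls.update.microsoft.com'   # hostname taken from the thread
} else {
    'No common cipher suite: the handshake will fail (RST after the Client Hello).'
}
```

Run it on the 2012 R2 host after a `gpupdate /force`, because the comparison reads the policy key the GPO actually wrote, not the GPO editor's view.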
Hi there,
Different Windows versions support different TLS cipher suites and priority orders. You can get them from here:
https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
The GPO might have stopped the update service on your 2012R2 servers; try kick-starting them.
Click Start and start typing on your keyboard for "services.msc"
In your search results "services.msc" should show up. Open it with a click.
A new window will open containing all Windows services on your system. Search for "Windows Update".
Right-click the "Windows Update" and then click Start.