Microsoft has issued an out-of-band (OOB) non-security update to address an issue caused by the October 2022 Windows security updates that triggers SSL/TLS handshake failures on client and server platforms.
On affected devices, users will see SEC_E_ILLEGAL_MESSAGE errors in applications when connections to servers experience issues.
"We address an issue that might affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections might have handshake failures," Microsoft explains.
"For developers, the affected connections are likely to receive one or more records followed by a partial record with a size of less than 5 bytes within a single input buffer."
The known issue addressed in today's OOB updates affects multiple Windows releases and editions, including:
- Client: Windows 11, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
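The buffer shape in Microsoft's note to developers above, as an added example (not Microsoft's code and not part of the article): a TLS record header is 5 bytes, so a single read can end partway through the next record's header. The `RecordReassembler` and `make_record` names and the sample bytes are constructed for illustration; the framer holds the short tail until the next read instead of rejecting it.

```python
import struct

HEADER_LEN = 5                 # content type (1) + version (2) + length (2)
MAX_FRAGMENT = 2**14 + 2048    # largest TLSCiphertext fragment (RFC 5246)


class RecordReassembler:
    """Frames TLS records from arbitrary read chunks (hypothetical helper)."""

    def __init__(self):
        self._pending = b""    # bytes of a record that is not yet complete

    @property
    def pending(self):
        return self._pending

    def feed(self, chunk: bytes):
        """Return the complete records now available as (type, version, body)."""
        buf = self._pending + chunk
        records, pos = [], 0
        while len(buf) - pos >= HEADER_LEN:
            ctype, version, length = struct.unpack_from("!BHH", buf, pos)
            if length > MAX_FRAGMENT:
                raise ValueError("record length exceeds TLS maximum")
            end = pos + HEADER_LEN + length
            if end > len(buf):
                break          # header complete, body still arriving
            records.append((ctype, version, buf[pos + HEADER_LEN:end]))
            pos = end
        # Fewer than 5 trailing bytes is a partial header: keep it, do not reject.
        self._pending = buf[pos:]
        return records


def make_record(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    """Build a constructed sample record (not captured traffic)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def demo():
    # Constructed input: two whole records plus the first 3 header bytes of a third.
    third = make_record(23, b"application-data")
    first_read = make_record(22, b"hello") + make_record(20, b"\x01") + third[:3]
    framer = RecordReassembler()
    got_first = framer.feed(first_read)
    leftover = framer.pending
    got_second = framer.feed(third[3:])
    return got_first, leftover, got_second


if __name__ == "__main__":
    print(demo())
```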
Available via the Microsoft Update Catalog
The updates can't be deployed via Windows Update, Windows Update for Business, or Windows Server Update Services (WSUS).
You can install them by downloading from the Microsoft Update Catalog and manually importing them into WSUS and Microsoft Endpoint Configuration Manager.
Microsoft has released both standalone packages and cumulative updates:
- Cumulative updates:
  - Windows 11, version 21H2: KB5020387
  - Windows Server 2022: KB5020436
  - Windows 10, version 20H2; Windows 10, version 21H1; Windows 10, version 22H1; Windows 10 Enterprise LTSC 2021: KB5020435
  - Windows 10 Enterprise LTSC 2019; Windows Server 2019: KB5020438
  - Windows 10 2016 LTSB; Windows Server 2016: KB5020439
  - Windows 10 2015 LTSB: KB5020440
- Standalone Updates:
After deploying the update, the Cluster Service might fail to start because a Cluster Network Driver is not found due to an update to the PnP class drivers used by the service.
Last month, Microsoft said that it accidentally listed the September Windows preview update in Windows Server Update Services (WSUS).
Redmond added that until the update was removed from WSUS, it could still lead to security update install problems in some managed environments.
Update: Added download links to more OOB updates released by Microsoft since the article was published.
Comments
cyberwolfe - 1 year ago
Probably best to avoid this one.
noelprg4 - 1 year ago
not me. I'm getting these out-of-band updates (NOT avoiding them) as I do use a few old apps that use certain SSL/TLS connections that will need these fixes.
btw, note to Sergiu: KB5020439 update for Win10 LTSB 2016 v1607 and KB5020440 for Win10 LTSB 2015 v1507 have been released Tuesday afternoon Oct. 18 to resolve the SSL/TLS connection problems
edit - users with Citrix based apps should download & install these out-of-band updates for affected Windows versions as noted from these blogs:
https://borncity.com/win/2022/10/18/sonderupdates-fr-windows-fixen-ssl-tls-verbindungsproblem-auch-bei-citrix-17-oktober-2022/
https://borncity.com/win/2022/10/18/citrix-verbindungen-nach-windows-update-kb5018410-oktober-2022-gestrt-tls-problem/
serghei - 1 year ago
Thank you, updated the article.
JustinFlynn - 1 year ago
I have a few computers running Citrix. Thanks for the heads up.
cyberwolfe - 1 year ago
Now I'm getting this update. But not manually as there is a new one specifically for 22H2. This update is now available via Windows Update: KB5018496 (Windows 11 22H2)
noelprg4 - 1 year ago
the KB5018496 Win11 22H2 update was released to non-insiders Tuesday afternoon 10/25 (as build 22621.755), which includes the TLS handshake bugfix