
Microsoft fixes Windows TLS handshake failures in out-of-band updates



Microsoft has issued an out-of-band (OOB) non-security update to address an issue triggering SSL/TLS handshake failures on client and server platforms.

On affected devices, users will see SEC_E_ILLEGAL_MESSAGE errors in applications when connections to servers experience issues. 

“We address an issue that might affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections might have handshake failures,” Microsoft explains.

“For developers, the affected connections are likely to receive one or more records followed by a partial record with a size of less than 5 bytes within a single input buffer.”
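The buffer shape Microsoft describes can be checked mechanically. The following is an added example, not code from Microsoft or from this article: it walks one input buffer using the 5-byte TLS record header (content type, version, length) and reports whether it holds one or more complete records followed by a fragment shorter than 5 bytes. Reading "partial record" as "incomplete record header" is an assumption, and the function name, struct and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TLS_HDR_LEN 5  /* content type (1) + version (2) + length (2) */

struct buf_shape {
    size_t complete_records;  /* full records found at the start of the buffer */
    size_t trailing_bytes;    /* bytes left after the last full record */
    int matches_condition;    /* 1 if >=1 full record, then a 1..4 byte fragment */
};

/* Walk one input buffer record by record using only the 5-byte record header. */
static struct buf_shape classify_buffer(const uint8_t *buf, size_t len)
{
    struct buf_shape s = {0, 0, 0};
    size_t off = 0;

    while (len - off >= TLS_HDR_LEN) {
        size_t body = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (len - off - TLS_HDR_LEN < body)
            break;                      /* header is whole, body is not */
        off += TLS_HDR_LEN + body;
        s.complete_records++;
    }
    s.trailing_bytes = len - off;
    s.matches_condition = s.complete_records >= 1 &&
                          s.trailing_bytes > 0 && s.trailing_bytes < TLS_HDR_LEN;
    return s;
}

/* Constructed sample: one 2-byte alert record, then 3 bytes of the next header. */
static const uint8_t sample_split_header[] = {
    0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00,   /* complete record */
    0x16, 0x03, 0x03                            /* partial header, 3 bytes */
};
/* Constructed sample: same record, then a whole header with a truncated body. */
static const uint8_t sample_split_body[] = {
    0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00,
    0x16, 0x03, 0x03, 0x00, 0x04, 0xAA
};

int main(void)
{
    struct buf_shape a = classify_buffer(sample_split_header, sizeof sample_split_header);
    struct buf_shape b = classify_buffer(sample_split_body, sizeof sample_split_body);
    printf("split header: match=%d trailing=%zu\n", a.matches_condition, a.trailing_bytes);
    printf("split body:   match=%d trailing=%zu\n", b.matches_condition, b.trailing_bytes);
    return 0;
}
```

Run over buffers captured at the point an application hands data to its TLS layer, this separates the split-header case from an ordinary truncated record body, which leaves 5 or more trailing bytes.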

The known issue addressed in today’s OOB updates affects multiple Windows releases and editions, including:

Client: Windows 11, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1

Available via the Microsoft Update Catalog

The updates can’t be deployed via Windows Update, Windows Update for Business, or Windows Server Update Services (WSUS).

You can install them by downloading from the Microsoft Update Catalog and manually importing them into WSUS and Microsoft Endpoint Configuration Manager.

Microsoft has released both standalone packages and cumulative updates:

Cumulative updates:
Windows 11, version 21H2: KB5020387
Windows Server 2022: KB5020436
Windows 10, version 20H2; Windows 10, version 21H1; Windows 10, version 22H1; Windows 10 Enterprise LTSC 2021: KB5020435
Windows 10 Enterprise LTSC 2019; Windows Server 2019: KB5020438

Standalone Updates:

The company is still working on a fix for Windows 10 2016 LTSB, Windows Server 2016, and Windows 10 2015 LTSB.

After deploying the update, the Cluster Service might fail to start because a Cluster Network Driver is not found due to an update to the PnP class drivers used by the service.

Last month, Microsoft said that it accidentally listed the September Windows preview update in Windows Server Update Services (WSUS).

Redmond added that until the update was removed from WSUS, it could still lead to security update install problems in some managed environments.
