Try our new Certificate Revocation List Check Tool
CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.
Category published:  Hotfixes, Updates Server 2016 WSUS   Click on the Category button to get more articles regarding that product.

WSUS ImportUpdateToWSUS.ps1, March 2024 security update DC fails SRV 2019 and 2022 how to fix all steps

Posted by admin on 26.03.2024

03/2024, out of Band patches for DC crash KB5037422, KB5037425, KB5037423, KB5037426






We explain how to import the 4-5 manual patches for Server 2012R2, 2016, 2019, 2022 and what to fix if you get an error when you run the script to ImportUpdateToWSUS.ps1 to import the patches into WSUS.

Source of problem:

Following installation of the March 2024 security update, released March 12, 2024 (KB5035857), Local Security Authority Subsystem Service (LSASS) may experience a memory leak on domain controllers (DCs). This is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests.

Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of underlying domain controllers (DCs).

What changed or why is this so complicated?

You have to manual import the patches into WSUS which dies not work easy anymore with IMPORT function in WSUS.

Since a few months the WSUS Update from Windows Update Ctaalog solution is not working anymore. The trick with IE/EDGE and Zone Files and ActiveX Plugin does not work anymore.

Unable to import KB Notfall,Interim,Post Microsoft Patchday patch into WSUS-Server running under Microsoft Server 2012 R2 –

The new solution is to import the patches with a Powershell from MS but we have seen problems doing that on SRV 2019 + 2022 out of the box with nothing changed for WSUS Server.


Overview of the patches per 26.03.2024 with 2019 Patch


2012R2, KB5037426


W10 + 2016, KB5037423


W10, X64:

March 25, 2024—KB5037425 (OS Build 17763.5579) Out-of-band – Microsoft Support

2019, KB5037425

2022, KB5037422


The ID of the patches:

2012R2 (KB5037426)

.\ImportUpdateToWSUS.ps1 -UpdateId f2aaaf6d-b74b-4b64-aa72-535b1831124c

W10 (KB5037423)

.\ImportUpdateToWSUS.ps1 -UpdateId e2d5822a-19f1-4f96-95ad-3974a58f0a00

2016 (KB5037423)

.\ImportUpdateToWSUS.ps1 -UpdateId 0683858a-06db-4f1a-b1eb-6ba0998d83f0


.\ImportUpdateToWSUS.ps1 -UpdateId 69c36f19-90e0-49fb-b0f2-f317be093b59


.\ImportUpdateToWSUS.ps1 -UpdateId 1bc3fe3f-74dc-48da-a3f3-65a6c06f4335


Step by step for 2016/2019/2022 SRV OS.

  1. Download the powershell ImportUpdateToWSUS.ps1 from WSUS and the Microsoft Update Catalog | Microsoft Learn | or
  2. To find out IF you have to change something regarding TLS or SchUseStrongCrypto just download the PS and run following command from Powershell where you downloaded the script. If you have a Server 2016 that may already work as it is.

Try out if you are need to change TLS or SchUseStrongCrypto run this command where you downloaded the PS

.\ImportUpdateToWSUS.ps1 -UpdateId f2aaaf6d-b74b-4b64-aa72-535b1831124c


If all went fine and NO red error YOU can direct go to the STEP how to import the “IMPORT the out of band patches into WSUS” in this post.


IF you see following error (Probaly on SRV 2019 or 2022 OS) you need to change some TLS or SchUseStrongCrypto in a first step.

PS D:\edv\00_IMPORT> .\ImportUpdateToWSUS.ps1 -UpdateId f2aaaf6d-b74b-4b64-aa72-535b1831124c

Attempting WSUS Connection using Get-WsusServer… Connection Successful

Attempting WSUS update import for Update ID: f2aaaf6d-b74b-4b64-aa72-535b1831124c… D:\edv\00_IMPORT\ImportUpdateToWSUS.ps1 : Failed. Ausnahme beim Aufrufen von “ImportUpdateFromCatalogSite” mit 2

Argument(en): “Die zugrunde liegende Verbindung wurde geschlossen: Unerwarteter Fehler beim Senden..”

In Zeile:1 Zeichen:1

+ .\ImportUpdateToWSUS.ps1 -UpdateId f2aaaf6d-b74b-4b64-aa72-535b183112 …

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException

+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,ImportUpdateToWSUS.ps1


ONLY: If you see ABOVE error then you need to change SchUseStrongCrypto

for Microsoft .net 4 Framework. Do this with follwing command which will also reboot the server automatic.

Change SchUseStrongCrypto for .net 4 32/64BIT for Server 2019/2022

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319’ -Name ‘SchUseStrongCrypto’ -Value ‘1’ -Type DWord

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319’ -Name ‘SchUseStrongCrypto’ -Value ‘1’ -Type DWord


Or with a Registry patch. Save to “strong.reg” and doubleclick file.

Windows Registry Editor Version 5.00







reg.exe add “HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319” /v “SchUseStrongCrypto” /t REG_DWORD /d 1 /f


reg.exe add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319” /v “SchUseStrongCrypto” /t REG_DWORD /d 1 /f



IMPORT all the out of band patches into WSUS

You have Server 2016 and did see no RED Powershell ERRROR with the try above OR you have SRV2019 and SRV 2022 and did FIX the SchUseStrongCrypto and did the Reboot. Then retry the import of all patches.


.\ImportUpdateToWSUS.ps1 -UpdateId f2aaaf6d-b74b-4b64-aa72-535b1831124c

.\ImportUpdateToWSUS.ps1 -UpdateId e2d5822a-19f1-4f96-95ad-3974a58f0a00

.\ImportUpdateToWSUS.ps1 -UpdateId 0683858a-06db-4f1a-b1eb-6ba0998d83f0

.\ImportUpdateToWSUS.ps1 -UpdateId 1bc3fe3f-74dc-48da-a3f3-65a6c06f4335

.\ImportUpdateToWSUS.ps1 -UpdateId b40feb45-69fa-4ed7-aff2-608a93c9512f

You will see the mentioned Updates in WSUS Server.


You can check with PS on the WSUS if they are there:




If you still have the RED error in PS:



CREATE DATABASE or ALTER DATABASE failed because the resulting cumulative database size would exceed your licensed limit of 10240 MB per database.





 Category published:  Hotfixes, Updates Server 2016 WSUS   Click on the Category button to get more articles regarding that product.