LS Data MCU error on Lync 201x & SfB 2015 after May 2017 OS patching

Update 12/12/2017 12:05 - The SfB CU that takes the version to 6.0.9319.510 has a fix for this. Nothing is expected for Lync Server 2013 or 2010.

Update 23/05/2017 23:12 - Official confirmation should appear under https://support.microsoft.com/en-gb/help/4023993 within 24 hours. The Product Group has development resource assigned, so it looks like a CU will be coming to fix this.

Seeing this at multiple customers on Lync 2010, Lync 2013 and Skype for Business Server 2015 Front Ends:

Front End event log every minute, Event ID 41026 followed by 41025:




"No connectivity with any of Web Conferencing Edge Server, External Skype for Business clients cannot use Web Conferencing modality

On the Edge server seeing the following:


"Web Conferencing Server connection failed to establish

Over the past 3 minutes Skype for Business Server has experienced incoming TLS connection failures 1 times(s). The error code of the last failure is 0x80072746 and the last connection was from the host ""."

After trying disabling IPv6 on FE and Edge:

and “On FE you can change IIS Web sites bindings to IPv4 IP address instead of all unassigned.”


The fix so far was to uninstall the May Security and Quality Rollup for the .NET Framework 4.5.2. Reading the release notes, this rollup hardens TLS communications for EKU, so it seems to fit with the error messages being shown.

Server 2012: https://support.microsoft.com/en-gb/help/4014513

Server 2012 R2: https://support.microsoft.com/en-gb/help/4014597

Logged with Microsoft as ticket 117051115723411

Update 21:54 (changed title as well):

Confirmed by Microsoft as known issue and public KB is being prepared:

"This update adds an additional check on Enhanced Key Usage (EKU), since all Lync/ SfB Server usually use the Web Server template they will only have the Server Authentication in the EKU."

Issue has been reproduced on Lync 2010, Lync 2013 and Skype for Business 2015 on all supported server versions (2008 R2, 2012, 2012 R2).

Current Workarounds:

1 - Request new Edge Internal certificate with the Client and Server Authentication.

OR

2 - On the Front Ends disable the check for the Web Conferencing Service. Please note that these registry keys are for the default install locations.

Lync Server 2010:

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\System.Net.ServicePointManager.RequireCertificateEKUs /v "C:\Program Files\Microsoft Lync Server 2010\Web Conferencing\DataMCUSvc.exe" /t REG_DWORD /d 0 /f

Note: Lync Server 2010 still uses .NET 3.5, which is why the key is under v2.0.50727.

Lync Server 2013:

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs /v "C:\Program Files\Microsoft Lync Server 2013\Web Conferencing\DataMCUSvc.exe" /t REG_DWORD /d 0 /f

Skype for Business Server 2015:

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs /v "C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe" /t REG_DWORD /d 0 /f

After adding the registry key, simply restart the Web Conferencing service.
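
To see which certificates are affected by the EKU check and where workaround 2 has been applied, an audit along these lines can be run. It is an added example, not from the original post or from Microsoft; the helper name Get-EkuStatus is made up for illustration, the registry paths are the ones given above, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post). Assumes PowerShell 3.0 or later.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Get-EkuStatus {               # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # 2.5.29.37 is the Enhanced Key Usage extension
    $eku  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        HasEkuExt  = [bool]$eku      # no EKU extension means the usage is not restricted
        ServerAuth = $oids -contains $ServerAuthOid
        ClientAuth = $oids -contains $ClientAuthOid
    }
}

# 1. On the Edge server: list the EKUs of every certificate in the computer store
#    so the internal Edge certificate can be reviewed (workaround 1).
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-EkuStatus -Cert $_ } |
    Format-Table -AutoSize

# 2. On the Front Ends: list per-executable opt-outs created by workaround 2,
#    under both the .NET 2.0/3.5 and the .NET 4.x keys.
$optOuts = foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
    $key = "HKLM:\SOFTWARE\Microsoft\.NETFramework\$ver\System.Net.ServicePointManager.RequireCertificateEKUs"
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Framework  = $ver
                Executable = $name
                Value      = $item.GetValue($name)   # 0 = EKU check disabled for this executable
            }
        }
    }
}
$optOuts | Format-Table -AutoSize
```

A certificate shown with ServerAuth True and ClientAuth False matches the Web Server template case in the Microsoft statement quoted above.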

Thanks to David Paulino (Twitter) at Microsoft for the update.

Update 22nd May 2017 11:07
Seeing different items broken in different environments from the following list: Q and A, Screen Share, Whiteboard, PowerPoint sharing via OWAS/WAK/OOS (Thanks Py7h0n and others for reporting).

Windows Server 2012 Windows Update taking ages

Update: 23rd May 2019:

This old chestnut has raised its head again with the May 2019 updates.
If Windows Updates are taking an age:
  1. Stop the Windows Update Service
  2. Download the correct Flash Player update from https://www.catalog.update.microsoft.com/Search.aspx?q=4497932 
  3. Install
  4. Check for updates
  5. Relax ;-)
--------------------------------------------------------------------------------------------


Original post:

There's a known issue at the moment with server patching when you have the Desktop Experience feature installed (which means Lync/Skype for Business FE's).

Running check now results in the never ending progress bar:



and looking in the WindowsUpdate.log file we never see any progress.

Speaking to Microsoft support this is due to a bug in Adobe Flash and its interaction with the WU client. If you look at your processor usage you can see that the Windows Update process is running, it's just that you are getting no feedback.

On one server I started this process running on 23rd April and it finally finished with patches available on the 6th May:


So if you have the time to wait then this does work (no need to try to kick it by deleting stuff, re-registering DLL's, or performing any of the voodoo that you can find suggested in the TechNet forums!).

If you don't have this time then the advice I had from Microsoft was:
  1. Install MS17-005: Security update for Adobe Flash Player: February 21, 2017 (Use the Microsoft Update Catalog) :-
    https://support.microsoft.com/en-us/help/4010250
    Reboot
  2. Install MS17-023: Security update for Adobe Flash Player: March 14, 2017 (Use the Microsoft Update Catalog) :-
    https://support.microsoft.com/en-us/help/4014329
    Reboot
  3. Check for updates (should be back to normal speed).
If that doesn't work then:

Remove the Desktop experience feature and then check for updates. To remove do the following:

  1. Open Server Manager on the machine.
  2. Click on Manage >> Remove Roles and Features.
  3. On the Features tab, under "User Interfaces and Infrastructure", uncheck "Desktop Experience", then click Next and Finish.