After previous issues with KB3148812, Microsoft has re-released the fix that allows WSUS to decrypt Windows 10 Upgrade content. The new fix is released under KB3159706. Unlike most Windows Updates, this one does require manual steps to be taken after it is installed. These steps are documented in the KB3159706 article. The manual steps involve enabling HTTP Activation in .NET Framework 4.5 and additional steps if your WSUS uses HTTPS. You must also have KB2919355 already installed on the server.
The WSUS Team published another blog post (after having an upgrade to their blogging platform in the midst of this issue) to explain the update and how to move on past the previous update or test package.
Windows 10 feature updates (denoted by the “Upgrades” classification in WSUS) are staged in encrypted packages to Windows Update several days prior to the actual go-live date. This is to ensure that we can release to all regions simultaneously. The Windows 10 client has been able to decrypt these packages since RTM; however, WSUS was not able to do this. Until now, we have been manually decrypting these packages prior to releasing to the WSUS channel, the process of which is both time consuming and error prone. KB3159706introduces this functionality to WSUS for Windows Server 2012/R2, such that it can now natively decrypt this content. Skipping this KB means not being able to distribute the Windows 10 Anniversary Update, or any subsequent feature update, via these platforms. Note that Windows Server 2016 will have this functionality at RTM.
Unfortunately, comments on the article indicate that individuals are still experiencing issues with the latest update, KB3159706.