Thanks to Peter Kirschner (https://www.cubido.at/blog/windows-server-update-oktober-2019-und-tls-error), the real solution is as simple as reasoned: The Active-X plugin or any other subsequent component involved in importing updates from the Microsoft update catalog utilizes .NET4.
Simply enforce "strong" ciphers for .NET 4.0:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1