WSUS KB2720211 : Common issues encountered and how to fix them

Article
06/20/2012

Hi everyone, Joao Madureira here. During the course of this week we saw an increase of cases installing Knowledge Base article KB 2720211. What follows are some guidelines we’ve established when facing some problems installing this KB.

UPDATE - 9/4/2012: There is a new update available that includes 2720211 plus many other fixes, including those that address some of the issues discussed in this article. You can find information on this new update here.

Before Installing the KB

WSUS Health Checks

As mentioned in the KB article, please follow instructions on how to perform basic health checks on a WSUS Server using the following TechNet websites:

· Reindex the WSUS Database (https://technet.microsoft.com/en-us/library/dd939795(v=ws.10))

· Use the Server Cleanup Wizard

Backup/Restore

You can use the wsusmigrationmigrationimport/Wsusmigrationexport tools to back up the approvals and computer groups. Before installing the KB, copy these files to C:\program files\update services\tools.

- Download the API samples and tools at https://download.microsoft.com/download/5/d/c/5dc98401-bb01-44e7-8533-3e79ae0e0f97/Update%20Services%203.0%20API%20Samples%20and%20Tools.EXE and get the WSUSmigrationexport.exe from it.

- https://wsus.codeplex.com/releases/view/18460 <-compiled version for wsusmigrationimport with https://support.microsoft.com/default.aspx?scid=kb;EN-US;945348

Next, open notepad and copy the following text to it:

mkdir c:\wsusbackup
wsusutil.exe export c:\wsusbackup\metadata.cab c:\wsusbackup\metadata.log
wsusmigrationexport3.exe c:\wsusbackup\configuration.xml

Save this as backup.bat.

Open notepad and copy the following text to it:

wsusutil.exe import c:\wsusbackup\metadata.cab c:\wsusbackup\metadata.log
wsusmigrationimport3.exe c:\wsusbackup\configuration.xml all none
wsusutil.exe reset

Save this as restore.bat.

Now, if you encounter a problem installing the KB, you have a valid backup and can use the restore.cmd to get back the metadata and approvals after reinstalling WSUS.

After Installing the KB

Four main issues have been encountered as follows:

Issue	Description	Issue caused by patch?	Workaround available?
1	WSUS server stops synchronizing with Microsoft Update	No	Yes
2	The website verifications are not accurate	Yes	No. Recommend disabling.
3	WSUS server stops working and also fails to reinstall.	No	Yes
4	Errors in errorlog for Windows internal database	TBD	Yes

Issue 1 : WSUS server stops synchronizing with Microsoft Update.

Workaround: remove WSUS , leaving the database on the uninstall.

When removing WSUS , the first screen after asking to uninstall will be what are the items you want to remove with the uninstall. Leave all options UNCHECKED.

Proceed with uninstalling. After finishing, install WSUS again.

Add the role again in Server manager (Windows Server 2008 and Windows Server 2008 R2) or download WSUS 3 SP2 from the following location:

https://www.microsoft.com/en-us/download/details.aspx?id=5216

Start the install and choose the options to connect to the database server or Windows Internal database. As in the example, I am connecting to my Windows Internal Database.

Then choose “use existing database” and proceed with the install.

Issue 2 : Website Verifications are not accurate.

The problem is currently under investigation and the workaround is to temporarily disable the website verification with wsusutil. WSUS is working fine, it synchronizes and updates clients. The mechanism to verify the websites is the one alerting on Event viewer.

Open a command prompt and navigate to C:\program files\update services\tools

You can save the following text below to a batch file or run the following commands to stop verifying the websites:

wsusutil HealthMonitoring CheckSelfUpdate off
wsusutil HealthMonitoring CheckReportingWebService off
wsusutil HealthMonitoring CheckApiRemotingWebService off
wsusutil HealthMonitoring CheckServerSyncWebService off
wsusutil HealthMonitoring CheckClientWebService off
wsusutil HealthMonitoring CheckSimpleAuthWebService off
wsusutil HealthMonitoring CheckDssAuthWebService off

After running it, you will have to restart the WSUS service. If you are still at the command prompt, you can simply do a net stop wsusservice && net start wsusservice

Issue 3 : WSUS server stops working and also fails to reinstall.

After installing the fix, WSUS stops working. The console doesn’t open and softwaredistribution.log displays the following messages:

2012-06-15 19:26:36.976 UTC Error w3wp.8 GenericDataAccess.DumpStateMachineLog DumpStateMachineLog encountered an error. Exception: System.Data.SqlClient.SqlException: Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.

and

2012-06-15 19:26:03.778 UTC Warning w3wp.8 SoapExceptionProcessor.SerializeAndThrow Discarding stack trace for user NT AUTHORITY\SYSTEM, IP Address fe80::e949:3535:dace:fef4%13, exception System.Data.SqlClient.SqlException: Access to module dbo.spConfiguration is blocked because the signature is not valid.

and

2012-06-15 19:26:03.778 UTC Error w3wp.8 GenericDataAccess.DumpStateMachineLog DumpStateMachineLog encountered an error. Exception: System.Data.SqlClient.SqlException: Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.

When trying to reinstall WSUS it fails. In order to locate what is causing the installation to fail, go to Run > type %temp%. Locate the WSUSCAXXXXX.log ( where XXXXX will be date_time the machine ran the setup). The error will be like in the transcript:

Changed database context to 'SUSDB'.

Executing string: CREATE CERTIFICATE [MS_SchemaSigningCertificateD7A4348D8F461363128D655AE4589B8206B74257] FROM FILE = 'C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\wsussigndb.cer'

Warning: The certificate you created is expired.

Executing string: ALTER CERTIFICATE [MS_SchemaSigningCertificateD7A4348D8F461363128D655AE4589B8206B74257] ATTESTED BY 'C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb.dll'

Signing object:[dbo].[spGetComputerSummariesForTargetGroup]

Msg 15299, Level 16, State 1, Server \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query, Line 6

The signature of the public key is invalid.

The solution for reinstalling WSUS will be the following:

Assuming the WSUS is not installed anymore, remove Server Manager > Features > Windows Internal database.

Navigate to C:\windows and locate the folder sysmsi . Rename this folder to sysmsi_old

Try to install WSUS again with the option to install the Windows Internal database.

Issue 4 : Errors in errorlog for Windows internal database (updated)

If you are seeing the error below in the SQL Errorlog and the database has been patched, we have verified these instructions:

NOTE Errorlog is located at c:\windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Log

2012-06-14 11:39:40.93 spid53 Access to module dbo.spSetupLogin is blocked because the signature is not valid.

1) Stop WID using NET STOP MSSQL$MICROSOFT##SSEE

2) Backup the existing patched database files (file copy will work). Usually this is at C:\WSUS\UpdateServicesDbFiles (this location was chosen by the customer when they initially installed WSUS).

3) Start WID using NET START MSSQL$MICROSOFT##SSEE

4) Reinstall WSUS3 SP 2 to a new database (“Create a new Database”).

5) Reinstall the patch – IMPORTANT!

6) Stop WID using NET STOP MSSQL$MICROSOFT##SSEE

7) Restore the existing patched database by copying the files you backed up to C:\WSUS\UpdateServicesDbFiles

8) Start WID using NET START MSSQL$MICROSOFT##SSEE

9) Run the patch again with the following command: – the patch should be able to add the missing signatures automatically. If it fails again,please send us the log files (C:\reinstallpatch.log, mwusca***, wsusca***,mwussetup***, wsussetup***, wsussetupmsi*** in your %temp% or %temp%\.. WSUS-KB2720211-x64.exe C:\reinstallpatch.log

Joao Madureira | Senior Support Escalation Engineer

Get the latest System Center news on Facebook and Twitter :

The Forefront Server Protection blog: https://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : https://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : https://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: https://blogs.technet.com/b/isablog/
The Forefront UAG blog: https://blogs.technet.com/b/edgeaccessblog/

Comments

Anonymous
January 01, 2003
In the backup.bat file that was shown, What creates the c:wsusbackupconfiguration.xml file?mkdir c:wsusbackupwsusutil.exe export c:wsusbackupmetadata.cab c:wsusbackupmetadata.logwsusmigrationexport3.exe c:wsusbackupconfiguration.xmlThe script fails with this error:WsusMigration failed with the below exception!System.IO.FileNotFoundException: Could not find file 'c:wsusbackupconfiguration.xml'.Thanks
Anonymous
January 01, 2003
I am using SERVER 2003 R2 and have a snap-in issue after installing KB2720211 on a update.The Popup window says:Window Server Update Services 3.0 SP2MMC has detected an error in a snap-in and will unload it.Option 1: Report this error to Microsoft, and then shut down MMC.Option 2: Unload the snap-in and continue runningTried option 2 and got same error but with:MMC could not create the snap-in. The snap-in might not have been installed correctly.Name: Update ServicesCLSID:FX:{8b6499ed-0241-e032-6508-da4b1c879d7e}My WSUS is down and any help would be great - step by step of how to fix would be even better.Thanks
Anonymous
January 01, 2003
Almost the same problem as Joseph only with the new KB2734608 and I am using SERVER 2008 R2Snap-in issue after installing KB2734608 on WSUSThe Popup window says:Window Server Update Services 3.0 SP2MMC has detected an error in a snap-in and will unload it.Option 1: Report this error to Microsoft, and then shut down MMC.Option 2: Unload the snap-in and continue runningTried option 2 and got same error but with:MMC could not create the snap-in. The snap-in might not have been installed correctly.Name: Update ServicesCLSID:FX:{8b6499ed-0241-e032-6508-da4b1c879d7e}
Anonymous
January 01, 2003
Hi i found an resolution for the Console error after installing KB2720211 and a fix for error 800b0001 on clients connecting to WSUS . (Thanx to some info byronwright.blogspot.nl/.../kb-2720211-kills-wsus.html)Extract WUSSetup.msp from WSUS-KB2720211-x64.exe with 7-Zip (free utility). Once done just run WUSSetup.msp (a simple double click will do the job). You'll get a few error messages. Just click ignore. When the program has finished installing, reboot server and start your WSUS Console. All should be up and running beautifully.After above still error 800b0001 on clients connecting to WSUS . Resolved that by ; Download the KB2720211 installer for your architecture from Microsoft (support.microsoft.com/.../2720211). Extract WUSSetup.msp from the installer by running the installer with the /extract parameter (example: "WSUS-KB2720211-x64.exe /extract") With 7-zip, open WUSSetup.msp and extract "PCW_CAB_SUS". With 7-zip, open "PCW_CAB_SUS" and extract "DbCert", "DbCertDll", and "DbCertSql". Rename those files to "WSUSSignDb.cer", "WSUSSignDb.dll", and "WSUSSignDb.sql", respectively. On your WSUS server, navigate to "C:WindowsSYSMSISSEEMSSQL.2005MSSQLSchemaSig" and copy the extracted "WSUSSignDb.cer" and "WSUSSignDb.dll" to it. Make a backup copy of the two existing versions, just in case. On your WSUS server, navigate to "C:Program FilesUpdate ServicesDatabase" and copy the extracted "WSUSSignDb.sql" to it. Make a backup copy of any existing versions of the file. Reinstall KB (WSUS-KB2720211-x86.exe /q C:MySetup.log) First i did above with KB2734608 (= updated KB2720211) but that did not work.
Anonymous
January 01, 2003
Is there any progress in investigating the WSUS Health Checks issues?After the update wsus seems to still work, eventlog logs alot of error messages and starting up the wsus console can take a considerable time
Anonymous
January 01, 2003
Do NOT use the backup batch file! It completely jacked up my WSUS and I had to do a reset and start over. You can back up easy enough just using this;technet.microsoft.com/.../cc720441(v=ws.10).aspx
Anonymous
June 21, 2012
The KB mentioned in the blog url and the heading is incorrect: WSUS KB272011 : Common issues encountered and how to fix themIt should be KB2720211.
Anonymous
June 22, 2012
What about the issue with "WSUSSignDb.cer", "WSUSSignDb.dll", and "WSUSSignDb.sql" not being extracted to the correct directories causing patch failure followed by an incomplete roll-back causing WSUS to become completely non function until manual patching is done?social.technet.microsoft.com/.../e918a191-ef6d-4c4b-b83a-7a4ae20a5217
Anonymous
June 29, 2012
Does this mean I need to reinstall WSUS on master and all downstream servers?
Anonymous
July 03, 2012
Following these instructions I have been unable to get WSUS reinstalled. At this point I don't have WSUS installed after removing it and I have also lost my internal website after removing the internal database.
Anonymous
July 05, 2012
Agree with JGurtZ. Nothing in this artical seem to help fix the problem. In the end it was Chucker2 post insocial.technet.microsoft.com/.../e918a191-ef6d-4c4b-b83a-7a4ae20a5217 that fixed the problem.
Anonymous
July 11, 2012
There is no "wsusmigrationexport3.exe" in my Windows EBS Management Server. How can I backup my configuration?
Anonymous
July 11, 2012
Sorry - I did not write version of Windows. It is 2008.
Anonymous
July 11, 2012
Does Microsoft plan on releasing a more stable version of this patch?
Anonymous
July 19, 2012
I'm having the opposite issue... upgraded my WSUS with the KB... desktop clients seems to be auto-updating as well to .256 version. However, I've got a server that flatly refuses to update its client version. I've stopped the Windows Updates service, deleted the SoftwareDistribution folder and restarted the service on the troublesome server.I'm just not seeing it state in the WindowsUpdate.log file that the required version is .256 and it won't update from the .226 version.Any ideas?
Anonymous
August 01, 2012
AGAIN !NOT GOOD ENOUGH MICROSOFT - DO YOU TEST BEFORE RELEASE ???
Anonymous
August 03, 2012
the gist of it (in order) is: backup your DB, uninstall WSUS, reinstall WSUS with blank DB, apply KB2720211, put your DB back, apply KB2720211 again (if need be)
Anonymous
August 17, 2012
I disagree with your statement on Issue #1. I have a brand new WSUS server (2008r2 x64) that no longer sync's after the KB. My old WSUS server has the hotfix and has no problems syncing with Microsoft... old server is 2003 x32.
Anonymous
August 28, 2012
The comment has been removed
Anonymous
September 04, 2012
An update for Windows Server Update Services 3.0 Service Pack 2 is available (KB2734608), support.microsoft.com/.../2734608
Anonymous
September 20, 2012
The comment has been removed
Anonymous
September 20, 2012
whatever is slowing down the browser making this page virtually unreadable (facebook links?) - get it fixed. useless
Anonymous
September 20, 2012
The comment has been removed
Anonymous
September 26, 2012
Thanks for the article. It saved my week. If you could update the article with some of Event Viewer ID's and descriptions encountered, it would benefit those searching on them, It would be especially helpful for Issue #2 because it made no mention of the "Self-update not working." event ID; most persons will not equate to "Website Verifications are not accurate". I did not put guessed it was the closet description to my problem.I listed the two event ID's I was encountering below. My issues was that none of the computers were reporting in. EVENT VIEWER ERROR:Event Type: WarningEvent Source: Windows Server Update ServicesEvent ID: 13031Description:Some client computers have not reported back to the server in the last 30 days. 11 have been detected so far.REMEDY:Installing the new patch resolved this issueEVENT VIEWER ERROR: (Still happened after installing new patch):Event Type: ErrorEvent Source: Windows Server Update ServicesEvent ID:13042Description:Self-update is not working.REMEDY:Followed remedy J.C. listed under Issue 2 : Website Verifications are not accurate....."You can save the following text below to a batch file or run the following commands to stop verifying the websites:wsusutil HealthMonitoring CheckSelfUpdate offwsusutil HealthMonitoring CheckReportingWebService offwsusutil HealthMonitoring CheckApiRemotingWebService offwsusutil HealthMonitoring CheckServerSyncWebService offwsusutil HealthMonitoring CheckClientWebService offwsusutil HealthMonitoring CheckSimpleAuthWebService offwsusutil HealthMonitoring CheckDssAuthWebService offAfter running it, you will have to restart the WSUS service. If you are still at the command prompt, you can simply do a net stop wsusservice && net start wsusservice"
Anonymous
December 17, 2012
The comment has been removed
Anonymous
December 17, 2012
Honestly:2012-12-17 16:14:47 Success CustomActions.Dll CopyADMFile:The system locale ENG is not supported. Using English...2012-12-17 16:15:16 Error MWUSSetup InstallWsus: MWUS Installation Failed (Error 0x80070643: Fatal error during installation.)2012-12-17 16:15:16 Error MWUSSetup CInstallDriver::PerformSetup: WSUS installation failed (Error 0x80070643: Fatal error during installation.)2012-12-17 16:15:16 Error MWUSSetup CSetupDriver::LaunchSetup: Setup failed (Error 0x80070643: Fatal error during installation.)This is extremely annoying
Anonymous
January 04, 2013
so reading between the lines.This KB may fix a certain problem with clients not reporting to the WSUS serverBUT (big but)It may break your WSUS installation.Which means that a reinstall may be required.Is there any guidance as to what to do if its a SBS2011 installation that gets mucked up? there are a number of things coexisting on an SBS setup and its not as simple to reinstall anything on one.
Anonymous
April 28, 2013
My system has had a re-install of WSUS SP2 in the past. I get an error about the update note having permission to access the Language Key at /Software/Microsoft/CurrentVersion/Unistall/Windows Server Update Service 3.0 SP2 i press ignore
Anonymous
December 03, 2013
The comment has been removed
Anonymous
December 05, 2013
Navigate to C:windows and locate the folder sysmsi . Rename this folder to sysmsi_oldThis solution solve my nagging issue.ThanksJon
Anonymous
March 26, 2014
when we are working suddenly electric power is switched off then our tally server stop working and no sharing of data. how we can fix the server
Anonymous
April 21, 2014
Hello,

I am trying to complete the WSUS install and no matter what I try I am getting the following error:

WSUS Post install Access to the path 'Update Services' is denied

The complete error is here:

http://pastebin.com/tKFFw8fK

If anyone can give me a hand please email me at wolson AT gmail DOT com

Thank you.
Anonymous
June 25, 2014
WSUS fails to install itself fully. "..Update ServicesWebServicesRoot" still empty. Clients still with error 80244019. re-install, postinstall, healthcheck, event logs etc. fail to help. Now have >65GB of downloaded updates that cannot be used ie. waste of time & money.

Partager via