Udostępnij za pośrednictwem


The long-term fix for KB3148812 issues

A new update is available for Windows Server 2012 and 2012 R2.  This update requires manual steps in order to complete the installation. While the KB itself covers those steps, this post provides additional details on the release.

 

What KB3159706 does

Windows 10 feature updates (denoted by the "Upgrades" classification in WSUS) are staged in encrypted packages to Windows Update several days prior to the actual go-live date.  This is to ensure that we can release to all regions simultaneously.  The Windows 10 client has been able to decrypt these packages since RTM; however, WSUS was not able to do this.  Until now, we have been manually decrypting these packages prior to releasing to the WSUS channel, the process of which is both time consuming and error prone.  KB3159706 introduces this functionality to WSUS for Windows Server 2012/R2, such that it can now natively decrypt this content.  Skipping this KB means not being able to distribute the Windows 10 Anniversary Update, or any subsequent feature update, via these platforms.  Note that Windows Server 2016 will have this functionality at RTM.

 

How to deploy KB3159706

This update has been released through the WSUS and Catalog channels, so that it may be synched or imported to and subsequently deployed from your WSUS. For those that are currently unable to deploy using WSUS, we’ve also shipped this fix to Windows Update. If multiple WSUS servers in your environment are affected by the previous issue, then you can repair the topmost server using Windows Update, and the rest through WSUS itself.  You'll need to manually select this KB for installation if you get it from Windows Update, as the update is marked Optional.

 

If you installed KB3148812 or the test package

Both these updates modify the same files as KB3159706; since the latter is newer, it will simply replace the binaries. You can remove KB3148812 (if you don't recognize this KB, then no action is needed), but it is not necessary. In any case, your “For testing purposes only” watermark will disappear after you’ve removed the test package.  Our recommended order for this deployment is:

  1. Uninstall test package
  2. [Optional] uninstall KB3148812
  3. Install KB3159706
  4. Reboot your WSUS server

 

Still having issues?

This update involves changing some fundamental aspects of WSUS operation, and it may cause friction for some customers.  We're committed to getting you ready for the Anniversary Update (as well as ensuring that you can continue to take monthly updates), and we invite you to visit the WSUS forum if you're having issues deploying KB3159706 after following the KB guidance.

Comments

  • Anonymous
    May 05, 2016
    Can you let us know please when the Server 2016 preview (and/or Windows 2008 R2) gets this ability. There's not much point in my installing a new WSUS server until this is available, and my current server is Windows 2008 R2.
    • Anonymous
      May 06, 2016
      Windows Server 2016 Technical Preview 5 will have this functionality, which makes the manual steps mentioned in the KB unnecessary for that platform. However, you'll want to take the May update for TP5 to address the same issue that was discovered in WS12/R2 for KB3148812. It's less likely to occur in TP5, but still possible.
      • Anonymous
        June 10, 2016
        Harry and or Steve, do either of you know if ESDs functionality will be added to srv 2k8 R2? I am in the same boat as Harry for multiple clients that have WSUS on srv 2k8 R2. From what I understand any Win 10 updates after May 1st will require ESDs.
        • Anonymous
          August 03, 2016
          WSUS 3.0 SP2 (which is the latest WSUS version available on WS08R2 SP1) will not be updated to be able to sync and distribute ESDs. This product ends its life cycle in July 2017, and we've got more changes planned to help support Windows as a service, so it doesn't make sense to pull this product along for only the first part of the ride.
          • Anonymous
            December 10, 2016
            Now that the end of life for WSUS 3.0 SP2 has been extended to Jan 2020 (https://blogs.technet.microsoft.com/wsus/2016/09/15/update-on-wsus-3-0-sp2-end-of-life/) inline with the end of life of Server 2008R2 will updates become available to enable it to deploy Win 10 Upgrades?
            • Anonymous
              May 05, 2017
              No, WSUS 3.0 SP2 will not become capable of deploying Upgrades. Per life cycle policy, no new features are usually added to a product after it has gone into Extended support, which happened years ago. The additional extension to 2020 was to provide legacy support for those that do not intend to use this functionality, and to support Configuration Manager 2007 that depends on WSUS 3.0 SP2 and does not go out of support until 2019.
  • Anonymous
    May 06, 2016
    So this apparently still doesn't work for some people as described in the KB article; toggling the Upgrades category off and on between syncs seems to be required. Additionally - the "value" of encrypting ESDs is something that goes beyond me. Waste of CPU time, useless complexity and breakage.
    • Anonymous
      May 06, 2016
      Did you perform the post-install tasks described in the KB article https://support.microsoft.com/en-us/kb/3159706?
      • Anonymous
        May 07, 2016
        Well yes, obviously :) Still was failing with SoapException on some metadata. Has to disable the upgrades category, sync, re-enable, sync again.
  • Anonymous
    May 06, 2016
    I'm still having problems. KB3148812 had been installed and WSUS stopped working, clients unable to check for updates. Uninstalled it. Later installed 3159706 via Windows Update - no restart notification displayed but WSUS still not starting (see a 'Reset server message' which did not work). Rebooted, Server Manager flagged WSUS Service as not started on restart, but a refresh showed it was started. Ran WSUS, but saw same message. Copied error and followed recommendation to delete wsus file at %appdata%\Microsoft\MMC. WSUS now starts, but the server was not listed. Chose to connect to the server but an error message about SQL not running was displayed (port is correct: 8530). All SQL services seem to be running. Any suggestions, please?Thanks
  • Anonymous
    May 06, 2016
    Affected server got optional update KB3159706 from Windows Update.Install is getting error 80070490.Some aditional step needed for those with fail to uninstall previously buggy KB3148812?Regards
  • Anonymous
    May 06, 2016
    unfortunately I deinstalled the WSUS, before I found shese blogsNow, I deinstalled the KB3148812 and installed the KB3159706I'm not able to reinstall WSUS, I allways get errors at the postinstallEvent ID 18456, Logon failure, Network Service at opening SUSDBSomeone any idea
    • Anonymous
      May 10, 2016
      Have you performed the post-install steps detailed in http://support.microsoft.com/kb/3159706 ? If so, then please post your question in the WSUS forum so that we can take a look.
  • Anonymous
    May 06, 2016
    Again? Manual step on a KB involving editing a file used by your own product??? Really???
  • Anonymous
    May 06, 2016
    I didn't install KB3148812, but after KB3159706 installation my WSUS was broken and uninstall of this update fix the server.
  • Anonymous
    May 06, 2016
    So I've deployed KB3159706 to our Server 2012 R2 WSUS server, and things are working after performing the manual steps.However, requiring manual steps for this is the stupidest thing ever. Think of the folks who don't know ahead of time that manual steps are required (unless I'm missing something, you have to go digging to find those...it isn't visible in the WSUS GUI that manual steps will be needed), and break WSUS functionality until they find the manual steps. And if a slew of other updates were applied to the server at the same time...have fun chasing down the one that broke things, and THEN finding the manual steps!Why, oh why, isn't it possible to, you know, make the COMPUTER do those steps as part of the update process? Come on, people!
    • Anonymous
      May 10, 2016
      I concur 100%. Just installed updates on our WSUS server and rebooted for Patch Tuesday, and wouldn't you know it, WSUS doesn't work after that. Fortunately after the rigamarole around KB3148812 I knew what to look for this time. But this is ridiculous. Your average admin is not going to have a clue what's going on when his WSUS breaks and it isn't easy to find this stuff with a simple Google (errr, Bing) search. Microsoft needs to add some sort of notification about the manual steps, or better yet, do them programmatically.
    • Anonymous
      May 10, 2016
      This just happened to me. I missed the KB3148812 hassle because I didn't install optional updates last month. But after today's patch Tuesday, I found my WSUS server non-functional.Some googling led me to KB3148812 which led me to today's update, which I promptly uninstalled to return WSUS to service. Once my clients have their updates, I'll return to this issue and perform the manual configuration required.But, yes, this is a recipe for trouble. While it would be nice to believe that we all have the time to search for updates, and then thoroughly research each update before applying, I know that this isn't in the cards for me. And besides, wasn't Microsoft just recently trying to convince us that detailed information for updates was no longer necessary (at least at the Win10 client end).Sorry if this all sounds petty. I mean it constructively. There needs to be some sort of notification during the installation process itself for this update that some manual configuration will be required. Especially because failure to perform those manual steps results in a non-functional service! . . . and only some guesswork and googling then leads you to the proper steps!
      • Anonymous
        May 10, 2016
        The comment has been removed
        • Anonymous
          May 13, 2016
          The comment has been removed
          • Anonymous
            May 19, 2016
            We could have done this, but it would have been a Catalog-only release, and then only the folks that use Internet Explorer would be able to use it. Additionally, the number of environments consuming the update would be limited to those that read this blog, which is not as many as you'd think (or as I would hope). In that case, we'd have gotten escalations when Anniversary Update failed to be deployed everywhere, which we expected would be a much bigger problem.
          • Anonymous
            June 14, 2016
            Couldn't you have updated the console to include some new section that informed admins about manual task needed to be performed? I am no programer but updating the console with a new section on the left or maybe under options woould of done the trick./shrug .02¢
    • Anonymous
      May 16, 2016
      I 100% agree with the statement that this should be done automatically. People that are unaware of this issue (both the previously broken KB and the new "fix" that isn't really a fix until you perform some manual configuration) are completely hosed until they stumble upon these fixes. Unless they were following this blog (which I really appreciate!) they would have no idea what to do or what KBs to look at. Very unhappy with WSUS lately in general.
      • Anonymous
        May 19, 2016
        You're unhappy with WSUS because it's actually taking a change to core operations--which hasn't happened in years--and finding out that the support mechanism is more fragile than expected. We're unhappy with this outcome, as well, and unfortunately it's our starting point on the update experience for this technology. We are prioritizing improvements to WSUS that will ideally eliminate all manual effort in future updates. In the meantime, blogging heavily about it was the best we could do without jeopardizing the timeline for preparing your environments for the Anniversary Update.
  • Anonymous
    May 06, 2016
    Heads up guys. If your WSUS database is a SQL AG, the manual steps to complete installation of KB3159706 will fail.https://support.microsoft.com/en-us/kb/3159706Running "wsusutil.exe postinstall /servicing" returns: "Fatal Error: The operation cannot be performed on database "SUSDB" because it is involved in a database mirroring session or an availability group. Some operations are not allowed on the database that is participating in a database session or in an availability group. ALTER DATABASE statement failed."
    • Anonymous
      May 06, 2016
      Thanks for pointing this out. We're investigating how to best navigate this configuration.
      • Anonymous
        May 09, 2016
        Experiencing the same issue as Wes had explained.Out of curiosity, for those that have the ability to do so, could this post-install step be done if we temporarily disabled the database from participating in an AG, pointed it directly to the db server, and then reversed the steps to get it back into an AG? I imagine this post task is something that only needs to alter the database, and then won't matter after?
        • Anonymous
          May 10, 2016
          The post-install task makes WSUS "aware" of the SUSDB/schema changes so that it can effectively marshal data to those new fields. How that will affect the AG scenario, I'm not entirely sure. If you're willing to try it and report back, I'm sure the community would appreciate it. If not, then I might be able to get someone to try this out.
          • Anonymous
            May 16, 2016
            This update caused WSUS to stop working for us. Even after running the manual post installing steps. WSUS Service continues to stop. We had to remove the WSUS role. After adding the role we get WSUS Post-Installation Task failsLog file is located at C:\Users\seadmin\AppData\Local\Temp\tmp21B7.tmpPost install is startingFatal Error: The schema version of the database is from a newer version of WSUS than currently installed. You must either patch your WSUS server to at least that version or drop the database.We have installed KB3095113-v2 , still getting the message Any suggestions? Thanks
            • Anonymous
              May 19, 2016
            1. Open the file - and check the version in the file2) Check the timestamps (modified, created) of C:\Windows\WID\binn\susdbverify.dll Can you share those details, along with the contents of C:\Windows\WID\Logs\Error.log ? It might make more sense to do this via the WSUS forum.
      • Anonymous
        May 23, 2016
        Thanks, Steve. Has there been progress towards a resolution for WSUS/SQL AG users?
        • Anonymous
          May 23, 2016
          Nothing yet - we haven't been able to repro the issue internally. If you've got an environment that we can debug live, then I can set up a quick meeting; short of that, we'll keep trying.
          • Anonymous
            May 25, 2016
            That'd work. Where can I send you my contact info?
          • Anonymous
            June 15, 2016
            Hey Steve. Just wanted to see if there's been any progress on the WSUS/SQL error I reported earlier, or if we can setup a quick meeting.
          • Anonymous
            June 20, 2016
            Same here. I wouldn't mind having you guys debug live in our environment as well - WSUS/SQL AG.
          • Anonymous
            August 03, 2016
            Hi folks, and sorry for the delayed response. We haven't had luck reproducing the SQL AG scenario on our own, so it'd be great to get access to one of your live environments, if it's still available. Please reach out to me at ci dot servicing AT outlook dot com, and we'll see what we can do.
          • Anonymous
            August 16, 2016
            We got to see the "The operation cannot be performed on database “SUSDB” because it is involved in a database mirroring session or an availability group". Disabling mirroring let us perform the post-install/servicing step.One thing that might help: after this the database wasn't in full recovery mode anymore.So an ALTER DATABASE [SUSDB] SET RECOVERY SIMPLE must have been performed as part of the post-install/servicing step. And that would have been the statement incompatible with AG / mirroring.
    • Anonymous
      August 18, 2016
      Hey everyone.I've successfully installed this update on WSUS with AG setup. Here's what I've done: 1. Uninstall KB3159706 and reboot 2. Do full cleanup and full backup of SUSDB in case everything breaks. 3. Stop IIS Admin Service and WSUS Service 4. Remove database from AAG 5. On wsus server change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UpdateServices\Server\Setup\SqlServerName to point to sql server with DB (Primary node in AG) 6. Start IIS Admin and WSUS services 7. Open WSUS console to check that it can connect to DB 8. Install update KB3159706 9. Reboot and perform postinstall "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing 10. Open WSUS to check if it works again. 11.Repeat steps 3-6 but add SUSDB back to AAG and change registry back. Delete copies of SUSDB from replicas before adding it back to AAG
      • Anonymous
        October 13, 2016
        Yesss! Thanks Artem. I have just solved with your help
  • Anonymous
    May 06, 2016
    New patch worked here on a Server 2012R2 (installed KB3148812 on the first day available but uninstalled it afterwards without doing the additional postinstall steps). Of course, I made an extra full backup today before trying the new patch ;)
  • Anonymous
    May 06, 2016
    What if we later need to install the WSUS role on a 2012 or 2012 R2 server? Will we need to go through the manual configuration steps?
    • Anonymous
      May 06, 2016
      The comment has been removed
  • Anonymous
    May 06, 2016
    Installing this update broke the WSUS console and created an error on connected devices. Updates had to be run by checking updates online.
  • Anonymous
    May 06, 2016
    I just installed KB3159706 and it has the same problem as KB3148812. After installing and rebooting, WSUS service will not start
    • Anonymous
      May 10, 2016
      Can you post in the WSUS forum the error that you're seeing?
  • Anonymous
    May 07, 2016
    The comment has been removed
    • Anonymous
      May 11, 2016
      As other comments have noted, you need to assign ownership of web.config to the administrators group. We're updating the KB to reflect these changes. Should be live early next week, if not sooner.
      • Anonymous
        May 12, 2016
        The comment has been removed
        • Anonymous
          May 19, 2016
          Yes, that's definitely not an intended outcome, and we can't leave the machine unable to scan. Can you reproduce this 100% of the time?
          • Anonymous
            May 24, 2016
            Yes, I'm afraid this is 100% reproducable. Every time you run sfc /scannow on any server where this file has been modified you get complains of corruption.
          • Anonymous
            August 03, 2016
            The comment has been removed
  • Anonymous
    May 07, 2016
    Just to make sure, I have to install this update only on my WSUS servers? All other Windows 2012 R2 Servers don't need it!?
    • Anonymous
      May 10, 2016
      Correct: this update applies only to WSUS for Windows Server 2012 and 2012 R2.
  • Anonymous
    May 07, 2016
    Its worth noting that by default, users have only read access to the "C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config" file. I had to take ownership and change the file security to be able to edit it.This should have been mentioned in the KB by Microsoft
    • Anonymous
      May 10, 2016
      Agreed: we'll make that note in the KB.
  • Anonymous
    May 09, 2016
    How did you edit web.config? I'm getting access denied and only windows installer has full access. I can't even owerwrite the file.
    • Anonymous
      May 13, 2016
      You must open notepad as administrator.
  • Anonymous
    May 09, 2016
    Sidenote: On my machine (2012 R2) I had to take ownershop of the "Web.Config" file and change the security beforehand, because only the TrustedInstaller had permissions to change this file.
  • Anonymous
    May 09, 2016
    Having problems with the update on Windows Server 2012. The update installs but after a reboot I get an error message a couple of minutes later in the Application log:EventID 507, Source: Windows Server Update Services"Update Services failed its initialization and stopped."SQL is a local SQL2014 Express installation. If I do the postintall steps is says successful instantly but doesn't seem to do what it's suppesed to do. .NET 4.5 HTTP Activation is already installed. Uninstall gets my WSUS up and running again.On another server with Server 2012R2 the installation and postinstall was successful and as far as i tested seems to work.
    • Anonymous
      May 10, 2016
      Please post this in the WSUS forum so that it can be properly investigated. Off the top: have you attempted to manually start the WSUS service?
  • Anonymous
    May 09, 2016
    We have a 2012R2 WSUS Upstream Server that provides Updates and Approvals for several 2008R2 Replica WSUSWill this Update brake this Configuration, or will the Upstream Server be able to provide those Updates to Clients that are directly connected, and the Replicas won't?
    • Anonymous
      May 10, 2016
      The latter is the case. WSUS 3.0 SP2 will never be able to deploy the Upgrades classification (what we're calling feature updates going forward), but any clients directly connected to your [patched] Windows Server 2012 or 2012 R2 WSUS will be able to leverage this functionality.
  • Anonymous
    May 09, 2016
    The postinstall procedure failed for with problems connecting to the WID database. Fatal Error: Login failed. The login is from an untrusted domain...... The WID service uses the default account NTSERVICE\MSSQL$MICROSOFT##WID
    • Anonymous
      May 10, 2016
      Have you posted this in the WSUS forum linked in the post above? Debugging via blog comments is relatively difficult.
  • Anonymous
    May 09, 2016
    Are you reading the WSUS forum?
    • Anonymous
      May 10, 2016
      I stop in when I can, usually more toward the end of the week. There are plenty of field engineers, MVPs, and other support folks monitoring it on a constant basis, and they'll have you covered for 95% of the issues. It's that 5% that I look for, the stuff that reconfiguration and running manual steps can't solve.
    • Anonymous
      May 10, 2016
      FYI - I saw your thread and have responded. Thanks for using the forum!
  • Anonymous
    May 10, 2016
    There are additional steps necessary, since the Web.config is not accessible for Admins. You can use this script for automating a few steps. You only have to add the lines in the Web.config file manually. @ECHO OFF"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicingtakeown /F "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config"icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant YOURDOMAIN\Administrator:(F)start /wait notepad "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config"net stop wsusservicenet start wsusservice
  • Anonymous
    May 10, 2016
    Hello.Yesterday I installed some updates on my wsus server (windows server 2012 r2) and it only listed the KB3159706 (with some other updates, but the KB3148812 was not there) update for me. After I installed it, my wsus server won't work. The same error occured just like with the KB3148812. After I uninstalled KB3159706 and restarted the server it works again.
  • Anonymous
    May 10, 2016
    I am using the internal sql db and after installing the update I get the following in the application log. At which point I am unable to open the wsus consoleLogin failed for user 'NT AUTHORITY\NETWORK SERVICE'. Reason: Failed to open the explicitly specified database 'SUSDB'. [CLIENT: ]If I un-install the patch the error goes away and wsus works againted
    • Anonymous
      May 10, 2016
      When you say "internal sql db," do you mean the WID? Did you run the manual steps detailed in http://support.microsoft.com/kb/3159706 after installing the update? It's not expected to work without them.
  • Anonymous
    May 10, 2016
    That worked a lot better than KB3148812, so thanks for that.The KB article currently says:"1.Open an elevated Command Prompt window, and then run "C:\Program Files\Update Services\Tools\wsusutil.exe postinstall /servicing" (case sensitive, assume C: as the system volume)."On my server, that produced an error message:"The system cannot find the path specified."I had to do it as a 2 step process: cd to "C:\Program Files\Update Services\Tools", then run "wsusutil.exe postinstall /servicing" in that folder.
    • Anonymous
      May 10, 2016
      Yes, technically it should be "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicingWithout the quotes around the image path, it'll think you want to access "C:\Program", which is not usually a valid path. We'll get that tweaked in the KB to avoid confusion.
  • Anonymous
    May 10, 2016
    The web.config file that you need to edit if you use SSL is owned by TrustedInstaller and users/admins have read only access. You might want to update your instructions to reflect that the user needs to take ownership and modify permissions before they will be able to edit the file, and then restore the owner/permissions after editing.
  • Anonymous
    May 10, 2016
    It´s not working.This Update damaged WSUS too, same Error like KB3148812!Only uninstall of KB3159706 solved the Problem. (Server 2012 R2)
  • Anonymous
    May 10, 2016
    Just FYI, I'm running a very "plain" WSUS on a Windows Server 2012 R2 virtual machine via Hyper-V. It is stand-alone. Member of a Windows 2012 R2 domain. Set it up in December of 2015. The only thing even slightly out of the ordinary on this WSUS server is that I installed KB3095113 while it was still a hotfix. Since then, I have only installed Important and Optional updates directly from Windows Update on this WSUS server.And yet, after installing KB3159706 on this WSUS server, I was unable to connect to the server via its local Management Console (or in any other way).Could this possibly be related to the KB3095113 hotfix installation? Because that's the only thing causing this server to be anything but "pure vanilla."
    • Anonymous
      May 10, 2016
      sigh. . . Sorry, I was under the impression that this newer update (KB3159706) didn't require the manual steps any longer (because I assumed those manual steps were only introduced due to the problems in the prior update).
      • Anonymous
        May 10, 2016
        Does that mean running the manual steps fixed your issue?
  • Anonymous
    May 10, 2016
    Are you aware that the web.config file that you need to edit if using SSL, only allows administrators RX access and is owned by TrustedInstaller? So you have to take ownership of the file (takeown /f web.config /a) and then grant administrators full control (icacls web.config /grant administrators:f) before it can be edited. This needs to be in the KB.
    • Anonymous
      May 10, 2016
      Anybody were able to deploy update to win 10 using WSUS ?Even after the update I'm still getting the error "Windows 7 and 8.1 upgrade to Windows 10 Pro, version 1511, 10586 - en-us, Retail" on my Windows 7 PC's.Thank you
      • Anonymous
        May 10, 2016
        What you describe is the title of an Upgrade, not an error. Can you post your issue in the forum for proper analysis?
    • Anonymous
      May 10, 2016
      Thanks for the note. A few folks have pointed this out, and we'll get it added to the KB.
      • Anonymous
        May 18, 2016
        Not sure why taking ownership of web.config is necessary. Here's what I did:- edit the file with Notepad- save changes - this said access was denied, so I saved it to the desktop- copy the file from the desktop back where it belongs- confirm the prompt that admin permission is required to replace the file
  • Anonymous
    May 11, 2016
    The comment has been removed
    • Anonymous
      May 11, 2016
      An FTE? Then perhaps your name could be "Sick of our failures", no? =]More seriously, I'm open to a frank discussion about this if you want to look me up in the GAL.
      • Anonymous
        May 13, 2016
        I´m not aware of MS Work conditions, but as a MS Partner that was with upgrade to win 10 project running while Master WSUS server Died by this poorly tested patch make things clear that internal test scripts are not expected from Microsoft. Another user reported problems with AG, this also show another error with same source. Lack of testing.Due to this lack of responses to affected people, we are forced to rebuild our entire WSUS structure from scratch.Download All of win10 flavours in 5 languages again... And pray for everything work again. Now in 3% of 200Gb of downloads.Thanks for all Microsoft!!
  • Anonymous
    May 11, 2016
    For network security related reasons, my WSUS server is not allowed to download and install patches from public Internet sources, such as Microsoft Update. Is there any way for an individual download of KB3159706 to install it manually on my WSUS server?
    • Anonymous
      May 11, 2016
      The comment has been removed
  • Anonymous
    May 11, 2016
    I installed KB3159706 last night but have found today that this update has caused issues with WSUS on windows server 2012 r2WSUS will not start after installing KB3159706 and I am also seeing 'MSSQL$NICROSOFT##WID' error 18456 is this a known bug?
  • Anonymous
    May 11, 2016
    Sorry I should seen that even after installing the newer update (KB3159706) you are still required to run the manual steps:https://support.microsoft.com/en-gb/kb/3159706I can confirm that running the manual steps after installing KB315970 does fix WSUS
    • Anonymous
      May 11, 2016
      Glad it works for you, Adam. We're looking at not requiring manual steps to finalize future updates, since this caused an unnecessary amount of confusion. WSUS servicing can and should be simpler than that.
  • Anonymous
    May 11, 2016
    My WSUS is still have issues; none of the none of the clients seem to be reporting back to WSUS. I've removed the WSUS role and added it back but the issue persist since KB3148812. Everything is good on the client side, they are pointing to the correct location. The strangest thing, all of the clients are continuing to be updated via the one WSUS. The status in WSUS just aren't updating.
    • Anonymous
      May 19, 2016
      Have you run all the post-install tasks specified by KB3159706? If so, then please post your issue in the WSUS forum, so that we can properly troubleshoot.
  • Anonymous
    May 11, 2016
    How long until there is a KB that automates these manual steps? As I understand the KB this will only affect WSUS ability to provide Windows 10 feature updates after 5/1.
    • Anonymous
      May 19, 2016
      We're not planning a KB to automate these steps specifically; however, we will be making improvements to the update experience for WSUS overall.
  • Anonymous
    May 12, 2016
    after installing KB3159706 (and post install steps) some of (but not all) my WSUS 4.0 servers have trouble to rollup data to a WSUS 3.0 SP2 master server. They report only partly data, last contact date and last sync date of pc are shown correctly but list of installed updates will not be updated to master server anymore.
  • Anonymous
    May 12, 2016
    After installing KB3159706 and going through the manual changes afterwards WSUS runs OK and Syncs to my upstream server. However I now have the following error reported in the Application Event Log:-Source System.ServiceModel 4.0.0.0 Event ID 3 Task Category WebHostWebHost failed to process a request. Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/6044116 Exception: System.ServiceModel.ServiceActivationException: The service '/ClientWebService/Client.asmx' cannot be activated due to an exception during compilationWe are using SSL for WSUS, let me know if you want the complete error message posted.
    • Anonymous
      May 12, 2016
      PS Client machines can no longer connect to the server either.
    • Anonymous
      May 19, 2016
      Sounds like you might have a typo in your web.config file. Can you double-check the edits that you made to it?
  • Anonymous
    May 12, 2016
    just tested to sync affected wsus 4 to another wsus 4 both with KB3159706 + post stepsProblem still exists. Patch data will not rollup. So root cause is not wsus 3 master.
  • Anonymous
    May 12, 2016
    This update caused same issue as KB3148812. Had to in-install it (KB3159706) to get WSUS to work again.
    • Anonymous
      May 19, 2016
      What issue did you run into? Had you already run the manual steps after installing KB3159706?
  • Anonymous
    May 12, 2016
    My Windows Server 2012 R1 WSUS Servers are still having trouble after this fix. My 2012 R2 WSUS servers seem fine. I can connect to the console after installing the KB3159706 and performing the manual post-install steps on 2012 R1 WSUS, but clients are unable to connect to the WSUS server with error code 80244019 or 80244008 for my cloud clients.
    • Anonymous
      May 19, 2016
      Please post your client logs for these scan failures in the WSUS forum. With the limited information in this comment, we cannot identify root cause.
  • Anonymous
    May 12, 2016
    After the update is installed there should be some kind of notification for admins that further steps are needed or update the patch to do the changes automatically. I foresee issues down the road if someone needs to setup a wsus server and are just patching it to get it current, they may not realize that there happen to be manual steps required.
    • Anonymous
      May 19, 2016
      Ideally, the necessary steps will happen automatically. Short of that, WSUS should alert the admin via the console that action needs to be taken. We appreciate your feedback, and are looking at ways to provide this experience going forward.
  • Anonymous
    May 12, 2016
    Steve, this is an unrelated issue but I don't know of any other way to let the appropriate people know, and I suspect you could pass it along.I just went to download an update using Microsoft Update Catalog for the first time in a while, and discovered that the ActiveX control used by the site causes an ASR exception in scrrun.dll which gets terminated by EMET 5.5. So in order to use the site, I had to disable the ASR mitigation (not easy as we enforce with Group Policy) for iexplore.exe. After that, the site worked fine.Could a developer take a look and fix the DLL so it doesn't trigger the ASR mitigation in EMET 5.5?Thank you.Event log entry:EMET version 5.5.5871.31892EMET detected ASR mitigation in IEXPLORE.EXEASR check failed: Application : C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE User Name : Redacted Session ID : 1 PID : 0x910 (2320) TID : 0x2C80 (11392) Module : scrrun.dll
    • Anonymous
      May 15, 2016
      This ActiveX disaster has been extensively discussed under previous blogpost. The ActiveX just needs to vanish from there for the site to be usable. "Fixing" it is a complete waste of time.
      • Anonymous
        May 19, 2016
        Yes, ActiveX has been around for long enough, and it's time to bring Catalog into 2016.
  • Anonymous
    May 12, 2016
    I am running WSUS Svr2012 R2 with Win7.1, 8.1 and 10 clients.On the 12th May I approved and installed all available updates including KB3159706,KB3148812 is not in my list of installed updates nor is available for install.I was not aware of the “wsusutil.exe postinstall /servicing” and had NOT run it.I un-installed KB3159706.I am still getting Error Event ID 8 “Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’. Reason: Failed to open the explicitly specified database ‘SUSDB’. [CLIENT: ]”After running Win Update again, KB3159706 is NOT available to re-install.How can i download KB3159706 as it is NOT offered in WinUpdates.What course of action can/should i take.Please help Urgent.
  • Anonymous
    May 12, 2016
    Can someone tell me whether this update is needed on a SCOM 2012 R2 server, given that it uses WSUS under the covers for the Software Update distribution? And if so are there any differences in how you complete the post-install, given that you're not normally supposed to run wsusutil.exe against a SCOM server?
    • Anonymous
      May 19, 2016
      Depends on whether you plan to use the in-place upgrade functionality provided through WSUS. If you plan to use task- or media-based installation, then you can use Configuration Manager to perform your feature update deployments.
  • Anonymous
    May 13, 2016
    OK, we have deinstalled KB3148812 and WSUS on 2012 R2 was running fine till next update and restart. Then we had to search for the new issue and found KB3159706. Now we have performed the manual steps and WSUS is running again. Sorry guys, this took us about 2 hours to solve this issue including to search for what had happened again. We do not have the manpower to run for such issues. WSUS needs to be reliable without manuel installation steps. We have a small idea about the complexity of the system and have great respect for your work. Please keep it simple for us Admins. Thanks
    • Anonymous
      May 19, 2016
      Thanks for the feedback. We are taking it into account for future WSUS experiences.
  • Anonymous
    May 13, 2016
    KB3159706 did not work for me.I have done all post-installation steps. I did not get any error message running “wsusutil postinstall /servicing“.As result the clients cannot communicate with WSUS and the WSUS mmc console is not working.I noticed that KB3159706 places SUSDB in a “recovery pending“ state. (using SQL Server Management Studio).Uninstallation of KB3159706 solves the problem.
    • Anonymous
      May 19, 2016
      What is the error reported by the WSUS console after installing KB3159706?
      • Anonymous
        May 26, 2016
        Finally i manage to get the update work.I made some change in the installation process this time.1. Install the update2. restart the server (i'm not sure if i did this last time)3. SQL Server Management Studio show that the database in a "recovery pending" state.4. I stop the WSUS service (I did not do this last time)5. Run wsusutil.exe postinstall /servicing (this time it seems to take a little longer (about 1-2min)6. The wsus service has started automatically----(HTTP Activation and changing Web.config I already had done last time)Hope it will work now. Are there any long term issues?
        • Anonymous
          June 09, 2016
          If it's still working for you today, then you're likely in the clear. Shutting down the service shouldn't be necessary, but it's not a bad precaution to take.
  • Anonymous
    May 14, 2016
    I have completed the install, including the changes to the Web.config file and adding the Roles and Features for .NET Framework 4.5 Feature...WCF Services...HTTP Activation. The latter also had a prerequisite to add Window Process Activation Service....Process Model, which I did. To change the ownership of the Web.config file and selected Properties->Security Tab->Advanced->Change owner->Apply->OK and the open Advanced->Selected Administrators(new owner)->Edit->Full Control->OK then on Advanced Setting->Apply->OK and opened the file with Notepad and did edit on the file.When I attempted to open WSUS, I had an error message to RESET SERVER NODE. In doing so, nothing happened, went to updates list and removed KB3159706 and restarted in order to access WSUS again.For now have hidden the update KB3159706, until some resolution is found.
    • Anonymous
      May 19, 2016
      What happened when you ran "wsusutil postinstall /servicing" as specified in the KB?
  • Anonymous
    May 15, 2016
    Any progress here with the full SQL server scenario?
  • Anonymous
    May 15, 2016
    So my WSUS instance was originally setup using WID, but the DB was migrated to full SQL Server a year or two ago. Now when I run the postinstall /servicing bit, it seems to detect that the system had the WID role and tries to mess w/ that DB, which isn't present/used:2016-05-15 18:58:07 Detected role services: Api, UI, WidDatabase, Services2016-05-15 18:58:07 Start: LoadSettingsForServicing2016-05-15 18:58:07 WID instance name: MICROSOFT##WID2016-05-15 18:58:07 End: LoadSettingsForServicing2016-05-15 18:58:07 Servicing WID database...2016-05-15 18:58:07 Servicing the database.......2016-05-15 18:58:07 Install type is: Fresh2016-05-15 18:58:07 Install type is Fresh, but should be Upgrade. Cannot service the databaseAny way to either run the DB upgrade scripts manually or to convince wsusutil to service the actual DB instance?
    • Anonymous
      May 19, 2016
      Wsusutil.exe is capable of detecting by itself whether WSUS is using WID, or SQL Server. Notice that the log says –‘Detected role services: API, UI, WidDatabase, Services’. Also, once WID is installed, WSUS cannot be configured to use SQL Server. Can you confirm:1) The value of SqlServerName in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup2) The values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\Installed Role ServicesAlso, how did you migrate from WID to SQL? Was it a clean install and subsequent migration, or did you reuse the SUSDB created by WID?
      • Anonymous
        May 25, 2016
        Steve H: We migrated our WUS from WID to SQL only a week before these updates were applied. Both updates break WUS. Why do you say "once WID is installed, WSUS cannot be configured to use SQL Server". That is not true. I migrated the database using this technet article: https://technet.microsoft.com/en-us/library/dd939918(v=ws.10).aspx . As with the other posters, I spent most of a day trying everything to restore WUS. The only thing that worked was restoring from backup and declining the two KBs from installing.
        • Anonymous
          June 09, 2016
          My statement was not properly qualified: migration from WID to SQL is supported for WSUS 3.0 SP2 on Windows Server 2008 R2 and earlier platforms, but the registry keys described in that article do not accurately call out the Windows Server 2012 keys, since the document was written before that platform was released. For instance, This key - HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup\wYukonInstalled – doesn’t exist on Server 2012 and above. Also, the post-install relies on other values under - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\Installed Role Services – but they’re not mentioned in the article.We will update the guidance to include Windows Server 2012 and R2 registry keys, so that the migration can be completed on those platforms, as well.
          • Anonymous
            July 05, 2016
            Hello - We're still having troubles getting WSUS working after applying the new patch and performing the manual steps. We too are running on 2012 R2 and have migrated off of WID and to a remote SQL server. I see the WID entry in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\Installed Role Services key you mentioned above. Should I delete that key and try again?
            • Anonymous
              August 03, 2016
              There's a little more to it than that. Removing the WID also removes several folders that WSUS needs to function, which could be why you're hitting this issue. Can you try reinstalling the WID role on your server? If you don't want it installed ultimately, then you can copy the folders it creates, remove the role again, and then copy them back. It's extra effort, but you can get there if the WID bothers you.
  • Anonymous
    May 16, 2016
    Is there any change to be made on the LTSB of Windows 10? As my test client can't download patches from wsus after the update.
    • Anonymous
      May 19, 2016
      There's nothing special about LTSB as a Windows Update client: it should be able to scan WSUS like any other client does. What errors are you seeing in the WU client log?
      • Anonymous
        May 19, 2016
        The comment has been removed
  • Anonymous
    May 17, 2016
    After so MANY tweaks, patches, registry edits, you name it, we're still having problems with using WSUS for Windows 10 upgrades.We have spent days and days trying to resolve this..esd MIME change, hotfix, new patch, long term fix with manual steps required (really?!), changing registry entries for clients AllowOSUpgrade 1, DisasableOSUpgrade 0, deleting old upgrade content, and more. All this and this process still does not work!Microsoft, you're setting a deadline for the free upgrades yet have not even finished creating the tools required for deployment!This is a sick joke:(Unable to Find Resource:) ReportingEvent.Client.181; Parameters: Windows 7 and 8.1 upgrade to Windows 10 Pro, version 1511, 10586 - en-us, Volume
    • Anonymous
      May 19, 2016
      Sorry to hear that your upgrade experience via WSUS is subpar. We definitely have some growing pains in this area, and I think the solution for your case could be helpful for others. Have you posted it in the WSUS forum?
  • Anonymous
    May 17, 2016
    The comment has been removed
  • Anonymous
    May 18, 2016
    After a few hours, the errors and console crashes stopped - hope it stays this way ^^
  • Anonymous
    May 19, 2016
    I'd like to thank you for bringing my WSUS server down with both of these updates. Cheers.
    • Anonymous
      May 23, 2016
      Sorry for the service interruption. Is your WSUS still down?
  • Anonymous
    May 24, 2016
    This updated update STILL broke my WSUS. Had to remove it, again.
    • Anonymous
      May 25, 2016
      We need details in order to understand how you were broken, since skipping the update is not a valid option if you want this functionality.
  • Anonymous
    May 24, 2016
    I successfully followed the steps and got my WSUS server working, and the next week it broke again, and just last week I restored the WID database, and got it going , and it worked from Friday to Sunday, come Monday it refused to open the database (marked as Suspect" when running the WSUSUTIL postinstall /servicing. The only solution I've found is to restore the Database from backup.Thoughts welcome.
    • Anonymous
      May 25, 2016
      The comment has been removed
      • Anonymous
        May 26, 2016
        I have exact same problem wsus working for few hours and crash. I cannot update my infrastructure, I have SCCM with wsus on same machine db is on another machine. event log give me this errors Source: Windows Server Update ServicesDescription:The Reporting Web Service is not working.Source: Windows Server Update ServicesDescription:The API Remoting Web Service is not working.Source: Windows Server Update ServicesDescription:The Server Synchronization Web Service is not working.Source: Windows Server Update ServicesDescription:The Client Web Service is not working.Source: Windows Server Update ServicesDescription:The SimpleAuth Web Service is not working.Source: Windows Server Update ServicesDescription:The DSS Authentication Web Service is not working.Source: Windows Server Update ServicesDescription:The WSUS administration console was unable to connect to the WSUS Server via the remote API. System.IO.IOException -- The handshake failed due to an unexpected packet format.thats all event logs, solution is to reboot machine and it's start working again for few hours :) bravo microsoft great patch
  • Anonymous
    May 26, 2016
    I'm still having issues after installing KB3159706, performed restart, ran postinstall, and add new Features for HTTP Activation. However I didn't perform the web.config changes because I am currently not using SSL. which shouldn't be an issue correct? I can open WSUS Manager Fine, however no clients can connect, or the WSUS server itself.
    • Anonymous
      June 09, 2016
      Yes, you shouldn't need the web.config changes unless using SSL. Can you share what errors your clients are seeing when they attempt to scan your WSUS?
  • Anonymous
    May 27, 2016
    KB3159706 still is breaking my WSUS. Starting to wonder about this whole WSUS thing, I've now had it running for a few weeks, and each time I've done updates to the local WSUS it breaks the server. The irony is not lost on me. When I open the console it says it cannot connect to the DB. The service is in a stopped state. I try to manually start the service, and that does not work. I uninstalled KB3159706, rebooted, and everything came right back up.
  • Anonymous
    May 30, 2016
    I must say that I would hate to do a new install and put WSUS on the server. This update has manual steps that I will have to remember. I imagine most new people would never know to look at these post install notes when you are offered 200+ updates on 2012R2 (and you would have to click and open each and every update to find it).Then the previous update was a manual fix as well where I had to find mime types and add it in for windows 10 machines.Changes of a successful install for most people is running near 0%
  • Anonymous
    May 31, 2016
    The comment has been removed
    • Anonymous
      June 09, 2016
      This is not feasible long term. Can you paste the output of the console error that is reported (should be able to copy to clipboard) after the 1-2 days of working properly?
  • Anonymous
    June 01, 2016
    Hi,I didn't install KB3148812 on my WSUS server (windows 2012 R2 french) but i did KB3159706.After reboot WSUS was no more available. I then find Microsoft article wich explane the problem & solution related to KB3148812 installation.But for my case i had to uninstall KB3159706, reboot server, for WSUS to work again.Hope you will find a solution until the Anniversary release of Windows 10.
    • Anonymous
      June 09, 2016
      This is the solution. If it doesn't work for you, then please let us know so that we can help you troubleshoot as needed.
      • Anonymous
        July 08, 2016
        Has this issue been fixed?
        • Anonymous
          July 11, 2016
          I also have French enabled on this server. I wonder if that is a coincidence?
  • Anonymous
    June 02, 2016
    No idea why my name is shown as GUID, but here goes:did the KB3159706 including post install steps. WSUS Console is opening and everything but clients are not getting updates.The post install steps are poorly clarified (and even poorer auto translated ...), several things remain unclear to me:PS: I'm using SSLQuestion 1: Am I supposed to enter something at endpoint address ="" ? (was mentioned in the original web.config file) <!-- NOTE: To configure for both http and https, use full paths for endpoint addresses: e.g. Question 2: Am I supposed to change the permission/ownerships back after editing the file? was mentioned somewhere below in the comments?I'm getting these errors:- Error on WSUS Server in the Eventlog: ID 12022 - The Client Web Service is not working.- Errors on 2 different clients (already Win10 1511): 0x80240017 and on a different Win10 1511 Client: 0x8024401f
    • Anonymous
      June 09, 2016
      Please check the KB again: we blocked the translation, which might make the steps clearer for you. Thanks for bringing that to our attention!It sounds like you've got a typo in the web.config file. Once you've fixed it, don't worry about reassigning ownership: the Trusted Installer will take it back when WSUS gets updated in the future.
  • Anonymous
    June 05, 2016
    HI guysI uninstalled KB3148812, installed KB3159706, followed the step in https://support.microsoft.com/en-gb/kb/3159706WSUS service is still crashing all the time, can't make it stay up more than 5 minutes.it's already 2 weeks I'm fighting with my WSUS / SCCM update point down, starts to be really urgentThanks
    • Anonymous
      June 09, 2016
      How is the WSUS service crashing? Is it under load (either from local processing or client scans) when it crashes? Can you provide any logged errors that describe the crash?Suspicion is that your IIS memory for the WsusPool is running low, which can cause process termination. If that's the case, then you can raise the memory limit temporarily. Once your clients finish performing their full scans (again, guessing here), the traffic will calm down, and then you can lower the memory limit back to its original value.
  • Anonymous
    June 07, 2016
    Clients still getting error after applying the fix (https://support.microsoft.com/en-us/kb/3159706)Error: ("WindowsUpdate_80244008" "WindowsUpdate_dt000"
  • Anonymous
    June 09, 2016
    I've been having issues with WSUS recently and I've tracked it down to this KB3159706 update which I've just uninstalled having rebuilt my LAB WSUS server and installing this update after everything was working fine. My server does not have the KB3148812 update since its newly built and that update was removed a little while back.
    • Anonymous
      June 09, 2016
      I lied!!! When I follow the instructions properly....well, fully!!!!! It works with the update installed.
  • Anonymous
    June 13, 2016
    Followed the instructions to manually repair the issues around this KB. Console comes up but clients fail update with 8024401F error.
    • Anonymous
      June 13, 2016
      The comment has been removed
      • Anonymous
        August 03, 2016
        Sorry for the delayed response, Karen. Did you post your issue in the support forums for Windows Server? If you haven't found resolution there, then please share the link of your post, and we'll ensure it gets attention.
  • Anonymous
    June 13, 2016
    On my WSUS server 2012 R2, the service was continually failing. KB3148812 was not installed, however KB3159706 was. Uninstalling this fix resolved the problem and was able to receive updates to domain computers again. It seem that this fix only fixes if KB3148812 is installed. If not it causes the same problem.
    • Anonymous
      August 03, 2016
      I didn't see anywhere that you executed the manual steps required to make KB3159706 work. If you don't do those, then the symptoms will certainly be the same between the two updates. Please go to http://support.microsoft.com/kb/3159706 for these details.
  • Anonymous
    June 17, 2016
    The comment has been removed
    • Anonymous
      August 03, 2016
      Thanks for the feedback, Glenn. We underestimated the size of the wake that would be caused by this release strategy, and will certainly be more careful going forward. I'm not sure that we can reuse the EULA prompt (with different EULA text), but it's something to consider.
  • Anonymous
    June 19, 2016
    Hi,I've setup my WSUS with SSL this weekend again, because my client pc get an WSUS Error 8024401f ... yesterday it worked well, because it was not fully patched - now fully patched - my pc's get that error.I installed the fix and did the manual steps as descriped in KB3159706 - My WSUS console is accessable again ... but no pc can check for updates or download any ...I am not amused ...any hint for my problem?regards Robert
    • Anonymous
      August 03, 2016
      Apologies for the delayed response. Is this still happening, Robert? If so, then please share the link to your post in the Windows Server support forum, and we'll make sure it gets attention.
  • Anonymous
    June 20, 2016
    I'm experiencing the symptoms of this issue, but I don't have KB3148812 installed. I'm current w/ all Windows Updates from Microsoft on the WSUS server itself --- so now what?
    • Anonymous
      August 03, 2016
      What symptoms are you talking about? If you've installed KB3159706 and followed the manual steps described in the KB article, then you shouldn't have any issues. Please post in the Windows Server support forums if this is not the case.
  • Anonymous
    June 22, 2016
    Solved it for me! :Did not have the KB3148812 installed, but had KB3159706 installed on my 2012R2 SCCM, Had problem with SUSDB not working. "Cannot open database "SUSDB", login failed. After check apppool memory, I did follow *1 in this post-install of KB3159706, and now its working.https://support.microsoft.com/en-us/kb/3159706?
  • Anonymous
    June 29, 2016
    Installed optional KB3159706 on my WSUS server the 25th. Discovered I could not open WSUS this morning. After several hours and much googling I was led here to find this BLOG and 'This update requires manual steps in order to complete the installation'. I must agree with all the negative comments. This is ridiculous and inexcusable. I wasted the entire morning to get WSUS up again.
  • Anonymous
    July 07, 2016
    WSUS crashes with this update. I followed the instructions (no using SSL), but it still breaks with the update applied. What gives?
    • Anonymous
      August 25, 2016
      So initially I caught the fact that KB3159706 breaks a functioning WSUS server. (KB 3148812 was already uninstalled) It did mine. I uninstalled the update and my WSUS server begins functioning again. So I decided to try the KB3159706 update again, several weeks later, because I know eventually I will need ESD decrypt capabilities on my WSUS.I am now about three hours into this evolution. KB3159706 did not work. The manual steps left me with a non functional WSUS server. I following the steps exactly, but something went wrong somewhere. Uninstalled KB3159706 again. Did not return my functional WSUS server. Eventually uninstalled WSUS, tried to reinstall. WID database was still there. Uninstalled WID and deleted database. Reinstalled WSUS and proceeded to reconfigure to attempt to get back to the initial configuration and functionality. Lesson learned. Wait until the issue surrounding KB3159706 have been resolved. They obviously haven't been resolved.At one point I would up with a database that couldn't be read. 2016-08-25 10:51:12 Microsoft.UpdateServices.Administration.CommandException: The schema version of the database is from a newer version of WSUS than currently installed. You must either patch your WSUS server to at least
  • Anonymous
    July 14, 2016
    I read most of this post and see one person reports the same problem as myself.... last status report is not updating in the console.Nor is the Needed Count value.running wuauclt /reportnow on a computer is not updating the console values :(History: -installed SQL Mgmt studio on WSUS 2012 Std server and ran t-sql to get the database out of single user mode.- approved and installed KB3159706...reboot...ran post installation steps and console appeared to work fine.I am stuck and would greatly appreciate advice.
    • Anonymous
      July 14, 2016
      Update: finally after 3 hours the status updated in WSUS. Will post again if this continues to be a problem.
  • Anonymous
    August 06, 2016
    OK, so we have gone through all of this pain so that the Windows 10 Anniversary Update can be published through WSUS. When might that happen?
    • Anonymous
      August 24, 2016
      Seems all these great fixes all blew up when the actual anniversary update rolled out.1607 clients all fail on downloading updates on 1607. Another WSUS fail.
      • Anonymous
        September 20, 2016
        The comment has been removed
  • Anonymous
    August 11, 2016
    The comment has been removed
  • Anonymous
    August 12, 2016
    Hi all!We have a strange Problem.We are running a WSUS Server on Server 2012 (not R2), patched it with everything neccessary to deliver Windows 10 Upgrades and it worked until a few days ago(time 1607 was released?). We were able to update about 150 of our 200 Windows 10 Build 10240 boxes of our customers to 1511 before, but now, no 10240 machine get´s the 1511 (May Edition) offered by WSUS.Then i started searhing and came across KB3159706.First I thought, that it can´t be because it describes 1607 Upgrade and future ones and other packages using ESD. But I gave it a try and followed the Instructions. It worked perfectly as described, but does not resolve the Issue, that 1511 will not be offerred any more.Now I tried to install a new 2016TP5 based WSUS, to ensure it is not a issue with 2012 WSUS 3.0 SP2 (and Patches), but 2016TP5 WSUS does the same Thing. Then i stumbled over a comment, that 2016 Server WSUS will have KB3159706 Features when it goes RTM, so there is the possibility, that it does not have KB3159706 yet in TP5.Here our configuration:* WSUS 3.0 SP2, all Patches on 2012 Server (in Azure)* Configured to not deliver packages directly, Clients have to download them from Microsoft (this could be important, because ESD Packages will only be downloaded by CLients not by the WSUS - So what could KB3159706 do on the Server without the ESDs to look in?What I found interesting so far:* WSUS marks the previously already working 1511 Upgrade Updates now as "Not Applicable" to the 10240 Clients - thats strange* When  I Change Test Clients Windows Update Agent to Microsoft Windows Update directly, the 1511 is ovvered instantly, so there is no issue withe the Clients!* The WSUS Update ID of the correct 1511 Upgrade Update is other than this offered by Windows Update   WSUS knows the March Version with ID:d08ff53d-ce46-4ad1-8abe-538fd192e38f   WSUS knows the May Version we approved, but is not offered anymore with ID: 1105b447-525e-4192-ba5e-437cbd6c01aa   Windows Update offers a new (!) Update ID: Upgrade auf Windows 10 Pro, Version 1511, 10586 | 468e4ed0-ee60-4827-9e45-370e77dec143So, what is going on here? Is it all because of a bug or because we are only Control our Clients with the WSUS, but they have to download directly? Does it have anything to do with 1607 release or KB3159706?Help please - I invested days already to hunt this down...Thanks a lotThomas 
    • Anonymous
      September 20, 2016
      Without digging too deeply, I can tell you that WSUS 3.0 SP2 in the mix is not recommended for any ESD distribution. It's not only the download that's the problem: it's also the metadata. If WSUS 3.0 SP2 syncs any Upgrades from Windows Update or another WSUS, then that content will be corrupted regardless of whether the client downloads the actual payload from Windows Update. Our recommendation is not to use WSUS 3.0 SP2 in any distribution chain that involves ESDs.
  • Anonymous
    August 12, 2016
    I thought I posted this yesterday, but don't see it, so sorry if it's a duplicate. Had issues with the older 3148812 patch, so uninstalled and held off for update. Tried the new 3159706 yesterday, and having the same issues - can't connect to console. Did all the post install steps, and found a few things along the way. Had migrated to an external SQL database, and still had WID checked in features. Removed that, and ZIP'd the database. Posted a bunch of updates on forum at: https://social.technet.microsoft.com/Forums/windowsserver/en-US/c74df64d-665d-49b1-99ce-b4a532d4706f/still-having-problems-after-installing-3159706?forum=winserverwsus&prof=requiredAt this point, stuck. I uninstalled the patch, leaving the web.config changes intact, and it seems to be working. Any assistance would be appreciated. Steve
  • Anonymous
    August 16, 2016
    KB3159706 broke WSUS for us. Is anyone else having these issues?
    • Anonymous
      September 20, 2016
      Which issues are you having?
  • Anonymous
    August 17, 2016
    I approved the 1607 upgrades on WSUS this morning before applying KB3159706, I was getting install error messages on the clients. I declined the updates and ran the server cleanup wizard. I then applied KB3159706, I re-approved the upgrades and I'm still getting the same error messages on the clients. Will downloading 1607 upgrades before installing KB3159706 give me these issues? Please help.
  • Anonymous
    August 18, 2016
    Can someone help me to find out the collection of patches related to 2012 which are having problem or bugs.
  • Anonymous
    August 23, 2016
    I'm running WSUS with an external SQL db, not WID for WSUS. I did all of the post install steps required and WSUS still crashes upon loading. I am at a standstill with deploying 1607 to my organization because this AND the upgrade TS are jacked because of your bugs. Here's the link to my technet forum: https://social.technet.microsoft.com/Forums/windows/en-US/768b8fec-163e-4620-94c2-5769f8ec23fd/kb3159706-breaks-wsus-even-after-postinstall-steps?forum=winserverwsus
    • Anonymous
      September 20, 2016
      Jon, did you happen to migrate from WID to external SQL, or was it set up external from the beginning? If the former, then I think we might have your remedy.
    • Anonymous
      November 07, 2016
      I have experienced an error while using a dedicated sql server (2014).for me it was the fact that in one of the sql script files someone wrote iDoc instead of idoc, once i changed it and followed manual steps everything was amazing.
  • Anonymous
    August 25, 2016
    So initially I caught the fact that KB3159706 breaks a functioning WSUS server. (KB 3148812 was already uninstalled) It did mine. I uninstalled the update and my WSUS server begins functioning again.So I decided to try the KB3159706 update again, several weeks later, because I know eventually I will need ESD decrypt capabilities on my WSUS.I am now about three hours into this evolution. KB3159706 did not work. The manual steps left me with a non functional WSUS server. I following the steps exactly, but something went wrong somewhere. Uninstalled KB3159706 again. Did not return my functional WSUS server. Eventually uninstalled WSUS, tried to reinstall. WID database was still there. Uninstalled WID and deleted database. Reinstalled WSUS and proceeded to reconfigure to attempt to get back to the initial configuration and functionality. Lesson learned. Wait until the issue surrounding KB3159706 have been resolved. They obviously haven’t been resolved.At one point I would up with a database that couldn’t be read.2016-08-25 10:51:12 Microsoft.UpdateServices.Administration.CommandException: The schema version of the database is from a newer version of WSUS than currently installed. You must either patch your WSUS server to at least
  • Anonymous
    September 07, 2016
    These settings resolve my problems:1. Add .esd and .msu mime types to IIS server.2. Change DeliveryOptimization mode!REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DODownloadMode /t REG_DWORD /d 100 /f
  • Anonymous
    September 08, 2016
    Curious why I put comments out there on 8/11 and 8/12 that apparently still haven't been published as they're "Awaiting moderation"?
    • Anonymous
      September 20, 2016
      I keep up on here as best I can, but there's room for improvement on keeping the discussion flowing. I believe that once you've been approved once, your future comments should automatically go through, but I haven't fully understood the new system yet. As to why we have this system in the first place, it's to prevent "spammy" comments from polluting our blogs. The ratio of legitimate to illegitimate comments is about 1:4, so I tend to think it's worth the hassle to keep things clean.
  • Anonymous
    September 17, 2016
    I'm a few weeks into half hourly alert emails from a failed WSUS installation.Yes, 48 times a day I'm reminded that not only is the WSUS install broken, because the attempts to fix it have removed the console. I can't stop them...filters? I'm on the road. Push email ensures I get them all.I manage the site remotely, not that it makes much difference these days.I've read literally dozens of articles on how to fix WSUS. I've tried so many, my documentation has come adrift. Whilst I'm encouraged to be in such numerous company, like a good many of us here, I'm not exactly keen on re-building this server. It's a time/billing thing.Here's the rub: There aren't any Windows 10 clients on the network, so this is all a bit frustrating.I hate criticism unless it's constructive. So here's an idea...Microsoft, having immensely more resources than we, the users, might look into creating a *solution.How about building a cut down VM based WSUS only server afflicted customers could install on existing single instance or physical servers? Do it for us time poor customers, eh Microsoft?
    • Anonymous
      September 20, 2016
      Dave, have you posted this in our TechNet forum? If so, then please provide the link to your thread, and ensure that your contact information is accessible either in the post or your forum profile. We'll reach out to you directly, since what you're experiencing does not seem to be by design, and can't be remedied in a few blog comments.
      • Anonymous
        September 22, 2016
        No Steve, I haven't. Before I do, I suppose I should scour the forums and see what others have discovered. Cheers!
  • Anonymous
    September 29, 2016
    All end user computers are still failing to install 1607 updates after I ran through all of this. When they update from Microsoft, they succeed. I just rechecked and I've done:1) Set .esd - application/octet-stream in IIS2) Checked and 8812 is not installed3) KB3159706 has been installed since 5/18 (date it's listed as installed in Control Panel, Installed Updates)What am I missing? I don't see where to "uninstall test package" as in step 1. Any help would be greatly appreciated! Thanks
    • Anonymous
      October 07, 2016
      Please post the errors that you are seeing in our TechNet forums, so that your issue can be troubleshot properly. Off the top, I couldn't tell you what's happening.
  • Anonymous
    September 29, 2016
    The comment has been removed
  • Anonymous
    October 01, 2016
    I don't understand why the update cannot simply do the post-install and HTTP Activation itself, this has not been explained above. Can you explain please?
    • Anonymous
      October 07, 2016
      The comment has been removed
      • Anonymous
        October 13, 2016
        The comment has been removed
  • Anonymous
    October 06, 2016
    Post install steps worked for me. https://support.microsoft.com/en-us/kb/3159706
  • Anonymous
    November 04, 2016
    I have a windows 8.1 desktop computer and when i do "check for windows updates", it just sits there forever. to get it to stop, i need to run windows update troubleshooter. then, when i look at the windowsUpdate.log file (which i can email you if you want), i see2016-11-04 13:03:40:679 1064 1e58 IdleTmr WU operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery, operation # 169) stopped; does use network; is at background priorityas the last log when i first start "windows update" and then i see the below log (20 min later) when i run the troubleshooter:2016-11-04 13:25:52:482 1064 17d8 AU ########### AU: Uninitializing Automatic Updates ###########2016-11-04 13:25:52:482 1064 1e58 Agent * WARNING: Failed to filter search results, error = 0x8024000B2016-11-04 13:25:52:482 1064 17d8 WuTask Uninit WU Task Managerso it seems to get stuck in "WARNING: Failed to filter search results, error = 0x8024000B". i would think it should timeout if it cannot do something.again, this is windows 8.1 desktop computer, not a server. is this related to this wsus decrpyt thing? what to do?
    • Anonymous
      May 05, 2017
      This is an unrelated symptom. If you haven't already, then I'd recommend seeking help at the Windows Update support forums.
  • Anonymous
    December 09, 2016
    Could you address why the upgrade cannot be installed via script (using a modified version of this script: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387102(v=vs.85).aspx ) directly from Windows Update (not WSUS) ? WindowsUpdate.log shows: "DownloadManager Update A18B4DD2-E36B-4A33-8619-DA422B8438E0.200 is missing decryption information"It would seem based on everything you said that the issue is specific to WSUS and that Windows 10 has built-in decryption information when using Windows Update directly. Why then does a scripted installation fail with the above error when using Windows Update and not WSUS?Thanks.
    • Anonymous
      May 05, 2017
      I'd expect this to work, as you do. The Windows 10 client scanning directly against Windows Update has everything it needs to be able to sync and install feature updates; perhaps you already downloaded incomplete data from WSUS, and your client is unable to replace it with the content from Windows Update? If that's the case, then you can try clearing your client datastore and scanning WU again.
  • Anonymous
    February 15, 2017
    Does this apply to Server 2016 WSUS servers? I have having issues with many of my Windows 10 machines not reporting to my Server 2016 WSUS server (only about 20% work correctly). All of my Windows 7 and the few Windows 8 machines all work with out issue.
    • Anonymous
      May 05, 2017
      No, the fix that is contained in 3148812 (now 3159706) shipped with Server 2016 RTM, so you shouldn't have this issue on that platform. Any scan failures you're seeing are likely unrelated, but might still be worth looking at. Can you post your issue in the WSUS support forum for assistance?
  • Anonymous
    April 13, 2017
    Dear support,Recently my wsus 3.0 sp2, having issue on all the clients unable to report to serveronly windows 10 pc. able to show updates/report to wsusWindows 7 workstation, all show "Not yet reported" even I perform all the following command:gpupdate/ forcewuauclt.exe /resetauthorization /detectnowwuauclt.exe /reportnowrestart pc3x weeks I perform the same thing continuously, then some windows pc may appear, after 1 weeks, but some still unable to show at wsusI did delete the softwaredistribution folder as well,re-install my wsus servers, and reformat my windows 2008 servers r2, which wsus is installing insidemay I know is it wsus 3.0 sp2 no longer support for windows 7 ? kindly replyI had use 3x weeks time for the troubleshooting still no resultthanks a lot
    • Anonymous
      May 05, 2017
      WSUS 3.0 SP2 still supports Windows 7. Please post this in the WSUS support forums for troubleshooting help.
  • Anonymous
    May 21, 2017
    After running windows updates last night I found that my WSUS for Windows 10 PC is not working any more. The service has started, however when I open WSUS console I am receiving a message: "Error connecting to the server". The error comes from the server with WSUS installed. After uninstalling KB3159706, WSSUS works normally. It is my understanding that I need KB3159706 in order to upgrade Windows 10 PC to a new revision.
    • Anonymous
      May 24, 2017
      Yes, Windows 10 feature updates can only be distributed through a WSUS server on WS12/R2 that has previously installed KB3159706 and run all necessary post-install steps as covered in the KB. If you want to deploy anything in the Upgrades classification (i.e., feature updates) from your WSUS, then skipping this KB is not an option.
  • Anonymous
    May 21, 2017
    Just FYI. I do not use SSL as it shown in manual instructions for WSUS, therefore I do not have KB3148812 installed and uninstalling KB3159706 restored connectivity to WSUS but I cannot push Windows 10 revision 1703 to windows 10 PC
    • Anonymous
      May 24, 2017
      You need to follow many of the post-install instructions listed in KB3159706 regardless of whether you use SSL. Your error connecting to the WSUS server comes from not having run the postinstall command.
      • Anonymous
        May 25, 2017
        I did, and now WSUS works, however PC are not reporting. I can see PC in WSUS but it shows under "Operating System" tab "Windows0.0" Under "last status Report" tab "Not yet reported" and it has been the same way for the last 24 hours
        • Anonymous
          May 25, 2017
          Does deleting datastore.edb from the client refresh the connection?
          • Anonymous
            May 25, 2017
            No, connection have not refreshed. It is still showing "Windows0.0" and "Not ye reported"
  • Anonymous
    July 04, 2017
    The comment has been removed
    • Anonymous
      July 13, 2017
      Sorry to hear it's not working well for you, Andrew. Have you shared your specific stumbling blocks on the WSUS support forum? I spin up VMs to test various scenarios all the time, so I'm not sure which area is causing the most confusion: I'd be happy to clarify that area, once identified.KB3159706 is still relevant, and it has been rolled into a cumulative update. If you install any CU from May onward on your WS12+ WSUS servers, then you will need to run the manual post-install tasks to activate the functionality in that release. However, we've made it so that even if you don't run these manual steps, the update should no longer cause existing WSUS operations to fail.Moreover, we are investigating not encrypting feature updates going forward. If that comes to pass, then WSUS 4.0 and newer will be able to sync and distribute feature updates without any of this activity.
      • Anonymous
        July 20, 2017
        About 80% of our 1511 to 1703 upgrades are failing. I ran the SQL query, and WSUS is not in a bad state. Computers get 0xc1800118 errors until I run a script that clears catroot2, SoftwareDistribution, and $WINDOWS.~BT. They then begin receiving error 0x80240031, and will not successfully install the Creators Update unless I manually select the option on them to check for updates from Microsoft Update instead. What is the DEAL?! I have made multiple forum posts to no avail. I just posted on TechNet here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/60342a99-34be-4b51-9d74-f3ab7210de95/issues-upgrading-1511-to-1703-via-wsus?forum=winserverwsus
        • Anonymous
          July 26, 2017
          Thanks for the post, Evan. After reading through your forum thread, it appears you've found a workaround in bypassing Delivery Optimization on the WU client. Ideally, DO would work just fine with WSUS, so we're going to look into whether there might be a bug preventing effective interoperability here.
  • Anonymous
    August 01, 2017
    Still no decryption keys all mentioned updates installed followed the guidance and cleaned susdb *.esd and resynced i can still get no keys
    • Anonymous
      August 03, 2017
      Can you share the link to your forum post describing this troubleshooting effort? We might be able to dig deeper if we've got more context.
  • Anonymous
    September 11, 2017
    Good dayI looked at this entire issue...I do believe this update is still applicable, but noticed it has been incorporated\superseded by cumulative updates? Is this accurate? If so, does someone have a list of these cumulative updates?For a SCCM environment, this will then be required on each server hosting a WSUS\SUP point?
    • Anonymous
      September 12, 2017
      If you're coming to this now, then you'll want to review the fix covered in this post instead of trying to find or apply 3148812, 3159706, or 3095113. The August update includes all the functionality contained in these fixes, and is all that you need to deploy to stay up to date. Or, if you miss that, then September and any future cumulative update offer the same. Note that the manual steps may still be required to finalize installation for any package involving these changes to WSUS.