This is the Windows Server Update Services support team blog. We cover all things relating to WSUS and Windows Update.
Hi everyone, Joao Madureira here. During the course of this week we saw an increase of cases installing Knowledge Base article KB 2720211. What follows are some guidelines we’ve established when facing some problems installing this KB.
UPDATE - 9/4/2012: There is a new update available that includes 2720211 plus many other fixes, including those that address some of the issues discussed in this article. You can find information on this new update here.
As mentioned in the KB article, please follow instructions on how to perform basic health checks on a WSUS Server using the following TechNet websites:
· Reindex the WSUS Database (http://technet.microsoft.com/en-us/library/dd939795(v=ws.10)) · Use the Server Cleanup Wizard
· Reindex the WSUS Database (http://technet.microsoft.com/en-us/library/dd939795(v=ws.10))
· Use the Server Cleanup Wizard
You can use the wsusmigrationmigrationimport/Wsusmigrationexport tools to back up the approvals and computer groups. Before installing the KB, copy these files to C:\program files\update services\tools.
- Download the API samples and tools at http://download.microsoft.com/download/5/d/c/5dc98401-bb01-44e7-8533-3e79ae0e0f97/Update%20Services%203.0%20API%20Samples%20and%20Tools.EXE and get the WSUSmigrationexport.exe from it.
- http://wsus.codeplex.com/releases/view/18460 <-compiled version for wsusmigrationimport with http://support.microsoft.com/default.aspx?scid=kb;EN-US;945348
Next, open notepad and copy the following text to it:
mkdir c:\wsusbackup wsusutil.exe export c:\wsusbackup\metadata.cab c:\wsusbackup\metadata.log wsusmigrationexport3.exe c:\wsusbackup\configuration.xml
Save this as backup.bat.
Open notepad and copy the following text to it:
wsusutil.exe import c:\wsusbackup\metadata.cab c:\wsusbackup\metadata.log wsusmigrationimport3.exe c:\wsusbackup\configuration.xml all none wsusutil.exe reset
Save this as restore.bat.
Now, if you encounter a problem installing the KB, you have a valid backup and can use the restore.cmd to get back the metadata and approvals after reinstalling WSUS.
Four main issues have been encountered as follows:
Issue
Description
Issue caused by patch?
Workaround available?
1
WSUS server stops synchronizing with Microsoft Update
No
Yes
2
The website verifications are not accurate
No. Recommend disabling.
3
WSUS server stops working and also fails to reinstall.
4
Errors in errorlog for Windows internal database
TBD
Workaround: remove WSUS , leaving the database on the uninstall.
When removing WSUS , the first screen after asking to uninstall will be what are the items you want to remove with the uninstall. Leave all options UNCHECKED.
Proceed with uninstalling. After finishing, install WSUS again.
Add the role again in Server manager (Windows Server 2008 and Windows Server 2008 R2) or download WSUS 3 SP2 from the following location:
http://www.microsoft.com/en-us/download/details.aspx?id=5216
Start the install and choose the options to connect to the database server or Windows Internal database. As in the example, I am connecting to my Windows Internal Database.
Then choose “use existing database” and proceed with the install.
The problem is currently under investigation and the workaround is to temporarily disable the website verification with wsusutil. WSUS is working fine, it synchronizes and updates clients. The mechanism to verify the websites is the one alerting on Event viewer.
Open a command prompt and navigate to C:\program files\update services\tools
You can save the following text below to a batch file or run the following commands to stop verifying the websites:
wsusutil HealthMonitoring CheckSelfUpdate off wsusutil HealthMonitoring CheckReportingWebService off wsusutil HealthMonitoring CheckApiRemotingWebService off wsusutil HealthMonitoring CheckServerSyncWebService off wsusutil HealthMonitoring CheckClientWebService off wsusutil HealthMonitoring CheckSimpleAuthWebService off wsusutil HealthMonitoring CheckDssAuthWebService off
After running it, you will have to restart the WSUS service. If you are still at the command prompt, you can simply do a net stop wsusservice && net start wsusservice
After installing the fix, WSUS stops working. The console doesn’t open and softwaredistribution.log displays the following messages:
2012-06-15 19:26:36.976 UTC Error w3wp.8 GenericDataAccess.DumpStateMachineLog DumpStateMachineLog encountered an error. Exception: System.Data.SqlClient.SqlException: Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.
and
2012-06-15 19:26:03.778 UTC Warning w3wp.8 SoapExceptionProcessor.SerializeAndThrow Discarding stack trace for user NT AUTHORITY\SYSTEM, IP Address fe80::e949:3535:dace:fef4%13, exception System.Data.SqlClient.SqlException: Access to module dbo.spConfiguration is blocked because the signature is not valid.
2012-06-15 19:26:03.778 UTC Error w3wp.8 GenericDataAccess.DumpStateMachineLog DumpStateMachineLog encountered an error. Exception: System.Data.SqlClient.SqlException: Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.
When trying to reinstall WSUS it fails. In order to locate what is causing the installation to fail, go to Run > type %temp%. Locate the WSUSCAXXXXX.log ( where XXXXX will be date_time the machine ran the setup). The error will be like in the transcript:
Changed database context to 'SUSDB'.
Executing string: CREATE CERTIFICATE [MS_SchemaSigningCertificateD7A4348D8F461363128D655AE4589B8206B74257] FROM FILE = 'C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\wsussigndb.cer'
Warning: The certificate you created is expired.
Executing string: ALTER CERTIFICATE [MS_SchemaSigningCertificateD7A4348D8F461363128D655AE4589B8206B74257] ATTESTED BY 'C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb.dll'
Signing object:[dbo].[spGetComputerSummariesForTargetGroup]
Msg 15299, Level 16, State 1, Server \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query, Line 6
The signature of the public key is invalid.
The solution for reinstalling WSUS will be the following:
Assuming the WSUS is not installed anymore, remove Server Manager > Features > Windows Internal database.
Navigate to C:\windows and locate the folder sysmsi . Rename this folder to sysmsi_old
Try to install WSUS again with the option to install the Windows Internal database.
If you are seeing the error below in the SQL Errorlog and the database has been patched, we have verified these instructions:
NOTE Errorlog is located at c:\windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Log
2012-06-14 11:39:40.93 spid53 Access to module dbo.spSetupLogin is blocked because the signature is not valid.
1) Stop WID using NET STOP MSSQL$MICROSOFT##SSEE
2) Backup the existing patched database files (file copy will work). Usually this is at C:\WSUS\UpdateServicesDbFiles (this location was chosen by the customer when they initially installed WSUS).
3) Start WID using NET START MSSQL$MICROSOFT##SSEE
4) Reinstall WSUS3 SP 2 to a new database (“Create a new Database”).
5) Reinstall the patch – IMPORTANT!
6) Stop WID using NET STOP MSSQL$MICROSOFT##SSEE
7) Restore the existing patched database by copying the files you backed up to C:\WSUS\UpdateServicesDbFiles
8) Start WID using NET START MSSQL$MICROSOFT##SSEE
9) Run the patch again with the following command: – the patch should be able to add the missing signatures automatically. If it fails again,please send us the log files (C:\reinstallpatch.log, mwusca***, wsusca***,mwussetup***, wsussetup***, wsussetupmsi*** in your %temp% or %temp%\.. WSUS-KB2720211-x64.exe C:\reinstallpatch.log
Joao Madureira | Senior Support Escalation Engineer
Get the latest System Center news on Facebook and Twitter:
App-V Team blog: http://blogs.technet.com/appv/ ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ DPM Team blog: http://blogs.technet.com/dpm/ MED-V Team blog: http://blogs.technet.com/medv/ Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ Operations Manager Team blog: http://blogs.technet.com/momteam/ SCVMM Team blog: http://blogs.technet.com/scvmm Server App-V Team blog: http://blogs.technet.com/b/serverappv Service Manager Team blog: http://blogs.technet.com/b/servicemanager System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials WSUS Support Team blog: http://blogs.technet.com/sus/
The Forefront Server Protection blog: http://blogs.technet.com/b/fss/ The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/ The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ The Forefront TMG blog: http://blogs.technet.com/b/isablog/ The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
An update for Windows Server Update Services 3.0 Service Pack 2 is available (KB2734608), support.microsoft.com/.../2734608
great Job guys, like all the other's our WSUS is not working anymore after installation of the latest KBs. Nice way to fix security issues, just make the product stop working at all.
Jesus ....
whatever is slowing down the browser making this page virtually unreadable (facebook links?) - get it fixed. useless
To all who are interested, we managed to solve the issues with WSUS not coming up since the latest windows update by doing the following:
- opened SQL Management Studio, had a look at SUSDB
the status was "Single-User" and access was not possible
- opened a new query and entered the following command:
use susdb
EXEC sp_dboption 'SUSDB', 'single user', 'false'
- when executing the command, I received an error, so I restarted the windows service "Windows Internal Database" several times and
tried to execute the above command in SQL Management Studio several times. If you get the right time window (just after the service
has restarted) it will execute successful and your DB should be out of single user mode again (thus accessible for everyone)
- Then in Event log I found hundreds of errors like
"Access to module xxxx is blocked because the signature is not valid."
So I went ahead and installed KB2734608
- finally, issue was solved
Thanks for the article. It saved my week. If you could update the article with some of Event Viewer ID's and descriptions encountered, it would benefit those searching on them, It would be especially helpful for Issue #2 because it made no mention of the "Self-update not working." event ID; most persons will not equate to "Website Verifications are not accurate". I did not put guessed it was the closet description to my problem.
I listed the two event ID's I was encountering below. My issues was that none of the computers were reporting in.
EVENT VIEWER ERROR:
-----------------------------
Event Type: Warning
Event Source: Windows Server Update Services
Event ID: 13031
Description:
Some client computers have not reported back to the server in the last 30 days. 11 have been detected so far.
REMEDY:
-----------
Installing the new patch resolved this issue
****************
EVENT VIEWER ERROR: (Still happened after installing new patch):
------------------------------
Event Type: Error
Event ID:13042
Self-update is not working.
Followed remedy J.C. listed under Issue 2 : Website Verifications are not accurate.....
"You can save the following text below to a batch file or run the following commands to stop verifying the websites:
wsusutil HealthMonitoring CheckSelfUpdate off
wsusutil HealthMonitoring CheckReportingWebService off
wsusutil HealthMonitoring CheckApiRemotingWebService off
wsusutil HealthMonitoring CheckServerSyncWebService off
wsusutil HealthMonitoring CheckClientWebService off
wsusutil HealthMonitoring CheckSimpleAuthWebService off
wsusutil HealthMonitoring CheckDssAuthWebService off
After running it, you will have to restart the WSUS service. If you are still at the command prompt, you can simply do a net stop wsusservice && net start wsusservice"
I am using SERVER 2003 R2 and have a snap-in issue after installing KB2720211 on a update.
The Popup window says:
Window Server Update Services 3.0 SP2
MMC has detected an error in a snap-in and will unload it.
Option 1: Report this error to Microsoft, and then shut down MMC.
Option 2: Unload the snap-in and continue running
Tried option 2 and got same error but with:
MMC could not create the snap-in. The snap-in might not have been installed correctly.
Name: Update Services
CLSID:FX:{8b6499ed-0241-e032-6508-da4b1c879d7e}
My WSUS is down and any help would be great - step by step of how to fix would be even better.
Thanks
Almost the same problem as Joseph only with the new KB2734608 and I am using SERVER 2008 R2
Snap-in issue after installing KB2734608 on WSUS
Hi i found an resolution for the Console error after installing KB2720211 and a fix for error 800b0001 on clients connecting to WSUS . (Thanx to some info byronwright.blogspot.nl/.../kb-2720211-kills-wsus.html)
Extract WUSSetup.msp from WSUS-KB2720211-x64.exe with 7-Zip (free utility). Once done just run WUSSetup.msp (a simple double click will do the job). You'll get a few error messages. Just click ignore. When the program has finished installing, reboot server and start your WSUS Console. All should be up and running beautifully.
After above still error 800b0001 on clients connecting to WSUS . Resolved that by ;
1. Download the KB2720211 installer for your architecture from Microsoft (support.microsoft.com/.../2720211).
2. Extract WUSSetup.msp from the installer by running the installer with the /extract parameter (example: "WSUS-KB2720211-x64.exe /extract")
3. With 7-zip, open WUSSetup.msp and extract "PCW_CAB_SUS".
4. With 7-zip, open "PCW_CAB_SUS" and extract "DbCert", "DbCertDll", and "DbCertSql".
5. Rename those files to "WSUSSignDb.cer", "WSUSSignDb.dll", and "WSUSSignDb.sql", respectively.
6. On your WSUS server, navigate to "C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig" and copy the extracted "WSUSSignDb.cer" and "WSUSSignDb.dll" to it. Make a backup copy of the two existing versions, just in case.
7. On your WSUS server, navigate to "C:\Program Files\Update Services\Database" and copy the extracted "WSUSSignDb.sql" to it. Make a backup copy of any existing versions of the file.
8. Reinstall KB (WSUS-KB2720211-x86.exe /q C:\MySetup.log)
First i did above with KB2734608 (= updated KB2720211) but that did not work.
I had the issue after the patch and after I thought it was fixed I noted that only a small percent of servers were reporting updated status for patches. Am now trying to re-install WSUS SP2 from scratch after having to perform multiple out of date manual removal instructions, get really jacked off as it stands I cannot get it to re-install been at it seven straight hours. Thanks a lot for this FUBAR of a patch, are you actually going to provide a half decent fix for this issue?
Honestly:
2012-12-17 16:14:47 Success CustomActions.Dll CopyADMFile:The system locale ENG is not supported. Using English...
2012-12-17 16:15:16 Error MWUSSetup InstallWsus: MWUS Installation Failed (Error 0x80070643: Fatal error during installation.)
2012-12-17 16:15:16 Error MWUSSetup CInstallDriver::PerformSetup: WSUS installation failed (Error 0x80070643: Fatal error during installation.)
2012-12-17 16:15:16 Error MWUSSetup CSetupDriver::LaunchSetup: Setup failed (Error 0x80070643: Fatal error during installation.)
This is extremely annoying
so reading between the lines.
This KB may fix a certain problem with clients not reporting to the WSUS server
BUT (big but)
It may break your WSUS installation.
Which means that a reinstall may be required.
Is there any guidance as to what to do if its a SBS2011 installation that gets mucked up? there are a number of things coexisting on an SBS setup and its not as simple to reinstall anything on one.
Do NOT use the backup batch file! It completely jacked up my WSUS and I had to do a reset and start over. You can back up easy enough just using this; technet.microsoft.com/.../cc720441(v=ws.10).aspx
My system has had a re-install of WSUS SP2 in the past. I get an error about the update note having permission to access the Language Key at /Software/Microsoft/CurrentVersion/Unistall/Windows Server Update Service 3.0 SP2 i press ignore