This is the Windows Server Update Services support team blog. We cover all things relating to WSUS and Windows Update.
Hi everyone, Joao Madureira here. During the course of this week we saw an increase in cases involving the installation of Knowledge Base article KB 2720211. What follows are some guidelines we’ve established for dealing with problems installing this KB.
UPDATE - 9/4/2012: There is a new update available that includes 2720211 plus many other fixes, including those that address some of the issues discussed in this article. You can find information on this new update here.
As mentioned in the KB article, please follow instructions on how to perform basic health checks on a WSUS Server using the following TechNet websites:
· Reindex the WSUS Database (http://technet.microsoft.com/en-us/library/dd939795(v=ws.10))
· Use the Server Cleanup Wizard
You can use the wsusmigrationimport/wsusmigrationexport tools to back up the approvals and computer groups. Before installing the KB, copy these files to C:\program files\update services\tools.
- Download the API samples and tools at http://download.microsoft.com/download/5/d/c/5dc98401-bb01-44e7-8533-3e79ae0e0f97/Update%20Services%203.0%20API%20Samples%20and%20Tools.EXE and get the WSUSmigrationexport.exe from it.
- http://wsus.codeplex.com/releases/view/18460 <-compiled version for wsusmigrationimport with http://support.microsoft.com/default.aspx?scid=kb;EN-US;945348
Next, open notepad and copy the following text to it:
mkdir c:\wsusbackup
wsusutil.exe export c:\wsusbackup\metadata.cab c:\wsusbackup\metadata.log
wsusmigrationexport3.exe c:\wsusbackup\configuration.xml
Save this as backup.bat.
Open notepad and copy the following text to it:
wsusutil.exe import c:\wsusbackup\metadata.cab c:\wsusbackup\metadata.log
wsusmigrationimport3.exe c:\wsusbackup\configuration.xml all none
wsusutil.exe reset
Save this as restore.bat.
Now, if you encounter a problem installing the KB, you have a valid backup and can use restore.bat to get back the metadata and approvals after reinstalling WSUS.
Four main issues have been encountered as follows:
Issue caused by patch?
WSUS server stops synchronizing with Microsoft Update
The website verifications are not accurate
No. Recommend disabling.
WSUS server stops working and also fails to reinstall.
Errors in errorlog for Windows internal database
Workaround: remove WSUS, leaving the database in place during the uninstall.
When removing WSUS, the first screen after you confirm the uninstall asks which items you want to remove. Leave all options UNCHECKED.
Proceed with uninstalling. After finishing, install WSUS again.
Add the role again in Server manager (Windows Server 2008 and Windows Server 2008 R2) or download WSUS 3 SP2 from the following location:
Start the install and choose the options to connect to the database server or Windows Internal database. As in the example, I am connecting to my Windows Internal Database.
Then choose “use existing database” and proceed with the install.
The problem is currently under investigation and the workaround is to temporarily disable the website verification with wsusutil. WSUS is working fine, it synchronizes and updates clients. The mechanism to verify the websites is the one alerting on Event viewer.
Open a command prompt and navigate to C:\program files\update services\tools
You can save the following text below to a batch file or run the following commands to stop verifying the websites:
wsusutil HealthMonitoring CheckSelfUpdate off
wsusutil HealthMonitoring CheckReportingWebService off
wsusutil HealthMonitoring CheckApiRemotingWebService off
wsusutil HealthMonitoring CheckServerSyncWebService off
wsusutil HealthMonitoring CheckClientWebService off
wsusutil HealthMonitoring CheckSimpleAuthWebService off
wsusutil HealthMonitoring CheckDssAuthWebService off
After running it, you will have to restart the WSUS service. If you are still at the command prompt, you can simply run:
net stop wsusservice && net start wsusservice
After installing the fix, WSUS stops working. The console doesn’t open and softwaredistribution.log displays the following messages:
2012-06-15 19:26:36.976 UTC Error w3wp.8 GenericDataAccess.DumpStateMachineLog DumpStateMachineLog encountered an error. Exception: System.Data.SqlClient.SqlException: Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.
2012-06-15 19:26:03.778 UTC Warning w3wp.8 SoapExceptionProcessor.SerializeAndThrow Discarding stack trace for user NT AUTHORITY\SYSTEM, IP Address fe80::e949:3535:dace:fef4%13, exception System.Data.SqlClient.SqlException: Access to module dbo.spConfiguration is blocked because the signature is not valid.
2012-06-15 19:26:03.778 UTC Error w3wp.8 GenericDataAccess.DumpStateMachineLog DumpStateMachineLog encountered an error. Exception: System.Data.SqlClient.SqlException: Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.
When trying to reinstall WSUS, it fails. To locate what is causing the installation to fail, go to Run > type %temp%. Locate the WSUSCAXXXXX.log (where XXXXX is the date_time at which the machine ran the setup). The error will look like the one in this transcript:
Changed database context to 'SUSDB'.
Executing string: CREATE CERTIFICATE [MS_SchemaSigningCertificateD7A4348D8F461363128D655AE4589B8206B74257] FROM FILE = 'C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\wsussigndb.cer'
Warning: The certificate you created is expired.
Executing string: ALTER CERTIFICATE [MS_SchemaSigningCertificateD7A4348D8F461363128D655AE4589B8206B74257] ATTESTED BY 'C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb.dll'
Msg 15299, Level 16, State 1, Server \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query, Line 6
The signature of the public key is invalid.
The solution for reinstalling WSUS will be the following:
Assuming WSUS is no longer installed, remove Windows Internal Database under Server Manager > Features.
Navigate to C:\windows and locate the folder sysmsi. Rename this folder to sysmsi_old.
Try to install WSUS again with the option to install the Windows Internal database.
If you are seeing the error below in the SQL Errorlog and the database has been patched, we have verified these instructions:
NOTE Errorlog is located at c:\windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Log
2012-06-14 11:39:40.93 spid53 Access to module dbo.spSetupLogin is blocked because the signature is not valid.
1) Stop WID using NET STOP MSSQL$MICROSOFT##SSEE
2) Backup the existing patched database files (file copy will work). Usually this is at C:\WSUS\UpdateServicesDbFiles (this location was chosen by the customer when they initially installed WSUS).
3) Start WID using NET START MSSQL$MICROSOFT##SSEE
4) Reinstall WSUS3 SP 2 to a new database (“Create a new Database”).
5) Reinstall the patch – IMPORTANT!
6) Stop WID using NET STOP MSSQL$MICROSOFT##SSEE
7) Restore the existing patched database by copying the files you backed up to C:\WSUS\UpdateServicesDbFiles
8) Start WID using NET START MSSQL$MICROSOFT##SSEE
9) Run the patch again with the following command (the patch should be able to add the missing signatures automatically):
WSUS-KB2720211-x64.exe C:\reinstallpatch.log
If it fails again, please send us the log files (C:\reinstallpatch.log, mwusca***, wsusca***, mwussetup***, wsussetup***, wsussetupmsi*** in your %temp% or %temp%\..).
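The "signature is not valid" errors quoted above from softwaredistribution.log and from the WID Errorlog can be summarised per SQL module to see which stored procedures are blocked and over what time span. The following is an added example, not part of the original post; the function name Get-WsusSignatureError is hypothetical and the sample lines are shortened copies of the ones quoted in this article.

```powershell
# Added example, not from the original post. Works on PowerShell 2.0 and later.
function Get-WsusSignatureError {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]] $Line
    )
    begin {
        $pattern = 'Access to module (?<module>\S+) is blocked because the signature is not valid'
        $hits = @{}
    }
    process {
        foreach ($text in $Line) {
            $m = [regex]::Match($text, $pattern)
            if (-not $m.Success) { continue }
            $name = $m.Groups['module'].Value
            # Both logs quoted in the post start each line with "date time".
            $stamp = ($text.Trim() -split '\s+')[0..1] -join ' '
            if (-not $hits.ContainsKey($name)) {
                $hits[$name] = New-Object psobject -Property @{
                    Module = $name; Hits = 0; First = $stamp; Last = $stamp
                }
            }
            $entry = $hits[$name]
            $entry.Hits++
            if ($stamp -lt $entry.First) { $entry.First = $stamp }
            if ($stamp -gt $entry.Last)  { $entry.Last  = $stamp }
        }
    }
    end { $hits.Values | Sort-Object Module }
}

# Constructed sample: the log lines quoted in the post, shortened with "...".
$sample = @(
    '2012-06-15 19:26:36.976 UTC Error w3wp.8 ... Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.',
    '2012-06-15 19:26:03.778 UTC Warning w3wp.8 ... Access to module dbo.spConfiguration is blocked because the signature is not valid.',
    '2012-06-15 19:26:03.778 UTC Error w3wp.8 ... Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.',
    '2012-06-14 11:39:40.93 spid53 Access to module dbo.spSetupLogin is blocked because the signature is not valid.'
)
$sample | Get-WsusSignatureError | Format-Table Module, Hits, First, Last -AutoSize

# Against a real log: Get-Content <path to log> | Get-WsusSignatureError
```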
Joao Madureira | Senior Support Escalation Engineer
The KB mentioned in the blog url and the heading is incorrect: WSUS KB272011 : Common issues encountered and how to fix them
It should be KB2720211.
What about the issue with "WSUSSignDb.cer", "WSUSSignDb.dll", and "WSUSSignDb.sql" not being extracted to the correct directories, causing patch failure followed by an incomplete roll-back, causing WSUS to become completely non-functional until manual patching is done?
Is there any progress in investigating the WSUS Health Checks issues?
After the update wsus seems to still work, eventlog logs a lot of error messages and starting up the wsus console can take a considerable time.
Does this mean I need to reinstall WSUS on master and all downstream servers?
Following these instructions I have been unable to get WSUS reinstalled. At this point I don't have WSUS installed after removing it and I have also lost my internal website after removing the internal database.
Agree with JGurtZ. Nothing in this article seems to help fix the problem. In the end it was Chucker2's post in
social.technet.microsoft.com/.../e918a191-ef6d-4c4b-b83a-7a4ae20a5217 that fixed the problem.
There is no "wsusmigrationexport3.exe" in my Windows EBS Management Server. How can I backup my configuration?
Sorry - I did not write version of Windows. It is 2008.
Does Microsoft plan on releasing a more stable version of this patch?
In the backup.bat file that was shown, What creates the c:\wsusbackup\configuration.xml file?
wsusutil.exe export c:\wsusbackup\metadata.cab c:\wsusbackup\metadata.log
The script fails with this error:
WsusMigration failed with the below exception!
System.IO.FileNotFoundException: Could not find file 'c:\wsusbackup\configuration.xml'.
I'm having the opposite issue... upgraded my WSUS with the KB... desktop clients seem to be auto-updating as well to .256 version. However, I've got a server that flatly refuses to update its client version. I've stopped the Windows Updates service, deleted the SoftwareDistribution folder and restarted the service on the troublesome server.
I'm just not seeing it state in the WindowsUpdate.log file that the required version is .256 and it won't update from the .226 version.
NOT GOOD ENOUGH MICROSOFT - DO YOU TEST BEFORE RELEASE ???
the gist of it (in order) is: backup your DB, uninstall WSUS, reinstall WSUS with blank DB, apply KB2720211, put your DB back, apply KB2720211 again (if need be)
I disagree with your statement on Issue #1. I have a brand new WSUS server (2008r2 x64) that no longer syncs after the KB. My old WSUS server has the hotfix and has no problems syncing with Microsoft... old server is 2003 x32.
So after I installed this hotfix on my Server 2003 WSUS box the MMC would no longer load. Our WSUS server was using a DB hosted on a SQL 2008 server, and we had renamed the DB and changed it in the registry. This machine was a VM so I reverted back to a recent snapshot. Tried a lot of fixes that I found via the web etc, installed again and it broke it again. It was very odd.
Wound up finally installing a brand new Server 2008 R2 VM and loading WSUS on it, transferring all the content for updates to the new server, install this hotfix so the clients that have the new version of the update agent work and BAM console won't load.
Anyway, I found out that when you run this hotfix apparently it will change your DB name back to the default SUSDB. So in our case we had moved the DB off of the internal SQL lite to an external SQL server, and renamed the DB to meet our naming conventions for DBs. We changed the DB name WSUS looked for via this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup and changed the SqlDatabaseName key. So after we installed this hotfix it automatically reverted our SqlDatabaseName key to SUSDB and that of course stops the console from loading. Once we changed this key back to point to our DB everything started working fine. Hope this helps someone else.
I would like to know however why this update automatically changes registry values, rather than reusing or pulling those values for the update process. We had NO IDEA this change was being made and only after weeks of troubleshooting figured out what this problem was.
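The registry change described in the last comment can be caught by recording the values under the WSUS Setup key before installing the hotfix and comparing them afterwards. This is an added example, not part of the original post or its comments; the function names are hypothetical, the sample server and database names are constructed, and it assumes the c:\wsusbackup folder created by backup.bat exists.

```powershell
# Added example, not from the original post. Works on PowerShell 2.0 and later.
$SetupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'

function Get-WsusSetupValues {
    param([string] $Key = $SetupKey)
    # Get-ItemProperty adds these provider properties; they are not registry values.
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $values = @{}
    foreach ($p in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($skip -notcontains $p.Name) { $values[$p.Name] = [string] $p.Value }
    }
    return $values
}

function Compare-WsusSetupValues {
    param([hashtable] $Before, [hashtable] $After)
    # Report every value that was added, removed or changed between snapshots.
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        if ($Before[$n] -ne $After[$n]) {
            New-Object psobject -Property @{
                Name = $n; Before = $Before[$n]; After = $After[$n]
            }
        }
    }
}

# Constructed sample values showing the change the comment describes.
$before = @{ SqlServerName = 'sql01.example.test'; SqlDatabaseName = 'WSUS_PROD' }
$after  = @{ SqlServerName = 'sql01.example.test'; SqlDatabaseName = 'SUSDB' }
Compare-WsusSetupValues $before $after | Format-Table Name, Before, After -AutoSize

# On the WSUS server:
#   before the hotfix: Get-WsusSetupValues | Export-Clixml c:\wsusbackup\setup-before.xml
#   after the hotfix:  Compare-WsusSetupValues (Import-Clixml c:\wsusbackup\setup-before.xml) (Get-WsusSetupValues)
```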