Why we recommend / require to run the Configuration Wizard also for Security fixes

This is a very common question: “I just installed some security fixes for SharePoint – do I have to run the SharePoint Configuration Wizard?”

The simple answer is: You should run the SharePoint Configuration Wizard (psconfigui.exe or psconfig.exe with the correct parameters) after all SharePoint fixes!

The more complex answer is here:

  • SharePoint Configuration Wizard updates the database schema to the latest version
  • SharePoint Configuration Wizard fixes security settings on the file system to match what SharePoint needs
  • SharePoint Configuration Wizard copies required binaries from the install location into the _app_bin directories of the web applications
  • SharePoint Configuration Wizard updates features registrations with SharePoint

Depending on which patch level you were before installing the security fix and depending on what component got fixed each of the above listed actions can be part of the security fix to be applied. E.g. some security fixes might require a modification of some stored procedures in a SharePoint database. Or security settings on the file system need to be updated to remove an attack vector. Or the fix is inside a DLL that usually resides in the _app_bin directory of the web application.

With other words: not running the configuration wizard after installing a SharePoint fix means that the fix is not completely applied and that means that specific security fixes might not be active without running PSCONFIG.

As a result let me repeat my initial answer: You should run the SharePoint Configuration Wizard (psconfigui.exe or psconfig.exe with the correct parameters) after all SharePoint fixes!

114 Comments


  1. Hi Stefan,

    are there any known problems if I install a security fix that is newer than my installed CU?

    Regards,
    Tobias

    Reply

  2. Hi Tobias,
    no there are no known issues.
    That is a fully supported scenario.
    Cheers,
    Stefan

    Reply

  3. Hi Tobias,

    We've noticed that the behavior of SP farm-deployment patches are very problematic. They tend to take an hour or more per patch to deploy, make calls to the SQL Server under the credentials of the administrator (which are denied since we only permit service
    account access), may or may not require reboots, and always take the site down during the duration of the patches. Is this normal behavior for the monthly farm-deploy security patches?

    Thank you.

    Reply

  4. Hi Yen,

    I'm not Tobias, but let me answer the question: the server where the fixes are installed will be affected as you mentioned. We recommend to remove the server where the fix is installed from load balancing. You can add it after the installation back to load balancing. The other servers in the farm will not be affected during installation. So update one server after the other.

    Same later when running PSCONFIG: run psconfig on the central admin server first – that will update the DB schema. Other servers should not be affected (or only for a very short time).
    Then run PSCONFIG on the other machines one after the others – again while removing the server from load balancing while running PSCONFIG.

    Cheers,
    Stefan

    Reply

  5. Sorry, mistyped name. Thank you for your answer, Stefan!

    Reply

  6. Hi Stefan,
    Reading your post I think I already know the answer, but just to double check: Should we do it even when on "Servers on the farm" in CA is showing "no action needed"? Some security patches flag the servers as "upgrade available" (I don't remember a security
    patch flagging any as "upgrade required" but it may be slipping my mind) and others don't, hence the question.

    Cheers
    Marco

    Reply

  7. Hi Marco,
    this information only informs about required db upgrades and is not related to the other operations.
    Cheers,
    Stefan

    Reply

  8. Thanks for the reply Stefan, wasn’t aware.

    Reply

  9. Hi Stefan,
    Do we need to run Configuration wizard for OP security Patches on SharePoint servers?

    Reply

  10. Hi Nani,
    not required for OS fixes. Only for SharePoint fixes.
    Cheers,
    Stefan

    Reply

  11. Hi Stefan,

    I understand your explanation of applying the fix to one server at a time (especially the WFEs after removing one server at a time from the load balancer) and starting the PSCONFIG with the CA server first.

    However I have seen that executing the PSCONFIG on the first CA server with all content DBs still attached to the farm, makes the PSCONFIG take a significantly long time to complete (depending upon the number and the size of each content DB).

    Also if there are missing/incorrectly installed solutions/feature/custom definitions, etc then the PSCONFIG could even fail sometimes after a very long time (e.g. if the content DBs are large). In such a case would it not be better to just detach all the content
    databases from the farm before executing PSCONFIG? You could then complete the PSCONFIG on all server fairly quickly and then manually (or through a script) "Mount" the content DBs to the appropriate web apps. Finally upgrade the content databases (using Upgrade-SpContentDatabase)
    to sync up the content DB versions too. The BIG negative of this is that the farm will have to be down for end users until the "mount" and "upgrade" is complete. However the above approach would become necessary if the farm is replete with missing/incorrectly
    installed solutions/feature/custom definitions and this is the worst nightmare for Farm Admins when deploying fixes/updates.

    Thoughts?

    Cheers
    AG

    Reply

  12. Hi AG,
    there are several ways to prevent these outages.
    You can run Upgrade-SPContentDatabase against the different content databases before running PSConfig, That will have the same effect as detaching / reattaching the databases as the config wizard will not have to upgrade the content databases.
    On top of that you can run Upgrade-SPContentDatabase with the -UseSnapshot option to create a read-only snapshot from before the upgrade which will ensure that the sites can still serve content during the upgrade.
    Or you can use the -NoB2BSiteUpgrade option to only upgrade the DB schema but not the different site collections within. Here you can use Upgrade-SPSite later to upgrade the different site collections in the content database.
    Cheers,
    Stefan

    Reply

    1. Can you elaborate more on “You can run Upgrade-SPContentDatabase against the different content databases before running PSConfig,”? Will this put the content DB at a version level higher than farm? I guess that is supported? Will that trigger any 14 to 15 compatibility mode upgrades (aka visual upgrade)?

      Reply

      1. Hi SPAdmin,
        yes, that is supported. This will not trigger a visual upgrade.
        Cheers,
        Stefan

        Reply

  13. Agreed on the end result of running the Upgrade-SPContentDatabases before running PSConfig. However, wouldn't the PSConfig fail if we have inorrectly installed solutions/features etc?

    Reply

  14. Quick question for you. Is it necessary to reboot the server before or after running config wizard? Do you have an article on what things can go wrong during psconfig and how to recover from those and bring the servers back up again resulting in less downtime?
    I am only worried about our production environment where it is critical to keep them running with minimal impact.

    Reply

  15. Hi Aligo,
    there is no need for a reboot related to the SharePoint config wizard.
    Here is an article with the most common problems:
    https://support.microsoft.com/en-us/kb/944267
    The article talks about MOSS 2007 but these things have not changed in more recent versions.
    Just ensure to use the more accurate PSCONFIG.EXE command listed here:
    http://blogs.technet.com/b/stefan_gossner/archive/2015/08/20/why-i-prefer-psconfigui-exe-over-psconfig-exe.aspx
    Cheers,
    Stefan

    Reply

  16. Hi Stefan, quick question.Are we required to run Configuration Wizard even after having a Patch level that’s post JULY 2015 CU?
    Sunil

    Reply

    1. Hi Sunil,
      all SharePoint fixes need PSConfig – but usually you can schedule a maintenance window one or two weeks later to run it.
      With July you have to run it right after installing the fix.
      Cheers,
      Stefan

      Reply

  17. It’s just a bit confusing(and frustrating) when the KB installation instruction does not contain any steps regarding running the Products and Technologies Wizard. I think that should be documented better. Otherwise it takes a lot of hassle to convince the Infrastructure guys/gals!
    Thanks for this article.

    Reply

  18. Hi Stefan,
    Is it true that upgrading a SharePoint 2013 machine will cause a reset of the distributed cache (thus affecting the newsfeed) ?
    I heard that in a multi-server farm, it is recommended to move the cache to a new server before upgrading.
    Is it true ? What would you recommend and could you please tell me how to stop the distributed cache and move it to a new server ?
    Thanks.
    Andy

    Reply

    1. Hi Andy,
      the distributed cache is not part of SharePoint itself.
      If you are installing it on the same box as SharePoint, then you need to gracefully stop the distributed cache on the SharePoint machine you plan to patch to ensure that it the cached content is sent to the other machines in the cache cluster. After the distributed cache service has been shut down gracefully you can patch the SharePoint machine, do reboots if required and so on.
      To gracefully shut down the distributed cache on a specific machine please use this command:
      Stop-CacheHost -HostName … -CachePort … -Graceful
      See here for details:
      https://technet.microsoft.com/en-us/library/jj219613.aspx#graceful
      Cheers,
      Stefan

      Reply

  19. Hi Stefan,
    Having inherited a SharePoint installation with a patch level of SP1 1st Release is a big challenge, but luckily I’ve found your posts greatly helpful. So after a long and careful research, I tried patching this simple 1x App server/farm and 1x SQL server configuration. After applying SP1 Release 3, Product Config Wizard repeatedly failed with an error related to UserProfileSynchonizationService. I already tried a lot of fixes I can find including STS/UPSS, but still cannot complete the wizard nor via PSCONFIG. I know this may not sound as a good idea, but can I proceed to a desired Cumulative Update (Dec. 2015) and try to rerun the wizard after?
    Regards,
    Trev

    Reply

    1. Hi Trev,
      sure that is ok. PSConfig is only required after all patches have been installed – not inbetween.
      Cheers,
      Stefan

      Reply

      1. Thank you Stefan. I did proceed with the Dec. 2015 Cumulative Update and unfortunately a number of the services became disabled after the restart. I’m now trying to figure out the startup type of these services (i.e. Claims to Windows Token, Document Conversions Launcher…, Document Conversions Load Balancer…, Forefront Identity Manager Synchronization…, IIS Admin Service, SharePoint Search Host Controller, SharePoint Server Search 15, SharePoint Timer Service, and SharePoint User Code Host). I’m tempted to just set them all to Automatic if unsuccessful in my search.
        Regards,
        Roberto

        Reply

  20. Hi Stefan,
    I have a sharepoint farm with 3 front end servers of SP2010 enterprise version, my issue is that the “sharepoint Admin” service is not starting after server restart, when i checked the event viewer it show , the service does not start in timely fashion of 30000 ms, i m banging my head daily , but not able to solve this issue. kindly help

    Reply

    1. Hi AV,
      Have you checked the account the service is running under? Maybe it has been disabled/expired, or the password has expired?
      Otherwise, please check the ULS logs for more details on why the service fails to start.
      Regards,
      Frank-Ove

      Reply

  21. Is it advisable to uninstall security fixes

    Reply

    1. Hi Anil,
      you cannot uninstall SharePoint fixes. Not even Security fixes.
      If you ask in General: Security fixes were released to fix Security vulnerabilities.
      Removing them would open your System for attacks against this Security hole.
      Cheers,
      Stefan

      Reply

  22. Hi Stefan,
    I just installed the November 2016 Security Update KB3118279 and wanted to know if it modifies anything with the SQL database? We do testing in our non-production environments on roll back. We are using VMware and take snapshots before the security update was applied. Once I perform the revert to snapshot and check I no longer see the update in Programs/Features in Windows 2012 but I do see it listed in Central Admin under Check Product and Patch Installation Status. If I do a Get-SPProduct -local it then changes to missing/required. The site functions just fine but I do not understand why it still shows in Central Admin. Also do you have to run psconfig on each server after this security patch KB3118279.
    Thanks,
    Mike

    Reply

      1. Stefan,
        Does it just update certain databases? I am trying to figure out what is needed for a rollback. We would prefer to just install the security updates when they happen versus the CU unless there is something that the CU fixes or adds that we need. Normally when I install a CU then you will see database upgrade required but that does not seem to be the case with this security update.
        Thanks,
        Mike Breeden

        Reply

        1. Hi Mike,
          sorry I don’t have an overview about all changes. In addition it also depends on your previous patch level – in theory all DB changes since RTM in all databases will be applied but depending on your previous patch level some of those might not be new changes.
          Cheers,
          Stefan

          Reply

  23. Hey Stefan,
    What is the difference between “Upgrade Available” vs “Upgrade required” in the server status?
    Do we need to run config in both cases?
    Thanks,
    Abhilash

    Reply

      1. Hi Stefan,

        we are currently having this situation with SharePoint 2016. During the weekend we created 1500 site collections per Powershell. Before the weekend the servers said: “No action required”. Since this action during the weekend the servers say: “Upgrade available”. The farm has no connection to the internet.

        What does this mean?

        Many thanks
        Sven

        Reply

  24. It seems you are answering this thread so I wanted to ask, is a PSCONIFG required between SP2 and a current CU in a SharePoint 2010 farm? Or can I apply all updates and then run PSCONFIG at the end?

    Reply

    1. You only have to run it once at the very end.

      Reply

  25. i have an old sharepoint 2007 WSS running on windows 2008 server. After the holidays, our it team installed a lot of patches and now our site just shows:
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/7.5
    Date: Thu, 09 Feb 2017 05:33:16 GMT
    Connection: close
    do I need to run the psconfig.exe to fix this is what I understand from your article?
    I am new to sharepoint so I am still not familiar with it and being so old and free version.
    thanks!

    Reply

    1. If these fixes included SharePoint fixes then the Answer is yes.

      Reply

      1. Hi Stefan.
        I just ran the psconfigui.exe but it did not solve the problem.. looking at the error log (upgrade.log) I notice these error… the read only is okay as it’s meant to be read-only unless we should remove that and then make it read only after the upgrade patch.
        SPManager] [ERROR] [2/9/2017 11:36:51 AM]: at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
        at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
        at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
        at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async)
        at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
        at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
        at Microsoft.SharePoint.Utilities.SqlSession.ExecuteNonQuery(SqlCommand command)
        at Microsoft.SharePoint.Upgrade.SPDatabaseSequence.ExecuteDataDefinitionMethodCore(SqlSession sqlSession, ISqlSession isqlSession, String sqlscript, SPSqlCommandFactory sqlcmdFactory, String[] strTables, Int32[] nThroughputs, SPLog logGlobal)
        at Microsoft.SharePoint.Upgrade.SPDatabaseSequence.ExecuteDataDefinitionMethod(SqlSession sqlSession, String sqlscript, SPLog log)
        at Microsoft.SharePoint.Upgrade.SPContentDatabaseSequence.Upgrade()
        at Microsoft.SharePoint.Upgrade.SPManager.Upgrade(Object o, Boolean bRecurse)
        at Microsoft.SharePoint.Administration.SPPersistedUpgradableObject.Upgrade(Boolean recursively)
        at Microsoft.SharePoint.Administration.SPContentDatabase.Upgrade(Boolean recursively)
        at Microsoft.SharePoint.Upgrade.SPManager.ReflexiveUpgrade(Object o, Boolean bRecurse)
        at Microsoft.SharePoint.Upgrade.SPManager.Upgrade(Object o, Boolean bRecurse)
        at Microsoft.SharePoint.Administration.SPPersistedUpgradableObject.Upgrade(Boolean recursively)
        at Microsoft.SharePoint.Upgrade.SPManager.ReflexiveUpgrade(Object o, Boolean bRecurse)
        at Microsoft.SharePoint.Upgrade.SPManager.Upgrade(Object o, Boolean bRecurse)
        at Microsoft.SharePoint.Administration.SPPersistedUpgradableObject.Upgrade(Boolean recursively)
        at Microsoft.SharePoint.Upgrade.SPManager.ReflexiveUpgrade(Object o, Boolean bRecurse)
        at Microsoft.SharePoint.Upgrade.SPManager.Upgrade(Object o, Boolean bRecurse)
        at Microsoft.SharePoint.Administration.SPPersistedUpgradableObject.Upgrade(Boolean recursively)
        at Microsoft.SharePoint.Upgrade.SPManager.ReflexiveUpgrade(Object o, Boolean bRecurse)
        at Microsoft.SharePoint.Upgrade.SPManager.Upgrade(Object o, Boolean bRecurse)
        at Microsoft.SharePoint.Administration.SPPersistedUpgradableObject.Upgrade(Boolean recursively)
        at Microsoft.SharePoint.Upgrade.SPManager.ReflexiveUpgrade(Object o, Boolean bRecurse)
        [SPManager] [ERROR] [2/9/2017 11:36:51 AM]: ReflexiveUpgrade [SPServer Name=OURSRV5 Parent=SPFarm Name=SharePoint_Config_dadf561f-bf7b-4ec8-acc1-6bd2fc6fc269] failed.
        [SPManager] [ERROR] [2/9/2017 11:36:51 AM]: Failed to update database “WSS_Content_Temp” because the database is read-only.
        [SPManager] [INFO] [2/9/2017 11:36:52 AM]: Inplace Upgrade session finishes. root object = SPFarm Name=SharePoint_Config_dadf561f-bf7b-4ec8-acc1-6bd2fc6fc269, recursive = True. 6 errors and 0 warnings encountered.

        Reply

        1. If the DB is read-only then PSConfig cannot update the database schema to the latest level and the upgrade will fail.

          Reply

          1. does it have to upgrade all the databases for it to upgrade properly?


          2. do all tne databases have to be upgraded for it to work properly. the original owner made the database read-only for legacy purposes. should I remove it and try the psconfigui.exe again?
            i try to do different fixes and another errors come up.


          3. Hi Dave,
            you can also detach the databases you don’t want to upgrade, run PSConfig and then re-attach them using Mount-SPContentDatabase with the -NoB2BSiteUpgrade switch.
            Cheers,
            Stefan


      2. So I changed the web,config customerror parameter to show more detailed error and now I get this displayed on the website ..
        Server Error in ‘/’ Application.
        Unknown error (0x80005000)
        Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
        Exception Details: System.Runtime.InteropServices.COMException: Unknown error (0x80005000)
        Source Error:
        An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
        Stack Trace:
        [COMException (0x80005000): Unknown error (0x80005000)]
        System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +557
        System.DirectoryServices.DirectoryEntry.Bind() +44
        System.DirectoryServices.DirectoryEntry.get_IsContainer() +42
        System.DirectoryServices.ChildEnumerator..ctor(DirectoryEntry container) +36
        System.DirectoryServices.DirectoryEntries.GetEnumerator() +36
        Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.System.Web.IHttpModule.Init(HttpApplication app) +704
        System.Web.HttpApplication.InitModulesCommon() +124
        System.Web.HttpApplication.InitInternal(HttpContext context, HttpApplicationState state, MethodInfo[] handlers) +1162
        System.Web.HttpApplicationFactory.GetNormalApplicationInstance(HttpContext context) +312
        System.Web.HttpApplicationFactory.GetApplicationInstance(HttpContext context) +133
        System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +196
        Version Information: Microsoft .NET Framework Version:2.0.50727.4984; ASP.NET Version:2.0.50727.4971

        Reply

        1. Hi Dave,
          this looks to me more like an IIS issue than a SharePoint issue.
          The initialization of the http modules seems to fail in talking to IIS using the System.DirectoryServices.DirectoryEntries class.
          Cheers,
          Stefan

          Reply

          1. so how do I go about fixing it? I have no idea… the patch created all these problems and now I know why people recommend to stay away from Sharepoint lol


          2. Hi Dave,
            if you need assistance with troubleshooting you should open a support case with Microsoft.
            Cheers,
            Stefan


  26. Hi Stefan,
    I was able to get my 2007 WSS site to a workable state now and ran the configuration wizard this time with success.
    However, I made a small change to the web.config and just in case, I tried to run the configuration wizard again to ensure, everything is still fine when I came across this error..
    Is there a sharepoint configuration wizard log file somewhere where I can find out why this is now happening?
    Thanks
    System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
    at Microsoft.SharePoint.Library.SPRequest.OpenWeb(String bstrUrl, String& pbstrServerRelativeUrl, String& pbstrTitle, String& pbstrDescription, Guid& pguidID, String& pbstrRequestAccessEmail, UInt32& pwebVersion, Guid& pguidScopeId, UInt32& pnAuthorID, UInt32& pnLanguage, UInt32& pnLocale, UInt16& pnTimeZone, Boolean& bTime24, Int16& pnCollation, UInt32& pnCollationLCID, Int16& pnCalendarType, Int16& pnAdjustHijriDays, Int16& pnAltCalendarType, Boolean& pbShowWeeks, Int16& pnFirstWeekOfYear, UInt32& pnFirstDayOfWeek, Int16& pnWorkDays, Int16& pnWorkDayStartHour, Int16& pnWorkDayEndHour, Int16& pnMeetingCount, Int32& plFlags, Boolean& bConnectedToPortal, String& pbstrPortalUrl, String& pbstrPortalName, Int32& plWebTemplateId, Int16& pnProvisionConfig, String& pbstrDefaultTheme, String& pbstrDefaultThemeCSSUrl, String& pbstrAlternateCSSUrl, String& pbstrCustomizedCssFileList, String& pbstrCustomJSUrl, String& pbstrAlternateHeaderUrl, String& pbstrMasterUrl, String& pbstrCustomMasterUrl, String& pbstrSiteLogoUrl, String& pbstrSiteLogoDescription, Object& pvarUser, Boolean& pvarIsAuditor, UInt64& ppermMask, Boolean& bUserIsSiteAdmin, Boolean& bHasUniquePerm, Guid& pguidUserInfoListID, Guid& pguidUniqueNavParent, Int32& plSiteFlags, DateTime& pdtLastContentChange, DateTime& pdtLastSecurityChange, String& pbstrWelcomePage)
    at Microsoft.SharePoint.SPWeb.InitWeb()
    at Microsoft.SharePoint.SPWeb.get_WebTemplate()
    at Microsoft.SharePoint.SPEvaluatorModeProvisioning.TryGetIsSiteProvisioned(String template, String relativePath, Nullable`1 port, SPSite& provisionedSite, SPWeb& provisionedWeb, Uri& provisionedUri)
    at Microsoft.SharePoint.PostSetupConfiguration.WelcomeForm.ShowNextFormForServerRoleSingleServer()
    at Microsoft.SharePoint.PostSetupConfiguration.WelcomeForm.PsconfigBaseFormNextButtonClickedEventHandler(Object sender, EventArgs e)
    at System.Windows.Forms.Control.OnClick(EventArgs e)
    at System.Windows.Forms.Button.WndProc(Message& m)
    at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
    at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
    ************** Loaded Assemblies **************
    mscorlib
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4984 (win7RTMGDR.050727-4900)
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v2.0.50727/mscorlib.dll
    —————————————-
    psconfigUI
    Assembly Version: 12.0.0.0
    Win32 Version: 12.0.6500.5000
    CodeBase: file:///C:/Program%20Files/Common%20Files/Microsoft%20Shared/Web%20Server%20Extensions/12/BIN/psconfigui.exe
    —————————————-
    System.Windows.Forms
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4986 (win7RTMGDR.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
    —————————————-
    System
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4985 (win7RTMGDR.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
    —————————————-
    System.Drawing
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4985 (win7RTMGDR.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
    —————————————-
    System.Configuration
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
    —————————————-
    System.Xml
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
    —————————————-
    Microsoft.SharePoint
    Assembly Version: 12.0.0.0
    Win32 Version: 12.0.6690.5000
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.SharePoint/12.0.0.0__71e9bce111e9429c/Microsoft.SharePoint.dll
    —————————————-
    Microsoft.SharePoint.SetupConfiguration.Intl
    Assembly Version: 12.0.0.0
    Win32 Version: 12.0.6500.5000
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.SharePoint.SetupConfiguration.intl/12.0.0.0__71e9bce111e9429c/Microsoft.SharePoint.SetupConfiguration.intl.dll
    —————————————-
    System.ServiceProcess
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.ServiceProcess/2.0.0.0__b03f5f7f11d50a3a/System.ServiceProcess.dll
    —————————————-
    System.Data
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_64/System.Data/2.0.0.0__b77a5c561934e089/System.Data.dll
    —————————————-
    Microsoft.SharePoint.Security
    Assembly Version: 12.0.0.0
    Win32 Version: 12.0.4518.1016
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.SharePoint.Security/12.0.0.0__71e9bce111e9429c/Microsoft.SharePoint.Security.dll
    —————————————-
    System.Transactions
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_64/System.Transactions/2.0.0.0__b77a5c561934e089/System.Transactions.dll
    —————————————-
    Microsoft.SharePoint.Search
    Assembly Version: 12.0.0.0
    Win32 Version: 12.0.6604.1000
    CodeBase: file:///C:/Windows/assembly/GAC_64/Microsoft.SharePoint.Search/12.0.0.0__71e9bce111e9429c/Microsoft.SharePoint.Search.dll
    —————————————-
    msvcm80
    Assembly Version: 8.0.50727.6195
    Win32 Version: 8.00.50727.6195
    CodeBase: file:///C:/Windows/WinSxS/amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294/msvcm80.dll
    —————————————-
    System.Web
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4971 (win7RTMGDR.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_64/System.Web/2.0.0.0__b03f5f7f11d50a3a/System.Web.dll
    —————————————-
    System.DirectoryServices
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4985 (win7RTMGDR.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.DirectoryServices/2.0.0.0__b03f5f7f11d50a3a/System.DirectoryServices.dll
    —————————————-
    Microsoft.SharePoint.Library
    Assembly Version: 12.0.0.0
    Win32 Version: 12.0.6672.5000
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.SharePoint.Library/12.0.0.0__71e9bce111e9429c/Microsoft.SharePoint.Library.dll
    —————————————-
    Microsoft.SharePoint.AdministrationOperation
    Assembly Version: 12.0.0.0
    Win32 Version: 12.0.6662.5000
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.SharePoint.AdministrationOperation/12.0.0.0__71e9bce111e9429c/Microsoft.SharePoint.AdministrationOperation.dll
    —————————————-
    System.EnterpriseServices
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_64/System.EnterpriseServices/2.0.0.0__b03f5f7f11d50a3a/System.EnterpriseServices.dll
    —————————————-
    ************** JIT Debugging **************
    To enable just-in-time (JIT) debugging, the .config file for this
    application or computer (machine.config) must have the
    jitDebugging value set in the system.windows.forms section.
    The application must also be compiled with debugging
    enabled.
    For example:
    When JIT debugging is enabled, any unhandled exception
    will be sent to the JIT debugger registered on the computer
    rather than be handled by this dialog box.

    Reply

    1. You can find the PSCDiagnostics log file in the following folder:
      C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\LOGS

      Reply

  27. Hi Stefan,
    Thank you for Nice article .
    I have Question.
    Is there any Order need to follow to run PS config in SharePoint farm after patching ( like we need to run PS Cfg Wizard on Central Admin Server first and WFEs later)? if yes, Why?
    It took me more than 7 hours to install CU on one of my server in farm using command “OPUtil.vbs /ApplyPatch /SUpdateLocation=”f:\CU\extract, why it is so?
    Thanks

    Reply

    1. This question is for SharePoint 2013 Nov 16 CU on Azure Env.

      Reply

  28. Hi Stefan, do you have any information on the various errors that are generated by SharePoint Config wizard and how to fix them. We are currently dealing with the wizard stopping on Step 8 with the error “Failed to Install the Application Content Files.” Tried various recommended solutions but so far nothing has worked.

    Reply

    1. This step copies files from the sharepoint ISAPI directory to the _app_bin directory of each web application.
      The PCSDiagnostics log should have more info about where the problem occurs.

      Reply

  29. HI Stefan,
    we have installed SharePoint Security Patch update KB3191840 on server environment.
    But we havn’t faced any issues now.
    we will run configuration wizard on servers.Please confirm.
    Thanks
    Selvakumar S

    Reply

    1. Yes, you should run PSConfig.

      Reply

  30. Hi Stefan,
    We have applied SharePoint patches in Aug 2016, we only ran “PSConfig.exe -cmd upgrade -inplace b2b -wait force” in “Node1” (One of our two SharePoint servers).
    Sometime later, we got the following error from CA:
    Title: Product / patch installation or server upgrade required.
    Severity: 1 – Error
    Explanation: All required products must be installed on all servers in the farm, and all products should have the same patching and upgrade level across the farm.
    Upgrade is required on server Node2. Without the upgrade, the server is not in a supported state.
    Remedy: On server Node2, once all required products and/or patches are installed, perform an upgrade by either running PSConfigUI.exe or by executing the command “PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures”. If a former upgrade attempt has failed, you may need to resolve upgrade specific issues before attempting upgrade again. Refer to the upgrade status page (https://node1:2575/_admin/UpgradeStatus.aspx) for information about current and prior upgrade attempts, and to determine issues that may be preventing upgrade from succeeding. For more information about this rule, see “http://go.microsoft.com/fwlink/?LinkID=142700”.
    Could we ran the PSConfig.exe in our Node2 now? It has been running in such situation for a long time….
    Regards,
    Koni

    Reply

    1. Yes you should run PSConfig on node 2.

      Reply

  31. Hi Stefan,
    I made a request to the database
    Use SharePoint_Config
    SELECT Version
    From versions
    WHERE VersionId = ‘00000000-0000-0000-0000-000000000000’
    ORDER BY Id DESC
    Version
    14.0.7155.5000
    14.0.7145.5000
    14.0.7015.1000
    14.0.6120.5000
    14.0.6117.5002
    14.0.6109.5002
    As far as I understand, you need to update PSConfig
    I tried running PSConfig with different parameters,
    But the successful completion stops the error:
    Crash when preparing the SharePoint Central Administration Web application. Exception of type System.Xml.XmlException. More information about the exception: the character ‘[‘, the hexadecimal value 0x5B, can not be included in the name. Line 1, position 1463. System.Xml.XmlException: the character ‘[‘, the hexadecimal value 0x5B, can not be included in the name. Line 1, position 1463. in System.Xml.XmlTextReaderImpl.Throw (e exception) in System.Xml.XmlTextReaderImpl.ParseElement () in System.Xml.XmlTextReaderImpl.ParseDocumentContent () in System.Xml.XmlLoader.ParsePartialContent (XmlNode parentNode, String innerxmltext, XmlNodeType nt) in System.Xml.XmlLoader.LoadInnerXmlElement (XmlElement node, String innerxmltext) in Microsoft.SharePoint.Administration.SPWebConfigFileChanges.ApplyModificationsWebConfigXmlDocument (XmlDocument xdWebConfig, String path to the file) in Microsoft.SharePoint.Administration.SPWebApplication.ApplyWebConfigModifications () In Microsoft.SharePoint.Administration.SPWebApplication.Provision () in Microsoft.SharePoint.Administration.SPAdministrationWebApplication.Provision () in Microsoft.SharePoint.Administration.SPWebServiceInstance.Provision () in Microsoft.SharePoint.PostSetupConfiguration.CentralAdministrationSiteTask.ProvisionAdminVs () In Microsoft .SharePoint.PostSetupConfig Uration.CentralAdministrationSiteTask.Run () in Microsof t.SharePoint.PostSetupConfiguration.TaskThread.ExecuteTask ()
    In ULS:
    The database “SharePoint_Config” in the instance of SQL Server “XXXXX” is not empty and does not correspond to the current database schema.

    Reply

    1. Hi Argo,
      I would recommend to open a case. There seem to be mulitple issues here. The first indicates a problem in a web.config file of a web application, the second an issue with your config database.
      Cheers,
      Stefan

      Reply

  32. Hi Stefan, I forgot to gracefully shut down the distributed cache before installing MOSS 2013 SP1. Now the SharePoint Configuration Wizard doesnt run sucessfully. I got ‘Microsoft.SharePoint.Upgrade.SPUpgradeException’ Erro on loading one or more types. Tried to reinstall the appfabric service manually, but not lock. Do you have any further suggestion?

    Reply

    1. Hi Sven,
      these two things should be unrelated. If you are not gracefully shutting down distributed cache you will loose cache content – but you will not run into an upgrade exception.
      If you cannot resolve the SPUpgradeException on your own I would recommend to open a support case with Microsoft.
      Cheers,
      Stefan

      Reply

  33. How do you know if a SharePoint patch modifies the Microsoft.SharePoint.dll prior to running psconfig?

    Reply

    1. The file is not modified by PSConfig but by the installer. So you can check on the file system.

      Reply

  34. Hi stefan,
    My client has SP environment on windows azure with SP 2016 version.
    can i disable the automatic updates?.
    one worry – updates have been installed automatic but no config wizard run since 4 months.What is the
    better approach to come out of this situation?.
    Regards,
    AMK

    Reply

    1. Hi AMK,
      SharePoint fixes are only installed if you are using Microsoft Update – not when using Windows update.
      For SharePoint farms it is recommended to plan ahead of installing the fixes and testing them first in a test environment.
      So it is recommended not to use Microsoft Update but only Windows Update.
      Thanks,
      Stefan

      Reply

  35. Hello Stefan,
    Can I club multiple security update and run psconfig once in every 6 months ? I have sharepoint 2013 environment where we cannot run psconfig every month considering the outage on applications. In order to get excluded to security vulnerabilities, we can install security update every month and run psconfig along with 6th month security update. Will this work or have any impact ?

    Reply

    1. Hi Jollgin,
      from you statement I see that your assumption is that security fixes are only implemented in the dlls we ship. This assumption is not always correct. Some security fixes are implemented by changes in stored procedure or function in the SQL database. By delaying to run PSCONFIG you will delay applying the updates in the SQL database including the implementation of potential security fixes here.
      From a technical perspective you can of course delay it and run PSCONFIG only once but in this case you need to run the Install-SPApplicationContent CmdLet on each SharePoint machine after installing the fixes to ensure that the updated dlls are copied to the right directories.
      Cheers,
      Stefan

      Reply

  36. Hi Stefan,
    I am confused. We have a 2013 farm and the security teams keeps pinging us saying that we did NOT install the May 2018 patches.

    Last week we did maintenance and installed the Nov patches. So this week we downloaded the May 2018 patches and installed them. Everything looked to be ok as we had no errors. So we looked at the file versions and compared them to what is in the KB. The KB says the file version for say Microsoft.sharepoint.portal.dll should now be 15.0.5027.1000. Our file version number is still 15.0.5001.100. I’m lost.. Will PSConfig or InstallApplicationContent fix this file version issue?

    Thank you
    Robert

    Reply

    1. Hi Robert,
      did you install KB 4018390?
      If yes, did you verify the correct file? I ask because the Version number you see is correct for the Microsoft.SharePoint.Portal.intl.dll – not for the Microsoft.SharePoint.Portal.dll
      Cheers,
      Stefan

      Reply

  37. Hi Stefan,
    Might be my typo. the version number we show should be 15.0.5001.1000 (forgot a zero on the end). We do not see a Microsoft.SharePoint.Portal.intl.dll either. The report we get says it is file is …\15\ISAPI\microsoft.sharepoint.portal.dll.
    Im pretty sure we installed KB 4018390 back in May. But since they say it was never installed, we just tried installing KB 4018390 again installed KB 4018390. When I look at CA>Check Product and patch notifications, I see that all the monthly patches up to Nov have been applies and superseded also. Again not sure why the file version number is still showing and old version number… According to the KB info that KB should have changed the version of microsoft.sharepoint.portal.dll to 15.0.5027.1000

    Thanks!

    Reply

    1. In this case I would recommend to open a support case with Microsoft to get this analyzed.

      Reply

  38. Hi Stefan,

    We generally, update the patches 6 months once, The SharePoint 2010 farm contains, SharePoint Server 2010 & Office web apps.

    firstly, install the SharePoint server 2010 CU , run SP configuration Wizard an restart the server
    secondly, install the Office web apps and again run the SP configuration wizard.

    Q1 – Is it ok to run the SP configuration wizard after installation of SP server 2010 & Office web apps?
    Q2 – Do I need to restart the server after SP server 2010 CU installation?
    Q3 – Is Office web apps 2010 security updates from Mar 2018 to till now is all CU updates? If I install latest security patch Jan 2019, it’s not allowing to install previous Office web apps like Dec2018,Nov 2018.

    Q1: after installation of SharePoint server 2010 CU, Do need to run SP Configuration Wizard before installation of Office web apps security patches?

    Reply

    1. Q1: yes
      Q2: usually not. Sometimes files are in used and the fix Installation will tell you that the server has to be restarted.
      Q3: yes
      second Q1: no.

      Reply

  39. Hi Stefan,

    SP f2010 arm contains 2 WFEs & 4 APP server, Is to install SP server 2010 latest patches parallel in all servers or is it mandatory to install patches in all server sequencly

    Reply

    1. Hi Stefan,

      Is it ok to run SP configuration wizard parallel in all the server WFE & APP

      Reply

      1. Hi Prasad,
        you need to run it on one server and wait for it to be completed.
        That will update all the databases.
        Afterwards you can run it in parallel on all other machines.
        Running it in parallel on all machines from the beginning is not supported.
        Cheers,
        Stefan

        Reply

    2. You can install them in parallel.

      Reply

      1. Thanks for your clarification Stefan

        Reply

  40. Hi Stefan

    We are in a plan to upgrade the SQL version from 2008 to 2012 on SharePoint 2010. We have nintex froms and workflows in our application.How can we proceed to upgrade:

    Is it possible for us to upgrade as we have AD syncing to user profiles.
    We have a DB called Identity where SharePoint fetches data from this Identity DB.

    What are the precautions(like cnnection parameters… etc) that has to be taken care of before and after the upgrade.

    Your humble response is appreciated in advance.

    Thanks
    Gowtham

    Reply

    1. Hi Gowtham,
      this is a pretty complex scenario with various different things to consider.
      I would recommend to open an advisory case with Microsoft support for this.
      Cheers,
      Stefan

      Reply

  41. Hi Stefan,

    Is this still the recommend best practice, to run psconfig after each security fix? also for SP2016/SP2019?

    Reply

    1. Yes of course.
      The good thing is that with SP2016 and SP2019 you can run it in the middle of the day without a maintenance window as Psconfig no longer causes a downtime.

      Cheers,
      Stefan

      Reply

    1. Hi Harold,
      thanks for the info!
      Seems during the blog migration this link did not get updated correctly. I have now manually fixed the link.
      Cheers,
      Stefan

      Reply

  42. Hi
    I am in stuck on 9/10 task – for SP confiuration wizard from last 4 hours and i am not sure if it is progressing or do i need to cancel this and restart again. There are logs but not clear and nothing related to somthing wrong. However it captured unknow error ? can you please help

    Reply

    1. Hi Arshpreet,
      sound as if it in the step where database upgrades happen. This can take a while depending on the number and sizes of databases connected to your farm and also depending on the performance of your SQL server.
      If it is still stuck I would suggest to open a support case with Microsoft to get this analyzed.
      Cheers,
      Stefan

      Reply

  43. We are getting untrusted domain issues from our Sharepoint to Database Servers.
    Can we run the config wizzard for this issue ?
    Can anyone pls reply

    Reply

  44. do you think psconfigui.exe need to be run on regular basis ? pls advice
    Recently encounter IIS down intermittently, will run this psconfigui.exe could resolve the issue also ?

    Reply

    1. Hi Ray,
      psconfigui.exe only has to be run after you applied a SharePoint fix.
      Cheers,
      Stefan

      Reply

  45. Hi Stefan,
    We are trying to install SharePoint 2013 CU with Zero Down Time. would it cause any issues if we patch a group of servers first and run the config wizard on them and then proceed with other set of servers in the farm?

    Reply

    1. Hi Amit,

      it is not possible to patch SP2013 with zero downtime. Zero downtime can only be achieved with SP2016 and SP2019.
      After running Psconfig in your scenario the unpatched servers will not be able to connect to the database.

      Cheers,
      Stefan

      Reply

  46. Hi ,
    I have an issue in Sharepoint 2019,Developer added some custom categories to Diagnostic logins,we tried to add new server to the share point farm and tried to run the config wizard,after running config wizard,those custom added logins are getting removed.Do u have any idea,will the config wizard remove the customs things from Diagnostic logins

    Reply

  47. Hi Stefan
    I have recently installed SharePoint 2019 with single server role. There are 2 web applications as of now
    i.e. One if for Central Administration (Created during installation) and 2nd one is created by me.
    I was facing some issue with APP fabric, so I ran some commands to fix it but now I cannot see Central Administration service in the Central Admin.
    I ran install-spservice, but still it is not visible.
    So should I run the product config wizard. And if yes then will it affect my existing 2 web applications and site collections under that?
    Also will new Central Admin Web application created and new url will get generated?

    Reply

    1. Hi Gaurav,
      the sharepoint configuration wizard will not change existing web applications or site collections.
      It will also not create a new Central Admin Web application if not requested.
      Cheers,
      Stefan

      Reply

  48. Hi Stephan I have a SP2013 farm database version 15.0.5249.1001 issue where my two App servers say “Upgrade Blocked” and my four web front ends say “Installation Required” I have tried several things. The last was to install CU for August 2020 on all servers to bring them up to the same install level. We run the configuration wizard every other downtime, it has not been run since June at this point. Can you suggest anything to resolve the issue so I can run the configuration wizard?

    Reply

    1. Hi Gina,
      hard to say by just reading this information. I would recommend to open a support case with Microsoft to get this analyzed in more detail.
      Cheers,
      Stefan

      Reply

  49. Hi Stefan, First thank you for these blogs posts that help me out tremendously. I have a question. We upgraded SP 2010 foundation web apps to SP 2013 foundation using database backup and restore. We have not performed the visual upgrade yet.

    When the 2013 servers are patched and psconfig ran would it cause any issues?

    Also, would the psconfig automatically also execute upgrade-spsite to upgrade the visual look and feel ( we don’t want this yet)?

    Thank you

    Reply

    1. Hi Jem,
      PSConfig should not upgrade the visual look and feel.
      The visual look and feel is not related to the patch level.
      Cheers,
      Stefan

      Reply

  50. Thanks Stefan for helping us out in various issues
    I have SharePoint 2019 server with two front-end and one SQL server linked to it, I came across with one issue which is related to SharePoint search service application.
    When I tried create a new search service in CA, It keep popping with error which says “Error were encountered during the configuration of search service application System.invalidOperationException: Operation is not valid due to the current state of the object……”

    I installed Windows updates after this error started popuping, Do I need to run PSconfiguration wizard?

    Please help….

    Reply

    1. Hi Amit,
      the error is a generic and might require deeper analysis to identify the issue.
      In case that you configured Windows Update to also install updates for other Microsoft products it might be that SharePoint security fixes got installed.
      In addition PSConfig fixes certain configuration issues on your machine like permissions and registered features and services.
      I would recommend to test if running PSConfig fixes the issue and if not, my recommendation would be to open a support case with Microsoft to get this analyzed.
      Cheers,
      Stefan

      Reply

  51. Hi Stefan,
    We have recently been facing sharepoint config cache issue on one of the servers of our farm where also the central admin resides. After running the configuration wizard, it fails mentioning that the access is denied on one of the xml files present in the sharepoint configuration cache location. I was able to observe a couple of. tmp files being generated in the config cache location, I tried to clear the configuration cache after stopping the timer service, but was able to observe that the exact xml file on which the access denied error was observed does not get deleted and I have to delete (shift + delete) it explicitly and after restarting the timer service the explicitly deleted xml file along with its. tmp file (with same guid) gets recreated and the config wizard fails again, also I have observed that the cache. Ini file does get updated which was changed to 1 before restarting the timer service. Could you please help me with this.

    Reply

    1. Hi Fayaz,
      I haven’t seen that.
      What I would suggest is to ensure that the config cache location is excluded in any installed virus scanner.
      If this does not help I would recommend to open a support case with Microsoft.
      Cheers,
      Stefan

      Reply

  52. Hi Stefan,
    I am trying install Security Update for Microsoft SharePoint Server 2019 Core KB5002229 but end up with “The update is already installed on this system”. But i could not find the KB in installed list. Can you please let me as the server is not compliant.

    Reply

    1. Hi Sengu,
      this is the language independent part of July 2022 CU for SharePoint Server 2019.
      You will get this message if either this fix has already been installed or if a later fix for the language independent part of SharePoint Server 2019 has been installed.
      Please verify if a new fix for this component was already installed. As SharePoint fixes are cumulative the newer fix for the language indepdent part will include KB5002229.
      Cheers,
      Stefan

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.