Known Issues with KB3148812


UPDATE: A newer post regarding KB3148812 is published at http://blogs.technet.com/b/wsus/archive/2016/04/22/what-you-need-to-know-about-kb3148812-part-two.aspx.

Hi WSUS admins, just a quick post to let you know that we've received word of some issues happening (e.g., WSUS admin console is inaccessible, clients can't contact WSUS) in the wild after installing KB3148812.  It is critical functionality; however, you don't lose anything by skipping installation until we publish media that leverages this scenario, which will not be happening this month.  For now, feel free to remove the patch if it's causing you problems, and we'll get to the bottom of the issues that have been reported.  If you'd like to assist in resolving this, then please Email Blog Author and we'll follow up with you. 

We appreciate your patience while we get this sorted.


Comments (74)

  1. W. Jack Kessler says:

    Thanks, uninstalling this fixed my borked 2012 R2 update server.

  2. Update: We’ve identified the root cause, and the good news is that this is not an issue of code quality. The package is good as is, but it requires some additional manual steps to be taken afterward in order to realign the moving parts of the system. More
    information on that will be available via the KB article and this blog later this week.

  3. George says:

    Thank you, i was struggling with this issue for two hours.

  4. TD says:

    Is there an issue with
    Cumulative Update for Windows 10 Insider Preview (Build 14295): April 18, 2016 / KB3154879 ?
    My WSUS won’t download this update:

    Content file download failed.
    Reason: File cert verification failure.
    Source File: /d/msdownload/update/software/crup/2016/04/windows10.0-kb3154879-x86_f2c8538631162c1c3c168a9b88a95813bb3f8bfc.psf

    This is the only update that won’t download, all older and newer work fine.
    And the x64 Version also downloaded fine.

  5. DaddyPig says:

    Having the same issue below, file came down on the 14/04/2016 – seems signed with the wrong cert (developer).

    Content file download failed.
    Reason: File cert verification failure.
    Source File: /d/msdownload/update/software/crup/2016/04/windows10.0-kb3154879-x86_f2c8538631162c1c3c168a9b88a95813bb3f8bfc.psf

  6. DaddyPig says:

    also this one.. same KB3154879

    Content file download failed.
    Reason: File cert verification failure.
    Source File: /d/msdownload/update/software/crup/2016/04/windows10.0-kb3154879-x86_c7b4d1ac4829121785ae79b2df7550004eca089f.cab

    Destination File: w:wsusWsusContent9FC7B4D1AC4829121785AE79B2DF7550004ECA089F.cab

  7. Eugene says:

    Uninstall of this update fixed my WSUS that was not starting.

  8. Ilya says:

    The issue is that patch does not create required columns in SUSDB:
    dbo.tbFile.IsSecure.sys.bit(1)
    dbo.tbFile.DecryptionKey.sys.varbinary(-1)
    dbo.tbFile.IsEncrypted.sys.bit(1)
    however the schema validation DLL (SUSDBVerify.dll) is checking for them thus at times of DB startup it stays in Recovery Pending state…

  9. None says:

    best thing in the world… install linux, microsoft has never be trustworth or reliable. so much time wasted fixing problems they caused, they should get a bill from every business that wastes time fixing problems like this that they cause

  10. anonymouscommenter says:

    L’équipe WSUS a publié un billet pour alerter d’un problème pouvant survenir sur un Serveur WSUS après l’application de la KB3148812 . Dans ce cas, la console d’administration WSUS devient inaccessi

  11. BooBoo says:

    First of all it wouldn’t be a true comment section without some Linux fanboy touting how amazing his OS is…amazing..

    Second of all, I am getting the same error on a Windows 2008 R2 server for the same windows 10 download so there may also be something wrong with that patch..

    Content file download failed. Reason: File cert verification failure. Source File: /d/msdownload/update/software/crup/2016/04/windows10.0-kb3154879-x86_c7b4d1ac4829121785ae79b2df7550004eca089f.cab

  12. Bill_Tunney says:

    What can you do when uninstalling it doesn’t work?

  13. Dave Smith says:

    Uninstalled the update. WSUS still won’t connect. Server 2012R2. Looks like I’ll be restoring from backups.

  14. Solvetech says:

    Uninstalling the update worked for me too

  15. Bad Dos says:

    How can you possibly say this was good code that needed a manual update. Failing to upgrade the databases is bad code!

  16. David Weston says:

    Our 2012 R2 server needed to be rebooted twice after installing the update to get things working properly again.

  17. David Weston says:

    Uninstalling I mean!

  18. jim says:

    Where to I send a bill to recoup for my lost day spent on this?

  19. russell says:

    I don’t see this patch for Windows Server 2012 in our WSUS list, only for Win 8.1. Did it get pulled?

  20. Tom-Rune says:

    Russel, Yeah, looks like it got pulled. Can’t see it anymore when I sync/update my servers at work. Have to do another sync on my wsus-server at home to be sure though as it is the only system I got that downloaded the patch in the first place..

    Unistalling the offending patch and rebooting my (home)wsus-server got it working again.

  21. Bernskov RMIG says:

    Hi Steve – I have this problem and restored my WSUS server yester day only to find it inoperable again this morning.
    Removing KB3148812 restored service.
    Should I block this update and then not be able to receive updates for W10 after 1.May?
    What is the best action going forward?

    Feel free to email me if you need debug information.

  22. Newadmin says:

    I don’t understand why you say "that this is not an issue of code quality".
    IF there are needed additional steps after installing, why we don’t see these needed steps at 1st start of WSUS console?
    To me it’s caused by not perfect code quality.
    Nevertheless, uninstalling makes WSUS work again (Svr2012R2)

  23. Newadmin says:

    Sorry, my comment was related to the 2nd post of Steve Henry. I forget to mention that in the beginning

  24. Eat-17 says:

    The update completely broke my WSUS and SCCM SUP…
    😐

  25. Andrew Williamson says:

    @Steve Henry – can you confirm if it’s ONLY WSUS that this is breaking?
    It broke our 3 servers – what else can/will it break?

  26. Hakan says:

    What about kb3154879? Like the posters on the first page I’m also getting:

    Content file download failed. Reason: File cert verification failure. Source File: /d/msdownload/update/software/crup/2016/04/windows10.0-kb3154879-x86_c7b4d1ac4829121785ae79b2df7550004eca089f.cab Destination File: e:WSUSWsusContent9FC7B4D1AC4829121785AE79B2DF7550004ECA089F.cab.

  27. Don Webb says:

    KB3148812 caused our WSUS server to crash. We removed WSUS role from the server, rebooted, and then reinstalled WSUS role. After initial WSUS setup the service would start but no clients could contact the server until the following was performed on each
    client: stop wuauserv and bits; rd windowssystemdistribution; start wuauserv and bits; perform update check. After that the client OS level and status would be shown properly on WSUS console.

  28. SteveMat says:

    After April round of patches, the WSUS server would fail to start and the Application Log had these error messages

    all over the place:

    Log Name: Application
    Source: MSSQL$MICROSOFT##WID
    Event ID: 18456
    Task Category: Logon
    Level: Information
    Keywords: Classic,Audit Failure
    User: NETWORK SERVICE
    Description:
    Login failed for user ‘NT AUTHORITYNETWORK SERVICE’. Reason: Failed to open the explicitly specified database ‘SUSDB’. [CLIENT: ]

    I uninstalled KB3148812 and rebooted the WSUS server, now WSUS Service Starts, I can connect to the WSUS admin page and clients can pull.

  29. TD says:

    @BooBoo: The update that won’t download has a certificate from
    "Microsoft Development Root Certificate Authority 2014" which is usually NOT in the trusted root store of a WSUS Server (or any other Computer).

    Someone over here
    https://social.technet.microsoft.com/Forums/windows/de-DE/156707fb-cb1b-4b81-9480-f3370257c25b/wsus-patches-in-netzlaufwerk-legen?forum=windowsserver8de
    extracted it and added it to the root store, but I wouldn’t recommend that.

  30. Greg Howard says:

    Steve Henry, to say that this is not an issue of code quality is ridiculous. The Windows patch caused WSUS to stop functioning properly, at least on Server 2012 R2. Therefore, it most certainly is an issue of code quality somewhere. The need for manual
    steps to rectify the issue after applying the patch indicates that the patch was missing something, which is, by definition, an issue of code quality. This is the second time in the past 3 months I’ve spent hours chasing my tail to figure out which Windows
    update broke key functionality in my organization. I and my colleagues are not amused by the lack of QA that goes into these patches.

  31. AD says:

    I have to agree with Greg H on how you are trying to spin this as not a code quality issue. I’m sorry but someone in your QA dept needs to be replaced and steps need to be taken to prevent this from occurring on a regular basis.
    PR at it’s finest = BS all the way!

  32. DaddyPig says:

    TD – found the same page at the time, did try installing the Development Root CA – made no difference. we could do with the WSUS guys starting a new blog for kb3154879-x86.

  33. jim says:

    I also agree with Greg H – it is absolutely unacceptable for a WSUS update to break WSUS itself. Come on, people!

    I came in to work yesterday to a broken server that needed remediation, and it wasn’t clear which update broke it, and event log messages implied it was a WID authentication problem. I chased my tail all day yesterday in troubleshooting and rebuilding things,
    to finally zero in on which update was the root cause of the problem, and THEN discover via a Google search that this problem was known. Very frustrating.

  34. Unknown says:

    Uninstalling this update saved my bacon – thanks

  35. Nate says:

    mmm…bacon.

  36. S.Musser says:

    I feel good that I only needed to spend an hour troubleshooting this. That is however, an hour of my life that is lost for no good reason. As far as I am concerned, this update will remain hidden and never be installed. If resolved, Microsoft can release
    under a different KB#. What a waste of time. Don’t Break My WSUS Server For No Good Reason Please!

  37. Al D. says:

    I had to troubleshoot our main wsus server today, Wsus admin told me about a reboot after applying updates, so, I read each KB description until I found KB3148812, was the only update related to WSUS, so I uninstalled, rebooted the server and WSUS start
    working again. Then, a bing search brought me here

  38. Nate says:

    Thanks for the tip Steve, the uninstall worked fine. However for those of you who are so upset…. give me a break. A simple google (bing) search found me this blog post. Are you really saying that you spent "hours" rebuilding a silly wsus server without
    a little googling to see if anybody else experienced similar issues?! Spare your tears. If everything always worked perfectly, you’d be out of a job. Deal with it.

  39. blah says:

    Uninstalling KB3148812 resolved the problem we were having with our WSUS server too. Same problem as described above.

  40. Whew, quite a few comments! Let’s start at the top…

    TD/DaddyPig: Checking with the release team, who said that this update will be superseded by one that is correctly signed. Should happen this or next week.

    Bill_Tunney/Dave Smith/Bernskov: Try reinstalling the update and following the steps described in the new blog post. If you’re still having issues, then please Email Blog Author.

    Bad Dos/Newadmin: Fair point. There is a post-install sequence that we can configure to trigger on WSUS launch, but unfortunately it does not use the "servicing" flag, which is what we need in this case. With that said, we’ll be looking at ways to pop a notification
    in WSUS if manual effort is required to complete an installation.

    Andrew Williamson: Yes, this is scoped to WSUS alone. Nothing else on your server or client is affected by these changes.

    Greg Howard and others: We apologize for any frustration caused by the missing documentation, and we got the post up as soon as we heard there was an issue. Regarding spin, perhaps "code quality" is the wrong topic. What I intended to convey was that KB3148812
    is fine to deploy as is, provided the necessary steps are performed afterward. In other words, we aren’t releasing a revision or another update to supersede this one because it does what it’s supposed to do–with that said, the fact that we left out some important
    release information cannot be ignored.

    S.Musser: As noted above, we are not releasing another update to replace this one. This is the only update that will enable you to deploy the Windows 10 Anniversary Update and subsequent feature updates.

    Nate: Thanks for the support. =]

    Thanks for the feedback on this release. We hold ourselves to a high standard when it comes to WSUS releases, specifically because it is such a crucial piece of the enterprise today, and will redouble our effort to ensure that any special instructions are communicated
    in conjunction with, or in advance of, future releases that require them.

    Please do reach out if you’re still seeing issues–we want to get everyone ready for the Anniversary Update!

    1. Donna grady says:

      We were having the issue of the console not being able to connect to the server-we uninstalled the KB and restarted the services which corrected the issue for a time but we are now experiencing the same issue. -the application event log shows 18456
      -the system event log shows The WSUS Service service terminated unexpectedly. It has done this 105 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
      The KB is not listed in the installed updates list- it does not seem to still be installed but we are continuing to have this issue. any ideas?

    2. Donna grady says:

      now after restarting the service is still will not connect and we are getting this in the event log
      Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’. Reason: Failed to open the explicitly specified database ‘SUSDB’. [CLIENT: ]

      1. Please read https://blogs.technet.microsoft.com/wsus/2016/05/05/the-long-term-fix-for-kb3148812-issues/ and follow all guidance specified there and in the KB article linked from it. My guess is that you are skipping required steps, and thus experiencing undefined behavior.

  41. Dionysoos says:

    Thank for your post, I removed this KS solved my problem.

  42. Craig Brand says:

    Thanks for the post, this helped fix our WSUS servers.

  43. DaddyPig says:

    Thanks for the update Steve, will hold fire and wait for the release of the newer file

  44. Daron B says:

    Agreed on all the above, ended up declining the update and restoring the 2012R2 WSUS server from a backup. I too look forward to a new incarnation of the patch that works.

  45. Paul T says:

    After some testing it appears that even when you reinstall WSUS on 2012 R2 (having deleted the WID database files) The WSUS console does then load. However, when you have finished configuring all the options your client PC’s/server’s will not talk to the
    update server. Error Code 80244007 on a Windows 2012 R2 server when trying to update. Error Code 80244008 for a Windows 7 client PC.

  46. Mazen Msouty says:

    We have WSUS running on Windows Server 2012 R2. After installing KB3148812, I got WSUS down. WSUS Service was getting stopped automatically, and the reason behind it is that SUSDB was set to (Recovery Pending Mode) and wasn’t coming up with error "Schema
    Verification Failed". After removing the update, all OK.

  47. MarkusM says:

    Still the same. Client not talking to server. Error Code 80244007 on a Windows 2012 R2 server. Error Code 80244008 for a Windows 7 client PC

  48. As noted earlier, please run the steps at
    http://blogs.technet.com/b/wsus/archive/2016/04/22/what-you-need-to-know-about-kb3148812.aspx before reporting your results. The update is not expected to work without having taken the actions listed in that post.

    For those that are seeing client scan issues even after taking those actions, look forward to an update to that post later today, and feel free to Email Blog Author if you’re unable to wait for resolution.

  49. dimitris says:

    First step works. brings console up online. second step doesn’t work. clients never wsus again.
    by the way the link to the WSUS blog has stopped working. results in an endless loop to login to microsoft account.

  50. Klaus Hahn says:

    Thanks for letting us now! Important post!

  51. johnredd says:

    uninstalling this fixed my broken 2012 R2 WSUS console issue.

    Thank you

  52. For those wondering where the original "what you need to know" post went, it contained manual steps that made you unable to simply uninstall KB3148812 to resolve the reported issues. To minimize the number of people in an irreversible situation, we pulled
    that post (and the KB), so these steps are no longer available. Feel free to watch

    http://blogs.technet.com/b/wsus/archive/2016/04/22/what-you-need-to-know-about-kb3148812-part-two.aspx for the latest on this issue.

  53. DaddyPig says:

    Hi Steve, Can now see kb3154879 as been declined, have also declined kb3148812. – cheers

  54. Scott Roby says:

    Ditto…uninstalling the KB fixed our 2012R@ WSUS issue as well.

  55. Edward Ray says:

    Thanks for taking lead on this. It happens sometimes…glad you were able to get word out quickly!

  56. Rune Goksør says:

    Seems like same issue happenes to KB 3159706 on our server. Microsoft mentiones that you need to do manual steps on server to make the this update work (why do they even publish it on wupdate then?)

    https://support.microsoft.com/en-us/kb/3159706

    1. It was published on Windows Update to allow the WSUS servers that could not distribute updates to sync and apply the update directly. The Microsoft Update Catalog requires IE, and not everyone has that installed.

    2. nicj says:

      cheers for that was scratching my head wondering what was going on

  57. Abraham Wilson says:

    Uninstall did fix. Before I uninstall, the SUSDB was showing as Restore Pending. Once unistalled, the DB came backup ok and WSUS started to work.

    1. Glad to hear it. Now you’ll need to deploy the new KB, which you can learn about at https://blogs.technet.microsoft.com/wsus/2016/05/05/the-long-term-fix-for-kb3148812-issues/, in order to enable this functionality as we’d originally intended.

      1. Abraham Wilson says:

        The update KB3159706 is installed. But again my DB is recovery pending state and I see these errors in the Event Viewer.
        Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’. Reason: Failed to open the explicitly specified database ‘SUSDB’. [CLIENT: ]

        What should I do next.

        1. Is this a SQL or a WID database? Have you run the manual steps detailed in https://support.microsoft.com/en-gb/kb/3159706 ?

          1. Abraham Wilson says:

            Thanks .. for now its working..

        2. Javier Martínez says:

          After making the post installation steps in https://support.microsoft.com/en-us/kb/3159706 it worked for me. Thank you all!

  58. nicj says:

    just installed a load of updates and WSUS is broken and KB3148812 is not installed so which one is it!

  59. Yousuf Shahzad says:

    Hello Steve

    I tried whatever you instructed but the same result that is WSUS service keeps stopping. Kindly assist me as soon as possible because all the computers of my company cannot be updated through WSUS server.

    Thanks & regards

    1. Please refer to the new blog post for the latest on fixing this issue, and let us know if you continue to have problems.

Skip to main content