What you need to know about KB3148812, Part Two


Here are the facts:

  • KB3148812 requires some manual steps to complete its installation
  • Failure to perform these steps leads to two issues: loss of WSUS console and client scans against WSUS
  • Performing these steps (as listed today) fully resolves the WSUS console issue
  • There is a chance that you will see client scan failures even after performing the steps

This update contains critical functionality that needs to be in place before the Anniversary Update, but it does not need to be installed this week (e.g., there is no security fix that patches a known vulnerability).  Therefore, here are our recommendations:

  1. Until further notice, if you have not already installed this update, do not install KB3148812.
  2. If you have installed it and not yet performed the "wsusutil postinstall" step, then uninstall KB3148812.  If you're still seeing issues, then please Email Blog Author.
  3. If you have installed it and have already performed the manual steps recommended in a previous post, then please Email Blog Author so that we can work directly with you.

UPDATE 5/5

The official repair for this issue (KB3159706) has been released.  A new blog post covers the details of this update.


Comments (105)

  1. dukeofdarkness says:

    I’ve already run the "wsusutil postinstall" step – this did enable the Console UI to function – albeit it had deleted some views and reset all their settings/columns.
    I have subsequently installed the WCF Http activation and rebooted twice – but this has failed to allow the clients to reconnect – they’re all receiving a Code 80244007 Error. There’s nothing obvious showing up in the event log on the clients or WSUS. The WSUS server hasn’t synchronised since the install yet.

  2. MLamczyk says:

    for the record, deleting the "softwaredistribution" folder on the clients will resolve the code 80244007 Error… however, it is not realistic to expect us to manually delete that folder on every single client…..

  3. susan says:

    Dude – or anyone else still experiencing the issue, either email me at susan-at-msmvps.com (change the -at to @) or in the upper right of this blog, click the "email author" to get further investigation of the issue.

  4. susan says:

    Sorry that should have been "Duke" not "Dude"

  5. Argh says:

    "This issue was unfortunately not observed in our testing, so we are in a live debugging situation today." – What kind of testing? It installs, ship it? Microsoft’s QA is pretty much non-existent lately. And still absolutely no mention of this SNAFU on KB3148812. Fail.

  6. Good one, Argh. I can’t speak for the rest of Microsoft, but I agree that this experience highlighted a gap in our WSUS testing, one which I intend to fill before our next release. If you’d like to be a part of the external group that ensures we’ve got realistic coverage, then feel free to Email Blog Author so that we can make those connections.

    KB3148812 is being pulled later today to minimize further impact.

  7. dukeofdarkness says:

    What caught me out was that it didn’t appear in the WSUS update view in the console, as if it hadn’t been tagged/classified correctly when released.

  8. Daniel Correa says:

    Hello Steve, it would be good if Microsoft removed this update from the Update Catalog since you guys know that something is wrong with it.

  9. anonymouscommenter says:

    UPDATE: A newer post regarding KB3148812 is published at
    http://blogs.technet.com/b/wsus/archive/2016

  10. Argh says:

    @Steve: I feel like I’m already being a beta-tester for MS, getting much worse lately. Extremely useless KB articles, missing KB articles when hotfixes are released and many days after, articles missing known issues with the hotfix (such as this WSUS one), serious bugs in the patches over and over again.

    Hotfix descriptions in WSUS are completely useless, I’m forced to click one link after another to find out what’s the patch about, and even then, the KB descriptions are often very lacking, recently there’s even been a KB article with no description whatsoever. Patches released many many many times every month, any scheduling/maintenance windows completely lost. Add to that that incessant, disgusting push of those infamous "compatibility" and "telemetry" hotfixes for W7/8.1 which are basically nothing but W10 spam.

    Overall, not a happy camper. 🙁

  11. Mark B says:

    Meh, if it was easy, anybody could do it. WSUS team is working hard on it, and takes no pleasure in the misery this caused. WSUS Team – thanks for working on this, looking forward to a fix. [tag:FirstWorldProblems]

  12. Marko says:

    HI ! Just removed KB3148812, my WSUS server is working again…

  13. norbert says:

    I’m getting 0x80244019 after installing and performing the steps in your (now pulled) blog entry. Any help would be appreciated.

  14. GurliGebis says:

    Also got the 0x80244019 error.
    Had to uninstall WSUS, drop the SUSDB database, reinstall WSUS and reconfigure it to get it back working (since I had already run the update command, there was no other way than dropping the database).

    I can see now, that the KB3148812 has been expired in WSUS, which I’m happy to see.

    I’m a bit afraid that the 0x80244019 error isn’t being addressed, and we will be back with a broken setup when the patch is released again, since it seems like very few people are being hit by that one.

  15. GurliGebis says:

    Here is the snippet of the WindowsUpdate.log file, with the 0x80244019 error (with anonymized hostnames):

    2016-04-22 13:35:03:692 848 ac4 EP Got WSUS Client/Server URL: "https://wsus.network.lan:8531/ClientWebService/client.asmx"
    2016-04-22 13:35:03:708 848 ac4 PT WARNING: Cached cookie has expired or new PID is available
    2016-04-22 13:35:03:708 848 ac4 EP Got WSUS SimpleTargeting URL: "https://wsus.network.lan:8531"
    2016-04-22 13:35:03:708 848 ac4 IdleTmr WU operation (CAuthorizationCookieWrapper::InitializeSimpleTargetingCookie) started; operation # 96; does use network; is at background priority
    2016-04-22 13:35:03:708 848 ac4 PT Initializing simple targeting cookie, clientId = 449bbdb8-08e6-4b6c-9156-9b6b797cb2e2, target group = , DNS name = server.network.lan
    2016-04-22 13:35:03:708 848 ac4 PT Server URL = https://wsus.network.lan:8531/SimpleAuthWebService/SimpleAuth.asmx
    2016-04-22 13:35:03:864 848 ac4 IdleTmr WU operation (CAuthorizationCookieWrapper::InitializeSimpleTargetingCookie, operation # 96) stopped; does use network; is at background priority
    2016-04-22 13:35:03:864 848 ac4 IdleTmr WU operation (CAgentProtocolTalker::GetCookie_WithRecovery) started; operation # 97; does use network; is at background priority
    2016-04-22 13:35:04:005 848 ac4 WS WARNING: Nws Failure: errorCode=0x803d000d
    2016-04-22 13:35:04:005 848 ac4 WS WARNING: There was an error communicating with the endpoint at ‘https://wsus.network.lan:8531/ClientWebService/client.asmx‘.
    2016-04-22 13:35:04:005 848 ac4 WS WARNING: The server returned HTTP status code ‘404 (0x194)’ with text ‘Not Found’.
    2016-04-22 13:35:04:005 848 ac4 WS WARNING: The requested resource was not found.
    2016-04-22 13:35:04:005 848 ac4 WS WARNING: MapToSusHResult mapped Nws error 0x803d000d to 0x80244019
    2016-04-22 13:35:04:005 848 ac4 WS WARNING: Web service call failed with hr = 80244019.
    2016-04-22 13:35:04:005 848 ac4 WS WARNING: Current service auth scheme=’None’.
    2016-04-22 13:35:04:005 848 ac4 WS WARNING: Proxy List used: ‘(null)’, Bypass List used: ‘(null)’, Last Proxy used: ‘(null)’, Last auth Schemes used: ‘None’.
    2016-04-22 13:35:04:005 848 ac4 WS FATAL: OnCallFailure failed with hr=0X80244019
    2016-04-22 13:35:04:005 848 ac4 IdleTmr WU operation (CAgentProtocolTalker::GetCookie_WithRecovery, operation # 97) stopped; does use network; is at background priority
    2016-04-22 13:35:04:005 848 ac4 PT WARNING: PTError: 0x80244019
    2016-04-22 13:35:04:005 848 ac4 PT WARNING: GetCookie_WithRecovery failed : 0x80244019
    2016-04-22 13:35:04:005 848 ac4 PT WARNING: RefreshCookie failed: 0x80244019
    2016-04-22 13:35:04:005 848 ac4 PT WARNING: RefreshPTState failed: 0x80244019
    2016-04-22 13:35:04:005 848 ac4 PT WARNING: PTError: 0x80244019
    2016-04-22 13:35:04:005 848 ac4 Report WARNING: Reporter failed to upload events with hr = 80244019.

    1. David B says:

      GurliGebis, did you get this fixed yet? I was getting the exact same errors as you in the update log. I realized that I had followed the manual instruction of editing the Web.config file. I mistakenly REPLACED the lines in the config file instead of ADDING what’s bolded.
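The WindowsUpdate.log excerpt in comment 15 can be triaged mechanically when many clients report the same failure. The following is an added example, not part of the original post or any comment: it folds wrapped lines, tracks context per process/thread, and reports the endpoint, HTTP status and HRESULT for each failed web service call. The function names are hypothetical, the sample is adapted from the excerpt above with straight quotes, and the `b10` thread line is constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Names as listed in Microsoft's Windows Update and WWSAPI error-code references.
KNOWN_CODES = {
    0x80244019: "WU_E_PT_HTTP_STATUS_NOT_FOUND",   # server answered HTTP 404
    0x80244007: "WU_E_PT_SOAPCLIENT_SOAPFAULT",
    0x803D000D: "WS_E_ENDPOINT_NOT_FOUND",
}

_Q = "'\"\u2018\u2019"  # logs pasted into web pages often carry curly quotes
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+(?P<component>\S+)\s+(?P<msg>.*)$"
)
ENDPOINT_RE = re.compile(rf"endpoint at [{_Q}]?(?P<url>https?://[^\s{_Q}]+)")
STATUS_RE = re.compile(rf"HTTP status code [{_Q}]?(?P<status>\d{{3}})")
MAP_RE = re.compile(r"mapped Nws error (?P<nws>0x[0-9a-fA-F]+) to (?P<hr>0x[0-9a-fA-F]+)")
FAIL_RE = re.compile(r"Web service call failed with hr = (?P<hr>[0-9a-fA-F]+)")

# Adapted from the excerpt in comment 15; the "b10" line is constructed.
SAMPLE_LOG = """\
2016-04-22 13:35:03:708 848 ac4 PT Server URL =
https://wsus.network.lan:8531/SimpleAuthWebService/SimpleAuth.asmx
2016-04-22 13:35:04:005 848 ac4 WS WARNING: Nws Failure: errorCode=0x803d000d
2016-04-22 13:35:04:005 848 ac4 WS WARNING: There was an error communicating with the endpoint at 'https://wsus.network.lan:8531/ClientWebService/client.asmx'.
2016-04-22 13:35:04:005 848 ac4 WS WARNING: The server returned HTTP status code '404 (0x194)' with text 'Not Found'.
2016-04-22 13:35:04:005 848 ac4 WS WARNING: MapToSusHResult mapped Nws error 0x803d000d to 0x80244019
2016-04-22 13:35:04:005 848 b10 WS WARNING: Web service call failed with hr = 80072ee2.
2016-04-22 13:35:04:005 848 ac4 WS WARNING: Web service call failed with hr = 80244019.
"""


def logical_lines(text):
    """Yield parsed entries, folding untimestamped continuation lines into the previous one."""
    current = None
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current:
            current["msg"] = current["msg"] + " " + raw
    if current:
        yield current


def find_failures(text):
    """Return one record per failed web service call, using per-thread context."""
    pending = {}   # (pid, tid) -> details seen since that thread's last failure
    failures = []
    for entry in logical_lines(text):
        key = (entry["pid"], entry["tid"])
        ctx = pending.setdefault(key, {})
        msg = entry["msg"]
        if (m := ENDPOINT_RE.search(msg)):
            ctx["url"] = m["url"]
        if (m := STATUS_RE.search(msg)):
            ctx["http_status"] = int(m["status"])
        if (m := MAP_RE.search(msg)):
            ctx["nws_error"] = int(m["nws"], 16)
        if (m := FAIL_RE.search(msg)):
            hr = int(m["hr"], 16)
            url = ctx.get("url")
            failures.append({
                "when": f'{entry["date"]} {entry["time"]}',
                "endpoint": url,
                "path": urlsplit(url).path if url else None,
                "http_status": ctx.get("http_status"),
                "nws_error": ctx.get("nws_error"),
                "hresult": hr,
                "name": KNOWN_CODES.get(hr, "unknown"),
                # An HTTP status in the log means the server was reached and replied.
                "server_answered": "http_status" in ctx,
            })
            pending[key] = {}
    return failures


def summarize(failures):
    """Count failures by (endpoint path, HTTP status, error name) across one or more logs."""
    return Counter((f["path"], f["http_status"], f["name"]) for f in failures)


if __name__ == "__main__":
    for f in find_failures(SAMPLE_LOG):
        print(f'{f["when"]} hr=0x{f["hresult"]:08X} ({f["name"]}) '
              f'http={f["http_status"]} endpoint={f["endpoint"]}')
```

A record with `server_answered` set and a 404 on `/ClientWebService/client.asmx` points at the WSUS server's web service rather than at client-side connectivity, which matches the server-side fix described later in the thread.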

  16. Pepper says:

    While we’ve got your attention:
    1. The KB article itself still has no notation that extra steps are required or that the update has been pulled.
    2. Can we please get better descriptions for the actual updates? It is so frustrating to get that email notification that WSUS has synchronized a couple hundred new updates and all of them have the same description "Install this update to resolve issues in Windows." All that means is I have to open all of the KB articles one by one to find out what they are.

  17. Argh: We appreciate the feedback. We can only control your WSUS updating experience, and we’re committed to improving that going forward. I’ll look into providing KB descriptions in the WSUS pane itself–typically, the assumption was that everyone clicks the KB link, so it’s nice to hear otherwise.

    Pepper: The request to pull the KB is being processed; agreed that it’s a confusing situation. We didn’t publish the manual steps to the KB because those were getting folks into a situation where the update couldn’t be rolled back, and we wanted to minimize that scenario.

    Mark B: Thanks for the support. =]

    As you might have seen from the update to the blog post, we have a [server-side] fix that restores client scanning capability. Much to my chagrin, it was not as simply resolved as I’d expected. We’ll have to ship another update to address this, for which we’ll share timelines next week. If you can’t wait for the official update, then feel free to Email Blog Author so that we can get you operational in the interim.

    Thanks to everyone that’s reached out so far. This was an unpleasant outcome, and much of the community was willing to provide logs, traces, and other information that’s really above and beyond. We can and will get better at doing it right the first time, and we appreciate your help with restoring order in this chaotic situation.

  18. Argh says:

    @Steve: Appreciate that someone’s listening here, at least for the moment. (Whether it will eventually produce some real outcome beneficial to users and admins and improve the much damaged MS’s reputation, that’s a completely different question yet waiting for the jury.)

    The whole thing started to go downhill fast with the appearance of W10. KB articles getting useless, WSUS/WU descriptions getting useless. This has been widely noticed back last August, see e.g.

    http://www.extremetech.com/computing/212724-microsoft-kills-patch-notes-will-no-longer-explain-most-windows-10-updates

    Even with very small scope of products to maintain for a small business setup, there are hundreds of hotfixes every month. Clicking the links to get at least a vague idea of what’s the patch about gets annoying *very* fast. Really. Before, people would click that link in case something caught their attention in the patch description (something about an issue they were experiencing themselves, or some odd feeling that the patch might cause big trouble eventually, or whatever). If all was clear, no need to dig into the KBs.

    But, with descriptions limited to "Install this update to resolve issues in Windows", or "This update provides the latest fixes to %SOMEPRODUCT%", there’s absolutely no way to tell. Stuck with clicking, clicking, clicking, and hoping the KB would contain at least some muddy clues. And you get disappointed pretty often, then you are stuck with a list of files that changed, and guessing what’s that all about. People are not happy with this. It’s not just me for sure.

    Regarding the WSUS kaboom. I did not uninstall the hotfix. I did not follow any of the steps previously suggested to complete the job. Reason? I had a pretty good idea that simple uninstall might not revert things (read, the database) to a previous working state, and – as you properly noted – that following the manual steps would get us to the point of no return, with non-standard state extremely difficult to fix eventually. We simply got the 2012 R2 WSUS server out of the view and pointed clients back to the 2008 R2 WSUS server (recently just decommissioned – following the http://blogs.technet.com/b/wsus/archive/2016/01/22/what-to-do-if-you-re-on-wsus-3-0-sp2-or-sbs-2011.aspx blogpost here). That one seems unaffected by this hotfix and – thanks god – working properly.

    Hoping for a fix that will sort out this mess, instead of us going through the migration once again. We have better things to do than such exercise every couple of months. :-/

  19. Argh says:

    Oh, and one more thing, while discussing how unhappy people are with hotfixes documentation and distribution. Just yesterday, I saw this:

    http://www.askwoody.com/2016/future-windows-patches-only-available-in-the-update-catalog/

    Instead of providing links to hotfix downloads, you are pointing people to a badly buggy, unmaintained IE-only (!!!) site relying on ActiveX, with broken HTTPS. Really, this is the way to go now? You should know better.

  20. Hauke says:

    I sent you guys a mail yesterday but didn’t hear back. So do I get an invitation on monday?

  21. Garry Trinder says:

    Also installed the KB and ran the post install task here. We tried the delete of SoftwareDistribution folder but it worked on some win10 and win 8.1 machines the other versions did not succeed.

  22. Klaus Hahn says:

    Thank you. Uninstalling KB3148812 was working for me.

  23. home tester says:

    Sadly it seems that MS is heading this way for updates. We are to blindly approve all the updates as we are not supposed to know what they are and just install them. Then they do updates like this and they expect us to know that there are post-install items. Information on updates is terrible, and I agree with the above complaint that we can’t see the information in WSUS on the updates, and we have to open each item up one by one (and most of the time, the KB articles are lackluster and don’t say much).
    I see this heading to W10 type update rollups with everything. I can see the future of getting an update rollup with updates like this KB and we end up in messes in the future.
    Things are really going downhill.

    And I am actually really sad about it, as I am a MS fan, and am strictly in the MS world at home and work.

  24. JDAnderson says:

    Second time in a couple of months that a WSUS update breaks itself, it’s really not reassuring to see the team responsible for maintaining the update tool is not able to update correctly their own tool.
    If the patch needs a post-installation step, it SHOULD never be deployed this way. Make it like SharePoint, the KB installing binaries in a temporary folder, and when you launch the console you have a message explaining what to do next, why, how and when you should do it.

    From now on we will not patch WSUS server automatically anymore and rely on this blog to see if we need to install something

  25. NikChrist says:

    Can we just have the steps that needs to be in place in order to bring my WSUS back. We have 6 of them in the environment, not all of them are patched, thanks god, but anyway. This is unacceptable for god sake!!!!

  26. CO says:

    On Friday I performed the described manual steps recommended in your previous post, so I can’t uninstall the KB3148812.
    Uninstall failed because of the implemented task "wsusutil postinstall"!

    Please post a general solution for this issue!

  27. Mark says:

    In the same boat as most people here. Had the issue, came here to find a fix, implemented the fix, now it can’t be fixed by uninstalling the affected KB.

    Email Blog author in the hope that something can be fixed…

  28. Andy says:

    It’s still bad that this whole episode has been handled as "you shouldn’t have installed this so quickly – there was manual steps you know!".

    Almost feels like us users are being blamed for our prompt attention in patching cycles.

  29. technonath says:

    Steve Henry Wrote:- [MSFT] 23 Apr 2016 4:01 AM
    Argh: We appreciate the feedback. We can only control your WSUS updating experience, and we’re committed to improving that going forward. I’ll look into providing KB descriptions in the WSUS pane itself–typically, the assumption was that everyone clicks the KB link, so it’s nice to hear otherwise.
    ————–
    A) I want to second that proposal for better descriptions without having to click multiple links.

    B) While you are listening to us and we are on this topic, please can we have an improvement to the categories?
    For example here are some that I would love to automatically approve :-
    Windows Daylight saving Time zone updates
    The monthly Malicious software scanning tool

    Maybe categorise all .net updates as ".Net" so we can just automatically push these to workstations if we want.
    I could go on, but I think you get the general idea.

    C) Also please, please, please stop rolling up other non-security-related fixes inside "security " patches, like
    https://support.microsoft.com/en-us/kb/3087039
    I want to be able to choose whether I want to test those fixes individually!

    D) Why do you keep pushing updates to Windows Servers that are described as "improving the update experience to windows 10" ? such as
    https://support.microsoft.com/en-us/kb/3112336

    The description says:- "This update enables support for additional upgrade scenarios from Windows 8.1 to Windows 10, and provides a smoother experience when you have to retry an operating system upgrade because of certain failure conditions. This update also improves the ability of Microsoft to monitor the quality of the upgrade experience."
    – shouldn’t these patches be marked as applicable to Client OS’s only ?
    Why do I need that update on a Windows 2012 R2 server that is never going to be "Upgraded" to Windows 10?

    E) As for the subject of windows 10 updates with no detailed descriptions, please don’t expect enterprise to ever adopt windows 10 until you change that!

    Steve I would love your feedback on some of these points.

  30. technonath says:

    Additional example to point D:-

    https://support.microsoft.com/en-us/kb/2990214
    Update that enables you to upgrade from Windows 7 to a later version of Windows
    This article describes an update that enables you to upgrade your computer from Windows 7 Service Pack 1 (SP1) to a later version of Windows.

    then later on it says "Note: This update for Windows Server 2008 R2 does not support you to upgrade to a later version of Windows"

    So why not filter it in WSUS from applying to Server 2008 R2 servers!

  31. Steve Pearson says:

    @Steve, we have the same issue as "dukeofdarkness", so any help that can get our clients running again would be appreciated!!!

  32. Alesberta1 says:

    I am also interested in a fix. We have applied the update and the first published "workaround" but now we are seeing that the computers are not reporting their status back 😐 When can we expect a real fix for the situation ?

  33. Gustke says:

    Dead in the water right now with SCCM SCUP/WSUS. Uninstalled KB3148812 and still cannot connect SCUP to WSUS. Two reboots completed.

    TestConnection: Failed to connect to the update server using the configuration data provided. [System.IndexOutOfRangeException: Index was outside the bounds of the array.].

    Everything was working perfectly fine before this update.

    Help?

  34. agressiv says:

    I’ll echo many of Argh’s comments regarding lack of QA lately and the vagueness of updates "Install this update to resolve issues in Windows".

    Take Server 2012 R2 and 8.1 – these operating systems used to have monthly cumulative rollups of non-security updates. Now? Just this month, there are *36* non-security updates, all with the vague "Install this update to resolve issues in Windows" – I don’t have time to investigate 36 KB articles. Why move away from the rollup? Windows 10 is (more or less) doing it right, why did 2012R2/8.1 regress?

  35. sd_dave_619 says:

    Very frustrating dealing with these issues, trying to troubleshoot everything to figure out why my WSUS server is broken and I’m unable to update my clients and came to this. My WSUS server is currently down so getting a fix ASAP would be appreciated.
    At this point if I can be sent the proposed fix I’d be more than happy to beta test. I attempted to uninstall KB 3148812 but now I’m unable to connect to my console. I get an error saying I need to patch my WSUS server to at least the version of the database.

  36. MLamczyk says:

    I just wanted to report that I received the beta hotfix to resolve the client connectivity issues after running the post installation procedures. I am happy to report that the hotfix did resolve the problems and clients are once again able to connect to my WSUS server with KB3148812 installed.

  37. gustke says:

    @mlamczyk – Did you have to install this hotfix on clients? Or just on the server?

    1. Hennie says:

      Like mlamczyk I installed the hotfix and my WSUS is working again 🙂

      It is just a server side install.

  38. Argh: Have you seen http://windows.microsoft.com/en-us/windows-10/update-history-windows-10 ? What do you think of it? It’s not an exhaustive list of coverage, but it appears to be a step in the direction you mention. Still, I understand the desire to be able to see at a glance what is in a given update, and the WSUS team will ensure that any releases containing WSUS content are described accordingly. As for your cautious approach to deploying fixes, I think you’re aligned–best practice is to always create a restore point before applying patches to critical infrastructure, specifically because things like this can strike without warning. Finally, we aren’t going to leave you hanging, we just want to make extra sure that the next update is solid before we share it out more broadly.

    Argh Part the Second: I looked into this, and it turns out the ActiveX control is the bulk of what is keeping us in IE territory on the Catalog. I’ve heard whispers about breaking this dependency, which might lead to the many-browser future that you envision.

    home tester: The ideal servicing model is that you deploy what we ship, and you don’t have to bother with checking the contents or worrying about what will break because it’s all high quality and solid on your systems. One benefit of a cumulative servicing model is that it homogenizes the ecosystem and reduces our test matrix–in other words, we can actually test what you have deployed because you didn’t choose hotfixes 3 and 40, while someone else chose hotfixes 31 and 35, for a given release. I stress the "ideal" aspect here because this is the vision, and there are growing pains as we move toward it. Does that excuse the quality issue in this release? Certainly not, but we’re working as quickly as we can to address it without causing other issues in the process.

    JDA: That’s not a bad approach. We’re planning to evolve WSUS to support Windows as a service going forward, which is going to mean more changes down the road, and this will be the place to find out about them. As for automatic post-install deployment, we’re already looking at how we can make this a smoother operation. Might not make this release, since we need to get it out quickly, but it’s a worthy improvement to the deployment experience.

    Hristozkov69/CO/Alesberta/Gustke/sd_dave_619: There aren’t a series of steps that you can use to bring back your WSUS. If you need relief from Scenario #3 described in this post, then please Email Blog Author so that we can get you running again.

    1. home_tester says:

      I fully understand what you are saying and the rollup model can make sense. What I am saying is that we see hundreds of updates in WSUS that are rollups, or just “security fixes” and the only way to see anything about them is to click on the link to open a browser. If we are lucky, there might be some information on a fix that actually has some information.
      Then add to this mix, something like the WSUS update, where there is a manual step needed. How would you actually expect admins to know this (this is new in the history of all updates to me)?
      So what happens now if all departments start adding in manual steps to the updates (say an outlook update). That means you expect us to go through the hundreds of KB articles before we actually approve them. This is counter to the update rollup method that seems to be coming up.
      I am not going after anyone, just trying to make a point, and make you see what the end user sees. I see from this blog that all us MS people are starting to get frustrated. Something that has been working smoothly for years is starting to fall apart.

      1. I looked into this after some previous comments on the topic. That section is the same text that a client will see when it views the update in Windows Update, and it needs to be localized into all the applicable languages. Custom text adds more localization cost or introduces errors in the communication for certain languages, and we weren’t seeing heavy usage of these descriptions, so the publishing team opted to go boilerplate for all this text.

        However, I’ve shared the enterprise pain around this model with them, and there is room for modification in the future. It won’t happen tomorrow, but I’m hoping we can work toward a more informative reality for businesses that doesn’t require clicking through to a KB. We appreciate the feedback, and I’m happy to champion the cause.

  39. Andy: Quite the opposite–I’m lamenting the fact that the early adopters, those enthusiasts who trusted the updates from the WSUS team inherently, are the ones in pain here. The saving grace is that it’s a smart community that can fix issues quickly. Had this happened on a consumer level, we’d be in a very different world right now. The missing documentation was an oversight that we couldn’t even pretend is your fault, and it won’t happen again. Arranging a prompt patching cycle is a two-way street, and we know we have to do our part to make that happen.

    technonath: I’m flattered that you think the WSUS team controls all these things! I’ll pass along the feedback, but unless it deals directly with WSUS release documentation, quality, or deployment experience, I can’t guarantee any specific result. As for the filter question, we actually looked into that, and it was unfortunately too expensive from an engineering perspective to implement safely.

    agressiv: Windows 10 showcases the new cumulative model that hopefully addresses many of your concerns. It’ll take a while for the other platforms (which have done things differently for a very long time) to catch up, if they’re going to.

    mlamczyk: Thanks for reporting your success on this thread. We’ve been able to get your environment, along with many others, running smoothly again until the official fix can provide long-term relief, and that’s really the whole point of this post.

    gustke: Email Blog Author, and all your deployment questions will be answered. =]

  40. norbert says:

    Hi, just want to say, that the problem is resolved here after installing the provided hotfix and do some manual editing as provided by Steve. Thanks for the fix and fast response..

  41. JDAnderson says:

    Any ETA on the official hotfix? Our staging server is still affected but we can wait a couple of weeks for the fix.

  42. jeroen says:

    We received the testing-hotfix and i can tell it has fixed our problems. W7 and W8.1 clients are now updating successfully again. They are on to finding a solution for this. Good work, guys.

  43. MarkusM says:

    I can confirm, the provided hotfix brings back the client connectivity on 2012 R2. Thanks for support.

  44. Argh says:

    @Steve:
    1/ We are avoiding W10 (and will continue doing so for at least another year or so.) LTSB might be a viable option eventually, however, no reason here to upgrade just yet, and too many reasons not to upgrade. So, I do not have many reasons to go to that site, however – as you note – yeah, that is a step in the proper direction. Now, since someone obviously needs to write these, these should be mirrored everywhere (be it the KB articles, or the WSUS descriptions.) Now, having a similar "no technoblurb BS" kind of changelog is fine, however, there are other officially supported Windows versions out there (and will remain there for many years.) These are in fact predominant in business, which is the place where you normally use things like WSUS. The issue is that there’s nothing similar for those other Windows versions, which used to have useful hotfix descriptions before. Another thing – WSUS is much more than Windows patches. Office being the second major part which suffers from extremely useless descriptions.

    2/ The Catalog. That thing has been abandoned for years. Broken site with broken ActiveX dependency, bad usability, looks extremely dated overall, HTTPS using ciphers rejected by modern browsers. Pretty much no one had any reason to use that relic site except for very rare occasions where you needed to import a hotfix unreleased on WSUS into WSUS for deployment. Hearing: "whispers about breaking this [ActiveX/IE] dependency" *after* announcing (http://seclists.org/microsoft/2016/q2/6) that all future hotfix downloads will be available from the Catalog *only*? Sounds like doing things very much backwards, no? Heck, IE is not even a default browser in W10 any more. So, that site is not even supporting your own default browser (Edge) on your own latest system, while you are producing an *extremely* campaign to push pretty much everyone to W10. Sigh. Not good, at all.

    P.S. No worries about leaving people hanging, it’s obvious that the next update needs *thorough* testing to work properly both on machines that were not hit by the broken KB3148812 and those that have that one installed and are left in broken state.

  45. rjwb says:

    Have uninstalled (and hidden) KB3148812. Still no joy, so uninstalled and reinstalled the WSUS role. Now on the WSUS role post-installation tasks it says:
    Log file is located at C:\Users\rbadmin\AppData\Local\Temp\tmpBB6D.tmp
    Post install is starting
    Fatal Error: The schema version of the database is from a newer version of WSUS
    than currently installed. You must either patch your WSUS server to at least
    that version or drop the database.

    Ideas anyone?

  46. Mtro says:

    @Norbert – As the hotfix did not solve our problem, can you please outline what "some manual editing as provided by Steve." was? Waiting for one person at Microsoft is not the way to get the appropriate attention to this issue.

  47. FZB says:

    the offer to contact the author of the post and the hotfix provided that way did solve the issue of Clients not able to scan wsus for us (we had done the "wsusutil postinstall" step already before) without further manual steps. Thanks

  48. John C. Kirk says:

    rjwb: I had exactly the same issue on my server. I’m swapping emails with Steve at the moment to test the hotfix; we haven’t sorted it out yet, but I’m optimistic. I recommend contacting him (via the "Email the blog author" link in the top-right corner
    of this page) so that you can get hold of the new file. The only other option I can see is to start from scratch, i.e. uninstall WSUS and delete the database, then re-install WSUS and create a new database.

  49. norbert says:

    Hi Mtro, I had to edit a .config file in addition to installing the provided patch, because our wsus is using ssl. I do not post the solution here, as I leave that to the author Steve. Just email him.

  50. Gustke says:

    Blog author e-mailed. Hope to be back up and running soon.

  51. RaymondKn says:

    My fear is this mandatory update for WSUS that is required for Windows 10 clients is going to further force domain users to update Windows 10 Clients without being able to stop the updates! Even Apple doesn’t require you to install the next update, you
    just don’t get any support until you do, they let you wait as long as you want!!! I sure hope that I am wrong about this, my WSUS is still on Server 2008r2 so this update hasn’t been suggested to me, but I was getting ready to start shifting to server 2012
    for that server, I’m glad I haven’t yet!!

  52. MLamczyk says:

    @gustke, the hotfix just needed to be installed on the WSUS server itself. Once installed, all the agents were once again able to connect and check in for updates.

  53. Quick note, folks: We’ve gotten a lot of requests for immediate relief (thanks for reaching out!), so there’s a bit of a backlog. I’m getting to people as fast as I can, but it’s not a one-click operation to share the files, and we’re also troubleshooting
    some environments that might have special considerations. I’ll get to everyone today that has sent me a mail before now (13:47 PDT) guaranteed, it just might take a while. Your patience is appreciated!

  54. First of all, thanks to those that have posted their success stories in the comments section. I think it’s helpful to have a balance of active issues and positive results, so that the outlook doesn’t appear too bleak. For those that haven’t contacted us
    (and who desperately need to), Email Blog Author awaits you. With that said, if you can comfortably wait a week or two for official relief, then you’re welcome to do that.

    JDA: We aim to have this patched before your next Patch Tuesday in May. More specifics are planned for later this week.

    Argh: If the cumulative model catches on, and the technology supports it, then I could see it being used even in down-level servicing. Good to know that we’re moving in the right direction with the Win10 documentation. As you point out, the fact is that WSUS
    serves content from all first-party providers, including Office. If their product teams are not providing adequate transparency, then I encourage you to talk to them about it. We can improve the Windows side of things, and specifically the WSUS update content
    and descriptions, and will be happy to work with the community on doing so.

    Argh Part the Second: Windows 10 will use Windows Update for all its needs. As you point out, Catalog has a very limited scope, mostly confined to the manual WSUS Import function, and even that could be rendered unnecessary, depending on how we choose to service
    going forward. I’d echo your design principle of "break dependencies first," and I would guess that a different approach was taken for Catalog specifically because it is used so rarely these days.

    rjwb: Unfortunately, there is no amount of forum conversation that will restore operation because you need a small patch to your WSUS server. Well, I suppose you could uninstall the KB and restore your SUSDB from backup; if you would rather not do that, then
    Email Blog Author, and we’ll get you set up.

    RaymondKn: If control is what matters most to you, then WSUS will continue to provide that going forward. Our support model for Windows is changing, but you are still completely able to hold off approving updates in your environment. Just be aware that doing
    so could leave you in an insecure state. Feel free to reach out to us if you’ve got other concerns around migrating to a newer WSUS. We’ll likely be starting a separate dialogue on the topic of migration in a couple months. At this point, I’d recommend waiting
    for Windows Server 2016, and then making your move.

  55. bill says:

    I would like to echo Argh’s comments completely.

  56. Eugene says:

    What if "Automatically approve updates to WSUS product itself" is checked?

  57. Mark says:

    Patch put in place on a Server 2012 Standard, but still having issues with Win 10, Win 7 and accessing the Admin panel. Author of this Blog has been e-mailed errors to hopefully remedy this.

  58. Alesberta1 says:

    After receiving an email from the blog author with a new patch, we are back to Up and RUNNING… 🙂

  59. Mark says:

    Ignore previous comment. MSSQL service failed to start. Manually started, now everything is working as intended.

    Good work 😉

  60. Ben JohnsonWY says:

    I also noticed the WSUS Service would start and then stop in a minute or two.

    MicroShaft does it again, releasing a patch that wasn’t properly tested. Recall about 2 months ago when they sent out a patch that broke every Outlook 2010 client in the world?

    This time at least Steve Henry is being open about it. Usually we get a Wall of Silence from MicroShaft.

  61. klaus says:

    after removal of KB3148812 WSUS was working for 1 day. After the next reboot I have the same error again. KB3148812 is still uninstalled, I did not perform postinstall.
    I think I need to setup a NEW WSUS!!!!
    How can I do a repair????

  62. hello I can assist in testing the hotfix, I am stuck at step 3

  63. NCTIM says:

    Looks like we need this fix ASAP as well. I can’t seem to find the “email Author” link, was it removed?

  64. If you’re wondering where your comments on this post went, the answer is that I have no idea. I’m looking into how this data was lost when the blog was [silently] converted to its new format. I’m hoping we can recover the information, for posterity’s sake if nothing else. Anyway, stay tuned…

    1. Argh says:

      Yeah, I have been wondering. Sigh.

      1. Michael says:

        Probably because people are complaining about a corporate strategy that causes nightmares for admins?

        Experienced admins know that there are and there will be updates several times per year that cause (sometimes huge) problems and MS pushes more and more to a service model and tries to take away control from admins.
        Like no easy way of controlling Updates for Office Click to Run, Office 365, remove a lot of control for Win 10 non-Enterprise-LTSB.
        Microsoft provided great products and got rich even without pushing and forcing people into something which is not good for their business (remember: your customers still pay for your software!).
        If I was MS I’d try to make these comments disappear, too 😉 (kidding, not suggesting!)
        Anyway, still selling MS products to my customers b/c they are still better than the rest and hey… if e. g. an Outlook update breaks Outlook again because there was no chance to hold back the update because of C2R – no worries – customers will shout at me, not at MS.
        So… since this is a WSUS blog: PLEEEEASE make ALL products updates fully controllable via WSUS again, including all Office 365, all Office home and business, all Windows 10 Updates/Upgrades (not just Enterprise LTSB). Don’t hide updates only made to collect PC/usage data (telemetry) in “Critical Updates”. Don’t hijack security updates (like KB3139929) with adware (like KB3146449).
        There is a reason why MS has nearly 100% market share at businesses. Make sure it stays that way!

        1. Thanks for the feedback. Bear in mind that WSUS has a limited sphere of control, but we’ll pass on whatever we can’t directly affect.

          We in the WSUS team don’t believe in censoring critical commentary. If positioned correctly, it’s delivered with the intention of improving our overall offering. I like to believe that you all *want* to love WSUS, and perhaps one or more behavioral details get in the way of that objective. =]

          Joking aside, the blog migration has completed, and we’ve got our comments back!

          1. Argh says:

            Please, forward my greetings to your Office team. Releasing stuff like this: https://support.microsoft.com/en-us/kb/3085486 is exactly what drives admins and users mad, “This article describes update KB3085486 for Microsoft Office 2013, which was released on May 3, 2016. This update also applies to Office Home and Student 2013 RT. This update has a prerequisite.” – Looks like that someone forgot to post the description.

          2. home_tester says:

            I love that KB article. So useful. Now if it had a manual step like editing a registry manual and the only way to know would be to click on the article to find out.

  65. Hung Le says:

    Hello,
    Please help to fix our WSUS running on W2012 R2 server. After deleting the folder C:\Windows\SoftwareDistribution, only W 2012 R2 client can communicate with WSUS, W7 and W2008 R2 can’t.

    Thanks
    Hung Le

  66. 153ht says:

    Hi, any news about the fix ?
    Our WSUS is still broken :/

  67. Tom says:

    Steve, I can’t imagine it is related to KB3148812, but none of our WSUS servers can synchronize with Microsoft today. They were all working fine yesterday, and today — “Pre-Patch Tuesday for Office” — they all report this error. Is something wrong with the system?

    SoapException: Fault occurred

    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message,
    WebResponse response, Stream responseStream, Boolean asyncCall)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
    at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetUpdateData(Cookie cookie, UpdateIdentity[] updateIds)
    at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.WebserviceGetUpdateData(UpdateIdentity[] updateIds, List`1 allMetadata, List`1 allFileUrls, Boolean isForConfig)
    at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetUpdateDataInChunksAndImport(List`1 neededUpdates, List`1 allMetadata, List`1 allFileUrls, Boolean isConfigData)
    at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

  68. samy says:

    so, are there any updates?

  69. Marco Lanata says:

    We have uninstalled the patch, and most of our WSUS server are now running, but the clients cannot connect to it due to 80244007 errors. I’d like to test the patch you developed. Thank you.

  70. Chris J says:

    Is there any update as to when to expect the new KB/hotfix to be posted?

  71. Alessandro says:

    Hi there!!
    Some News on this case once none of given solutions worked for us.
    Restore from backup is not an option once wsus servers also share other roles in each server or replica.

    1. Yes, sync was broken from yesterday 19:00 MESZ until today late morning. Obviously because of some broken Office updates. Now everything back to normal, was repaired on MS side.

    2. I believe this issue has been resolved as of this morning. It was a service-side issue, not anything to do with WSUS. Please let us know if you’re still seeing server/server sync problems of this nature.

  72. Straver says:

    Still no permanent fix? I’m in scenario 3 and following this blog hoping for a fix, but now wondering why this takes so long?! Am I missing something here? Especially I’m concerned about my clients not receiving their defender updates for more than a week… regards, Peter

    1. Fixing the issue isn’t difficult or time-consuming: it’s making sure that we didn’t break anything else in the process. The last thing we want is for the repair to break something else.

      1. Straver says:

        The fix is successfully applied, thx!

  73. Test_home says:

    If there are post install steps, then it should not be part of an automatic update. Many admins don’t go through each of the KB articles looking for post install steps (a new concept that seems to only apply to WSUS). In fact, MS seems to discourage looking at KB articles, as we have to open each one up manually only to find that they say it’s a rollup of changes with no detail. This seems to be a step backwards for MS. And we are mostly here, as we are MS people.

    1. The only reason this one is shipped via Windows Update is that WSUS might be managing itself, and therefore unable to consume the fix. We considered Catalog as the only alternative, but from the discussion about how it is IE only, which some folks may not have installed, it seemed more convenient to have this be available through Windows Update itself.

      As for looking at documentation before deploying fixes, I think we’re trending toward less coverage on cumulative content, but isolated updates should (in my mind) be accompanied by at least a basic description of what’s inside, especially when the contents are somehow special or require additional effort to deploy. Unfortunately, those that don’t read KBs will have a rough time with the next update, but that would be true even if we’d only shipped to the WSUS channel.

      Assuming WSUS is managing itself, it requires manual effort to scan Windows Update instead of WSUS in order to get the update, so I’m expecting only those that read this blog will go that route.

  74. manny mcknight says:

    Uninstalling this update fixed my issue as well…

  75. Jason Plows says:

    I didn’t have the KB3148812, but after I removed the KB3159706 and restarted Server 2012R2, WSUS was fully working again.

    1. If you never intend to deploy the Anniversary Update via WSUS, then this is fine. Otherwise, you’ll want to go through the steps to get KB3159706 working.

      1. Greg says:

        So it was only after I made my first post did I see Jason Plows post suggesting to remove KB3159706! Having completed that, now WSUS console appears to be working and I am not throwing the errors related to NT Authority failing to connect to the SUSDB! That much is great! BUT…. Now I have the question that I am sure many users have for Steve Henry: How do I get my WSUS installation such that it WILL be able to handle Windows 10 Anniversary and other encrypted updates etc??? We do have an ever growing base of Windows 10 installs and I want all of our environment to be serviced by WSUS seamlessly!! What is the deal and how do I get WSUS capable of servicing the entire MS install base? Isn’t that what it was for in the first place??

        1. The answer is to install KB3159706, or deploy Windows Server 2016. One of these is required in order to consume future feature updates, starting with the Anniversary Update. If you have issues when installing this KB, then please post on our WSUS forum to get it resolved.

  76. Tom says:

    Really? Another WSUS update that breaks WSUS on W2K12R2? Really? (I’m referring to KB 3159706 of course.) Pushing out updates that break WSUS is really bad form, come on guys, knock it off. Three major WSUS/Windows Update problems in just a couple of weeks is bad.

    1. mlamczyk says:

      I have installed the KB3159706 update on several of my WSUS servers and so far have not had any problems with the update. Yes, there are some manual post installation tasks that must be performed and that is very annoying. However, with the post installation tasks performed successfully, I have not had any problems accessing the WSUS server with the Admin console and the agents are able to check in successfully. It would be nice if Microsoft could script those post installation tasks as part of the installation or system restart process (and I don’t see why that couldn’t be done)…. That being said, I do not have any WSUS servers running in high availability groups and from what I understand, that causes some issues.

  77. Angelo Cosenza says:

    I am running WSUS Svr2012 R2 with Win7.1, 8.1 and 10 clients.
    On the 12th May I approved and installed all available updates including KB3159706,
    KB3148812 is not in my list of installed updates nor is available for install.
    I was not aware of the “wsusutil.exe postinstall /servicing” and had NOT run it.
    I un-installed KB3159706.
    I am still getting Error Event ID 8 “Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’. Reason: Failed to open the explicitly specified database ‘SUSDB’. [CLIENT: ]”
    After running Win Update again, KB3159706 is NOT available to re-install.
    Can KB3159706 be downloaded independent of WinUpdates?
    What course of action can/should I take?
    Please help Urgent.
    Thanks
    Angelo…

  78. Greg says:

    I have been seeing errors trying to connect to the WSUS console and have been searching forums etc with the error message that I receive. Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’. Reason: Failed to open the explicitly specified database ‘SUSDB’.
    The part that has me steamed is that to the best of my knowledge I do not have KB3148812 installed! I DO have KB3159706 installed, but still cannot open my WSUS console! Any input or guidance from this dark place in which I find myself and back to the light would be greatly appreciated!

  79. Leonardo Torres says:

    KB3148812 installed the update on the 15th of May, discovered could not open the console, performed the steps outlined on the KB…. console opens BUT clients cannot talk to the server….
    SoftwareDistribution.log:
    Warning w3wp.51 SoapUtilities.CreateException ThrowException: actor = https://servername.com/ClientWebService/client.asmx

    1. Please read https://blogs.technet.microsoft.com/wsus/2016/05/05/the-long-term-fix-for-kb3148812-issues/ and install the KB mentioned there, and then follow the manual steps to finalize that installation. KB3148812 is no longer needed on any system.

  80. MT says:

    I have SSL enabled and tried to make the manual changes to the config file but I am not seeing the below stated on the blog.

    If SSL is enabled on the WSUS server

    Assign ownership of the Web.Config file to the administrators group (run at an elevated command prompt):

    Add the following attribute (shown in bold) to the bottom of the Web.Config file:

    1. Sorry, what’s your question? The steps in the KB article aren’t showing up correctly for you?

  81. Andrew says:

    Hi gents I need help on ID 507 but I believe it has to do with error ID 7032 though I did delete the wsus file from appdata etc but the problem persists.

  82. We are having a problem with our WSUS server as all clients and the server itself don’t run Windows update failing with the error 80244007. Can you help ?

    1. Please refer to the new blog post for remediation here. KB3148812 is no longer recommended as a solution to this issue.

      1. Yousuf Shahzad says:

        Hello Steve

        We have been facing the following problem for more than two months.

        KB3148812 installed automatically and I uninstalled it and did not perform the post instructions. Then installed KB3159706 and I added the feature “HTTP Activation” and rebooted the server but still no success.

        Kindly assist me in this matter because this problem made our work miserable.

        Thanks & regards
