The long-term fix for KB3148812 issues

A new update is available for Windows Server 2012 and 2012 R2.  This update requires manual steps in order to complete the installation. While the KB itself covers those steps, this post provides additional details on the release.


What KB3159706 does

Windows 10 feature updates (denoted by the "Upgrades" classification in WSUS) are staged in encrypted packages to Windows Update several days prior to the actual go-live date.  This is to ensure that we can release to all regions simultaneously.  The Windows 10 client has been able to decrypt these packages since RTM; however, WSUS was not able to do this.  Until now, we have been manually decrypting these packages prior to releasing to the WSUS channel, the process of which is both time consuming and error prone.  KB3159706 introduces this functionality to WSUS for Windows Server 2012/R2, such that it can now natively decrypt this content.  Skipping this KB means not being able to distribute the Windows 10 Anniversary Update, or any subsequent feature update, via these platforms.  Note that Windows Server 2016 will have this functionality at RTM.


How to deploy KB3159706

This update has been released through the WSUS and Catalog channels, so that it may be synched or imported to and subsequently deployed from your WSUS. For those that are currently unable to deploy using WSUS, we’ve also shipped this fix to Windows Update. If multiple WSUS servers in your environment are affected by the previous issue, then you can repair the topmost server using Windows Update, and the rest through WSUS itself.  You'll need to manually select this KB for installation if you get it from Windows Update, as the update is marked Optional.


If you installed KB3148812 or the test package

Both these updates modify the same files as KB3159706; since the latter is newer, it will simply replace the binaries. You can remove KB3148812 (if you don't recognize this KB, then no action is needed), but it is not necessary. In any case, your “For testing purposes only” watermark will disappear after you’ve removed the test package.  Our recommended order for this deployment is:

  1. Uninstall test package
  2. [Optional] uninstall KB3148812
  3. Install KB3159706
  4. Reboot your WSUS server


Still having issues?

This update involves changing some fundamental aspects of WSUS operation, and it may cause friction for some customers.  We're committed to getting you ready for the Anniversary Update (as well as ensuring that you can continue to take monthly updates), and we invite you to visit the WSUS forum if you're having issues deploying KB3159706 after following the KB guidance.

Comments (242)

  1. Can you let us know please when the Server 2016 preview (and/or Windows 2008 R2) gets this ability. There’s not much point in my installing a new WSUS server until this is available, and my current server is Windows 2008 R2.

    1. Windows Server 2016 Technical Preview 5 will have this functionality, which makes the manual steps mentioned in the KB unnecessary for that platform. However, you’ll want to take the May update for TP5 to address the same issue that was discovered in WS12/R2 for KB3148812. It’s less likely to occur in TP5, but still possible.

      1. Jon Zackula says:

        Harry and or Steve, do either of you know if ESDs functionality will be added to srv 2k8 R2? I am in the same boat as Harry for multiple clients that have WSUS on srv 2k8 R2. From what I understand any Win 10 updates after May 1st will require ESDs.

        1. WSUS 3.0 SP2 (which is the latest WSUS version available on WS08R2 SP1) will not be updated to be able to sync and distribute ESDs. This product ends its life cycle in July 2017, and we’ve got more changes planned to help support Windows as a service, so it doesn’t make sense to pull this product along for only the first part of the ride.

          1. Galgamesh-au says:

            Now that the end of life for WSUS 3.0 SP2 has been extended to Jan 2020 (in line with the end of life of Server 2008R2), will updates become available to enable it to deploy Win 10 Upgrades?

          2. No, WSUS 3.0 SP2 will not become capable of deploying Upgrades. Per life cycle policy, no new features are usually added to a product after it has gone into Extended support, which happened years ago. The additional extension to 2020 was to provide legacy support for those that do not intend to use this functionality, and to support Configuration Manager 2007 that depends on WSUS 3.0 SP2 and does not go out of support until 2019.

  2. Argh says:

    So this apparently still doesn’t work for some people as described in the KB article; toggling the Upgrades category off and on between syncs seems to be required. Additionally – the “value” of encrypting ESDs is something that goes beyond me. Waste of CPU time, useless complexity and breakage.

    1. ale says:

      Did you perform the post-install tasks described in the KB article?

      1. Argh says:

        Well yes, obviously 🙂 Still was failing with SoapException on some metadata. Had to disable the upgrades category, sync, re-enable, sync again.

  3. Mark-Blood says:

    I’m still having problems. KB3148812 had been installed and WSUS stopped working, clients unable to check for updates. Uninstalled it. Later installed 3159706 via Windows Update – no restart notification displayed but WSUS still not starting (see a ‘Reset server message’ which did not work). Rebooted, Server Manager flagged WSUS Service as not started on restart, but a refresh showed it was started. Ran WSUS, but saw same message. Copied error and followed recommendation to delete wsus file at %appdata%\Microsoft\MMC\. WSUS now starts, but the server was not listed. Chose to connect to the server but an error message about SQL not running was displayed (port is correct: 8530). All SQL services seem to be running.

    Any suggestions, please?


      1. Looks like this has been answered. Glad you’re up and running again.

  4. Alessandro says:

    Affected server got optional update KB3159706 from Windows Update.
    Install is getting error 80070490.
    Some additional step needed for those with fail to uninstall previously buggy KB3148812?


  5. mazebaer says:

    Unfortunately I deinstalled the WSUS, before I found these blogs
    Now, I deinstalled the KB3148812 and installed the KB3159706
    I’m not able to reinstall WSUS, I always get errors at the postinstall
    Event ID 18456, Logon failure, Network Service at opening SUSDB
    Does anyone have any idea?

    1. Have you performed the post-install steps detailed in ? If so, then please post your question in the WSUS forum so that we can take a look.

  6. JDA says:

    Again? Manual step on a KB involving editing a file used by your own product??? Really???

  7. I didn’t install KB3148812, but after KB3159706 installation my WSUS was broken and uninstall of this update fixed the server.

    1. As noted in this post, the update has manual steps that must be executed, which you can find at

  8. Jim says:

    So I’ve deployed KB3159706 to our Server 2012 R2 WSUS server, and things are working after performing the manual steps.

    However, requiring manual steps for this is the stupidest thing ever. Think of the folks who don’t know ahead of time that manual steps are required (unless I’m missing something, you have to go digging to find those…it isn’t visible in the WSUS GUI that manual steps will be needed), and break WSUS functionality until they find the manual steps. And if a slew of other updates were applied to the server at the same time…have fun chasing down the one that broke things, and THEN finding the manual steps!

    Why, oh why, isn’t it possible to, you know, make the COMPUTER do those steps as part of the update process? Come on, people!

    1. Tom says:

      I concur 100%. Just installed updates on our WSUS server and rebooted for Patch Tuesday, and wouldn’t you know it, WSUS doesn’t work after that. Fortunately after the rigamarole around KB3148812 I knew what to look for this time. But this is ridiculous. Your average admin is not going to have a clue what’s going on when his WSUS breaks and it isn’t easy to find this stuff with a simple Google (errr, Bing) search. Microsoft needs to add some sort of notification about the manual steps, or better yet, do them programmatically.

    2. Brian says:

      This just happened to me. I missed the KB3148812 hassle because I didn’t install optional updates last month. But after today’s patch Tuesday, I found my WSUS server non-functional.

      Some googling led me to KB3148812 which led me to today’s update, which I promptly uninstalled to return WSUS to service. Once my clients have their updates, I’ll return to this issue and perform the manual configuration required.

      But, yes, this is a recipe for trouble. While it would be nice to believe that we all have the time to search for updates, and then thoroughly research each update before applying, I know that this isn’t in the cards for me. And besides, wasn’t Microsoft just recently trying to convince us that detailed information for updates was no longer necessary (at least at the Win10 client end).

      Sorry if this all sounds petty. I mean it constructively. There needs to be *some* sort of notification during the installation process itself for this update that some manual configuration will be required. Especially because failure to perform those manual steps results in a non-functional service! . . . and only some guesswork and googling then leads you to the proper steps!

      1. This thread and other comments are focusing on something that we also noticed when shipping this update. The team is prioritizing an improvement to this deployment scenario, so that WSUS can either alert the admin (via the console, not a KB) to changes that require action, or make those changes automatically. This is an artifact of WSUS previously being serviced as a separate product, not an in-box server role, and we’re going to fix it as soon as we can.

        1. Trammel says:

          Yet again Microsoft is releasing patches that require post task installs through the automated WSUS program. Why? I am sure your team has just wasted over a hundred thousand hours of admins in this country alone scrambling trying to figure out why their patching has broken. Why not simply notify the WSUS community with these updates that need to be applied but should be done when the admin has had time to read and plan the upgrade. I am sure I am not the only one who feels this way.

          1. We could have done this, but it would have been a Catalog-only release, and then only the folks that use Internet Explorer would be able to use it. Additionally, the number of environments consuming the update would be limited to those that read this blog, which is not as many as you’d think (or as I would hope). In that case, we’d have gotten escalations when Anniversary Update failed to be deployed everywhere, which we expected would be a much bigger problem.

          2. Trammel says:

            Couldn’t you have updated the console to include some new section that informed admins about manual tasks that needed to be performed? I am no programmer but updating the console with a new section on the left or maybe under options would have done the trick.
            /shrug .02¢

    3. Paul Salwey says:

      I 100% agree with the statement that this should be done automatically. People that are unaware of this issue (both the previously broken KB and the new “fix” that isn’t really a fix until you perform some manual configuration) are completely hosed until they stumble upon these fixes. Unless they were following this blog (which I really appreciate!) they would have no idea what to do or what KBs to look at. Very unhappy with WSUS lately in general.

      1. You’re unhappy with WSUS because it’s actually taking a change to core operations–which hasn’t happened in years–and finding out that the support mechanism is more fragile than expected. We’re unhappy with this outcome, as well, and unfortunately it’s our starting point on the update experience for this technology. We are prioritizing improvements to WSUS that will ideally eliminate all manual effort in future updates. In the meantime, blogging heavily about it was the best we could do without jeopardizing the timeline for preparing your environments for the Anniversary Update.

  9. Wes says:

    Heads up guys. If your WSUS database is a SQL AG, the manual steps to complete installation of KB3159706 will fail.

    Running “wsusutil.exe postinstall /servicing” returns: “Fatal Error: The operation cannot be performed on database “SUSDB” because it is involved in a database mirroring session or an availability group. Some operations are not allowed on the database that is participating in a database session or in an availability group. ALTER DATABASE statement failed.”

    1. Thanks for pointing this out. We’re investigating how to best navigate this configuration.

      1. Garrett Kelly says:

        Experiencing the same issue as Wes had explained.

        Out of curiosity, for those that have the ability to do so, could this post-install step be done if we temporarily disabled the database from participating in an AG, pointed it directly to the db server, and then reversed the steps to get it back into an AG? I imagine this post task is something that only needs to alter the database, and then won’t matter after?

        1. The post-install task makes WSUS “aware” of the SUSDB/schema changes so that it can effectively marshal data to those new fields. How that will affect the AG scenario, I’m not entirely sure. If you’re willing to try it and report back, I’m sure the community would appreciate it. If not, then I might be able to get someone to try this out.

          1. Lee says:

            This update caused WSUS to stop working for us. Even after running the manual post installing steps. WSUS Service continues to stop. We had to remove the WSUS role. After adding the role we get WSUS Post-Installation Task fails

            Log file is located at C:\Users\seadmin\AppData\Local\Temp\tmp21B7.tmp
            Post install is starting
            Fatal Error: The schema version of the database is from a newer version of WSUS
            than currently installed. You must either patch your WSUS server to at least
            that version or drop the database.

            We have installed KB3095113-v2 , still getting the message

            Any suggestions?


          2. 1) Open the file – and check the version in the file
            2) Check the timestamps (modified, created) of C:\Windows\WID\binn\susdbverify.dll

            Can you share those details, along with the contents of C:\Windows\WID\Logs\Error.log ? It might make more sense to do this via the WSUS forum.

      2. Wes says:

        Thanks, Steve. Has there been progress towards a resolution for WSUS/SQL AG users?

        1. Nothing yet – we haven’t been able to repro the issue internally. If you’ve got an environment that we can debug live, then I can set up a quick meeting; short of that, we’ll keep trying.

          1. Wes says:

            That’d work. Where can I send you my contact info?

          2. Wes says:

            Hey Steve. Just wanted to see if there’s been any progress on the WSUS/SQL error I reported earlier, or if we can setup a quick meeting.

          3. Garrett Kelly says:

            Same here. I wouldn’t mind having you guys debug live in our environment as well – WSUS/SQL AG.

          4. Hi folks, and sorry for the delayed response. We haven’t had luck reproducing the SQL AG scenario on our own, so it’d be great to get access to one of your live environments, if it’s still available. Please reach out to me at ci dot servicing AT outlook dot com, and we’ll see what we can do.

          5. We got to see the “The operation cannot be performed on database “SUSDB” because it is involved in a database mirroring session or an availability group”. Disabling mirroring let us perform the post-install/servicing step.

            One thing that might help: after this the database wasn’t in full recovery mode anymore.
            So an ALTER DATABASE [SUSDB] SET RECOVERY SIMPLE must have been performed as part of the post-install/servicing step. And that would have been the statement incompatible with AG / mirroring.

    2. Hey everyone.
      I’ve successfully installed this update on WSUS with AG setup. Here’s what I’ve done:
      1. Uninstall KB3159706 and reboot
      2. Do full cleanup and full backup of SUSDB in case everything breaks.
      3. Stop IIS Admin Service and WSUS Service
      4. Remove database from AAG
      5. On wsus server change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UpdateServices\Server\Setup\SqlServerName to point to sql server with DB (Primary node in AG)
      6. Start IIS Admin and WSUS services
      7. Open WSUS console to check that it can connect to DB
      8. Install update KB3159706
      9. Reboot and perform postinstall
      "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
      10. Open WSUS to check if it works again.
      11. Repeat steps 3-6 but add SUSDB back to AAG and change registry back. Delete copies of SUSDB from replicas before adding it back to AAG

      1. Antalya Kreş says:

        Yesss! Thanks Artem. I have just solved with your help
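A read-only pre-flight check for the failure Wes reports and the recovery-model change noted above, added here as an example; it is not Microsoft's tooling and not part of any comment. It reads the `SqlServerName` registry value named in the procedure above, and it assumes Windows authentication to the instance and that a server name containing `##` means the internal database.

```powershell
# Added example, read-only: reports whether SUSDB is mirrored or in an
# availability group before "wsusutil.exe postinstall /servicing" is run.
$ErrorActionPreference = 'Stop'

function Get-SusdbServicingState {
    param([Parameter(Mandatory = $true)][string]$SqlServerName)

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServerName;Database=master;Integrated Security=SSPI;Connect Timeout=15"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @'
SELECT d.recovery_model_desc,
       CASE WHEN m.mirroring_guid IS NULL THEN 0 ELSE 1 END AS is_mirrored,
       CAST(ISNULL(SERVERPROPERTY('IsHadrEnabled'), 0) AS int) AS hadr_enabled
FROM sys.databases AS d
LEFT JOIN sys.database_mirroring AS m ON m.database_id = d.database_id
WHERE d.name = N'SUSDB';
'@
        $reader = $cmd.ExecuteReader()
        try {
            if (-not $reader.Read()) { throw "SUSDB not found on $SqlServerName" }
            $recovery = [string]$reader['recovery_model_desc']
            $mirrored = [bool][int]$reader['is_mirrored']
            $hadr     = [bool][int]$reader['hadr_enabled']
        } finally {
            $reader.Close()
        }

        $inAg = $false
        if ($hadr) {
            # replica_id exists only on SQL Server 2012 and later, so it is
            # queried only when the instance reports AlwaysOn as enabled.
            $cmd.CommandText = "SELECT COUNT(*) FROM sys.databases WHERE name = N'SUSDB' AND replica_id IS NOT NULL;"
            $inAg = ([int]$cmd.ExecuteScalar()) -gt 0
        }

        [pscustomobject]@{
            SqlServerName       = $SqlServerName
            RecoveryModel       = $recovery
            IsMirrored          = $mirrored
            InAvailabilityGroup = $inAg
        }
    } finally {
        $conn.Dispose()
    }
}

# Registry value named in the procedure above.
$setupKey  = 'HKLM:\SOFTWARE\Microsoft\UpdateServices\Server\Setup'
$sqlServer = (Get-ItemProperty -Path $setupKey -Name SqlServerName).SqlServerName

if ($sqlServer -like '*##*') {
    # Assumption: a name such as MICROSOFT##WID is the Windows Internal Database,
    # which cannot take part in mirroring or an availability group.
    Write-Output "SUSDB is on the internal database ($sqlServer); the AG/mirroring check does not apply."
} else {
    $state = Get-SusdbServicingState -SqlServerName $sqlServer
    $state | Format-List

    if ($state.IsMirrored -or $state.InAvailabilityGroup) {
        Write-Warning ('SUSDB is mirrored or in an availability group; "postinstall /servicing" is ' +
            'expected to stop with the ALTER DATABASE error quoted above. Take a full backup first.')
    } else {
        Write-Output 'SUSDB is not mirrored and not in an availability group.'
    }
    # Keep this value and compare it after servicing (see the recovery-mode note above).
    Write-Output "Recovery model before servicing: $($state.RecoveryModel)"
}
```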

  10. New patch worked here on a Server 2012R2 (installed KB3148812 on the first day available but uninstalled it afterwards without doing the additional postinstall steps). Of course, I made an extra full backup today before trying the new patch 😉

  11. David Weston says:

    What if we later need to install the WSUS role on a 2012 or 2012 R2 server? Will we need to go through the manual configuration steps?

    1. Yes, Windows Server 2012 and 2012 R2 do not support native ESD decryption out of the box, so this update and these manual steps will be required. Windows Server 2016 will require neither at RTM.

  12. Scott says:

    Installing this update broke the WSUS console and created an error on connected devices. Updates had to be run by checking updates online.

    1. Did you follow the guidance detailed in when installing the update?

  13. Mike says:

    I just installed KB3159706 and it has the same problem as KB3148812. After installing and rebooting, WSUS service will not start

    1. Can you post in the WSUS forum the error that you’re seeing?

  14. Matthew Davison says:

    I’ve run into a problem with the SSL configuration for this update, namely, that web.config file is under the control of the component store.

    As soon as we modify it, we’re also editing the hardlinked copy in WinSXS.

    So I ran sfc /scannow, which as I suspected flags the file, and therefore the whole component store, as corrupted.

    If I run dism to repair this, is it going to then reset the web.config file back to the inbox version and thus break the service again?

    1. As other comments have noted, you need to assign ownership of web.config to the administrators group. We’re updating the KB to reflect these changes. Should be live early next week, if not sooner.

      1. Matthew Davison says:

        Hi Steve,

        The issue here isn’t the need to take ownership. That works. The issue is that once you have done this, the windows component store considers the file corrupt. This means that operations such as sfc /scannow will mark the component store as corrupt as a result of this change. It also means that any future update to WSUS will reset this file back to its original state.

        It seems unusual to say that in order to have SSL for WSUS, the server must be left with a corrupt component store?

        1. Yes, that’s definitely not an intended outcome, and we can’t leave the machine unable to scan. Can you reproduce this 100% of the time?

          1. Matthew Davison says:

            Yes, I’m afraid this is 100% reproducible. Every time you run sfc /scannow on any server where this file has been modified you get complaints of corruption.

          2. Tying up loose ends… Matthew, we’ll be shipping a new version of web.config with each subsequent update to WSUS. It’s now part of the component manifest, so ownership won’t need to change anymore. We considered shipping this file on the initial release of this KB, but didn’t want to clobber anyone’s customized settings in the process.

            Are you able to live with a “corrupt” file according to SFC until the next update? It doesn’t affect any actual operations, does it?

  15. Tobi says:

    Just to make sure, I have to install this update only on my WSUS servers? All other Windows 2012 R2 Servers don’t need it!?

    1. Correct: this update applies only to WSUS for Windows Server 2012 and 2012 R2.

  16. Stephen March says:

    It’s worth noting that by default, users have only read access to the “C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config” file. I had to take ownership and change the file security to be able to edit it.
    This should have been mentioned in the KB by Microsoft

    1. Agreed: we’ll make that note in the KB.

  17. Carl says:

    How did you edit web.config? I’m getting access denied and only windows installer has full access. I can’t even overwrite the file.

    1. Trammel says:

      You must open notepad as administrator.

  18. TD says:

    Sidenote: On my machine (2012 R2) I had to take ownership of the “Web.Config” file and change the security beforehand, because only the TrustedInstaller had permissions to change this file.

  19. Ted says:

    Having problems with the update on Windows Server 2012. The update installs but after a reboot I get an error message a couple of minutes later in the Application log:
    EventID 507, Source: Windows Server Update Services
    “Update Services failed its initialization and stopped.”
    SQL is a local SQL2014 Express installation. If I do the postinstall steps it says successful instantly but doesn’t seem to do what it’s supposed to do. .NET 4.5 HTTP Activation is already installed. Uninstall gets my WSUS up and running again.
    On another server with Server 2012R2 the installation and postinstall was successful and as far as I tested seems to work.

    1. Please post this in the WSUS forum so that it can be properly investigated. Off the top: have you attempted to manually start the WSUS service?

  20. DE says:

    We have a 2012R2 WSUS Upstream Server that provides Updates and Approvals for several 2008R2 Replica WSUS

    Will this Update break this Configuration, or will the Upstream Server be able to provide those Updates to Clients that are directly connected, and the Replicas won’t?

    1. The latter is the case. WSUS 3.0 SP2 will never be able to deploy the Upgrades classification (what we’re calling feature updates going forward), but any clients directly connected to your [patched] Windows Server 2012 or 2012 R2 WSUS will be able to leverage this functionality.

  21. jdm says:

    The postinstall procedure failed with problems connecting to the WID database. Fatal Error: Login failed. The login is from an untrusted domain…… The WID service uses the default account NTSERVICE\MSSQL$MICROSOFT##WID

    1. Have you posted this in the WSUS forum linked in the post above? Debugging via blog comments is relatively difficult.

  22. Jens Ole Kragh says:

    Are you reading the WSUS forum?

    1. I stop in when I can, usually more toward the end of the week. There are plenty of field engineers, MVPs, and other support folks monitoring it on a constant basis, and they’ll have you covered for 95% of the issues. It’s that 5% that I look for, the stuff that reconfiguration and running manual steps can’t solve.

    2. FYI – I saw your thread and have responded. Thanks for using the forum!

  23. Ingo says:

    There are additional steps necessary, since the Web.config is not accessible for Admins. You can use this script for automating a few steps. You only have to add the lines in the Web.config file manually.

    "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
    takeown /F "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config"
    icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant YOURDOMAIN\Administrator:(F)
    start /wait notepad "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config"
    net stop wsusservice
    net start wsusservice

  24. Pidzsi says:


    Yesterday I installed some updates on my wsus server (windows server 2012 r2) and it only listed the KB3159706 (with some other updates, but the KB3148812 was not there) update for me. After I installed it, my wsus server won’t work. The same error occured just like with the KB3148812. After I uninstalled KB3159706 and restarted the server it works again.

    1. Please see for details on how to install this update. You’ll need these manual steps to make your WSUS work with the patch.

  25. Ted Bogucki says:

    I am using the internal sql db and after installing the update I get the following in the application log. At which point I am unable to open the wsus console

    Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’. Reason: Failed to open the explicitly specified database ‘SUSDB’. [CLIENT: ]

    If I un-install the patch the error goes away and wsus works again


    1. When you say “internal sql db,” do you mean the WID? Did you run the manual steps detailed in after installing the update? It’s not expected to work without them.

  26. John C. Kirk says:

    That worked a lot better than KB3148812, so thanks for that.

    The KB article currently says:
    “1.Open an elevated Command Prompt window, and then run “C:\Program Files\Update Services\Tools\wsusutil.exe postinstall /servicing” (case sensitive, assume C: as the system volume).”

    On my server, that produced an error message:
    “The system cannot find the path specified.”

    I had to do it as a 2 step process: cd to “C:\Program Files\Update Services\Tools”, then run “wsusutil.exe postinstall /servicing” in that folder.

    1. Yes, technically it should be "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

      Without the quotes around the image path, it’ll think you want to access “C:\Program”, which is not usually a valid path. We’ll get that tweaked in the KB to avoid confusion.

  27. The web.config file that you need to edit if you use SSL is owned by TrustedInstaller and users/admins have read only access. You might want to update your instructions to reflect that the user needs to take ownership and modify permissions before they will be able to edit the file, and then restore the owner/permissions after editing.

  28. M. says:

    It’s not working.
    This Update damaged WSUS too, same Error like KB3148812!
    Only uninstall of KB3159706 solved the Problem. (Server 2012 R2)

    1. Did you run the manual steps detailed in If not, then you’ll see the same issues as KB3148812.

  29. Brian says:

    Just FYI, I’m running a very “plain” WSUS on a Windows Server 2012 R2 virtual machine via Hyper-V. It is stand-alone. Member of a Windows 2012 R2 domain. Set it up in December of 2015. The only thing even slightly out of the ordinary on this WSUS server is that I installed KB3095113 while it was still a hotfix. Since then, I have only installed Important and Optional updates directly from Windows Update on this WSUS server.

    And yet, after installing KB3159706 on this WSUS server, I was unable to connect to the server via its local Management Console (or in any other way).

    Could this possibly be related to the KB3095113 hotfix installation? Because that’s the only thing causing this server to be anything but “pure vanilla.”

    1. Brian says:

      *sigh*. . . Sorry, I was under the impression that this newer update (KB3159706) didn’t require the manual steps any longer (because I assumed those manual steps were only introduced due to the problems in the prior update).

      1. Does that mean running the manual steps fixed your issue?

  30. Tom says:

    Are you aware that the web.config file that you need to edit if using SSL, only allows administrators RX access and is owned by TrustedInstaller? So you have to take ownership of the file (takeown /f web.config /a) and then grant administrators full control (icacls web.config /grant administrators:f) before it can be edited. This needs to be in the KB.

    1. Alex Souza says:

      Was anybody able to deploy update to win 10 using WSUS?
      Even after the update I’m still getting the error “Windows 7 and 8.1 upgrade to Windows 10 Pro, version 1511, 10586 – en-us, Retail” on my Windows 7 PC’s.
      Thank you

      1. What you describe is the title of an Upgrade, not an error. Can you post your issue in the forum for proper analysis?

    2. Thanks for the note. A few folks have pointed this out, and we’ll get it added to the KB.

      1. PepperdotNet says:

        Not sure why taking ownership of web.config is necessary. Here’s what I did:
        – edit the file with Notepad
        – save changes – this said access was denied, so I saved it to the desktop
        – copy the file from the desktop back where it belongs
        – confirm the prompt that admin permission is required to replace the file
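The take-ownership steps that several commenters describe above, combined with the restore step that comment 27 asks for, as an added example; it is not from the KB or from any commenter. It saves the original DACL, lets the Administrators group edit Web.config, checks that the result is still well-formed XML, then hands ownership back to TrustedInstaller and restores the saved DACL. The scratch folder under `%TEMP%` is an assumption.

```powershell
# Added example, not from the KB or the commenters. Run from an elevated
# PowerShell session on the WSUS server.
$ErrorActionPreference = 'Stop'

# Path quoted in the comments above; assumes C: is the system volume.
$webConfig = 'C:\Program Files\Update Services\WebServices\ClientWebService\Web.config'
$configDir = Split-Path -Parent $webConfig
# Hypothetical scratch folder for the backup copy and the saved ACL.
$workDir   = Join-Path $env:TEMP ('wsus-webconfig-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$aclFile   = Join-Path $workDir 'Web.config.acl'
$backup    = Join-Path $workDir 'Web.config.bak'

function Invoke-Native {
    # Run a console tool and turn a non-zero exit code into a terminating error.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session.'
}

# Keep a copy of the file and of its original DACL before changing anything.
New-Item -ItemType Directory -Path $workDir | Out-Null
Copy-Item -LiteralPath $webConfig -Destination $backup
Invoke-Native icacls @($webConfig, '/save', $aclFile)

$valid = $false
try {
    # Owner becomes the Administrators group (/A); S-1-5-32-544 is its well-known SID.
    Invoke-Native takeown @('/F', $webConfig, '/A')
    Invoke-Native icacls @($webConfig, '/grant', '*S-1-5-32-544:(F)')

    # Make the edits from the KB by hand, then close Notepad to continue.
    Start-Process -FilePath notepad.exe -ArgumentList ('"{0}"' -f $webConfig) -Wait

    try {
        # A malformed Web.config would stop the client web service from loading.
        [xml](Get-Content -LiteralPath $webConfig -Raw) | Out-Null
        $valid = $true
    } catch {
        Write-Warning "Edited Web.config is not well-formed XML; restoring the backup. $_"
        Copy-Item -LiteralPath $backup -Destination $webConfig -Force
    }
}
finally {
    # Hand ownership back first, while full control is still granted, then
    # replace the DACL with the one saved at the start.
    Invoke-Native icacls @($webConfig, '/setowner', 'NT SERVICE\TrustedInstaller')
    Invoke-Native icacls @($configDir, '/restore', $aclFile)
}

if ($valid) {
    Restart-Service -Name WsusService
    Write-Output "Web.config updated; backup and saved ACL are in $workDir"
}
```

Restoring the owner and DACL does not change what Matthew Davison reports above: the file content still differs from the component store copy, so `sfc /scannow` will continue to flag it.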

  31. Sick of your failures says:

    Since few years ago, Microsoft’s failures have been increasing and increasing. To increase profit, Microsoft has fired all their elite programmers and support engineers and moved their support and development to the developing world, and gave them manuals like chimps to solve cases and issues. I have no problem with developing countries, I come from one of them! To increase profit, you fire off engineers and give chimps manuals to save costs. Since then, and since they have less serious people to develop the code AND TEST IT, they only develop with very little testing, and release their buggy code to everyone, and it is US, the final users who have to test it and then beg Microsoft for fixes and guess what? We still have to do loads of manual work and refer to blogs and smart guys. And by the way, I AM A MICROSOFT FTE!

    1. An FTE? Then perhaps your name could be “Sick of our failures”, no? =]

      More seriously, I’m open to a frank discussion about this if you want to look me up in the GAL.

      1. Alessandro says:

        I’m not aware of MS Work conditions, but as a MS Partner that was with upgrade to win 10 project running while Master WSUS server Died by this poorly tested patch make things clear that internal test scripts are not expected from Microsoft. Another user reported problems with AG, this also show another error with same source. Lack of testing.
        Due to this lack of responses to affected people, we are forced to rebuild our entire WSUS structure from scratch.
        Download All of win10 flavours in 5 languages again… And pray for everything work again. Now in 3% of 200Gb of downloads.
        Thanks for all Microsoft!!

  32. Christian_K says:

    For network security related reasons, my WSUS server is not allowed to download and install patches from public Internet sources, such as Microsoft Update. Is there any way for an individual download of KB3159706 to install it manually on my WSUS server?

    1. KB3159706 was also published to WSUS and Microsoft Update Catalog. The latter offers an opportunity to directly download the update, and then move it to your WSUS server via trusted file shares after performing the appropriate virus scans and such.

  33. Adam Baxter says:

    I installed KB3159706 last night but have found today that this update has caused issues with WSUS on Windows Server 2012 R2.

    WSUS will not start after installing KB3159706 and I am also seeing ‘MSSQL$MICROSOFT##WID’ error 18456. Is this a known bug?

  34. Adam Baxter says:

    Sorry, I should have seen that even after installing the newer update (KB3159706) you are still required to run the manual steps:

    I can confirm that running the manual steps after installing KB315970 does fix WSUS

    1. Glad it works for you, Adam. We’re looking at not requiring manual steps to finalize future updates, since this caused an unnecessary amount of confusion. WSUS servicing can and should be simpler than that.

  35. Jermell Howard says:

    My WSUS is still having issues; none of the clients seem to be reporting back to WSUS. I’ve removed the WSUS role and added it back but the issue persists since KB3148812. Everything is good on the client side, they are pointing to the correct location. The strangest thing, all of the clients are continuing to be updated via the one WSUS. The statuses in WSUS just aren’t updating.

    1. Have you run all the post-install tasks specified by KB3159706? If so, then please post your issue in the WSUS forum, so that we can properly troubleshoot.

  36. Netgurus says:

    How long until there is a KB that automates these manual steps?

    As I understand the KB this will only affect WSUS ability to provide Windows 10 feature updates after 5/1.

    1. We’re not planning a KB to automate these steps specifically; however, we will be making improvements to the update experience for WSUS overall.

  37. Malty Timber says:

    After installing KB3159706 (and post install steps) some of (but not all) my WSUS 4.0 servers have trouble rolling up data to a WSUS 3.0 SP2 master server. They report only partial data: last contact date and last sync date of PCs are shown correctly, but the list of installed updates is not updated on the master server anymore.

  38. Malcolmo says:

    After installing KB3159706 and going through the manual changes afterwards WSUS runs OK and Syncs to my upstream server. However I now have the following error reported in the Application Event Log:-
    Source System.ServiceModel Event ID 3 Task Category WebHost

    WebHost failed to process a request.
    Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/6044116
    Exception: System.ServiceModel.ServiceActivationException: The service ‘/ClientWebService/Client.asmx’ cannot be activated due to an exception during compilation

    We are using SSL for WSUS, let me know if you want the complete error message posted.

    1. Malcolmo says:

      PS Client machines can no longer connect to the server either.

    2. Sounds like you might have a typo in your web.config file. Can you double-check the edits that you made to it?

  39. Malty Timber says:

    Just tested syncing the affected WSUS 4 to another WSUS 4, both with KB3159706 + post steps.
    Problem still exists. Patch data will not roll up. So root cause is not the WSUS 3 master.

  40. Jim Sutton says:

    This update caused the same issue as KB3148812. Had to un-install it (KB3159706) to get WSUS to work again.

    1. What issue did you run into? Had you already run the manual steps after installing KB3159706?

  41. Juneau79 says:

    My Windows Server 2012 R1 WSUS Servers are still having trouble after this fix. My 2012 R2 WSUS servers seem fine. I can connect to the console after installing the KB3159706 and performing the manual post-install steps on 2012 R1 WSUS, but clients are unable to connect to the WSUS server with error code 80244019 or 80244008 for my cloud clients.

    1. Please post your client logs for these scan failures in the WSUS forum. With the limited information in this comment, we cannot identify root cause.

  42. Tom says:

    After the update is installed there should be some kind of notification for admins that further steps are needed or update the patch to do the changes automatically. I foresee issues down the road if someone needs to setup a wsus server and are just patching it to get it current, they may not realize that there happen to be manual steps required.

    1. Ideally, the necessary steps will happen automatically. Short of that, WSUS should alert the admin via the console that action needs to be taken. We appreciate your feedback, and are looking at ways to provide this experience going forward.

  43. Tom says:

    Steve, this is an unrelated issue but I don’t know of any other way to let the appropriate people know, and I suspect you could pass it along.

    I just went to download an update using Microsoft Update Catalog for the first time in a while, and discovered that the ActiveX control used by the site causes an ASR exception in scrrun.dll which gets terminated by EMET 5.5. So in order to use the site, I had to disable the ASR mitigation (not easy as we enforce with Group Policy) for iexplore.exe. After that, the site worked fine.

    Could a developer take a look and fix the DLL so it doesn’t trigger the ASR mitigation in EMET 5.5?

    Thank you.

    Event log entry:

    EMET version 5.5.5871.31892
    EMET detected ASR mitigation in IEXPLORE.EXE

    ASR check failed:
    Application : C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    User Name : Redacted
    Session ID : 1
    PID : 0x910 (2320)
    TID : 0x2C80 (11392)
    Module : scrrun.dll

    1. Argh says:

      This ActiveX disaster has been extensively discussed under previous blogpost. The ActiveX just needs to vanish from there for the site to be usable. “Fixing” it is a complete waste of time.

      1. Yes, ActiveX has been around for long enough, and it’s time to bring Catalog into 2016.

  44. Angelo Cosenza says:

    I am running WSUS Svr2012 R2 with Win7.1, 8.1 and 10 clients.
    On the 12th May I approved and installed all available updates including KB3159706,
    KB3148812 is not in my list of installed updates nor is available for install.
    I was not aware of the “wsusutil.exe postinstall /servicing” and had NOT run it.
    I un-installed KB3159706.
    I am still getting Error Event ID 8 “Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’. Reason: Failed to open the explicitly specified database ‘SUSDB’. [CLIENT: ]”
    After running Win Update again, KB3159706 is NOT available to re-install.
    How can I download KB3159706, as it is NOT offered in WinUpdates?
    What course of action can/should I take?
    Please help. Urgent.

    1. You can download KB3159706 directly from – search for the KB.

  45. Joe says:

    Can someone tell me whether this update is needed on a SCOM 2012 R2 server, given that it uses WSUS under the covers for the Software Update distribution? And if so are there any differences in how you complete the post-install, given that you’re not normally supposed to run wsusutil.exe against a SCOM server?

    1. Depends on whether you plan to use the in-place upgrade functionality provided through WSUS. If you plan to use task- or media-based installation, then you can use Configuration Manager to perform your feature update deployments.

  46. J Mac says:

    OK, we have uninstalled KB3148812 and WSUS on 2012 R2 was running fine till the next update and restart. Then we had to search for the new issue and found KB3159706. Now we have performed the manual steps and WSUS is running again.
    Sorry guys, it took us about 2 hours to solve this issue, including searching for what had happened again. We do not have the manpower to run after such issues. WSUS needs to be reliable without manual installation steps. We have a small idea about the complexity of the system and have great respect for your work. Please keep it simple for us Admins. Thanks

    1. Thanks for the feedback. We are taking it into account for future WSUS experiences.

  47. thomas says:

    KB3159706 did not work for me.

    I have done all post-installation steps.
    I did not get any error message running “wsusutil postinstall /servicing“.
    As result the clients cannot communicate with WSUS and the WSUS mmc console is not working.
    I noticed that KB3159706 places SUSDB in a “recovery pending“ state. (using SQL Server Management Studio).
    Uninstallation of KB3159706 solves the problem.

    1. What is the error reported by the WSUS console after installing KB3159706?

      1. thomas says:

        Finally I managed to get the update to work.
        I made some changes in the installation process this time.
        1. Install the update
        2. Restart the server (I’m not sure if I did this last time)
        3. SQL Server Management Studio shows that the database is in a “recovery pending” state.
        4. I stop the WSUS service (I did not do this last time)
        5. Run wsusutil.exe postinstall /servicing (this time it seems to take a little longer, about 1-2min)
        6. The wsus service has started automatically
        (HTTP Activation and changing Web.config I already had done last time)

        Hope it will work now.
        Are there any long term issues?

        1. If it’s still working for you today, then you’re likely in the clear. Shutting down the service shouldn’t be necessary, but it’s not a bad precaution to take.

  48. Don says:

    I have completed the install, including the changes to the Web.config file and adding the Roles and Features for .NET Framework 4.5 Feature…WCF Services…HTTP Activation. The latter also had a prerequisite to add Windows Process Activation Service….Process Model, which I did. To change the ownership of the Web.config file, I selected Properties->Security Tab->Advanced->Change owner->Apply->OK, then opened Advanced->Selected Administrators(new owner)->Edit->Full Control->OK, then on Advanced Setting->Apply->OK, and opened the file with Notepad and edited the file.

    When I attempted to open WSUS, I had an error message to RESET SERVER NODE. In doing so, nothing happened, went to updates list and removed KB3159706 and restarted in order to access WSUS again.

    For now have hidden the update KB3159706, until some resolution is found.

    1. What happened when you ran “wsusutil postinstall /servicing” as specified in the KB?

  49. Argh says:

    Any progress here with the full SQL server scenario?

  50. Dave H says:

    So my WSUS instance was originally setup using WID, but the DB was migrated to full SQL Server a year or two ago. Now when I run the postinstall /servicing bit, it seems to detect that the system had the WID role and tries to mess w/ that DB, which isn’t present/used:
    2016-05-15 18:58:07 Detected role services: Api, UI, WidDatabase, Services
    2016-05-15 18:58:07 Start: LoadSettingsForServicing
    2016-05-15 18:58:07 WID instance name: MICROSOFT##WID
    2016-05-15 18:58:07 End: LoadSettingsForServicing
    2016-05-15 18:58:07 Servicing WID database…
    2016-05-15 18:58:07 Servicing the database…
    2016-05-15 18:58:07 Install type is: Fresh
    2016-05-15 18:58:07 Install type is Fresh, but should be Upgrade. Cannot service the database

    Any way to either run the DB upgrade scripts manually or to convince wsusutil to service the actual DB instance?

    1. Wsusutil.exe is capable of detecting by itself whether WSUS is using WID, or SQL Server.

      Notice that the log says –‘Detected role services: API, UI, WidDatabase, Services’. Also, once WID is installed, WSUS cannot be configured to use SQL Server. Can you confirm:
      1) The value of SqlServerName in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup
      2) The values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\Installed Role Services

      Also, how did you migrate from WID to SQL? Was it a clean install and subsequent migration, or did you reuse the SUSDB created by WID?

      1. JimO says:

        Steve H: We migrated our WUS from WID to SQL only a week before these updates were applied. Both updates break WUS. Why do you say “once WID is installed, WSUS cannot be configured to use SQL Server”? That is not true. I migrated the database using this technet article: . As with the other posters, I spent most of a day trying everything to restore WUS. The only thing that worked was restoring from backup and declining the two KBs from installing.

        1. My statement was not properly qualified: migration from WID to SQL is supported for WSUS 3.0 SP2 on Windows Server 2008 R2 and earlier platforms, but the registry keys described in that article do not accurately call out the Windows Server 2012 keys, since the document was written before that platform was released. For instance,

          This key – HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup\wYukonInstalled – doesn’t exist on Server 2012 and above.
          Also, the post-install relies on other values under – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\Installed Role Services – but they’re not mentioned in the article.

          We will update the guidance to include Windows Server 2012 and R2 registry keys, so that the migration can be completed on those platforms, as well.

          1. Adam says:

            Hello – We’re still having troubles getting WSUS working after applying the new patch and performing the manual steps. We too are running on 2012 R2 and have migrated off of WID and to a remote SQL server. I see the WID entry in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\Installed Role Services key you mentioned above. Should I delete that key and try again?

          2. There’s a little more to it than that. Removing the WID also removes several folders that WSUS needs to function, which could be why you’re hitting this issue. Can you try reinstalling the WID role on your server? If you don’t want it installed ultimately, then you can copy the folders it creates, remove the role again, and then copy them back. It’s extra effort, but you can get there if the WID bothers you.

  51. Michael says:

    Is there any change to be made on the LTSB of Windows 10? As my test client can’t download patches from wsus after the update.

    1. There’s nothing special about LTSB as a Windows Update client: it should be able to scan WSUS like any other client does. What errors are you seeing in the WU client log?

      1. Michael says:

        The Client does see the updates, but can’t download them. Error is as follows:

        Fehlerbucket 126314101138, Typ 5
        Ereignisname: WindowsUpdateFailure3
        Antwort: Nicht verfügbar
        CAB-Datei-ID: 0

        P1: 10.0.10240.16724
        P2: 80244018
        P3: DE4BA286-5558-4A98-A138-E36A609F6A6D
        P4: Download
        P5: 200
        P6: 0
        P7: 0
        P8: UpdateOrchestrator
        P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
        P10: 0

        All non Windows 10 Clients have no problems downloading them.

  52. Squuiid says:

    After so MANY tweaks, patches, registry edits, you name it, we’re still having problems with using WSUS for Windows 10 upgrades.
    We have spent days and days trying to resolve this.
    .esd MIME change, hotfix, new patch, long term fix with manual steps required (really?!), changing registry entries for clients AllowOSUpgrade 1, DisableOSUpgrade 0, deleting old upgrade content, and more. All this and this process still does not work!

    Microsoft, you’re setting a deadline for the free upgrades yet have not even finished creating the tools required for deployment!
    This is a sick joke:

    (Unable to Find Resource:) ReportingEvent.Client.181; Parameters: Windows 7 and 8.1 upgrade to Windows 10 Pro, version 1511, 10586 – en-us, Volume

    1. Sorry to hear that your upgrade experience via WSUS is subpar. We definitely have some growing pains in this area, and I think the solution for your case could be helpful for others. Have you posted it in the WSUS forum?

  53. M Alto says:

    This went poorly for us. Our WSUS was initially installed with the WID and we migrated to SQL Express at some point. After the update for KB3159706, I went to run the command line step and got an error saying it could not connect to SQL Server. In the log file I noticed this: “Detected role services: Api, UI, WidDatabase, Services”, and “WID instance name: MICROSOFT##WID” which pointed to it thinking I was still using the WID. I ended up removing the WID Database feature from the Windows Roles/Features Wizard and adding the “Database” feature under WSUS. Post-configuration seemed to be required for that, which didn’t seem to work. Running the command line now succeeded but did nothing as it wasn’t attempting to upgrade any database at all since it didn’t think I had that role installed. After a reboot, the command line seemed to work but the log file said “Install type is Reinstall, but should be Upgrade. Cannot service the database”. Clients can now connect to the WSUS and I can open the Admin GUI for WSUS. I’m hoping this means adding the feature magically did whatever needed to be done to the SQL Database and everything is fine, or that the “install type is reinstall” actually did what it needed to do, but who knows? Is there a particular column in the DB we should look for to indicate everything is fine?
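Added example, not part of the original comments and not Microsoft's tooling: a Python triage of the `wsusutil postinstall /servicing` log for the outcomes Dave H (comment 50) and M Alto (comment 53) describe, namely a WID role detected on a server whose SUSDB lives elsewhere, an install-type mismatch that stops servicing, and a run that never touches the database. The sample log is constructed from the lines quoted in comment 50; the function name, finding codes and the `database_is_wid` parameter are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Message shapes taken from the log lines quoted in the comments above.
STAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.*)$")
ROLES = re.compile(r"^Detected role services:\s*(.+)$")
WID_INSTANCE = re.compile(r"^WID instance name:\s*(\S+)")
MISMATCH = re.compile(
    r"^Install type is (\w+), but should be (\w+)\. Cannot service the database")

# Constructed sample: the lines quoted in comment 50, from a server whose
# SUSDB had been migrated off WID to full SQL Server.
SAMPLE_LOG = """\
2016-05-15 18:58:07 Detected role services: Api, UI, WidDatabase, Services
2016-05-15 18:58:07 Start: LoadSettingsForServicing
2016-05-15 18:58:07 WID instance name: MICROSOFT##WID
2016-05-15 18:58:07 End: LoadSettingsForServicing
2016-05-15 18:58:07 Servicing WID database…
2016-05-15 18:58:07 Servicing the database…
2016-05-15 18:58:07 Install type is: Fresh
2016-05-15 18:58:07 Install type is Fresh, but should be Upgrade. Cannot service the database
"""


@dataclass
class Triage:
    roles: List[str] = field(default_factory=list)
    wid_instance: Optional[str] = None
    servicing_attempted: bool = False
    install_mismatch: Optional[Tuple[str, str]] = None  # (found, expected)
    findings: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def codes(self) -> List[str]:
        return [code for code, _ in self.findings]


def triage_postinstall_log(log_text: str, database_is_wid: bool) -> Triage:
    """Parse a postinstall log and flag why the database may be unserviced.

    database_is_wid is what the administrator knows to be true about where
    SUSDB actually lives (hypothetical parameter, not read from the system).
    """
    t = Triage()
    for raw in log_text.splitlines():
        stamped = STAMPED.match(raw.strip())
        if not stamped:
            continue  # ignore lines without a timestamp prefix
        msg = stamped.group(1)
        roles, wid, bad = ROLES.match(msg), WID_INSTANCE.match(msg), MISMATCH.match(msg)
        if roles:
            t.roles = [r.strip() for r in roles.group(1).split(",")]
        elif wid:
            t.wid_instance = wid.group(1)
        elif msg.startswith("Servicing the database"):
            t.servicing_attempted = True
        elif bad:
            t.install_mismatch = (bad.group(1), bad.group(2))

    # 1. Setup believes the WID role is installed, but SUSDB is not on WID.
    if "WidDatabase" in t.roles and not database_is_wid:
        t.findings.append((
            "role-mismatch",
            "log shows the WidDatabase role (instance %s) but SUSDB is not on "
            "WID; postinstall targeted the wrong database" % t.wid_instance))
    # 2. Servicing started but stopped on the install-type check.
    if t.install_mismatch:
        found, expected = t.install_mismatch
        t.findings.append((
            "not-serviced",
            "install type was %s, expected %s; the database was not serviced"
            % (found, expected)))
    # 3. The run 'succeeded' without ever reaching the database.
    elif not t.servicing_attempted:
        t.findings.append((
            "no-servicing",
            "no 'Servicing the database' line; postinstall never attempted "
            "the database"))
    return t


if __name__ == "__main__":
    result = triage_postinstall_log(SAMPLE_LOG, database_is_wid=False)
    for code, detail in result.findings:
        print(f"[{code}] {detail}")
```

An empty findings list only means none of these three patterns appeared in the log; it does not prove the schema upgrade completed.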

  54. Bernd Rosenkranz says:

    After a few hours, the errors and console crashes stopped – hope it stays this way ^^

  55. CS says:

    I’d like to thank you for bringing my WSUS server down with both of these updates. Cheers.

    1. Sorry for the service interruption. Is your WSUS still down?

  56. Kenneth Froehlke says:

    This updated update STILL broke my WSUS. Had to remove it, again.

    1. We need details in order to understand how you were broken, since skipping the update is not a valid option if you want this functionality.

  57. BOB says:

    I successfully followed the steps and got my WSUS server working, and the next week it broke again, and just last week I restored the WID database, and got it going, and it worked from Friday to Sunday; come Monday it refused to open the database (marked as “Suspect”) when running the WSUSUTIL postinstall /servicing. The only solution I’ve found is to restore the Database from backup.

    Thoughts welcome.

    1. This is odd behavior. When you say “it broke,” what failures were you seeing? How many times did you run the wsusutil command line? Did you ever run it without the /servicing flag?

      Finally, if you apply KB3159706 and run the necessary manual steps after restoring from backup, does the issue recur?

      1. OSO says:

        I have the exact same problem: WSUS works for a few hours and then crashes. I cannot update my infrastructure. I have SCCM with WSUS on the same machine; the DB is on another machine. The event log gives me these errors:

        Source: Windows Server Update Services
        The Reporting Web Service is not working.

        Source: Windows Server Update Services
        The API Remoting Web Service is not working.

        Source: Windows Server Update Services
        The Server Synchronization Web Service is not working.

        Source: Windows Server Update Services
        The Client Web Service is not working.

        Source: Windows Server Update Services
        The SimpleAuth Web Service is not working.

        Source: Windows Server Update Services
        The DSS Authentication Web Service is not working.

        Source: Windows Server Update Services
        The WSUS administration console was unable to connect to the WSUS Server via the remote API.

        System.IO.IOException — The handshake failed due to an unexpected packet format.

        That’s all the event logs. The solution is to reboot the machine, and it starts working again for a few hours 🙂 Bravo Microsoft, great patch.

        1. Have you already run the manual steps detailed at ? It sounds like the postinstall task would address the behavior you’re seeing.

  58. Michael S says:

    I’m still having issues after installing KB3159706. I performed a restart, ran postinstall, and added the new Features for HTTP Activation. However, I didn’t perform the web.config changes because I am currently not using SSL, which shouldn’t be an issue, correct? I can open WSUS Manager fine; however, no clients can connect, nor can the WSUS server itself.

    1. Yes, you shouldn’t need the web.config changes unless using SSL. Can you share what errors your clients are seeing when they attempt to scan your WSUS?

  59. sk8er88 says:

    KB3159706 still is breaking my WSUS. Starting to wonder about this whole WSUS thing, I’ve now had it running for a few weeks, and each time I’ve done updates to the local WSUS it breaks the server. The irony is not lost on me. When I open the console it says it cannot connect to the DB. The service is in a stopped state. I try to manually start the service, and that does not work. I uninstalled KB3159706, rebooted, and everything came right back up.

    1. Sounds like you haven’t run the manual steps (specifically postinstall /servicing) described at Can you try [or confirm] that and check again?

  60. Test_home says:

    I must say that I would hate to do a new install and put WSUS on the server. This update has manual steps that I will have to remember. I imagine most new people would never know to look at these post install notes when you are offered 200+ updates on 2012R2 (and you would have to click and open each and every update to find it).
    Then the previous update was a manual fix as well where I had to find mime types and add it in for windows 10 machines.
    Chances of a successful install for most people are running near 0%

  61. Bert Kersting says:

    I have done the steps in this article and also the steps in KB3159706. After running the command “C:\Program Files\Update Services\Tools\wsusutil.exe postinstall /servicing” and rebooting the server, the console opens correctly. However, the next time I go to open the console (a day or two later) I get the same message Error: Connection Error Reset Server Node. I have continually had to execute the above command line every few days since May 1st. Any suggestions?

    1. This is not feasible long term. Can you paste the output of the console error that is reported (should be able to copy to clipboard) after the 1-2 days of working properly?

  62. Steeve SCHWAB says:

    I didn’t install KB3148812 on my WSUS server (Windows 2012 R2 French) but I did install KB3159706.
    After reboot WSUS was no longer available.
    I then found the Microsoft article which explains the problem & solution related to the KB3148812 installation.
    But in my case I had to uninstall KB3159706 and reboot the server for WSUS to work again.

    Hope you will find a solution until the Anniversary release of Windows 10.

    1. This is the solution. If it doesn’t work for you, then please let us know so that we can help you troubleshoot as needed.

      1. Nathan says:

        Has this issue been fixed?

        1. Nathan says:

          I also have French enabled on this server. I wonder if that is a coincidence?

  63. No idea why my name is shown as GUID, but here goes:
    did the KB3159706 including post install steps. WSUS Console is opening and everything but clients are not getting updates.
    The post install steps are poorly clarified (and even poorer auto translated …), several things remain unclear to me:

    PS: I’m using SSL

    Question 1: Am I supposed to enter something at endpoint address =”” ? (was mentioned in the original web.config file)
    NOTE: To configure for both http and https, use full paths for endpoint addresses:

    Question 2: Am I supposed to change the permission/ownerships back after editing the file? was mentioned somewhere below in the comments?

    I’m getting these errors:
    – Error on WSUS Server in the Eventlog: ID 12022 – The Client Web Service is not working.
    – Errors on 2 different clients (already Win10 1511): 0x80240017 and on a different Win10 1511 Client: 0x8024401f

    1. Please check the KB again: we blocked the translation, which might make the steps clearer for you. Thanks for bringing that to our attention!

      It sounds like you’ve got a typo in the web.config file. Once you’ve fixed it, don’t worry about reassigning ownership: the Trusted Installer will take it back when WSUS gets updated in the future.

  64. Antoine says:

    Hi guys

    I uninstalled KB3148812, installed KB3159706, followed the step in

    WSUS service is still crashing all the time, can’t make it stay up more than 5 minutes.
    it’s already 2 weeks I’m fighting with my WSUS / SCCM update point down, starts to be really urgent


    1. How is the WSUS service crashing? Is it under load (either from local processing or client scans) when it crashes? Can you provide any logged errors that describe the crash?

      Suspicion is that your IIS memory for the WsusPool is running low, which can cause process termination. If that’s the case, then you can raise the memory limit temporarily. Once your clients finish performing their full scans (again, guessing here), the traffic will calm down, and then you can lower the memory limit back to its original value.

  65. Deepak Mallick says:

    Clients still getting error after applying the fix (

    Error: (“WindowsUpdate_80244008” “WindowsUpdate_dt000”

    1. Please read and let us know if the steps (which may require slight modification to apply to non-Windows 7 machines) resolve your issue.

  66. John Parsons says:

    I’ve been having issues with WSUS recently and I’ve tracked it down to this KB3159706 update which I’ve just uninstalled having rebuilt my LAB WSUS server and installing this update after everything was working fine. My server does not have the KB3148812 update since its newly built and that update was removed a little while back.

    1. John Parsons says:

      I lied!!! When I follow the instructions properly….well, fully!!!!! It works with the update installed.

  67. Karen Finstad says:

    Followed the instructions to manually repair the issues around this KB. Console comes up but clients fail update with 8024401F error.

    1. Karen Finstad says:

      am unable to uninstall/change from Programs or re-run the WSUS installer -am well and truly screwed now.

      1. Sorry for the delayed response, Karen. Did you post your issue in the support forums for Windows Server? If you haven’t found resolution there, then please share the link of your post, and we’ll ensure it gets attention.

  68. Steve says:

    On my WSUS server 2012 R2, the service was continually failing. KB3148812 was not installed, however KB3159706 was. Uninstalling this fix resolved the problem and I was able to send updates to domain computers again. It seems that this fix only fixes things if KB3148812 is installed. If not, it causes the same problem.

    1. I didn’t see anywhere that you executed the manual steps required to make KB3159706 work. If you don’t do those, then the symptoms will certainly be the same between the two updates. Please go to for these details.

  69. Glenn Barnas says:

    What a PITA this has been – we auto-installed the update and lost WSUS last month. Found the KB info, removed the update. Rebooted, reapplied the update and followed the manual steps, first without and then with the SSL options in web.config (we don’t use SSL internally). Still no WSUS in our environment. Separate SQL, if that matters. Really don’t relish the thought of reinstalling WSUS.

    We’re a mid-sized dev shop and most of us wear a couple of hats. There’s rarely time to examine every update, but we do have a “dev on week 1 and prod on week 3” plan – didn’t help when there’s only 1 WSUS server and that’s what broke.

    IMPORTANT NOTE TO MICROSOFT – this could have been made MUCH LESS painful if the standard “do you accept the license” dialog had been used to display a “CRITICAL – Manual steps required – see [this KB article]” message. They pop up when approving in WSUS, and this might have alerted many admins to either defer the update or at least be aware that this update is unusual, special, different, whatever…

    1. Thanks for the feedback, Glenn. We underestimated the size of the wake that would be caused by this release strategy, and will certainly be more careful going forward. I’m not sure that we can reuse the EULA prompt (with different EULA text), but it’s something to consider.

  70. Robert says:


    I’ve set up my WSUS with SSL again this weekend, because my client PCs get a WSUS Error 8024401f … yesterday it worked well, because it was not fully patched – now fully patched – my PCs get that error.

    I installed the fix and did the manual steps as described in KB3159706 – My WSUS console is accessible again … but no PC can check for updates or download any …

    I am not amused …

    any hint for my problem?


    1. Apologies for the delayed response. Is this still happening, Robert? If so, then please share the link to your post in the Windows Server support forum, and we’ll make sure it gets attention.

  71. Jason says:

    I’m experiencing the symptoms of this issue, but I don’t have KB3148812 installed. I’m current w/ all Windows Updates from Microsoft on the WSUS server itself — so now what?

    1. What symptoms are you talking about? If you’ve installed KB3159706 and followed the manual steps described in the KB article, then you shouldn’t have any issues. Please post in the Windows Server support forums if this is not the case.

  72. Daniel B says:

    Solved it for me!
    Did not have KB3148812 installed, but had KB3159706 installed on my 2012R2 SCCM. Had a problem with SUSDB not working: “Cannot open database “SUSDB”, login failed.” After checking apppool memory, I followed *1 in this post-install of KB3159706, and now it’s working.

  73. WGreenTX says:

    Installed optional KB3159706 on my WSUS server the 25th. Discovered I could not open WSUS this morning. After several hours and much googling I was led here to find this BLOG and ‘This update requires manual steps in order to complete the installation’. I must agree with all the negative comments. This is ridiculous and inexcusable. I wasted the entire morning to get WSUS up again.

  74. Nathan says:

    WSUS crashes with this update. I followed the instructions (not using SSL), but it still breaks with the update applied. What gives?

    1. Netgurus says:

      So initially I caught the fact that KB3159706 breaks a functioning WSUS server. (KB 3148812 was already uninstalled) It did mine. I uninstalled the update and my WSUS server begins functioning again.

      So I decided to try the KB3159706 update again, several weeks later, because I know eventually I will need ESD decrypt capabilities on my WSUS.

      I am now about three hours into this evolution. KB3159706 did not work. The manual steps left me with a non-functional WSUS server. I followed the steps exactly, but something went wrong somewhere. Uninstalled KB3159706 again. Did not return my functional WSUS server. Eventually uninstalled WSUS, tried to reinstall. WID database was still there. Uninstalled WID and deleted database. Reinstalled WSUS and proceeded to reconfigure to attempt to get back to the initial configuration and functionality. Lesson learned. Wait until the issues surrounding KB3159706 have been resolved. They obviously haven’t been resolved.

      At one point I wound up with a database that couldn’t be read.

      2016-08-25 10:51:12 Microsoft.UpdateServices.Administration.CommandException: The schema version of the database is from a newer version of WSUS than currently installed. You must either patch your WSUS server to at least

  75. AndySpecial says:

    I read most of this post and see one person reports the same problem as myself…. last status report is not updating in the console.
    Nor is the Needed Count value.
    running wuauclt /reportnow on a computer is not updating the console values 🙁

    -installed SQL Mgmt studio on WSUS 2012 Std server and ran t-sql to get the database out of single user mode.
    – approved and installed KB3159706…reboot…ran post installation steps and console appeared to work fine.

    I am stuck and would greatly appreciate advice.

    1. AndySpecial says:

      Update: finally after 3 hours the status updated in WSUS. Will post again if this continues to be a problem.

  76. David Weston says:

    OK, so we have gone through all of this pain so that the Windows 10 Anniversary Update can be published through WSUS. When might that happen?

    1. tester_02 says:

      Seems all these great fixes all blew up when the actual anniversary update rolled out.
      1607 clients all fail on downloading updates on 1607. Another WSUS fail.

      1. Not actually a WSUS fail: the Windows Update client has a bug in 1607 that causes it to fail to download from WSUS. This has been fixed in the September monthly update; if you are unable to get the patch through WSUS (because of the issue that the patch fixes), then you can download it directly from the Microsoft Update Catalog or Windows Update itself.

  77. Steven Stuart says:

    I can’t believe how much time I’ve spent looking at this one update.

    I’m using an external SQL database. Installed, ran the post install steps, and can’t get into the console. Through various articles, I found I still had the internal WID installed, so I removed that, removed the database files, uninstalled, and reinstalled…. Same issues.

    Found an article on specifying the paths for postinstall, and get lots more info than the 5 line “successful” logs just using the command in the KB article.

    If I enter:
    wsusutil postinstall SQL_INSTANCE_NAME=localhost CONTENT_DIR=D:\WSUS

    I get a lot of info in the log, that looks great until the end part where it’s generating keys (see below). I’ve seen other references to this, but nothing works. Uninstalling the patch gets me working again, but obviously I’ll need to get this loaded to support our Windows 10 machines..


    Thanks in advance.


    2016-08-11 13:25:13 Generating encryption key to write to the registry…
    2016-08-11 13:25:13 Generating encryption key to write to the database…
    2016-08-11 13:25:13 Generation of encryption key to save to the database failed. Error=System.IndexOutOfRangeException: Index was outside the bounds of the array.
    at Microsoft.UpdateServices.Internal.DatabaseAccess.GenericReadableRow.GetInt32(Int32 index)
    at Microsoft.UpdateServices.Internal.ConfigurationTableRow.ReadRow(IDataRecord record)
    at Microsoft.UpdateServices.Internal.DatabaseAccess.AdminDataAccess.ExecuteSPGetConfiguration()
    at Microsoft.UpdateServices.Internal.BaseApi.UpdateServerConfiguration.Load()
    at Microsoft.UpdateServices.Setup.StartServer.StartServer.GenerateNewDatabaseEncryptionKey()
    2016-08-11 13:25:13 StartServer encountered errors. Exception=Index was outside the bounds of the array.
    2016-08-11 13:25:13 Microsoft.UpdateServices.Administration.CommandException: Failed to start and configure the WSUS service
    at Microsoft.UpdateServices.Administration.PostInstall.Run()
    at Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)

  78. Thomas says:

    Hi all!
    We have a strange Problem.
    We are running a WSUS Server on Server 2012 (not R2), patched it with everything necessary to deliver Windows 10 Upgrades and it worked until a few days ago (time 1607 was released?). We were able to update about 150 of our 200 Windows 10 Build 10240 boxes of our customers to 1511 before, but now, no 10240 machine gets the 1511 (May Edition) offered by WSUS.
    Then I started searching and came across KB3159706.
    First I thought that it can’t be, because it describes 1607 Upgrade and future ones and other packages using ESD. But I gave it a try and followed the Instructions. It worked perfectly as described, but does not resolve the Issue, that 1511 will not be offered any more.
    Now I tried to install a new 2016TP5 based WSUS, to ensure it is not an issue with 2012 WSUS 3.0 SP2 (and Patches), but 2016TP5 WSUS does the same Thing. Then I stumbled over a comment, that 2016 Server WSUS will have KB3159706 Features when it goes RTM, so there is the possibility, that it does not have KB3159706 yet in TP5.
    Here is our configuration:
    * WSUS 3.0 SP2, all Patches on 2012 Server (in Azure)
    * Configured to not deliver packages directly, Clients have to download them from Microsoft (this could be important, because ESD Packages will only be downloaded by Clients not by the WSUS – So what could KB3159706 do on the Server without the ESDs to look in?)
    What I found interesting so far:
    * WSUS marks the previously already working 1511 Upgrade Updates now as “Not Applicable” to the 10240 Clients – that’s strange
    * When I Change Test Clients Windows Update Agent to Microsoft Windows Update directly, the 1511 is offered instantly, so there is no issue with the Clients!
    * The WSUS Update ID of the correct 1511 Upgrade Update is other than the one offered by Windows Update
       WSUS knows the March Version with ID:d08ff53d-ce46-4ad1-8abe-538fd192e38f
       WSUS knows the May Version we approved, but is not offered anymore with ID: 1105b447-525e-4192-ba5e-437cbd6c01aa
       Windows Update offers a new (!) Update ID: Upgrade auf Windows 10 Pro, Version 1511, 10586 | 468e4ed0-ee60-4827-9e45-370e77dec143
    So, what is going on here? Is it all because of a bug or because we only Control our Clients with the WSUS, but they have to download directly? Does it have anything to do with 1607 release or KB3159706?
    Help please – I invested days already to hunt this down…
    Thanks a lot

    1. Without digging too deeply, I can tell you that WSUS 3.0 SP2 in the mix is not recommended for any ESD distribution. It’s not only the download that’s the problem: it’s also the metadata. If WSUS 3.0 SP2 syncs any Upgrades from Windows Update or another WSUS, then that content will be corrupted regardless of whether the client downloads the actual payload from Windows Update. Our recommendation is not to use WSUS 3.0 SP2 in any distribution chain that involves ESDs.

  79. Steve says:

    I thought I posted this yesterday, but don’t see it, so sorry if it’s a duplicate.

    Had issues with the older 3148812 patch, so uninstalled and held off for update. Tried the new 3159706 yesterday, and having the same issues – can’t connect to console.

    Did all the post install steps, and found a few things along the way.

    Had migrated to an external SQL database, and still had WID checked in features. Removed that, and ZIP’d the database. Posted a bunch of updates on forum at:

    At this point, stuck. I uninstalled the patch, leaving the web.config changes intact, and it seems to be working.

    Any assistance would be appreciated.


    1. I’ll be making a post this week for those that migrated from WID to SQL–it’s more common than we anticipated, and it turns out there are a few steps that need to be followed in order for it to work properly. Stay tuned!

      1. Alan says:

        Any more news on the Blog regarding installations using SQL for the database



        1. Thanks for the ping, Alan. Haven’t forgotten about you.

  80. Ray Lillback says:

    KB3159706 broke WSUS for us. Is anyone else having these issues?

  81. I approved the 1607 upgrades on WSUS this morning before applying KB3159706, I was getting install error messages on the clients. I declined the updates and ran the server cleanup wizard. I then applied KB3159706, I re-approved the upgrades and I’m still getting the same error messages on the clients.

    Will downloading 1607 upgrades before installing KB3159706 give me these issues? Please help.

    1. Thanks for your post in the TechNet forum on this, as well. A new blog post is available regarding what we believe is causing the symptoms you describe. Please let us know whether it helps:

  82. Can someone help me to find out the collection of patches related to 2012 which are having problem or bugs.

  83. Jon Larson says:

    I’m running WSUS with an external SQL db, not WID for WSUS. I did all of the post install steps required and WSUS still crashes upon loading. I am at a standstill with deploying 1607 to my organization because this AND the upgrade TS are jacked because of your bugs.
    Here’s the link to my technet forum:

    1. Jon, did you happen to migrate from WID to external SQL, or was it set up external from the beginning? If the former, then I think we might have your remedy.

    2. Shachaf Goldstein says:

      I have experienced an error while using a dedicated sql server (2014).
      for me it was the fact that in one of the sql script files someone wrote iDoc instead of idoc, once i changed it and followed manual steps everything was amazing.

  84. Netgurus says:

    So initially I caught the fact that KB3159706 breaks a functioning WSUS server. (KB 3148812 was already uninstalled) It did mine. I uninstalled the update and my WSUS server begins functioning again.

    So I decided to try the KB3159706 update again, several weeks later, because I know eventually I will need ESD decrypt capabilities on my WSUS.

    I am now about three hours into this evolution. KB3159706 did not work. The manual steps left me with a non functional WSUS server. I followed the steps exactly, but something went wrong somewhere. Uninstalled KB3159706 again. Did not return my functional WSUS server. Eventually uninstalled WSUS, tried to reinstall. WID database was still there. Uninstalled WID and deleted database. Reinstalled WSUS and proceeded to reconfigure to attempt to get back to the initial configuration and functionality. Lesson learned. Wait until the issues surrounding KB3159706 have been resolved. They obviously haven’t been resolved.

    At one point I wound up with a database that couldn’t be read.

    2016-08-25 10:51:12 Microsoft.UpdateServices.Administration.CommandException: The schema version of the database is from a newer version of WSUS than currently installed. You must either patch your WSUS server to at least

  85. George Terplan says:

    These settings resolve my problems:

    1. Add .esd and .msu mime types to IIS server.

    2. Change DeliveryOptimization mode!

    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DODownloadMode /t REG_DWORD /d 100 /f
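
The two settings from the comment above, written as an idempotent PowerShell script. This is an added example, not the commenter's or Microsoft's script; the `-Role` parameter, the function names, the server-level IIS scope and the `.msu` MIME type are assumptions (the thread only states `application/octet-stream` for `.esd`), and the registry value is the one given in the comment.

```powershell
#Requires -RunAsAdministrator
# Added example. Run with -Role Server on the WSUS/IIS host,
# and with -Role Client on a Windows 10 machine that scans against it.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Server', 'Client')]
    [string] $Role
)

function Add-MimeMapIfMissing {
    # Adds a static-content MIME mapping only if the extension is not mapped yet.
    param(
        [Parameter(Mandatory)] [string] $Extension,
        [Parameter(Mandatory)] [string] $MimeType,
        # Assumption: map at server level so every site inherits it.
        [string] $PSPath = 'MACHINE/WEBROOT/APPHOST'
    )
    $filter   = "system.webServer/staticContent/mimeMap[@fileExtension='$Extension']"
    $existing = Get-WebConfiguration -PSPath $PSPath -Filter $filter

    if ($existing) {
        if ($existing.mimeType -ne $MimeType) {
            # Do not overwrite silently: someone mapped it on purpose.
            Write-Warning "$Extension is already mapped to '$($existing.mimeType)'; left unchanged."
        } else {
            Write-Output "$Extension already mapped to $MimeType."
        }
        return
    }

    Add-WebConfigurationProperty -PSPath $PSPath `
        -Filter 'system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = $Extension; mimeType = $MimeType }
    Write-Output "Added $Extension -> $MimeType."
}

function Set-DeliveryOptimizationPolicy {
    # Writes the policy value from the comment (DODownloadMode = 100)
    # and returns what is actually stored afterwards.
    param([int] $Mode = 100)

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'DODownloadMode' `
        -PropertyType DWord -Value $Mode -Force | Out-Null

    (Get-ItemProperty -Path $key -Name 'DODownloadMode').DODownloadMode
}

switch ($Role) {
    'Server' {
        Import-Module WebAdministration -ErrorAction Stop
        Add-MimeMapIfMissing -Extension '.esd' -MimeType 'application/octet-stream'
        # Assumption: same generic binary type for .msu.
        Add-MimeMapIfMissing -Extension '.msu' -MimeType 'application/octet-stream'
    }
    'Client' {
        $stored = Set-DeliveryOptimizationPolicy -Mode 100
        Write-Output "DODownloadMode is now $stored."
    }
}
```

A domain Group Policy that sets the same Delivery Optimization value will overwrite the local registry write at the next policy refresh, so in a managed environment set it there instead.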

  86. Steve says:

    Curious why I put comments out there on 8/11 and 8/12 that apparently still haven’t been published as they’re “Awaiting moderation”?

    1. I keep up on here as best I can, but there’s room for improvement on keeping the discussion flowing. I believe that once you’ve been approved once, your future comments should automatically go through, but I haven’t fully understood the new system yet. As to why we have this system in the first place, it’s to prevent “spammy” comments from polluting our blogs. The ratio of legitimate to illegitimate comments is about 1:4, so I tend to think it’s worth the hassle to keep things clean.

  87. Dave Pitman says:

    I’m a few weeks into half hourly alert emails from a failed WSUS installation.
    Yes, 48 times a day I’m reminded that not only is the WSUS install broken, because the attempts to fix it have removed the console. I can’t stop them…filters? I’m on the road. Push email ensures I get them all.
    I manage the site remotely, not that it makes much difference these days.

    I’ve read literally dozens of articles on how to fix WSUS. I’ve tried so many, my documentation has come adrift. Whilst I’m encouraged to be in such numerous company, like a good many of us here, I’m not exactly keen on re-building this server. It’s a time/billing thing.

    Here’s the rub: There aren’t any Windows 10 clients on the network, so this is all a bit frustrating.

    I hate criticism unless it’s constructive. So here’s an idea…

    Microsoft, having immensely more resources than we, the users, might look into creating a *solution.

    How about building a cut down VM based WSUS only server afflicted customers could install on existing single instance or physical servers? Do it for us time poor customers, eh Microsoft?

    1. Dave, have you posted this in our TechNet forum? If so, then please provide the link to your thread, and ensure that your contact information is accessible either in the post or your forum profile. We’ll reach out to you directly, since what you’re experiencing does not seem to be by design, and can’t be remedied in a few blog comments.

      1. Dave Pitman says:

        No Steve, I haven’t.

        Before I do, I suppose I should scour the forums and see what others have discovered.


  88. Jon Glenn says:

    All end user computers are still failing to install 1607 updates after I ran through all of this. When they update from Microsoft, they succeed. I just rechecked and I’ve done:

    1) Set .esd – application/octet-stream in IIS
    2) Checked and 8812 is not installed
    3) KB3159706 has been installed since 5/18 (date it’s listed as installed in Control Panel, Installed Updates)

    What am I missing? I don’t see where to “uninstall test package” as in step 1.
    Any help would be greatly appreciated! Thanks

    1. Please post the errors that you are seeing in our TechNet forums, so that your issue can be troubleshot properly. Off the top, I couldn’t tell you what’s happening.

  89. FDisk101 says:

    Does anyone have an example of the modified web.config file, I must be putting the updated elements in the wrong area as I still can’t get the client service up and running, many thanks in advance. The actual wsus server is back up showing patches, an added complication for me is my whole network is air gapped..

  90. David R. says:

    I don’t understand why the update cannot simply do the post-install and HTTP Activation itself, this has not been explained above. Can you explain please?

    1. Simply put, WSUS was never designed to automatically perform those steps. It was always serviced as an out-of-box component, which meant shipping new versions (service packs) every time we wanted to update it. Adding functionality as a servicing update instead of a service pack does not offer the same capabilities. We’re going to have to ship something to patch WSUS itself to change this behavior; rest assured that you will not see any updates requiring manual intervention being pushed automatically to your WSUS until it can automatically execute post-install tasks as needed.

      1. FDisk101 says:

        Steve, your effort is most valued.. can I ask as posted above, could a sample of the web.config be posted with corrections, have taken a stupid tablet and can’t for the life of me get this working, ergo my clients still can’t connect to my sus server, ta

  91. g says:

    I have a windows 8.1 desktop computer and when i do “check for windows updates”, it just sits there forever. to get it to stop, i need to run windows update troubleshooter. then, when i look at the windowsUpdate.log file (which i can email you if you want), i see

    2016-11-04 13:03:40:679 1064 1e58 IdleTmr WU operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery, operation # 169) stopped; does use network; is at background priority

    as the last log when i first start “windows update” and then i see the below log (20 min later) when i run the troubleshooter:

    2016-11-04 13:25:52:482 1064 17d8 AU ########### AU: Uninitializing Automatic Updates ###########
    2016-11-04 13:25:52:482 1064 1e58 Agent * WARNING: Failed to filter search results, error = 0x8024000B
    2016-11-04 13:25:52:482 1064 17d8 WuTask Uninit WU Task Manager

    so it seems to get stuck in “WARNING: Failed to filter search results, error = 0x8024000B”. i would think it should timeout if it cannot do something.

    again, this is windows 8.1 desktop computer, not a server. is this related to this wsus decrypt thing? what to do?

    1. This is an unrelated symptom. If you haven’t already, then I’d recommend seeking help at the Windows Update support forums.

  92. Don says:

    Could you address why the upgrade cannot be installed via script (using a modified version of this script: ) directly from Windows Update (not WSUS) ?

    WindowsUpdate.log shows:

    “DownloadManager Update A18B4DD2-E36B-4A33-8619-DA422B8438E0.200 is missing decryption information”

    It would seem based on everything you said that the issue is specific to WSUS and that Windows 10 has built-in decryption information when using Windows Update directly. Why then does a scripted installation fail with the above error when using Windows Update and not WSUS?


    1. I’d expect this to work, as you do. The Windows 10 client scanning directly against Windows Update has everything it needs to be able to sync and install feature updates; perhaps you already downloaded incomplete data from WSUS, and your client is unable to replace it with the content from Windows Update? If that’s the case, then you can try clearing your client datastore and scanning WU again.

  93. Jeff Vansteenburgh says:

    Does this apply to Server 2016 WSUS servers? I am having issues with many of my Windows 10 machines not reporting to my Server 2016 WSUS server (only about 20% work correctly). All of my Windows 7 and the few Windows 8 machines all work without issue.

    1. No, the fix that is contained in 3148812 (now 3159706) shipped with Server 2016 RTM, so you shouldn’t have this issue on that platform. Any scan failures you’re seeing are likely unrelated, but might still be worth looking at. Can you post your issue in the WSUS support forum for assistance?

  94. Admond Teoh says:

    Dear support,
    Recently my wsus 3.0 sp2, having issue on all the clients unable to report to server
    only windows 10 pc. able to show updates/report to wsus
    Windows 7 workstation, all show “Not yet reported” even I perform all the following command:
    gpupdate /force
    wuauclt.exe /resetauthorization /detectnow
    wuauclt.exe /reportnow
    restart pc
    3x weeks I perform the same thing continuously, then some windows pc may appear, after 1 weeks, but some still unable to show at wsus

    I did delete the softwaredistribution folder as well,
    re-install my wsus servers, and reformat my windows 2008 servers r2, which wsus is installing inside

    may I know is it wsus 3.0 sp2 no longer support for windows 7 ?
    kindly reply
    I had use 3x weeks time for the troubleshooting still no result
    thanks a lot

    1. WSUS 3.0 SP2 still supports Windows 7. Please post this in the WSUS support forums for troubleshooting help.

  95. Roman Tomchinskiy says:

    After running windows updates last night I found that my WSUS for Windows 10 PC is not working any more. The service has started, however when I open WSUS console I am receiving a message: “Error connecting to the server”. The error comes from the server with WSUS installed. After uninstalling KB3159706, WSUS works normally. It is my understanding that I need KB3159706 in order to upgrade Windows 10 PC to a new revision.

    1. Yes, Windows 10 feature updates can only be distributed through a WSUS server on WS12/R2 that has previously installed KB3159706 and run all necessary post-install steps as covered in the KB. If you want to deploy anything in the Upgrades classification (i.e., feature updates) from your WSUS, then skipping this KB is not an option.

  96. Roman Tomchinskiy says:

    Just FYI. I do not use SSL as it shown in manual instructions for WSUS, therefore I do not have KB3148812 installed and uninstalling KB3159706 restored connectivity to WSUS but I cannot push Windows 10 revision 1703 to windows 10 PC

    1. You need to follow many of the post-install instructions listed in KB3159706 regardless of whether you use SSL. Your error connecting to the WSUS server comes from not having run the postinstall command.

      1. Roman says:

        I did, and now WSUS works, however PC are not reporting. I can see PC in WSUS but it shows under “Operating System” tab “Windows0.0” Under “last status Report” tab “Not yet reported” and it has been the same way for the last 24 hours

        1. Does deleting datastore.edb from the client refresh the connection?

          1. Roman says:

            No, connection has not refreshed. It is still showing “Windows0.0” and “Not yet reported”

  97. Andrew Watson says:

    It’s been over a year since this post was published and yet people all over the world are still plagued by these horrible WSUS issues. I have spent the last 2 weeks trying to get 1607 clients updating. This includes working on it all weekend when I should have been enjoying time with my family. I have been defeated by WSUS.

    I challenge you Steve Henry – Spin up a fresh VM with Server 2012R2 and see if you can get the damn thing to work. Maybe in all your wisdom you could write up a guide outlining the actual steps required to build a WSUS box that’s capable of updating Windows 7 through to Windows 10 all versions.

    Today I have spun up a whole new WSUS Server fully updated with Windows Update (online) and it’s not even pulling in any WSUS specific updates including the KB3159706.

    Has something changed? is KB3159706 still relevant? has it been replaced by a cumulative update or something?

    1. Sorry to hear it’s not working well for you, Andrew. Have you shared your specific stumbling blocks on the WSUS support forum? I spin up VMs to test various scenarios all the time, so I’m not sure which area is causing the most confusion: I’d be happy to clarify that area, once identified.

      KB3159706 is still relevant, and it has been rolled into a cumulative update. If you install any CU from May onward on your WS12+ WSUS servers, then you will need to run the manual post-install tasks to activate the functionality in that release. However, we’ve made it so that even if you don’t run these manual steps, the update should no longer cause existing WSUS operations to fail.

      Moreover, we are investigating not encrypting feature updates going forward. If that comes to pass, then WSUS 4.0 and newer will be able to sync and distribute feature updates without any of this activity.

      1. Evan T. says:

        About 80% of our 1511 to 1703 upgrades are failing. I ran the SQL query, and WSUS is not in a bad state. Computers get 0xc1800118 errors until I run a script that clears catroot2, SoftwareDistribution, and $WINDOWS.~BT. They then begin receiving error 0x80240031, and will not successfully install the Creators Update unless I manually select the option on them to check for updates from Microsoft Update instead. What is the DEAL?! I have made multiple forum posts to no avail. I just posted on TechNet here:

        1. Thanks for the post, Evan. After reading through your forum thread, it appears you’ve found a workaround in bypassing Delivery Optimization on the WU client. Ideally, DO would work just fine with WSUS, so we’re going to look into whether there might be a bug preventing effective interoperability here.

  98. michael says:

    Still no decryption keys. All mentioned updates installed, followed the guidance and cleaned susdb *.esd and resynced; I can still get no keys.

    1. Can you share the link to your forum post describing this troubleshooting effort? We might be able to dig deeper if we’ve got more context.

  99. Phillip Lötter says:

    Good day
    I looked at this entire issue…
    I do believe this update is still applicable, but noticed it has been incorporated\superseded by cumulative updates? Is this accurate? If so, does someone have a list of these cumulative updates?
    For a SCCM environment, this will then be required on each server hosting a WSUS\SUP point?

    1. If you’re coming to this now, then you’ll want to review the fix covered in this post instead of trying to find or apply 3148812, 3159706, or 3095113. The August update includes all the functionality contained in these fixes, and is all that you need to deploy to stay up to date. Or, if you miss that, then September and any future cumulative update offer the same. Note that the manual steps may still be required to finalize installation for any package involving these changes to WSUS.
