https://kb.stonegroup.co.

uk

Windows Server Update Services (WSUS) Not Working After May 2016 Windows Update

Problem
A previously working WSUS system stops working
Client PCs connecting to the WSUS system are unable to find any updates
An SCCM system connecting to WSUS doesn't find any updates
The WSUS console may fail to open reliably
WSUS may not complete Update Point Synchronisations
WSUS may report login issues for the SUSDB database in the Windows Application log - "Login failed for user 'NT AUTHORITY\NETWORK
SERVICE'. Reason: Failed to open the explicitly specified database 'SUSDB'. [Client: <named pipe>] - Event ID 18456.
​Example:

Products

© Copyright 2018 Stone Computers Ltd. All Rights Reserved. 1

https://kb.stonegroup.co.uk

WSUS on Windows Server 2012 / Windows Server 2012 R2 with the May 2016 security update installed, KB3159706, or the previous
update KB3148812.

Cause
Microsoft Update 3159706 needs additional steps performed after installation. When KB3159706 has been installed on a WSUS server, it can
cause WSUS to fail as the above.

Solution
Carry out the steps indicated in the Microsoft KB article, and then an additional step for configuring the memory limit on the WSUS Application pool.
Microsoft KB Steps Overview:
Run the Postinstall Servicing command from the Update Services Tools directory, i.e. "C:\Program Files\Update
Services\Tools\wsusutil.exe" postinstall /servicing
In the Add Roles and Features Wizard, add HTTP Activation under Features > .NET Framework 4.5 Features > WCF Services
Take ownership of the web.config file in C:\Program Files\Update Services\WebServices\ClientWebService (so that you can give yourself
permissions to edit the file next)
Grant yourself/Domain Admins Full Control permissions of the web.config file
Search for the following lines in the file:
<services>
<service
name="Microsoft.UpdateServices.Internal.Client"
behaviorConfiguration="ClientWebServiceBehaviour">
Add the following new lines:
<!--
These 4 endpoint bindings are required for supporting both http and https
-->
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="SSL"
contract="Microsoft.UpdateServices.Internal.IClientWebService" />
<endpoint address="secured"
binding="basicHttpBinding"
bindingConfiguration="SSL"
contract="Microsoft.UpdateServices.Internal.IClientWebService" />
The section of the file should now look like this:

Add the text multipleSiteBindingsEnabled="true" after <serviceHostingEnvironment aspNetCompatibilityEnabled="true"

© Copyright 2018 Stone Computers Ltd. All Rights Reserved. 2

https://kb.stonegroup.co.uk

Restart the WSUS Service service.

Additional Recommended Steps Over the Microsoft Instructions
Open Internet Information Services (IIS) Manager, under Administrative Tools.
Expand the tree on the left to find the Application Pools.

Right hand click on the WsusPool and go into Advanced Settings.

Change the Private Memory Limit (KB) setting from its default of just over 1GB, to 4GB (4000000). Please note that your WSUS server should
have a minimum of 8GB of RAM; 12GB recommended (or more, if your server also hosts SCCM and/or WDS).

Stop and then start the WsusPool.

Restart the WSUS Service service again, from Computer Management > Services.

Note: You may still encounter a problem after the above steps with the Wsus Content folder. If you get a Windows Update error 80244017, ensure that
<servername>\Users are given Read Permissions on the Content folder, usually c:\wsus\wsuscontent or d:\wsus\wsuscontent

© Copyright 2018 Stone Computers Ltd. All Rights Reserved. 3

https://kb.stonegroup.co.uk

Finally, also ensure that NETWORK SERVICE has Full Control permissions on the same folder.

How to Test that the Issue is Resolved

1. Open the WSUS console and run a Synchronisation, and make sure it succeeds.

2. If you are using SCCM and WSUS together, check the Software Update point Synchronisations in SCCM.
Open the "Software Update Point Synchronization Status" under Monitoring, and check that it succeeds.

© Copyright 2018 Stone Computers Ltd. All Rights Reserved. 4

https://kb.stonegroup.co.uk

3. Run Windows Update on a client PC that is configured to get its updates from the WSUS server, and check that the process completes
successfully.
4. If you are still having problems, try opening http://fully.qualified.wsusserver.hostname:8530/selfupdate/wuident.cab from a client PC and make sure
you can download the CAB file. If you can't check to see if you need a proxy exception to bypass the proxy for the WSUS server.
Applies to:

WSUS Servers running on Windows Server 2012 or Windows Server 2012 R2

Article ID: 620

Last updated: 25 Jul, 2017
Updated by: Andrew Sharrad
Revision: 14
Third Party Products -> Windows Server -> Troubleshooting -> Windows Server Update Services (WSUS) Not Working After May 2016 Windows Update
https://kb.stonegroup.co.uk/index.php?View=entry&EntryID=620

© Copyright 2018 Stone Computers Ltd. All Rights Reserved. 5