Windows Server Update Services (WSUS) Not Working After May 2016 Windows Update

Problem

• A previously working WSUS system stops working
• Client PCs connecting to the WSUS system are unable to find any updates
• An SCCM system connecting to WSUS doesn't find any updates
• The WSUS console may fail to open reliably
• WSUS may not complete Update Point Synchronisations
• WSUS may report login issues for the SUSDB database in the Windows Application log - "Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. Reason: Failed to open the explicitly specified database 'SUSDB'. [Client: <named pipe>] - Event ID 18456.

​​Example:

Products

• WSUS on Windows Server 2012 / Windows Server 2012 R2 with the May 2016 security update installed, KB3159706, or the previous update KB3148812.

Cause

• Microsoft Update 3159706 needs additional steps performed after installation. When KB3159706 has been installed on a WSUS server, it can cause WSUS to fail as the above.

Solution

Carry out the steps indicated in the Microsoft KB article, and then an additional step for configuring the memory limit on the WSUS Application pool.

Microsoft KB Steps Overview:

• Run the Postinstall Servicing command from the Update Services Tools directory, i.e. "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
• In the Add Roles and Features Wizard, add HTTP Activation under Features > .NET Framework 4.5 Features > WCF Services
• Take ownership of the web.config file in C:\Program Files\Update Services\WebServices\ClientWebService (so that you can give yourself permissions to edit the file next)
• Grant yourself/Domain Admins Full Control permissions of the web.config file
• Search for the following lines in the file:

<services>
          <service
                name="Microsoft.UpdateServices.Internal.Client"
                behaviorConfiguration="ClientWebServiceBehaviour">

• Add the following new lines:

               <!-- 
                  These 4 endpoint bindings are required for supporting both http and https
                -->
                <endpoint address=""
                        binding="basicHttpBinding"
                        bindingConfiguration="SSL"
                        contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                <endpoint address="secured"
                        binding="basicHttpBinding"
                        bindingConfiguration="SSL"
                        contract="Microsoft.UpdateServices.Internal.IClientWebService" />

• The section of the file should now look like this:

• Add the text multipleSiteBindingsEnabled="true" after <serviceHostingEnvironment aspNetCompatibilityEnabled="true"

• Restart the WSUS Service service.

Additional Recommended Steps Over the Microsoft Instructions

• Open Internet Information Services (IIS) Manager, under Administrative Tools.
• Expand the tree on the left to find the Application Pools.

• Right hand click on the WsusPool and go into Advanced Settings.
• Change the Private Memory Limit (KB) setting from its default of just over 1GB, to 4GB (4000000). Please note that your WSUS server should have a minimum of 8GB of RAM; 12GB recommended (or more, if your server also hosts SCCM and/or WDS).

• Stop and then start the WsusPool.
• Restart the WSUS Service service again, from Computer Management > Services.

Note: You may still encounter a problem after the above steps with the Wsus Content folder. If you get a Windows Update error 80244017, ensure that <servername>\Users are given Read Permissions on the Content folder, usually c:\wsus\wsuscontent or d:\wsus\wsuscontent

Finally, also ensure that NETWORK SERVICE has Full Control permissions on the same folder.

How to Test that the Issue is Resolved

1. Open the WSUS console and run a Synchronisation, and make sure it succeeds.

2. If you are using SCCM and WSUS together, check the Software Update point Synchronisations in SCCM.

Open the "Software Update Point Synchronization Status" under Monitoring, and check that it succeeds.

3. Run Windows Update on a client PC that is configured to get its updates from the WSUS server, and check that the process completes successfully.

4. If you are still having problems, try opening http://fully.qualified.wsusserver.hostname:8530/selfupdate/wuident.cab from a client PC and make sure you can download the CAB file. If you can't check to see if you need a proxy exception to bypass the proxy for the WSUS server.

Applies to:

• WSUS Servers running on Windows Server 2012 or Windows Server 2012 R2