WSUS 2012 R2 KB3159706 manual steps

I’ve been monitoring what’s going on with WSUS updates and Microsoft WSUS team kept us posted on their official blog:

The TLDR version is KB3148812 was a disaster and now KB3159706 replaces it but still requires some manual steps afterward.
I’ve decided to share my recent experience with KB3159706. Please note that I didn’t installed KB3148812 and even if I had I’d have restored my WSUS to a previous state instead of trying to uninstall this KB.

  • Step1: Make a backup of your WSUS server and its Database and be prepared to restore it
  • Step 2: Before doing anything, read the above blog posts and the manual steps documented on the KB3159706 page under the “more info” section.
  • Step 3: install KB3159706, it’s available on Windows Update as a recommended update
  • Step 4: Reboot the WSUS server
  • Step 5: In a DOS command prompt running as local administrator, type:
    "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

    NB1: All you should see is a line indicating where the log file is written and 2 lines ‘Post install is starting’ and ‘Post install has successfully completed’

  • NB2: I copied the log file somewhere else under a meaningful name and opened it to check that there isn’t any error mentioned

  • Step 6: Install the ‘HTTP Activation’ feature under .NET Framework 4.5 Features
    I first identified its Name and its state. It appeared mine was ‘Removed’. It means that I’ll have to provide a source to install it.

    Get-WindowsFeature -Name NET-WCF-HTTP-Activation45


    My WSUS server has access to the Internet (it downloads updates from Microsoft), so I used ‘Windows Update’ as a source:

    Get-WindowsFeature -Name NET-WCF-HTTP-Activation45 | 
    Add-WindowsFeature -Restart:$false -Verbose -Source 'Windows Update'


  • Step 7: Restart the WSUS service
    Get-Service -Name WsusService | Restart-Service -Verbose

My WSUS server is running under HTTPS, so I also performed the following steps:

  • Step 8: Copy the web.config file
    dir 'C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config' | 
    Copy-Item -Destination D:\web.config
  • Step 9: Edit the copied web.config file and make the appropriate changes (see KB3159706)
    NB1: Basically you need first to copy the 2 existing endpoints under the services node and change their bindingConfiguration to “SSL”. You’ve now 4 endpoints instead of 2.
    NB2: And you need to add multipleSiteBindingsEnabled=”true” almost at the end of the file.

  • Step 10: Replace the original web.config file with your modified version.
    To achieve that, there’s no need to modify the ACL of the original web.config.
    You can actually use the “restore mode” of robocopy.exe to overwrite a file where the Builtin\Administrators have only read and execute permissions.

    robocopy D:\ "C:\Program Files\Update Services\WebServices\ClientWebService" web.config /R:0 /B

Side notes:
My first attempt wasn’t successful, I forgot to remove bindingConfiguration=”ClientWebServiceBinding” and had 2 bindingConfiguration lines. D’Oh!(My Bad).
When I restarted the WSUS server, I had an error message saying: The Client Web Service is not working.
I fixed the typos I made in my D:\web.config file and restored it again with the “backup mode” of robocopy.exe.
I then checked that my problem was solved by running:

Get-Service -Name WsusService | Restart-Service -Verbose
& "C:\Program Files\Update Services\Tools\wsusutil.exe" checkhealth


Get-winevent -FilterHashtable @{ 
 LogName = 'Application' ; 
 ProviderName = 'Windows Server Update Services' 
} -MaxEvents 10



21 thoughts on “WSUS 2012 R2 KB3159706 manual steps

  1. Couldn’t find any relevant information on my problem with post-installation steps. I did as suggested:

    “C:\Program Files\Update Services\Tools\wsusutil.exe” postinstall /servicing

    Got the following program output:

    Log file is located at C:\Users\regul8or\AppData\Local\Temp\tmpD0AC.tmp
    Post install is starting
    Post install has successfully completed

    The tmpD0AC.tmp file contain the following:

    2016-05-27 16:19:17 Postinstall started
    2016-05-27 16:19:17 Detected role services: Api, UI, WidDatabase, Services
    2016-05-27 16:19:17 Start: LoadSettingsForServicing
    2016-05-27 16:19:17 WID instance name: MICROSOFT##WID
    2016-05-27 16:19:17 End: LoadSettingsForServicing
    2016-05-27 16:19:17 Stopping service WSUSService
    2016-05-27 16:19:18 Stopping service W3SVC
    2016-05-27 16:19:20 Servicing WID database…
    2016-05-27 16:19:20 Servicing the database…
    2016-05-27 16:19:20 Establishing DB connection…
    2016-05-27 16:19:21 Checking to see if database exists…
    2016-05-27 16:19:22 Database exists
    2016-05-27 16:19:22 Switching database to single user mode…
    2016-05-27 16:20:02 Loading install type query…
    2016-05-27 16:20:02 DECLARE @currentDBVersion int
    DECLARE @scriptMajorVersion int = (9600)
    DECLARE @scriptMinorVersion int = (18324)
    DECLARE @databaseMajorVersion int
    DECLARE @databaseMinorVersion int
    DECLARE @databaseBuildNumber nvarchar(10)
    IF NOT EXISTS(SELECT * FROM sys.databases WHERE name=’SUSDB’)
    SELECT 1
    SET @currentDBVersion = (SELECT SchemaVersion FROM SUSDB.dbo.tbSchemaVersion WHERE ComponentName = ‘CoreDB’)
    SET @databaseBuildNumber = (SELECT BuildNumber FROM SUSDB.dbo.tbSchemaVersion WHERE ComponentName = ‘CoreDB’)
    DECLARE @delimiterPosition INT = CHARINDEX(‘.’, @databaseBuildNumber)
    IF (@delimiterPosition = 0)
    RAISERROR(‘Invalid schema version number’, 16, 1) with nowait
    SET @databaseMajorVersion = SUBSTRING(@databaseBuildNumber, 1, @delimiterPosition – 1)
    SET @databaseMinorVersion = SUBSTRING(@databaseBuildNumber, (@delimiterPosition + 1), (10 – @delimiterPosition))
    IF @currentDBVersion @databaseMajorVersion OR
    (@scriptMajorVersion = @databaseMajorVersion AND @scriptMinorVersion > @databaseMinorVersion))
    SELECT 2
    ELSE IF (@scriptMajorVersion = @databaseMajorVersion AND
    @scriptMinorVersion = @databaseMinorVersion)
    SELECT 0
    SELECT 4

    2016-05-27 16:20:02 Install type is: Reinstall
    2016-05-27 16:20:02 Install type is Reinstall, but should be Upgrade. Cannot service the database
    2016-05-27 16:20:02 Swtching DB to multi-user mode……
    2016-05-27 16:20:03 Finished setting multi-user mode
    2016-05-27 16:20:03 Starting service W3SVC
    2016-05-27 16:20:03 Starting service WSUSService
    2016-05-27 16:20:04 Postinstall completed

    Don’t understand if it’s correct behavior or if there’s an error. WSUS is working, workstations receive Windows 7 and other updates. Designated workstations see Windows 10 upgrade package but don’t install it

    • Hi,
      My tmp file contains: “Install type is: Upgrade”
      and then it modifies the database, creates tables, views,…

      Did you install kb3148812 ? perform the manual steps? uninstall kb3148812?

      • And what about that one?

        Any chance you’re in this case?

        Please also note that you should have added .esd MIME type to your IIS:

        if (-not
        Get-WebConfigurationProperty  -PsPath  'IIS:\Sites\WSUS Administration\Content' -Filter "//staticContent/mimeMap[@fileExtension='.esd']" -Name *
        )) {
        Add-WebConfigurationProperty -Filter '//staticContent' -name collection -value @{fileExtension='.esd'; mimeType='application/octet-stream'} -Verbose -PSPath 'IIS:\Sites\WSUS Administration\Content'
  2. Thank you very much for this post. I have spend the most of a week setting up a new WSUS server and was not aware that KB3159706 was requiring manual tasks. Wonder why Microsoft did not make an installer doing all the job instead of just half the job.

    Thank you very much. Your guide work perfectly.

  3. The auto installation of KB3159706 broke my WSUS (apparently it removed 3 tables from the SUSDB while at it). After spending the last 2 days of trying to fix the problem (and recovering the DB), this article was the final fix! Kudos and thanks!

  4. Hi Does this cmd work for both WID Databases and SUSDB (located on a dedicated SQL Server?)

    “C:\Program Files\Update Services\Tools\wsusutil.exe” postinstall /servicing

    • From what i’ve seen online and experienced, there is aproblem with dedicated sql.
      i solved it by changing one of the .sql script files in the wsus folders under program files.

      it seems that someone wrote iDoc instead of idoc in one of the lines, after that it works flawlessly.


  5. Can you upload a screenshot of what your web.config file looks like after adding the bindings, etc.?
    I just want to make sure that I modified mine correctly and want to eliminate it as a possiblity as to why I am still having issues with pushing 1607 to my client systems.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s