ESD Decryption Update KB3159706 Breaks WSUS on Server 2012 R2

Chiyo OdikaConfigMgr, SCCM4 Comments

Microsoft recently released an update KB3159706 that enables WSUS for Windows Server 2012/R2 to natively decrypt certain feature updates which are staged in encrypted packages. This is great, especially because this update supposedly fixes an issue with a previous update KB3148812. This update has however been found to break WSUS in Server 2012 R2. I was able to replicate this behavior in my lab environment.

My lab environment features a simple WSUS installation integrate with ConfigMgr Software Update Point (SUP). As seen below, after the update is installed the WSUS service crashes and fails to restart, and this adversely affects the SUP role in ConfigMgr.

 

image

 

image

 

I also determined that uninstalling the update addressed the issue, but a better fix, recommended by Microsoft, is to complete required manual steps in order to complete the update installation. The required manual steps are as follows:

    1. Open an elevated Command Prompt window, and then run the following command (case sensitive, assume “C” as the system volume):

“C:\Program Files\Update Services\Tools\wsusutil.exe” postinstall /servicing

 

image

Ensure that successful post install is confirmed.

 

 

image

  1. Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard, as seen above.
  2. Restart the WSUS Service.

 

IF SSL is enabled on the WSUS Server, additional steps are required.

  • Assign ownership of the Web.Config file to the administrators group (run at an elevated command prompt):
    takeown /f web.config /a
    icacls “C:\Program Files\Update Services\WebServices\ClientWebService\Web.config” /grant administrators:f
  • Locate the Web.Config file in the following path:
    C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config
  • Make the following changes in the file (shown in bold):
    <services>
    <service
    name=”Microsoft.UpdateServices.Internal.Client”
    behaviorConfiguration=”ClientWebServiceBehaviour”>
    <!–
    These 4 endpoint bindings are required for supporting both http and https
    –>
    <endpoint address=””
    binding=”basicHttpBinding”
    bindingConfiguration=”SSL”
    contract=”Microsoft.UpdateServices.Internal.IClientWebService” />
    <endpoint address=”secured”
    binding=”basicHttpBinding”
    bindingConfiguration=”SSL”
    contract=”Microsoft.UpdateServices.Internal.IClientWebService” />
    <endpoint address=””
    binding=”basicHttpBinding”
    bindingConfiguration=”ClientWebServiceBinding”
    contract=”Microsoft.UpdateServices.Internal.IClientWebService” />
    <endpoint address=”secured”
    binding=”basicHttpBinding”
    bindingConfiguration=”ClientWebServiceBinding”
    contract=”Microsoft.UpdateServices.Internal.IClientWebService” />
    </service>
    </services>
  • Add the following attribute (shown in bold) to the bottom of the Web.Config file:
    </bindings>
    <serviceHostingEnvironment aspNetCompatibilityEnabled=”true”multipleSiteBindingsEnabled=”true” />
    </system.serviceModel>

 

cheers!

The following two tabs change content below.
Chiyo's expertise spans multiple platforms. He holds Microsoft Private Cloud, and Server Infrastructure certifications, and avidly enjoys working on deployments of Microsoft's Server and Cloud Platforms, including Microsoft Systems Center, Windows Server, and Microsoft Azure.

Latest posts by Chiyo Odika (see all)

Chiyo OdikaESD Decryption Update KB3159706 Breaks WSUS on Server 2012 R2