New CM07 KB 2783466: Software updates are displayed as invalid unexpectedly in the Administrator Console in System Center Configuration Manager 2007

10:41 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, wsus by Kenny Buntinx [MVP]


After a Software Update Point (SUP) synchronization with Windows Software Update Services (WSUS) is complete, software updates that were previously successfully deployed are displayed unexpectedly as invalid in the Administrator Console in Microsoft System Center Configuration Manager 2007. Specifically, the invalid updates icon (a red arrow) appears alongside the updates when you view the updates in the Deployment Management node of the Administrator Console. Additionally, these updates are no longer listed under the Deployment Packages node.

This issue may occur because of changes that were made to the Microsoft Update service in October 2012. These improvements contain metadata updates that affect all WSUS servers. These changes caused some updates to be marked as having a content change, even though the update binaries were not changed. For some administrators, the metadata changes may have been applied automatically when WSUS synchronized with the Microsoft Update servers in October. Other administrators received the changes by applying update 2734608 to their WSUS servers.

More info here:

KB 2783466: Software updates are displayed as invalid unexpectedly in the Administrator Console in System Center Configuration Manager 2007

Hope it helps,

Kenny Buntinx

Configmgr 2012 SP1 : Installing Multiple Software Update Points per single primary site and use a single shared WSUS database on your SQL Cluster

10:00 am in AdminUi, ConfigMgr 2012, ConfigMgr 2012 SP1, SCCM 2012, SCCM 2012 SP1, SUP, wsus by Kenny Buntinx [MVP]


After installing ConfigMgr 2012 SP1 Beta (you can’t install SP1 in production unless you have signed a TAP agreement with Microsoft), we wanted to install a new feature called Multiple SUP. SP1 adds support for multiple software update points for a site (also for non-trusted forests) to provide automatic redundancy for clients, in the same way as you can configure multiple management points.

In Configuration Manager 2012 Service Pack 1, they have added the ability to set multiple SUPs per Primary Site, to:

  • Provide the ability to add SUPs cross-forest
  • Provide fault tolerance without requiring NLB.

Clients will automatically fail over to additional SUPs in the same forest if a scan fails, but switching SUPs has a different network cost depending on whether you are using a shared WSUS database or not. The cheapest network cost is when you share the WSUS database. By design, clients will try to scan against a SUP 4 times at a fixed interval of 30 minutes (waiting 30 minutes before each retry) before switching to another SUP in the SUP list.

NOTE: Be aware that the values and specifications above can change at any time, as this product is still in beta!

Although I believe this is a big step forward for Configuration Manager and a nice solution for security and redundancy, we had some difficulty getting it to work with multiple WSUS servers sharing the database on the same SQL cluster/instance.

The product team is aware of the issue and is working on a solution. Until then, if you want to try this in a lab with a SQL cluster, here are the steps to work around the issue.

Scenario that failed:

1. Install WSUS-02 server.

2. Choose to use the existing WSUS-01 SUSDB database (on a remote SQL cluster), and specify the remote SQL server name + instance.

You will get an error: “Existing database is not compatible with this version of WSUS 3.0 SP2”. After you click OK, the option to use an existing DB is greyed out. When that happens, the remote SUSDB for the existing WSUS server goes to single-user mode (and doesn’t revert, so the SUP can’t contact it). Your WSUS-01 (the first WSUS) can’t connect anymore.

3. Run a query to revert SUSDB from single user mode.

4. The assumption is that the required KBs (2720211 and 2734608), which were applied to WSUS-01 before installing SP1 beta, are also required on WSUS-02. However, they can’t be applied until after WSUS-02 is installed, so we’re stuck adding another WSUS server using a shared database where the existing WSUS server has been patched with the KBs.

Scenario that succeeded:

1. Install WSUS-02 on its own dedicated (internal) database. Human error alert: we accidentally specified the server name and instance of the existing SUSDB, and overwrote it without any notification! We used System Center Data Protection Manager to recover the SUSDB. Phew.

2. Then the following steps were required to get the second WSUS (and second SUP) working successfully:

  • Install WSUS with a local DB.
  • Install KB2720211 and KB2734608
  • Stop WSUS Service on both WSUS servers

3. Modify the registry on WSUS-02 so that it points to the WSUS-01 SUSDB on the remote SQL cluster, and set some other values as well (listed below):

  • wYukonInstalled=0
  • SqlServerName= <clustername>\<instanceName>
  • SqlInstanceIsRemote=1

4. Cycle IIS services

5. Restart WSUS service.

6. Validate WSUS console opens.

7. Add SUP role to new WSUS server.
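
The registry change and service restarts from steps 2 to 5, as an added PowerShell example (not the author's script). It assumes PowerShell 3.0 or later in an elevated session on WSUS-02; `$SetupKey` and `$BackupFile` are hypothetical parameters, because the page does not name the registry key, and `WsusService` is the WSUS Windows service name.

```powershell
# Added example: run elevated on WSUS-02 after KB2720211 and KB2734608 are installed.
# $SetupKey is a placeholder parameter: the page does not name the registry key.
param(
    [Parameter(Mandatory)] [string] $SetupKey,    # registry key that holds the WSUS setup values
    [Parameter(Mandatory)] [string] $SqlServer,   # <clustername>\<instanceName> of the shared SUSDB
    [string] $BackupFile = "$env:TEMP\wsus-setup-before.json"   # hypothetical rollback file
)
$ErrorActionPreference = 'Stop'

# Refuse anything that is not server\instance before touching the registry.
if ($SqlServer -notmatch '^[^\\]+\\[^\\]+$') {
    throw "SqlServer must look like <clustername>\<instanceName>, got '$SqlServer'"
}

# The three values from step 3. The integer/string types are an assumption.
$desired = [ordered]@{
    wYukonInstalled     = 0
    SqlServerName       = $SqlServer
    SqlInstanceIsRemote = 1
}

# Step 2 (local half): stop WSUS here. The service on WSUS-01 is stopped separately.
Stop-Service -Name WsusService

# Record the current values so the change can be reverted by hand.
$current = Get-ItemProperty -Path $SetupKey
$before  = [ordered]@{}
foreach ($name in $desired.Keys) { $before[$name] = $current.$name }
$before | ConvertTo-Json | Set-Content -Path $BackupFile

# Step 3: write the new values.
foreach ($name in $desired.Keys) {
    Set-ItemProperty -Path $SetupKey -Name $name -Value $desired[$name]
}

# Steps 4 and 5: cycle IIS, then restart WSUS.
& iisreset.exe | Out-Null
if ($LASTEXITCODE -ne 0) { throw "iisreset failed with exit code $LASTEXITCODE" }
Start-Service -Name WsusService

# Read the values back so a failed write is noticed before step 6.
$after = Get-ItemProperty -Path $SetupKey
foreach ($name in $desired.Keys) {
    if ("$($after.$name)" -ne "$($desired[$name])") {
        throw "$name is '$($after.$name)', expected '$($desired[$name])'"
    }
}
"WSUS-02 now points at $SqlServer; previous values saved to $BackupFile"
```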

When you have success, check the WCF.log file to see whether it finds your SUPs successfully:


Go to the monitoring tab and look at the “Software update point synchronization status”. You may have wondered why nothing was asked about sync source, sync schedule, classifications or products during the installation of the role when adding the second SUP: you already specified everything with the installation of the first SUP. Once the second SUP has been installed, I start a synchronization of the updates again to see what happens. See picture below:


After a few hours, you will see a confirmed number of clients scanning off of the new SUP (WSUS-02). Go to reporting, select “Software Updates – D. Scan” and use report “Scan 1 – Last scan states by collection”.


Drill down to “Scan Completed”. You will see this:


If you export to a pivot table, you will get excellent results that are clearer:



The feature really works well, and I am pleased that the Product Team provides us with these new features! The graphic above proves it really works!

However, it is NOT certified and therefore NOT SUPPORTED for Configuration Manager 2012 SP1 by the Product Group in production unless you are TAP. If you already use it in production, don’t expect Premier Support to help you. Certification and support statements will officially take 90 days after RTM of Windows 8. These experiences are being built during a TAP program, and the issues may be solved as we move to RTM.

Hope it helps,

Kenny Buntinx

SCCM : Software Updates are hanging.

7:34 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, Installation, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, Software updates, wsus by Kenny Buntinx [MVP]

Issue:

An XP client keeps failing on 2 updates that are marked as missing, but no errors could be found in the SCCM client logs or in the Windows Update Agent.log. You only get this line in the log file:

Update (Site_308CBE75-86C9-4D9D-AC4E-410079CCF8A2/SUM_5bf6aa01-2591-4966-95a6-afa7b5b6ac68) Progress: Status = ciStateError, PercentComplete = 0, DownloadSize = 0, Result = 0x80040656

Solution:

The solution is explained in the KB article:

Method for Windows 2000, Windows XP, or Windows Server 2003

To resolve this issue, register the Softpub.dll, Wintrust.dll, Initpki.dll, and Mssip32.dll files. To register these files, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.

2. At the command prompt, type regsvr32 Softpub.dll /s, and then press ENTER.

3. At the command prompt, type regsvr32 Wintrust.dll /s, and then press ENTER.

4. At the command prompt, type regsvr32 Initpki.dll /s, and then press ENTER.

5. At the command prompt, type regsvr32 Mssip32.dll /s, and then press ENTER.


After you re-register the above DLLs, perform a software update scan. From then on, the updates will install normally.


Hope it helps,

Kenny Buntinx