Clients failing to connect to WSUS - 80244008

  • Question

  • WSUS on Server 2012 R2.

    Was working OK yesterday, 28 June 2017.
    This morning, 29th June, a large number of clients (possibly all) are failing to communicate correctly, e.g. when attempting to do a manual "Check for Updates". Windows 7 (x86) and Server 2008 R2 come up with 80244008. A Windows 10 client (x64) and 2012 R2 gave error 8024401f. The WSUS management console opens without any issues.

    Last status report of any client into WSUS is 6:30am this morning, which appears to be about 10 minutes after a restart of the WSUS Server to install 2 MS Updates this morning: 4022720 (preview of monthly rollup) and 4037282 (update for Internet Explorer).

    I suspect one of those updates is the issue. I've checked the details of 4022720 and can't see anything obvious that would affect IIS or WSUS, nor guidance to run any post install steps. If necessary I can uninstall, but would prefer not to, as that would only delay the issue until middle of next month when the general release of what is in 4022720 is pushed out. I have, though, re-run the steps from the update that came out a year ago.

    Our server is configured to use port 80, so no SSL involved, but I'm wondering if something in one of the above updates has done something to affect this.  

    There are a few messages in Application log and other logs that may prove useful...

    EventID 3, Source: System.ServiceModel 4.0.0.0, Task Category WebHost, Level Error, user: Network Service.

    WebHost failed to process a request.

    System.ServiceModel.ServiceHostingEnvironment+HostingManager/63835064

    Exception: System.ServiceModel.ServiceActivationException: The service '/ClientWebService/client.asmx' cannot be activated due to an exception during compilation.  The exception message is: Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].. ---> System.InvalidOperationException: Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http].

       at System.ServiceModel.ServiceHostBase.MakeAbsoluteUri(Uri relativeOrAbsoluteUri, Binding binding, UriSchemeKeyedCollection baseAddresses)

       at System.ServiceModel.Description.ConfigLoader.LoadServiceDescription(ServiceHostBase host, ServiceDescription description, ServiceElement serviceElement, Action`1 addBaseAddress, Boolean skipHost)

       at System.ServiceModel.ServiceHostBase.LoadConfigurationSectionInternal(ConfigLoader configLoader, ServiceDescription description, ServiceElement serviceSection)

       at System.ServiceModel.ServiceHost.ApplyConfiguration()

       at System.ServiceModel.ServiceHostBase.InitializeDescription(UriSchemeKeyedCollection baseAddresses)

       at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)

       at System.ServiceModel.Activation.ServiceHostFactory.CreateServiceHost(Type serviceType, Uri[] baseAddresses)

       at System.ServiceModel.Activation.ServiceHostFactory.CreateServiceHost(String constructorString, Uri[] baseAddresses)

       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)

       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity)

       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)

       --- End of inner exception stack trace ---

       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)

       at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity)

    Process Name: w3wp

    Process ID: 2140

    I can provide other logs later (e.g. WSUS logs, and logs off a couple of the client systems too).

    Thanks in advance

    Matt W.

    Thursday, June 29, 2017 11:11 AM

Answers

  • Hi Matt,

    I found 2 ways to repair it (KB4025336 broke it for me)

    1. modify

    "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config"

    (This file was new after the updates.)

    take ownership:

    takeown /f web.config /a
    icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant administrators:f

    and remove/comment these lines for SSL binding with <!-- and -->:

    <services>
                <service
                    name="Microsoft.UpdateServices.Internal.Client"
                    behaviorConfiguration="ClientWebServiceBehaviour">
                    <!-- 
                      These 4 endpoint bindings are required for supporting both http and https
                    -->
                    <!-- endpoint address=""
                            binding="basicHttpBinding"
                            bindingConfiguration="SSL"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" /-->
                    <!--endpoint address="secured"
                            binding="basicHttpBinding" 
                            bindingConfiguration="SSL"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" /-->
                    <endpoint address=""
                            binding="basicHttpBinding"
                            bindingConfiguration="ClientWebServiceBinding"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                    <endpoint address="secured"
                            binding="basicHttpBinding" 
                            bindingConfiguration="ClientWebServiceBinding"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />
       </service>
            </services>

    then restart WSUSService and IIS, and it works again.

    2. add https binding in IIS

    c:\windows\system32\inetsrv\appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']

    then it works again, even with no SSL certificate selected.

    I will open a support case with Microsoft next week for advisory.

    I am in favor of solution 1 because I do not need to reconfigure firewalls etc., since we only used http port 80 in the past.

    best regards

    Thomas



    • Edited by RS-Thomas Friday, July 14, 2017 9:14 PM
    • Proposed as answer by RS-Thomas Friday, July 14, 2017 9:16 PM
    • Marked as answer by mpw1 Tuesday, August 15, 2017 10:14 AM
    Friday, July 14, 2017 9:06 PM

All replies

  • Fixed it by uninstalling KB4022720.

    But the question still remains why that broke it, and will it break again when the regular Security & quality monthly rollups for July 2017 are made available in a couple of weeks' time.

    Thursday, June 29, 2017 2:56 PM
  • Exactly same problem and same solution for me!

    Does someone have another solution than uninstalling KB4022720?

    Thank you.

    Thursday, June 29, 2017 3:27 PM
  • Hi mpw1,

    Thanks for feeding back the information, we'll keep eyes on this topic and try to report this behavior to our Product Team for further confirmation. If there is any news, we'll feedback as soon as possible.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 3, 2017 8:49 AM
    Moderator
  • I have found that KB4022720 has broken WSUS on my Network.

    Uninstalling has got WSUS Working again but is not a great fix.

    Tuesday, July 4, 2017 10:25 AM
  • Hi mpw1

    I had this problem but today it has been solved by changing the WSUS port to 8530 (default port for WSUS in Windows server 2012) and also I changed the port in GP, to be deployed on clients. The details are written in this link 

    https://technet.microsoft.com/en-us/library/cc708604(v=ws.10).aspx

    • Proposed as answer by Nadine-K Wednesday, July 26, 2017 6:26 AM
    Thursday, July 6, 2017 3:38 PM
  • For me, I was already using default port 8530 on server side and on GPO client side and I still have the problem.

    Thank you.

    Thursday, July 6, 2017 8:01 PM
  • Seriously Microsoft do you even test updates any more? We patch our environments religiously but it seems every month since late last year the quality of Microsoft updates has taken a huge dive. Something or the other breaks every month. 

    This month Wsus broke and we are lucky to have a semi production Wsus environment. 

    Sunday, July 9, 2017 2:53 PM
  • Fixed it by uninstalling KB4022720.

    But the question still remains why that broke it, and will it break again when the regular Security & quality monthly rollups for July 2017 are made available in a couple of weeks' time.

    Ok, so why on earth are you installing PREVIEW updates?

    June 27, 2017—KB4022720 (Preview of Monthly Rollup)

    Previews are known to have issues.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 10, 2017 3:20 AM
  • Seriously Microsoft do you even test updates any more? We patch our environments religiously but it seems every month since late last year the quality of Microsoft updates has taken a huge dive. Something or the other breaks every month. 

    This month Wsus broke and we are lucky to have a semi production Wsus environment. 

    If you're installing the same patch, why are you installing PREVIEW patches? These are known to have issues and are not the final CU.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 10, 2017 3:21 AM
  • On another note, keep your WSUS server operating at its best by using my script.

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need.

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Remove all Drivers from the WSUS Database.
    2. Shrink your WSUSContent folder's size by declining superseded updates.
    3. Remove declined updates from the WSUS Database.
    4. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    5. Compress Update Revisions.
    6. Remove Obsolete Updates.
    7. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    8. Application Pool Memory Configuration to display the current private memory limit and easily increase it by any configurable amount.
    9. Run the Recommended SQL database Maintenance script on the actual SQL database.
    10. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment, simply run:

    .\Clean-WSUS.ps1 -FirstRun

    and then

    .\Clean-WSUS.ps1 -InstallTask

    If you wish to view or increase the Application Pool Memory Configuration, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 10, 2017 3:22 AM
  • This script may be a good solution to optimize WSUS and save space but it's not solving the big problem the latest Microsoft update gave us...

    We are still waiting for a patch or a solution from Microsoft before tomorrow... The next monthly update is tomorrow! What are you doing, Microsoft!?

    Monday, July 10, 2017 12:55 PM
  • This script may be a good solution to optimize WSUS and save space but it's not solving the big problem the latest Microsoft update gave us...

    We are still waiting for a patch or a solution from Microsoft before tomorrow... The next monthly update is tomorrow! What are you doing, Microsoft!?

    Maybe not, but the bigger question you haven't answered is why are you installing preview updates that are KNOWN to have issues - they are preview to the next CU. It's easier to place the blame somewhere else, but unless you have a SPECIFIC reason to install a preview update (I've had 1 since they started releasing them, and it did fix my issue), you should be denying all preview updates.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 10, 2017 1:53 PM
  • I installed this preview update because Microsoft tagged it as critical. And if the problem is present in the preview update, I'm pretty sure that the "final update" of tomorrow is going to have the same problem...

    Monday, July 10, 2017 1:58 PM
  • I installed this preview update because Microsoft tagged it as critical. And if the problem is present in the preview update, I'm pretty sure that the "final update" of tomorrow is going to have the same problem...

    Microsoft tagged it as an "Update" - NOT a "Critical Update" or a "Security Update", but just a plain old "Update". If you have auto-approvals on, make sure it's not approving everything that comes through for "Updates". Only Critical and Security Updates should be auto-approved, if you're going to use auto-approvals.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 10, 2017 6:12 PM
  • KB4025336 is now available. This update is the final version of the Preview update KB4022720 which is giving us problems with WSUS. I first installed the preview update KB4022720, detected the WSUS problem, uninstalled KB4022720, problem solved.

    I just installed KB4025336 without reinstalling KB4022720 on my WSUS Server. I tested WSUS after the installation and I have the same problem: 8024401F error code on all clients when trying to search for new updates from the WSUS Server!

    So Microsoft needs to fix the KB4025336 update fast!

    • Edited by Champac Tuesday, July 11, 2017 6:47 PM
    Tuesday, July 11, 2017 6:43 PM
  • Just come into work this morning, and found that my WSUS server is broken (again) after it installed 4025336 & 4025333 last night automatically.

    In response to people asking why install "preview" updates... someone has to, otherwise issues like this don't get spotted in time. Now that the proper update is out, I'm going to have 2 broken WSUS Servers now, rather than just the 1 for when the preview came out.

    Just checked MS page for the update, and no special post install instructions for WSUS.
    https://support.microsoft.com/en-us/help/4025336/windows-8-update-kb4025336

    Matt W.

    Wednesday, July 12, 2017 7:05 AM
  • Hi! For me the same: after installing KB4025336 WSUS is broken. Clients don't connect to WSUS - no recent reports can be transferred from clients to WSUS.

    Many Errors in Application Log:

    Source:        System.ServiceModel 4.0.0.0
    Event-ID:   3
    Description: WebHost could not process a requirement. Service '/ClientWebService/client.asmx' could not be activated due to an exception while compiling. There is no basic address that fits with scheme "https" for endpoint with binding "BasicHttpBinding". (translated from German)

    After uninstalling KB4025336 and restarting WSUS everything is fine.

    Bye

    Jan
    Wednesday, July 12, 2017 11:09 AM
  • KB4025333 did not break WSUS. I installed it on my WSUS Server without any problem. Only KB4025336 is giving us problems.

    Thank you.

    • Proposed as answer by RS-Thomas Friday, July 14, 2017 9:15 PM
    • Unproposed as answer by RS-Thomas Friday, July 14, 2017 9:15 PM
    Wednesday, July 12, 2017 12:14 PM
  • Champac, thanks that is useful to know.

    So it's not one of the security updates but one of the additional features you get in the Security Quality Monthly Rollup causing the issue. I had only mentioned both, as both had installed overnight onto our server.

    Wednesday, July 12, 2017 12:25 PM
  • We have the same issue - installing KB4025336 prevents clients from reconnecting to our WSUS server (uninstall fixes it again). So we cannot install the July roll-up, and presumably won't be able to install any subsequent roll-ups until this is fixed :-(
    Wednesday, July 12, 2017 2:36 PM
  • I've now uninstalled 4025336, and my WSUS is working again.

    I've left 4025333 installed, which is the important Security fixes that are also included in the above update.

    I'm hoping to get a proper support call logged with Microsoft, but having to wait for one of the IT managers here to dig out the details so I can do so.

    regards

    • Proposed as answer by RS-Thomas Friday, July 14, 2017 9:15 PM
    • Unproposed as answer by RS-Thomas Friday, July 14, 2017 9:15 PM
    Wednesday, July 12, 2017 3:05 PM
  • I had the same WSUS issue with KB4022720 (I could open the MMC, but got no new updates; clients could not connect). Uninstalling has (temporarily) corrected the WSUS issue.
    • Proposed as answer by RS-Thomas Friday, July 14, 2017 9:15 PM
    • Unproposed as answer by RS-Thomas Friday, July 14, 2017 9:15 PM
    Wednesday, July 12, 2017 5:36 PM
  • Probably because it got pushed out to the WSUS server as an update and I personally don't have time to review every single one of the hundreds of Microsoft updates my WSUS server gets per month.
    • Proposed as answer by RS-Thomas Friday, July 14, 2017 9:15 PM
    • Unproposed as answer by RS-Thomas Friday, July 14, 2017 9:16 PM
    Wednesday, July 12, 2017 5:40 PM
  • We have had the same issue with the latest batch of updates. I tried updating the patches in different orders, but KB4025336 always causes the clients to fail. All other patches are installed, so it's still working. Hopefully, MS will have a fix for this fix out pretty soon.


    • Proposed as answer by RS-Thomas Friday, July 14, 2017 9:14 PM
    • Unproposed as answer by RS-Thomas Friday, July 14, 2017 9:16 PM
    Wednesday, July 12, 2017 10:02 PM
  • My Wsus runs in Windows Server 2012 R1. Same problem here but different KB: 4025331.

    Uninstalling solved the problem.

    • Proposed as answer by RS-Thomas Friday, July 14, 2017 9:14 PM
    • Unproposed as answer by RS-Thomas Friday, July 14, 2017 9:16 PM
    Thursday, July 13, 2017 7:35 PM
  • We just had the same issue. After uninstalling KB4025336 WSUS is working again, but this is not a "real" solution. Please provide a new fix.

    • Proposed as answer by RS-Thomas Friday, July 14, 2017 9:14 PM
    • Unproposed as answer by RS-Thomas Friday, July 14, 2017 9:16 PM
    Friday, July 14, 2017 5:17 AM
  • Thanks Thomas,

    Using option 1, I found that I didn't need to restart WSUS and IIS.  Just commenting the SSL entries in web.config "fixed" it.

    Sunday, July 16, 2017 3:56 AM
  • The best solution we have found is to generate a certificate, and then activate HTTPS access with this certificate into "ClientWebSite" application bindings.

    Hope it will help you.

    Monday, July 17, 2017 5:13 AM
  • That's because modifying the web.config triggers an app pool recycle in IIS.
    Monday, July 17, 2017 9:08 AM
  • Can you give me a detailed tutorial of how to do this?

    Thank you.

    Monday, July 17, 2017 6:48 PM
  • I tried option 1 and option 2 and neither works for me...

    I use WSUS Non-SSL on port 8530.

    Thank you.

    Monday, July 17, 2017 6:48 PM
  • If you're installing the same patch, why are you installing PREVIEW patches? These are known to have issues and are not the final CU.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Adam, Microsoft can be happy, that people are willing to install the Preview Updates, to have them find possible issues early. It is a shame that MS didn't react on the early complaints with the Preview Updates and released the final Monthly Rollups with the same glitches. Even today they do not even acknowledge the issue, see both KB4025331 (Server 2012) and KB4025336 (Server 2012 R2), not mentioning anything about WSUS trouble. Wondering if, how and when they will deal with that issue...

    https://support.microsoft.com/en-us/help/4025331/windows-server-2012-update-kb4025331

    https://support.microsoft.com/en-us/help/4025336/windows-8-update-kb4025336

    Tuesday, July 18, 2017 7:04 AM
  • You are absolutely right!

    I'm still waiting for news from Microsoft...

    Thank you.

    Tuesday, July 18, 2017 11:56 AM
  • I installed the patch tonight. I rebooted my WSUS server. I used my client to check for updates and it was successful. It even reported in properly afterwards.

    Have you tried to 'delay' updates through GPO or anything?

    See proof screenshots below.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, July 19, 2017 12:28 AM
  • I installed the patch tonight. I rebooted my WSUS server.

    On which OS platform do you run your WSUS Server?
    Wednesday, July 19, 2017 7:36 AM
  • WSUS is running on Server 2012 R2. I did NOT install the preview update prior.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, July 19, 2017 10:46 AM
  • Is your WSUS in SSL or not? Which port do you use?

    I think problem is only in non-ssl on port 8530.

    Thank you.

    Wednesday, July 19, 2017 11:05 AM
  • Is your WSUS in SSL or not? Which port do you use?

    I think problem is only in non-ssl on port 8530.

    Thank you.

    Hey!

    We have WSUS 2012 without R2 and on port 80 and the same problem with KB4025336.

    Wednesday, July 19, 2017 11:15 AM
  • I DO use SSL as it's a Microsoft Best Practice. My cert is one from my Internal CA.

    I follow a really smart guy named Emin Atac (he was the one who helped me develop part of my WSUS Script) and he posted something that was enlightening in all regards with regards to WSUS and MITM attacks and how relatively easy it would be to compromise a network.

    Black Hat USA 2015 - WSUSpect Compromising The Windows Enterprise Via Windows Update

    https://p0w3rsh3ll.wordpress.com/2015/11/24/switch-wsus-to-https/

    Video here: https://www.youtube.com/watch?v=mU8vw4gRaGs

    It is worth the watch as they explain exactly how to take over a network by just having access to it.

    Please, everyone, mitigate this risk and switch to SSL.

    Official MS TechNet article for SSL for WSUS

    https://technet.microsoft.com/library/hh852346.aspx#bkmk_3.5.ConfigSSL


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, July 19, 2017 12:06 PM
  • Adam, I want to use SSL with my WSUS but I have an error after trying to switch from port 8530 non-SSL to port 8531 SSL: I have an error message telling me that the SSL certificate of this server can't be validated when I'm trying to open my WSUS console.

    I also have Code 80072F8F when trying to search for updates with clients.

    Maybe it's because of this: https://blogs.technet.microsoft.com/wsus/2013/08/15/wsus-no-longer-issues-self-signed-certificates/

    Can you help me with this? Thank you.



    • Edited by Champac Wednesday, July 19, 2017 3:30 PM
    Wednesday, July 19, 2017 3:24 PM
  • I'm not sure if this would help - saw it on another forum for another issue, but may be prudent here.

    Try toggling the usecustomwebsite attribute.

    Turn it off and on again:

    wsusutil.exe usecustomwebsite false

    wsusutil.exe usecustomwebsite true

    Does that help?

    If not, do you have an Internal CA?


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Proposed as answer by SvetPaperov Friday, July 28, 2017 3:24 PM
    Wednesday, July 19, 2017 3:44 PM
  • I would like to return to the original subject of the thread which was issues introduced by KB4022720 & KB4025336.  After doing a fair amount of testing I have come to the conclusion that Microsoft have incorporated KB3159706 into the July 2017 rollup for 2012 R2 with one major exception; they have added the updates to the ClientWebService web.config listed at item 3 in the article into the rollup.  This is borne by the fact that the file information for the web.config contained in each update has a different date (KB3159706 has a modification date of 8-Mar-2016 whereas KB4025336 by comparison is 10-May-2017).

    I discovered this by accident when I applied KB4025336 to a WSUS server which I'd forgotten to apply KB3159706 to.  In order to get WSUS working again I had to run the postinstall /servicing and enable .NET4.5 WCF HTTP Activation.

    My research also leads me to believe that if you have previously installed KB3159706 to your WSUS server and are using the custom website WSUS will continue to function without any issues after the application of KB4025336 regardless of whether you use SSL or not.  This is because a https binding to 8531 looks to be automatically created for the WSUS website in this scenario.  If you run WSUS using the default website and do not use SSL WSUS will run into issues.  This is because the changes to the web.config add support for SSL, but the default website does not appear to have a binding for https to port 443 by default.  This can be fixed in 1 of 3 ways:

    1. Remove the SSL entries from the web.config as originally posted by R S Thomas on Friday (see higher up the thread).  My concern with this solution is that the next rollup might reapply the updated web.config
    2. Add https binding for 443 manually as also posted by R S Thomas on Friday
    3. Run wsusutil.exe usecustomwebsite true followed by wsusutil usecustomwebsite false.  This also adds the required https binding to the default website.
    • Proposed as answer by AJTek.caMVP Thursday, July 20, 2017 2:42 PM
    Wednesday, July 19, 2017 4:55 PM
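
The mismatch described in the post above (endpoints that need https on a site that only has an http binding) can be checked before and after patching. This PowerShell is an added example, not code from the thread or from Microsoft; the embedded web.config and the binding list are constructed samples, and it assumes the binding named "SSL" uses transport security and that `$SiteName` is the IIS site hosting WSUS.

```powershell
# Added example: report WCF endpoints whose binding needs a URI scheme the IIS site lacks.
# Constructed sample, modelled on the ClientWebService web.config quoted in this thread.
# Assumption: the binding named "SSL" sets <security mode="Transport">.
$SampleConfig = [xml]@'
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="SSL"><security mode="Transport" /></binding>
        <binding name="ClientWebServiceBinding" />
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="Microsoft.UpdateServices.Internal.Client">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="SSL"
                  contract="Microsoft.UpdateServices.Internal.IClientWebService" />
        <endpoint address="secured" binding="basicHttpBinding" bindingConfiguration="SSL"
                  contract="Microsoft.UpdateServices.Internal.IClientWebService" />
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="ClientWebServiceBinding"
                  contract="Microsoft.UpdateServices.Internal.IClientWebService" />
        <endpoint address="secured" binding="basicHttpBinding" bindingConfiguration="ClientWebServiceBinding"
                  contract="Microsoft.UpdateServices.Internal.IClientWebService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
'@

function Get-EndpointSchemeReport {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $SiteProtocols
    )
    # Map each named basicHttpBinding configuration to its security mode.
    # WCF's default for basicHttpBinding is "None" when no <security> element is present.
    $modes = @{}
    foreach ($b in $Config.SelectNodes('//bindings/basicHttpBinding/binding')) {
        $sec  = $b.SelectSingleNode('security')
        $mode = if ($sec -and $sec.GetAttribute('mode')) { $sec.GetAttribute('mode') } else { 'None' }
        $modes[$b.GetAttribute('name')] = $mode
    }
    # Endpoints inside XML comments are not selected, so a commented-out
    # endpoint (workaround 1 in the thread) drops out of the report.
    foreach ($ep in $Config.SelectNodes('//services/service/endpoint[@binding="basicHttpBinding"]')) {
        $cfg    = $ep.GetAttribute('bindingConfiguration')
        $mode   = if ($modes.ContainsKey($cfg)) { $modes[$cfg] } else { 'None' }
        # Transport-level security means the endpoint needs an https base address.
        $scheme = if ($mode -in 'Transport', 'TransportWithMessageCredential') { 'https' } else { 'http' }
        [pscustomobject]@{
            Address              = $ep.GetAttribute('address')
            BindingConfiguration = $cfg
            SecurityMode         = $mode
            RequiredScheme       = $scheme
            SiteHasScheme        = $SiteProtocols -contains $scheme
        }
    }
}

# Use the live server when available; otherwise fall back to the constructed sample.
$ConfigPath = 'C:\Program Files\Update Services\WebServices\ClientWebService\Web.config'
$SiteName   = 'Default Web Site'   # assumption: may be 'WSUS Administration' on your server

if ((Test-Path $ConfigPath) -and (Get-Module -ListAvailable WebAdministration)) {
    Import-Module WebAdministration
    $config    = [xml](Get-Content -Raw $ConfigPath)
    $protocols = @(Get-WebBinding -Name $SiteName | Select-Object -ExpandProperty protocol -Unique)
} else {
    $config    = $SampleConfig
    $protocols = @('http')         # constructed: a site with only an http binding
}

$report = Get-EndpointSchemeReport -Config $config -SiteProtocols $protocols
$report | Format-Table -AutoSize

# One unsatisfied endpoint is enough to stop the whole service from activating.
if ($report | Where-Object { -not $_.SiteHasScheme }) {
    Write-Warning "Site '$SiteName' lacks a binding for a scheme an endpoint requires; expect Event ID 3 ('Could not find a base address that matches scheme ...')."
}
```

With the constructed sample, the two "SSL" endpoints report `RequiredScheme = https` and `SiteHasScheme = False`, which is the condition behind the Event ID 3 error quoted at the top of the thread.
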
  • Seriously Microsoft do you even test updates any more? We patch our environments religiously but it seems every month since late last year the quality of Microsoft updates has taken a huge dive. Something or the other breaks every month. 

    This month Wsus broke and we are lucky to have a semi production Wsus environment. 

    If you're installing the same patch, why are you installing PREVIEW patches? These are known to have issues and are not the final CU.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    I am glad I stopped installing preview issues about 2 months ago. Whew!
    Wednesday, July 19, 2017 8:13 PM
  • None of these solutions works for me.

    I just uninstalled KB4022720 & KB4025336 and all is working well now.

    And watch out, the new release from Microsoft of yesterday, KB4025335, has the same problem for me... It breaks WSUS also. So do not install...

    Thursday, July 20, 2017 7:23 PM
  • @ Champac  - Do you have an internal CA that you can use to generate the Certificate?

    Adam Marshall, MCSE: Security
    http://www.adamj.org


    • Edited by AJTek.caMVP Thursday, July 20, 2017 8:23 PM
    Thursday, July 20, 2017 8:22 PM
  • Yes, I created a domain certificate with my WSUS server, which is also CA.

    I now use WSUS on SSL port 8531 with my own domain certificate on Windows Server 2012 R2. Everything is working great until I install KB4025336. After that, I can open my WSUS console but all my clients can't connect anymore to check for updates. Everything goes back to normal after I uninstall KB4025336...

    I tried all the solutions proposed on this page and nothing works for me.

    • Edited by Champac Friday, July 21, 2017 1:02 AM
    Thursday, July 20, 2017 9:51 PM
  • Yes, I created a domain certificate with my WSUS server, which is also CA.

    I now use WSUS on SSL port 8531 with my own domain certificate on Windows Server 2012 R2. Everything is working great until I install KB4025336. After that, I can open my WSUS console but all my clients can't connect anymore to check for updates. Everything goes back to normal after I uninstall KB4025336...

    I tried all the solutions proposed on this page and nothing works for me.

    Have you previously installed KB3159706?  If not then you will also need to install WCF HTTP Activation for .Net45 and run wsusutil postinstall /servicing after the KB4025336 has been installed.  Both of these steps are documented within KB3159706, but not in KB4025336.  I had similar issues with one of my WSUS servers after installing KB4025336; clients could detect patches and download them, but they were unable to report their status to WSUS.  I am not using SSL so the symptoms could be different on a system with SSL implemented.
    Monday, July 24, 2017 9:11 AM
  • This link's ^ solution worked for me.
    Tuesday, July 25, 2017 5:17 PM
  • For me this worked. I had not set any port explicitly in GPO, so mine was set to http://mywsusserver instead of now http://mywsusserver:8530.

    Of course I had to restart the Windows Update Service after changing that.

    Thanks a Million for that!

    Wednesday, July 26, 2017 6:29 AM
  • Solution 3 worked for me. But since I was already using the custom 8530 port I had to switch back to true.

    Thanks


    Svet Paperov, MCTIP-EA

    Friday, July 28, 2017 3:22 PM
  • Just another observation that may be helpful to someone reading this thread.  I also encountered the issue in an environment that I support and uninstalled the update to resolve.  However, I had a downstream/replica WSUS server that could no longer service its clients after I had resolved the issue on the primary.

    I tried iisreset and did some research into the errors that I was seeing.  Before trying more advanced repairs, I ended up requesting a maintenance period on the machine just to perform a simple REBOOT and that resolved the issue.

    So, if you have a bunch of downstream servers that exhibit issues after you fix this botched update on your primary, reboot your downstream servers.

    Thanks again Microsoft...


    Syst3m32 https://www.sysadminsoup.com

    Monday, July 31, 2017 9:22 PM
  • FYI, the issue is reproduced again :( after installing the update KB4039871 (Update for Preview of Monthly Rollup August 28, 2017) on the WSUS servers.

    Initially, the preview update was meant to be installed to fix the CPU / memory issue as described in this MS blog below.

    Link: High CPU/High Memory in WSUS following Update Tuesdays| https://blogs.technet.microsoft.com/askcore/2017/08/18/high-cpuhigh-memory-in-wsus-following-update-tuesdays/

    I have logged a support call with Microsoft.

    Rerunning the commands below has stopped the System.ServiceModel 4.0.0.0 Error - WebHost failed to process a request (Event 3).

    "%programfiles%\update services\tools\wsusutil.exe" usecustomwebsite true

    "%programfiles%\update services\tools\wsusutil.exe" usecustomwebsite false




    • Proposed as answer by Kwang Whee Tuesday, October 3, 2017 4:04 AM
    • Edited by Kwang Whee Wednesday, October 11, 2017 4:12 AM
    Tuesday, October 3, 2017 4:04 AM
  • Found a simple fix that will allow WSUS to continue and let clients still connect to port 80.

    switch back to usecustomwebsite true
    change port from Default Web Site from 80 to 81
    add 80 to "WSUS Administration"

    now everything is working again for me and Updates do not break the WSUS (btw if you tried using WSUS 2016 usecustomwebsite false will break it too, also just add port 80)

    Tuesday, October 3, 2017 6:11 AM
  • Thanks Thomas, 

    I had the same issue, and also used no. 1 to fix. I believe this becomes a problem when you don't use the default port on WSUS 2012 R2 (5830), and instead you switch to 80,443.

    Regards,

    Tuesday, October 3, 2017 8:23 AM
  • Hi there,

    I get the WSUS to work again by simply changing back to Port 80:

    WSUSutil usecustomwebsite false (under Program Files/Updates Services/Tools)

    But because it would be difficult to change it on all clients (infrastructure fragmented and not possible to do this via GPO) I had to change it back to 5830:

    WSUSutil usecustomwebsite true

    And magic: It is still working on the old port 5830! All clients get their updates now.

    So it looks like the update broke something with the binding of the IIS Website which could simply be fixed by switching to the default website and back to the custom website (which is the default by installation under Windows Server 2012 and above).

    Let's give it a try.

    Wednesday, October 4, 2017 10:32 AM
  • Did not fix it for me. 
    Tuesday, March 13, 2018 7:14 PM
  • Thanks for your valuable solution. First way worked for me too.

    Best Regard, Babak Ramak

    Monday, December 17, 2018 8:37 AM