WSUS 3.0 SP2 will not run after installing update 2720211

Let me clarify that post subject up there. KB2720211 FAILED to install on my server and at the same time absolutely FUBAR’d the entire thing to the point where Update Services wouldn’t even start. I had our lead programmer stop by this morning and tell me that his computer kept complaining about not being able to download updates… (Note to self — add that into Nagios as I appear to have forgotten).

Anway, what a mess. I logged onto the server and along with the MMC not opening, and being greeted with an IIS worker crash warning the event log was chock full of errors:

Event ID 1011: A process serving application pool ‘WsusPool’ suffered a fatal communication error with the World Wide Web Publishing Service. The process id was ‘7540’. The data field contains the error number.
Event ID 7031: The Update Services service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
Event ID 18456: Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’. [CLIENT: <named pipe>]
Event ID 7032: The WSUS administration console was unable to connect to the WSUS Server via the remote API.

I’m sure you get the point…

Anyway, it appears this was a fairly widespread issue (great QA work MS). I found one solution that worked for me – copied here (just in case):

—> SOURCE <—

Fix the DCOM issue (thanks Ickis99) – Check for DistributedCOM event 10016 in the System Event log for APPID {B292921D-AF50-400C-9B75-0C57A7F29BA1}I wasn’t running 2008 R2 on my WSUS box so skipped

If you have Windows Server 2008 R2, you have to give yourself permission to change the settings of the Component Service by looking for the APPID in the windows Registy under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID. Then change the permissions of the Key by taking ownership of the object and give Full Permissions to the local Administrator-Group. After that you can change the DCOM Permissions in the Component Services.
Open Administrative Tools > Component Services
Within Component Services, open Computers > My Computer > DCOM Config
Find the NAP Agent Service, right-click it, and open Properties.
Under the security tab, hit “Edit…” under the Launch and Activation Permissions section.
Give the SYSTEM user allow for Local Launch.

Enable Named Pipes for the local SQL Server Express install – Check for MSSQL$MICROSOFT##SSEE event 18456 in the Application event logInternal Windows DB so I didn’t do this, or maybe I just didn’t need to. I don’t have this tool installed at any rate.

Open the Sql Server Configuration Manager (Start > Programs > Microsoft SQL Server 2008 R2 > Configuration Tools)
SQL Server Network Configuration > Protocols for MICROSOFT##SSEE
Open Properties for Named Pipes and set Enabled to Yes.

Put the SUSDB database back into multi-user mode (might not be necessary, but I did it)
Yup… did it
Open a command prompt as administrator and run “iisreset /stop”
Stop the “Update Services” service if running (it usually isn’t since it’s broken at this point)
Open SQL Server Management Studio as Administrator (Start > Programs > Microsoft SQL Server 2008 R2)
Under Server type, select “Database Engine”, for server name, use “\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query”, and for Authentication use “Windows Authentication”. Click Connect.
Look at your SUSDB (Databases > SUSDB). If it is in single-user mode, open its properties, go to the Options screen, and set the Restrict Access setting to “MULTI_USER”. Let it reset connections if needed.
Reboot your server (might not be necessary, but I figured it was best to play it safe)
You might see a lot of MSSQL$MICROSOFT##SSEE event 33002 in the logs after the reboot, but you can ignore these for now since the patch “should” fix it in a bit.

Extract necessary files from 2720211 installer
Did this too
Download the KB2720211 installer for your architecture from Microsoft (
Extract WUSSetup.msp from the installer by running the installer with the /extract parameter (example: “WSUS-KB2720211-x64.exe /extract”)
With 7-zip, open WUSSetup.msp and extract “PCW_CAB_SUS”.
With 7-zip, open “PCW_CAB_SUS” and extract “DbCert”, “DbCertDll”, and “DbCertSql”.
Rename those files to “WSUSSignDb.cer”, “WSUSSignDb.dll”, and “WSUSSignDb.sql”, respectively.
On your WSUS server, navigate to “C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig” and copy the extracted “WSUSSignDb.cer” and “WSUSSignDb.dll” to it. Make a backup copy of the two existing versions, just in case.
On your WSUS server, navigate to “C:\Program Files\Update Services\Database” and copy the extracted “WSUSSignDb.sql” to it. Make a backup copy of any existing versions of the file.

If all goes well, the update will actually install properly and after a (just because) reboot:



15 thoughts on “WSUS 3.0 SP2 will not run after installing update 2720211

  1. Had this problem on 2 2008 R2 WSUS servers. Took me about 3 hours before I found this article. Ran the top fix regarding component services and the bottom fix regarding 7-zip and rebooted. Ran the manual installer, and the update finally went through! Also, WSUS comes up without any “MMC could not load the snap-in errors” as well! Your a life saver, thank you very much!!

  2. Thanks very much for posting this, I am running Windows 2008 64bit, and the option Extract necessary files from 2720211 installer resolved my issue.

  3. BRAVO! Worked like a charm. I only had to do the last set of steps (Extract …) I really wonder why MS does not officially endorse this procedure, since it seems a lot of people have gone into trouble with their WSUS.


    1. I’m curious,how is this problem still occurring so late into September? The patches that caused this problem came out back in early July? I hope there aren’t other Windows updates causing this problem !

      1. I haven’t seen it happen again to our setup after the first occurrence. Could be folks late getting to these – I don’t recall if the update was released as critical or not – assuming it wasn’t many companies only handle critical updates during the regular cycle and leave non-critical for planned maintenance periods.

  4. I have WSUS 3.0 installed on a Windows 2008 R2 Server, and the following directory locations is not located on my WSUS box or the SQL box: On your WSUS server, navigate to “C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig” and copy the extracted “WSUSSignDb.cer” and “WSUSSignDb.dll” to it. Make a backup copy of the two existing versions, just in case.
    On your WSUS server, navigate to “C:\Program Files\Update Services\Database” and copy the extracted “WSUSSignDb.sql” to it.

    Hence, the KB article update did not work, and my WSUS console will not connect to the server…

  5. Genius! Been working on getting this fixed for 3 days. I did from multi-user mode downwards for Server 2003 SP2 and WSUS is now back online and the update applied. Thanks!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s