WSUS 3.0 SP2 will not run after installing update 2720211

Let me clarify that post subject up there. KB2720211 FAILED to install on my server and at the same time absolutely FUBAR'd the entire thing to the point where Update Services wouldn't even start. I had our lead programmer stop by this morning and tell me that his computer kept complaining about not being able to download updates... (Note to self -- add that into Nagios as I appear to have forgotten).

Anway, what a mess. I logged onto the server and along with the MMC not opening, and being greeted with an IIS worker crash warning the event log was chock full of errors:

Event ID 1011: A process serving application pool 'WsusPool' suffered a fatal communication error with the World Wide Web Publishing Service. The process id was '7540'. The data field contains the error number. Event ID 7031: The Update Services service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service. Event ID 18456: Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. [CLIENT: ] Event ID 7032: The WSUS administration console was unable to connect to the WSUS Server via the remote API.

I'm sure you get the point...

Anyway, it appears this was a fairly widespread issue (great QA work MS). I found one solution that worked for me - copied here (just in case): ---> SOURCE <---

Fix the DCOM issue (thanks Ickis99) - Check for DistributedCOM event 10016 in the System Event log for APPID {B292921D-AF50-400C-9B75-0C57A7F29BA1} -- I wasn't running 2008 R2 on my WSUS box so skipped

If you have Windows Server 2008 R2, you have to give yourself permission to change the settings of the Component Service by looking for the APPID in the windows Registy under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID. Then change the permissions of the Key by taking ownership of the object and give Full Permissions to the local Administrator-Group. After that you can change the DCOM Permissions in the Component Services. Open Administrative Tools > Component Services Within Component Services, open Computers > My Computer > DCOM Config Find the NAP Agent Service, right-click it, and open Properties. Under the security tab, hit "Edit..." under the Launch and Activation Permissions section. Give the SYSTEM user allow for Local Launch.

Enable Named Pipes for the local SQL Server Express install - Check for MSSQL$MICROSOFT##SSEE event 18456 in the Application event log -- Internal Windows DB so I didn't do this, or maybe I just didn't need to. I don't have this tool installed at any rate.

Open the Sql Server Configuration Manager (Start > Programs > Microsoft SQL Server 2008 R2 > Configuration Tools) SQL Server Network Configuration > Protocols for MICROSOFT##SSEE Open Properties for Named Pipes and set Enabled to Yes.

Put the SUSDB database back into multi-user mode (might not be necessary, but I did it) Yup... did it Open a command prompt as administrator and run "iisreset /stop" Stop the "Update Services" service if running (it usually isn't since it's broken at this point) Open SQL Server Management Studio as Administrator (Start > Programs > Microsoft SQL Server 2008 R2) Under Server type, select "Database Engine", for server name, use "\\.\pipe\MSSQL\(MICROSOFT##SSEE\\sql\\query", and for Authentication use "Windows Authentication". Click Connect. Look at your SUSDB (Databases > SUSDB). If it is in single-user mode, open its properties, go to the Options screen, and set the Restrict Access setting to "MULTI\_USER". Let it reset connections if needed. Reboot your server (might not be necessary, but I figured it was best to play it safe) You might see a lot of MSSQL\)MICROSOFT##SSEE event 33002 in the logs after the reboot, but you can ignore these for now since the patch "should" fix it in a bit.

Extract necessary files from 2720211 installer Did this too Download the KB2720211 installer for your architecture from Microsoft (http://support.microsoft.com/kb/2720211) Extract WUSSetup.msp from the installer by running the installer with the /extract parameter (example: "WSUS-KB2720211-x64.exe /extract") With 7-zip, open WUSSetup.msp and extract "PCW_CAB_SUS". With 7-zip, open "PCW_CAB_SUS" and extract "DbCert", "DbCertDll", and "DbCertSql". Rename those files to "WSUSSignDb.cer", "WSUSSignDb.dll", and "WSUSSignDb.sql", respectively. On your WSUS server, navigate to "C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig" and copy the extracted "WSUSSignDb.cer" and "WSUSSignDb.dll" to it. Make a backup copy of the two existing versions, just in case. On your WSUS server, navigate to "C:\Program Files\Update Services\Database" and copy the extracted "WSUSSignDb.sql" to it. Make a backup copy of any existing versions of the file.

If all goes well, the update will actually install properly and after a (just because) reboot: [caption id="attachment_228" align="aligncenter" width="651"] SUCCESS![/caption]