question

RakeshKumar-2842 avatar image
0 Votes"
RakeshKumar-2842 asked AllenLiu-MSFT commented

WSUS reinstallation and post install configuration fails

Hi All,

i had issue with synchronization of SCCM SUP with WSUS. after doing all troubleshooting steps nothing has worked. Hence uninstalled the SUP and WSUS. when i did the reinstallation of WSUS below two issue has been observed.

  1. Tools folder not found in c:\programsfile\update service

  2. Post installation fails

any help on resolving this issue would be highly appreciated.

Server OS - windows 2019
SCCM Version - 2107

error in WSUS post installation log file -
2021-09-17 07:33:48 Postinstall started
2021-09-17 07:33:48 Detected role services: UI, WidDatabase, Services
2021-09-17 07:33:48 Start: LoadSettingsFromParameters
2021-09-17 07:33:48 Content local is: True
2021-09-17 07:33:48 Content directory is: H:\WSUS
2021-09-17 07:33:48 SQL instname is:
2021-09-17 07:33:48 End: LoadSettingsFromParameters
2021-09-17 07:33:48 Start: Run
2021-09-17 07:33:48 Fetching WsusAdministratorsSid from registry store
2021-09-17 07:33:48 Value is S-1-5-21-986062108-440580148-1005803637-1001
2021-09-17 07:33:48 Fetching WsusReportersSid from registry store
2021-09-17 07:33:48 Value is S-1-5-21-986062108-440580148-1005803637-1002
2021-09-17 07:33:48 Configuring content directory...
2021-09-17 07:33:48 Configuring groups...
2021-09-17 07:33:48 Starting group configuration for WSUS Administrators...
2021-09-17 07:33:48 Found group in regsitry, attempting to use it...
2021-09-17 07:33:51 Writing group to registry...
2021-09-17 07:33:51 Finished group creation
2021-09-17 07:33:51 Starting group configuration for WSUS Reporters...
2021-09-17 07:33:51 Found group in regsitry, attempting to use it...
2021-09-17 07:33:51 Writing group to registry...
2021-09-17 07:33:51 Finished group creation
2021-09-17 07:33:51 Configuring permissions...
2021-09-17 07:33:51 Fetching content directory...
2021-09-17 07:33:51 Fetching ContentDir from registry store
2021-09-17 07:33:51 Value is H:\WSUS
2021-09-17 07:33:51 Fetching group SIDs...
2021-09-17 07:33:51 Fetching WsusAdministratorsSid from registry store
2021-09-17 07:33:51 Value is S-1-5-21-986062108-440580148-1005803637-1001
2021-09-17 07:33:51 Fetching WsusReportersSid from registry store
2021-09-17 07:33:51 Value is S-1-5-21-986062108-440580148-1005803637-1002
2021-09-17 07:33:51 Creating group principals...
2021-09-17 07:33:51 Granting directory permissions...
2021-09-17 07:33:51 Granting permissions on content directory...
2021-09-17 07:33:51 Granting registry permissions...
2021-09-17 07:33:51 System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Security.AccessControl.Win32.GetSecurityInfo(ResourceType resourceType, String name, SafeHandle handle, AccessControlSections accessControlSections, RawSecurityDescriptor& resultSd)
at System.Security.AccessControl.NativeObjectSecurity.CreateInternal(ResourceType resourceType, Boolean isContainer, String name, SafeHandle handle, AccessControlSections includeSections, Boolean createByName, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.NativeObjectSecurity..ctor(Boolean isContainer, ResourceType resourceType, SafeHandle handle, AccessControlSections includeSections, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.RegistrySecurity..ctor(SafeRegistryHandle hKey, String name, AccessControlSections includeSections)
at Microsoft.Win32.RegistryKey.GetAccessControl(AccessControlSections includeSections)
at Microsoft.UpdateServices.Administration.ConfigurePermissions.GrantRegistryPermissions(IdentityReference identity, RegistryRights registryRights)
at Microsoft.UpdateServices.Administration.ConfigurePermissions.GrantRegistryPermissions()
at Microsoft.UpdateServices.Administration.PostInstall.Run()
at Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)



mem-cm-general
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Also i'm unable to find SUSDB on any drive.

0 Votes 0 ·

I did check with fresh installation on one of windows 2019 server and getting the same issue.

0 Votes 0 ·
RakeshKumar-2842 avatar image
0 Votes"
RakeshKumar-2842 answered AllenLiu-MSFT commented

Hi All,

So finally we have solved the issue with the help of Microsoft. Below are the steps taken to solve the issue.

Steps to identify the root cause -

  1. We initiated the WSUS post installation using PowerShell command line postinstall SQL_INSTANCE_NAME="HOSTNAME" CONTENT_DIT=Drive:\WSUS and used Procmon tool to trace down the issue



==========================================================
01:31:23.4171205 WsusUtil.exe 9920 RegOpenKey HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup ACCESS DENIED Desired Access: Query Value, Enumerate Sub Keys, Read Control, Access System Security
01:31:23.4171843 WsusUtil.exe 9920 RegOpenKey HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup ACCESS DENIED Desired Access: Read Control, Access System Security
==========================================================

  1. we enabled the verbose logging to get get more about the access permission issue by doing registry settings thru Powershell



C:\windows\system32> reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v GPSvcDebugLevel /t Reg_Dword /d 0x30002 /f

Based on above steps we were able to identify the issue with installation account that it was not having correct permission on registry key(HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup) due it below error was noticed in WSUSPostinstallation.log(can be found in C:\Users*loggedinuser*\AppData\Local\Temp) file.

Error -
2021-09-17 07:33:51 Granting registry permissions...
2021-09-17 07:33:51 System.UnauthorizedAccessException: Attempted to perform an unauthorized operation
.

at System.Security.AccessControl.Win32.GetSecurityInfo(ResourceType resourceType, String name, SafeHandle handle, AccessControlSections accessControlSections, RawSecurityDescriptor& resultSd)
at System.Security.AccessControl.NativeObjectSecurity.CreateInternal(ResourceType resourceType, Boolean isContainer, String name, SafeHandle handle, AccessControlSections includeSections, Boolean createByName, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.NativeObjectSecurity..ctor(Boolean isContainer, ResourceType resourceType, SafeHandle handle, AccessControlSections includeSections, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.RegistrySecurity..ctor(SafeRegistryHandle hKey, String name, AccessControlSections includeSections)

To solve this access issue we have given full permission and change the ownership to installation account but didn't work then we checked the group policy on local system and came to know that the "Manage Auditing and Security Log" under "Computer Configuration\Windows Settings\Security Settings\Local Policies\" is only configured for two specific users and managed thru default domain policy. however default configuration should be for Local Administrators group.

to solve this issue we have changed the group policy from specific user to Local administrators group and after that it worked and we were able to complete the WSUS post installation and configuration by following below steps and now it is working fine.

1) Open a PowerShell session as Administrator and uninstall WSUS completely with the following command:
Remove-WindowsFeature –Name UpdateServices,UpdateServices-DB,UpdateServices-RSAT,UpdateServices-API,UpdateServices-UI –IncludeManagementTools
2) Delete the registry key HKLM\SOFTWARE\Microsoft\Update Services
3) Delete the WSUS mmc file from %appdata%\Microsoft\MMC
4) Delete the Folder "%ProgramFiles%\Update Services" along with all of its subfolders and files. in case some files or subfolder left then delete it after reboot of server
5) Reboot the server
6) Run the System File Checker to find and repair any inconsistencies by typing the command below into the PowerShell prompt. SFC /scannow
7) Reboot the server
8) Verify IIS is installed and working without errors
9) Open Server Manager MMC and select Add Roles & features to install WSUS
10) Once WSUS installation has completed, run PowerShell using Admin rights and change the current working directory to %programfiles%\Update Services\Tools and run the following post-installation commands. in our case we used SQL DB and ran first command

To use a SQL DB:
.\wsusutil.exe postinstall SQL_INSTANCE_NAME=”SERVER\Instance” CONTENT_DIR=”<drive>:\WSUS”

To use WID:
.\wsusutil.exe postinstall CONTENT_DIR=”<drive>:\WSUS”

11) Wait for the command to complete successfully.

12) Open the WSUS console from Server Manager console => Tool => Windows Server Update Services
and configure as per your requirement and wait for initial sync to happen.

Below steps are only required if you are using SCCM/EMCM to manage software update deployment. however this steps required for us as we are using SCCM/EMCM

13) Open the SCCM Console and install the Software Update point role and wait for Sync to happen.
14) If sync doesn't happen and you see error message in Wsyncmgr.log.
======================================================
Found active SUP SRV.abc.com from SCF File. SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:35 8376 (0x20B8)
STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SRV.abc.com SITE=TTP PID=8324 TID=8376 GMTDATE=Wed Sep 22 09:17:35.568 2021
ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X0 SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:35 8376 (0x20B8)
Sync failed: Class not registered SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SRV.abc.com SITE=TTP PID=8324 TID=8376 GMTDATE=Wed Sep 22 09:17:36.579 2021 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X80040154 SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
Setting sync alert to active state on site CTP SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
Sync time: 0d00h00m01s SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
Skipping Delete Expired Update relations since this is not a scheduled sync. SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
======================================================

then run below command to register wsyncact.dll file which helps to ensure that sync starts.

A) open command prompt with admin rights
B) C:\windows\Microsoft.NET\Framework64\v4.0.30319>regasm.exe "<<SCCM\EMC installation directory>>:\Microsoft Configuration Manager\bin\X64\wsyncact.dll"
C) Restart SMS_EXECUTIVE service
D) now create a file called "FULL.SYN" in <<SCCM\EMC installation directory>>:\Microsoft Configuration Manager\inboxes\wsyncmgr.box


Hope this will help to all who are having similar issue with WSUS and SCCM/EMCM.




· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Glad to hear that the issue has fixed and thank you so much for your selfless sharing.

0 Votes 0 ·
AllenLiu-MSFT avatar image
0 Votes"
AllenLiu-MSFT answered RakeshKumar-2842 commented

Hi, @RakeshKumar-2842
Thank you for posting in Microsoft Q&A forum.

Has the windows 2019 server joined the domain? If so, please try to dis-join it from the domain and restart, then try again.

And according to the log, it seems this is relate to folder permission, try to set permission for the folder WSUS, WSUS\WsusContent, %ProgramFiles%\Update Services\LogFiles follow below article, after setting up above permissions restart the server and try to rerun the post installation wizard.
https://www.doitfixit.com/blog/2016/11/30/wsus-post-installation-failed-attempted-to-perform-an-unauthorized-operation/
(Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 5
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @AllenLiu-MSFT

We have SCCM(primary site) installed on same server and if we disjoin from domain and re-join then i think it will impact the SCCM functionality as well.

I have given permission to said folders as per https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939790(v=ws.10)?redirectedfrom=MSDN but still have same issue.

0 Votes 0 ·

Hi, @RakeshKumar-2842

You said you did check with fresh installation on one of windows 2019 server and getting the same issue, is that server also joined to domain, if so I think you may try to disjoin from domain for that server and test if it can pass the post installation.

And here is an article about how to remove WSUS completely and reinstall it:
https://www.ajtek.ca/wsus/how-to-remove-wsus-completely-and-reinstall-it/

0 Votes 0 ·

Hi @AllenLiu-MSFT ,

Yes that is also domain joined and it has other products like 1E tachyon and Endpoint protection server role.

Yes i did follow the steps mentioned on https://www.ajtek.ca/wsus/how-to-remove-wsus-completely-and-reinstall-it/ which i did find thru https://community.spiceworks.com/topic/2172900-wsus-post-installation-tasks-failed-susdb-not-being-created. also there are multiple TechNet forum questions where it is mentioned. I did log the P2(27540705) case with Microsoft on Friday but still waiting for them to respond and assign an engineer.

0 Votes 0 ·

Thanks for the feedback, if you have fixed the issue with the support case, hope you can share the solution here, we believe this will be very beneficial for other community members who have similar questions.

0 Votes 0 ·