WSUS reinstallation and post install configuration fails

Rakesh Kumar 456 Reputation points
2021-09-17T06:54:55.89+00:00

Hi All,

i had issue with synchronization of SCCM SUP with WSUS. after doing all troubleshooting steps nothing has worked. Hence uninstalled the SUP and WSUS. when i did the reinstallation of WSUS below two issue has been observed.

  1. Tools folder not found in c:\programsfile\update service
  2. Post installation fails

any help on resolving this issue would be highly appreciated.

Server OS - windows 2019
SCCM Version - 2107

error in WSUS post installation log file -
2021-09-17 07:33:48 Postinstall started
2021-09-17 07:33:48 Detected role services: UI, WidDatabase, Services
2021-09-17 07:33:48 Start: LoadSettingsFromParameters
2021-09-17 07:33:48 Content local is: True
2021-09-17 07:33:48 Content directory is: H:\WSUS
2021-09-17 07:33:48 SQL instname is:
2021-09-17 07:33:48 End: LoadSettingsFromParameters
2021-09-17 07:33:48 Start: Run
2021-09-17 07:33:48 Fetching WsusAdministratorsSid from registry store
2021-09-17 07:33:48 Value is S-1-5-21-986062108-440580148-1005803637-1001
2021-09-17 07:33:48 Fetching WsusReportersSid from registry store
2021-09-17 07:33:48 Value is S-1-5-21-986062108-440580148-1005803637-1002
2021-09-17 07:33:48 Configuring content directory...
2021-09-17 07:33:48 Configuring groups...
2021-09-17 07:33:48 Starting group configuration for WSUS Administrators...
2021-09-17 07:33:48 Found group in regsitry, attempting to use it...
2021-09-17 07:33:51 Writing group to registry...
2021-09-17 07:33:51 Finished group creation
2021-09-17 07:33:51 Starting group configuration for WSUS Reporters...
2021-09-17 07:33:51 Found group in regsitry, attempting to use it...
2021-09-17 07:33:51 Writing group to registry...
2021-09-17 07:33:51 Finished group creation
2021-09-17 07:33:51 Configuring permissions...
2021-09-17 07:33:51 Fetching content directory...
2021-09-17 07:33:51 Fetching ContentDir from registry store
2021-09-17 07:33:51 Value is H:\WSUS
2021-09-17 07:33:51 Fetching group SIDs...
2021-09-17 07:33:51 Fetching WsusAdministratorsSid from registry store
2021-09-17 07:33:51 Value is S-1-5-21-986062108-440580148-1005803637-1001
2021-09-17 07:33:51 Fetching WsusReportersSid from registry store
2021-09-17 07:33:51 Value is S-1-5-21-986062108-440580148-1005803637-1002
2021-09-17 07:33:51 Creating group principals...
2021-09-17 07:33:51 Granting directory permissions...
2021-09-17 07:33:51 Granting permissions on content directory...
2021-09-17 07:33:51 Granting registry permissions...
2021-09-17 07:33:51 System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Security.AccessControl.Win32.GetSecurityInfo(ResourceType resourceType, String name, SafeHandle handle, AccessControlSections accessControlSections, RawSecurityDescriptor& resultSd)
at System.Security.AccessControl.NativeObjectSecurity.CreateInternal(ResourceType resourceType, Boolean isContainer, String name, SafeHandle handle, AccessControlSections includeSections, Boolean createByName, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.NativeObjectSecurity..ctor(Boolean isContainer, ResourceType resourceType, SafeHandle handle, AccessControlSections includeSections, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
at System.Security.AccessControl.RegistrySecurity..ctor(SafeRegistryHandle hKey, String name, AccessControlSections includeSections)
at Microsoft.Win32.RegistryKey.GetAccessControl(AccessControlSections includeSections)
at Microsoft.UpdateServices.Administration.ConfigurePermissions.GrantRegistryPermissions(IdentityReference identity, RegistryRights registryRights)
at Microsoft.UpdateServices.Administration.ConfigurePermissions.GrantRegistryPermissions()
at Microsoft.UpdateServices.Administration.PostInstall.Run()
at Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)

Microsoft Configuration Manager
{count} votes

Accepted answer
  1. Rakesh Kumar 456 Reputation points
    2021-09-22T15:08:08.717+00:00

    Hi All,

    So finally we have solved the issue with the help of Microsoft. Below are the steps taken to solve the issue.

    Steps to identify the root cause -

    1. We initiated the WSUS post installation using PowerShell command line postinstall SQL_INSTANCE_NAME="HOSTNAME" CONTENT_DIT=Drive:\WSUS and used Procmon tool to trace down the issue

    ==========================================================
    01:31:23.4171205 WsusUtil.exe 9920 RegOpenKey HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup ACCESS DENIED Desired Access: Query Value, Enumerate Sub Keys, Read Control, Access System Security

    01:31:23.4171843 WsusUtil.exe 9920 RegOpenKey HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup ACCESS DENIED Desired Access: Read Control, Access System Security

    1. we enabled the verbose logging to get get more about the access permission issue by doing registry settings thru Powershell

    C:\windows\system32> reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v GPSvcDebugLevel /t Reg_Dword /d 0x30002 /f

    Based on above steps we were able to identify the issue with installation account that it was not having correct permission on registry key(HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup) due it below error was noticed in WSUSPostinstallation.log(can be found in C:\Users**loggedinuser**\AppData\Local\Temp) file.

    Error -
    ****2021-09-17 07:33:51 Granting registry permissions...
    2021-09-17 07:33:51 System.UnauthorizedAccessException: Attempted to perform an unauthorized operation**.**

    at System.Security.AccessControl.Win32.GetSecurityInfo(ResourceType resourceType, String name, SafeHandle handle, AccessControlSections accessControlSections, RawSecurityDescriptor& resultSd)
    at System.Security.AccessControl.NativeObjectSecurity.CreateInternal(ResourceType resourceType, Boolean isContainer, String name, SafeHandle handle, AccessControlSections includeSections, Boolean createByName, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
    at System.Security.AccessControl.NativeObjectSecurity..ctor(Boolean isContainer, ResourceType resourceType, SafeHandle handle, AccessControlSections includeSections, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
    at System.Security.AccessControl.RegistrySecurity..ctor(SafeRegistryHandle hKey, String name, AccessControlSections includeSections)

    To solve this access issue we have given full permission and change the ownership to installation account but didn't work then we checked the group policy on local system and came to know that the "Manage Auditing and Security Log" under "Computer Configuration\Windows Settings\Security Settings\Local Policies\" is only configured for two specific users and managed thru default domain policy. however default configuration should be for Local Administrators group.

    to solve this issue we have changed the group policy from specific user to Local administrators group and after that it worked and we were able to complete the WSUS post installation and configuration by following below steps and now it is working fine.

    1) Open a PowerShell session as Administrator and uninstall WSUS completely with the following command:
    Remove-WindowsFeature –Name UpdateServices,UpdateServices-DB,UpdateServices-RSAT,UpdateServices-API,UpdateServices-UI –IncludeManagementTools
    2) Delete the registry key HKLM\SOFTWARE\Microsoft\Update Services
    3) Delete the WSUS mmc file from %appdata%\Microsoft\MMC
    4) Delete the Folder "%ProgramFiles%\Update Services" along with all of its subfolders and files. in case some files or subfolder left then delete it after reboot of server
    5) *Reboot the server *
    6) Run the System File Checker to find and repair any inconsistencies by typing the command below into the PowerShell prompt. SFC /scannow
    7) *Reboot the server *
    8) Verify IIS is installed and working without errors
    9) Open Server Manager MMC and select Add Roles & features to install WSUS
    10) Once WSUS installation has completed, run PowerShell using Admin rights and change the current working directory to %programfiles%\Update Services\Tools and run the following post-installation commands. in our case we used SQL DB and ran first command

    To use a SQL DB:
    .\wsusutil.exe postinstall SQL_INSTANCE_NAME=”SERVER\Instance” CONTENT_DIR=”<drive>:\WSUS”

    To use WID:
    .\wsusutil.exe postinstall CONTENT_DIR=”<drive>:\WSUS”

    11) Wait for the command to complete successfully.

    12) Open the WSUS console from Server Manager console => Tool => Windows Server Update Services
    and configure as per your requirement and wait for initial sync to happen.

    Below steps are only required if you are using SCCM/EMCM to manage software update deployment. however this steps required for us as we are using SCCM/EMCM

    13) Open the SCCM Console and install the Software Update point role and wait for Sync to happen.

    14) If sync doesn't happen and you see error message in Wsyncmgr.log.

    Found active SUP SRV.abc.com from SCF File. SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:35 8376 (0x20B8)
    STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SRV.abc.com SITE=TTP PID=8324 TID=8376 GMTDATE=Wed Sep 22 09:17:35.568 2021
    ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X0 SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:35 8376 (0x20B8)
    Sync failed: Class not registered SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
    STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SRV.abc.com SITE=TTP PID=8324 TID=8376 GMTDATE=Wed Sep 22 09:17:36.579 2021 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X80040154 SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
    Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
    Setting sync alert to active state on site CTP SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)
    Sync time: 0d00h00m01s SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)

    Skipping Delete Expired Update relations since this is not a scheduled sync. SMS_WSUS_SYNC_MANAGER 22/09/2021 10:17:36 8376 (0x20B8)

    then run below command to register wsyncact.dll file which helps to ensure that sync starts.

    A) open command prompt with admin rights
    B) C:\windows\Microsoft.NET\Framework64\v4.0.30319>regasm.exe "<<SCCM\EMC installation directory>>:\Microsoft Configuration Manager\bin\X64\wsyncact.dll"
    C) Restart SMS_EXECUTIVE service
    D) now create a file called "FULL.SYN" in <<SCCM\EMC installation directory>>:\Microsoft Configuration Manager\inboxes\wsyncmgr.box

    Hope this will help to all who are having similar issue with WSUS and SCCM/EMCM.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. AllenLiu-MSFT 43,056 Reputation points Microsoft Vendor
    2021-09-20T06:38:21.21+00:00

    Hi, @Rakesh Kumar
    Thank you for posting in Microsoft Q&A forum.

    Has the windows 2019 server joined the domain? If so, please try to dis-join it from the domain and restart, then try again.

    And according to the log, it seems this is relate to folder permission, try to set permission for the folder WSUS, WSUS\WsusContent, %ProgramFiles%\Update Services\LogFiles follow below article, after setting up above permissions restart the server and try to rerun the post installation wizard.
    https://www.doitfixit.com/blog/2016/11/30/wsus-post-installation-failed-attempted-to-perform-an-unauthorized-operation/
    (Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.