How to solve WSUS errors on your SCCM 2012 servers

Scott Lowe shares the solution to some WSUS errors you may be seeing. The culprit: changes introduced after the System Center 2012 SP1 update. Here's what you need to check.

In early 2012, Microsoft released a newly combined suite of products under the System Center 2012 name. One of those products, System Center Configuration Manager (SCCM), has greatly matured over the years and is an enterprise-grade desktop management tool designed to streamline what can be an onerous task. SCCM 2012 brought with it a number of enhancements intended to make the product more user-centric and more usable.

In January of 2013, Microsoft finally released Service Pack 1 for System Center 2012. Besides adding support for Windows 8 and Windows Server 2012, the SCCM 2012 SP1 update added some new features.

Unfortunately, it also introduces some challenges, particularly if you're using your SCCM environment. Specifically, you may discover that updates have stopped, well, updating. In addition, you may discover that the following error message is being written to SCCM logs: "Site component manager failed to install this component, because it either can't find or can't configure Windows Server Update Services (WSUS). Possible cause, WSUS service is not installed or running". You will also see errors 1016 and 4968 in the SMS_WSUS_CONTROL_MANAGER component.

The culprit: After you upgrade SCCM to SP1, you need to apply two updates to your SCCM servers. Without these patches, you will see errors in your installation and you will be unable to create additional Software Update Points.

The updates are:

I can personally attest to the need for these two patches. I just ran into this very issue at a client site and applying the updates did, in fact, correct the issue.

More changes to WSUS

In addition, there have been some changes in WSUS in Windows Server 2012. In older versions of WSUS, the default communications ports were ports 80 and 443. In Windows Server 2012, the new default ports for WSUS communication are ports 8530 (HTTP) and 8531 (HTTPS). There have been some reports that SCCM, after the application of SP1, may change the WSUS/SUP port configuration. If you're having trouble with WSUS and SCCM 2012, check these settings out, too.
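
A way to run that port check on the WSUS server itself, as an added example that is not part of the original article. The $SupPort parameter is an assumption: supply the port shown in your Software Update Point properties in the ConfigMgr console. The script reads the port WSUS setup recorded in the registry, then probes the old (80/443) and new (8530/8531) defaults.

```powershell
# Added example, not from the original article. Run on the WSUS server.
# $SupPort is an assumption: the port your Software Update Point is set to use.
param(
    [int]$SupPort = 8530
)

# Registry location where WSUS setup records its port and SSL flag
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'

function Test-TcpPort {
    # Returns $true if a TCP connection to the port succeeds within the timeout.
    # Uses TcpClient so it also works where Test-NetConnection is not available.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$setup    = Get-ItemProperty -Path $setupKey -ErrorAction Stop
$wsusPort = [int]$setup.PortNumber
$usingSsl = [bool]$setup.UsingSSL

"WSUS setup port   : $wsusPort (UsingSSL: $usingSsl)"
"SUP expected port : $SupPort"

# Probe the pre-2012 defaults (80/443) and the Windows Server 2012 defaults (8530/8531)
foreach ($port in 80, 443, 8530, 8531) {
    $state = if (Test-TcpPort -ComputerName 'localhost' -Port $port) { 'listening' } else { 'closed' }
    "{0,5} : {1}" -f $port, $state
}

if (-not (Test-TcpPort -ComputerName 'localhost' -Port $SupPort)) {
    Write-Warning "Nothing is listening on SUP port $SupPort; review the WSUS/SUP port settings."
}
if ($wsusPort -ne $SupPort) {
    Write-Warning "SUP port $SupPort differs from the WSUS setup port $wsusPort; review both settings."
}
```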

1 comment
Lawrence Garvin

Great recap of issues that may be affecting Configuration Manager implementations of WSUS. A few extra notes:

It is not necessary to install both updates on the WSUS server. At a minimum KB2720211 is required. This implements a new certificate management process, rolls up some hotfixes that ConfigMgr customers might need to have, and deploys a new Windows Update Agent to the WSUS server.

KB2734608 is actually an optional update. It includes a full rollup of KB2720211, so you can install KB2734608 *instead of* KB2720211. The other thing that KB2734608 does is modify the SUP database schema to support SHA256 hashes so that Windows 8 and Windows Server 2012 systems can be patched. It's quite likely that SC2012 customers are already running at least a couple Win2012 servers, so this update would be critical. But if Win8/Win2012 systems are not yet in the mix, this update can be deferred.

Also worthy of note: these updates are not unique to the CM2012 environment, they also apply to WSUS servers implemented as SUPs in CM2007 environments.

Finally, a special case scenario for Configuration Manager customers: installing KB2720211 or KB2734608 on the WSUS server **requires** that the Windows Update Agent on the ConfigMgr clients is updated to v7.6. If you have the WSUS Selfupdate capabilities enabled in your environment, this will happen automatically; but many organizations have blocked this capability (as a result of setting Configure Automatic Updates to DISABLED). For these customers, they'll need to find some methodology to update the WUAgent. Sadly, there is no standalone installer, so it cannot be packaged separately and distributed via Software Updates or Software Deployment (as was done with previous versions of the WUAgent). The only methodology currently available to update the WUAgent is to use selfupdate.
