UPDATED: Windows Server 2012 – WSUS Post-Install Tasks Fail Immediately

UPDATE: The original post was written on May 1, 2014. I’ve added script code at the bottom of the post to accommodate issues that may be encountered with WID conflicts in Server 2012/2012 R2. The PowerShell script code also works with Server 2016.

Not long ago, I was trying to re-install WSUS on a server that would not generate the ‘WSUS Administration’ website.

Post-installation tasks would also fail without giving me much to go on. After some time researching, I found several posts on message boards that all said to do different things to resolve the issue. Some of them even said to either reload the OS on the server (not always an option in a production environment), or call Microsoft for help (which as we all know costs $$$).

Here’s what I found…

The installation log is written to the %temp% folder as a file with the .TMP file extension. (EXAMPLE: tmp56B7.tmp)

When looking at this file, it told me that a file it was looking for was not found, or corrupt.

When I ran the WSUS Console I saw the following:


The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

System.NullReferenceException — Object reference not set to an instance of an object.



Stack Trace:

at Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetLocalInstallDir()

at Microsoft.UpdateServices.UI.AdminApiAccess.Constants..cctor()

** this exception was nested inside of the following exception **

System.TypeInitializationException — The type initializer for ‘Microsoft.UpdateServices.UI.AdminApiAccess.Constants’ threw an exception.



Stack Trace:

at Microsoft.UpdateServices.UI.SnapIn.Scope.RootScopeNode.GetComputerTargetFromCmdLine()

at Microsoft.UpdateServices.UI.SnapIn.Scope.RootScopeNode.AddServerScopeNodeFromCmdLine()

at Microsoft.UpdateServices.UI.SnapIn.Common.SnapInManager.OnLoadCustomData(AsyncStatus status, Byte[] persistenceData)


To resolve the issue, I performed the following steps (in order):

1) Open a PowerShell session as Administrator and uninstall WSUS completely with the following command:

Remove-WindowsFeature -Name UpdateServices,UpdateServices-DB,UpdateServices-RSAT,UpdateServices-API,UpdateServices-UI -IncludeManagementTools

2) Delete the registry key HKLM\SOFTWARE\Microsoft\Update Services

3) Delete the WSUS file from %appdata%\Microsoft\MMC

4) Delete the Folder %ProgramFiles%\Update Services along with all of its subfolders and files.

5) Reboot the server

6) Run the System File Checker to find and repair any inconsistencies by typing the command below into the PowerShell prompt.

SFC /scannow

7) Reboot the server

8) Verify IIS is installed and working without errors

9) Open a PowerShell session as Administrator and install WSUS with one of the following commands:

To use a SQL DB:

Install-WindowsFeature -Name UpdateServices,UpdateServices-DB -IncludeManagementTools

To use WID:

Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

10) Once WSUS installation has completed, change the current working directory to %programfiles%\Update Services\Tools and run one of the following post-installation commands:

To use a SQL DB:

.\wsusutil.exe postinstall SQL_INSTANCE_NAME="SERVER\Instance" CONTENT_DIR=":\WSUS"

To use WID:

.\wsusutil.exe postinstall CONTENT_DIR=":\WSUS"

11) Wait for the command to complete successfully.

12) If you are using this WSUS instance as part of a farm, then open the Admin Console and configure your updates.

13) If you are using this instance as part of the roles within an SCCM Implementation, open the SCCM Console and install the Software Update point role.

Here is my PowerShell Script code to perform the WSUS Installation and Post-Installation tasks. Copy the code and save it as a .PS1 script file and run it on the intended Server.

For use with SQL Server:


For use with Windows Internal Database:

Configure WSUS as needed and happy patching!
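
The reinstall procedure above (steps 1 to 10, WID variant) as a two-phase PowerShell script. This is an added example, not the author's script; the -Phase and -ContentDir parameters are assumptions of the example, and the reboots and the SFC run between the two phases stay manual.

```powershell
# Added example, not the author's script. Run from an elevated PowerShell session.
#   -Phase Cleanup : steps 1-4 (uninstall WSUS, delete what it left behind)
#   -Phase Install : steps 8-10 for WID, after both reboots and "sfc /scannow"
param(
    [Parameter(Mandatory = $true)][ValidateSet('Cleanup', 'Install')][string]$Phase,
    [string]$ContentDir    # assumption: content folder chosen by the caller
)
$ErrorActionPreference = 'Stop'

# Leftovers named in steps 2-4
$leftovers = @(
    'HKLM:\SOFTWARE\Microsoft\Update Services',
    (Join-Path $env:APPDATA 'Microsoft\MMC\wsus'),
    (Join-Path $env:ProgramFiles 'Update Services')
)

if ($Phase -eq 'Cleanup') {
    Remove-WindowsFeature -Name UpdateServices, UpdateServices-DB, UpdateServices-RSAT,
        UpdateServices-API, UpdateServices-UI -IncludeManagementTools
    foreach ($path in $leftovers) {
        if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Recurse -Force }
    }
    Write-Host 'Cleanup finished. Reboot, run "sfc /scannow", reboot again, then use -Phase Install.'
    return
}

if (-not $ContentDir) { throw 'The Install phase needs -ContentDir.' }

# Refuse to install on top of remnants of the failed installation
$remaining = @($leftovers | Where-Object { Test-Path -LiteralPath $_ })
if ($remaining.Count -gt 0) { throw "Run -Phase Cleanup first; still present: $($remaining -join '; ')" }

# Step 8: if IIS is already present, it has to be running before WSUS is added
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($iis -and $iis.Status -ne 'Running') { throw "IIS (W3SVC) is $($iis.Status); fix IIS first." }

# Step 9 (WID variant)
$result = Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
if (-not $result.Success) { throw 'Install-WindowsFeature reported failure.' }

# Step 10: post-installation tasks
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) {
    # The post points at a .tmp log in %temp%; report the newest candidate
    $log = Get-ChildItem -Path $env:TEMP -Filter '*.tmp' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    throw "wsusutil postinstall exited with $LASTEXITCODE. Newest log candidate: $($log.FullName)"
}
Write-Host 'Post-installation tasks completed.'
```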

SCCM 2012 R2 – OS Deployment with PKI (HTTPS)

More and more organizations are implementing Configuration Manager with PKI (HTTPS) enabled. Recently, I worked with a customer who planned to do just that.

Initially we set up the site without any certificates installed because the PKI Implementation within the domain was not yet completed. Once it was complete, we changed the site and client communication to be HTTPS only. This presented us with issues in regard to Operating System Deployment.

Once the mode was changed, none of our boot disks or Task Sequences would work. After we finished scratching our heads, reading blogs, and flipping through TechNet docs and articles, we were able to get it working again.

Here are the steps that we went through to get OSD back up and running again, assuming that your site is already in HTTPS and you have a healthy, functional PKI environment.

  1. Create a ConfigMgr Workgroup Client Certificate.
  2. Request the ConfigMgr Workgroup Client Certificate from the Certificate Authority.
  3. Export the ConfigMgr Workgroup Client Certificate.
  4. Modify the MDT Toolkit Package so that our new certificate is available when building the image and deploying it.
    • Alternatively you could create a new package that contains the exported certificate and the answer file created in step 5 below.
  5. Create a new answer file for our OS Installation Package used in our Build task sequence.
  6. Create a package for the new answer file.
  7. Modify our Build task sequence to include the answer file and tell the ConfigMgr Client Package to install for PKI.
  8. Recreate our Boot disk ISO to include the exported certificate.
  9. Build and Capture our new OS Image.

Create the ConfigMgr Workgroup Client Certificate

These are modified steps from TechNet for “Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority”.

  1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
  4. In the Properties of New Template dialog box, on the General tab, enter a template name that will be used, such as ConfigMgr Workgroup Client Certificate.
  5. Click the Request Handling tab, ensure that “Allow private key to be exported” is checked.
  6. Click the Subject Name tab, select “Supply in the request” at the top.
  7. Click OK and close Certificate Templates Console.
  8. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  9. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Workgroup Client Certificate, and then click OK.
  10. Close Certification Authority.

Request the ConfigMgr Workgroup Client Certificate from the Certificate Authority

These steps can be performed from any domain joined system including the Certificate Authority.

  1. Launch Microsoft Management Console (MMC) by opening a run dialog, type MMC then click OK.
  2. Click FILE -> ADD/REMOVE SNAP-IN to open the “Add or Remove Snap-ins” dialog.
  3. Choose “Certificates” from the list of available snap-ins, then click the button labeled “Add >”.
  4. When prompted, select “Computer Account” and click Next.
  5. Select “Local Computer: (the computer this console is running on)”, then click Finish.
  6. Click OK to close the “Add or Remove Snap-ins” dialog.
  7. Expand “Certificates (Local Computer)” -> Personal, and click on “Certificates”
  8. Right-click on “Certificates” and choose All Tasks -> Request New Certificate from the menu.
  9. In the Certificate Enrollment wizard that opens, click Next.
  10. Select Active Directory Enrollment Policy, then click Next.
  11. Check the box for ConfigMgr Workgroup Client Certificate that was created earlier, then click the link below it that says “More information is required…”
  12. Under Subject name, choose Common name as the type and enter Workgroup PKI as the value, then click the button labeled “Add >” and click OK.
  13. Click Enroll. If done correctly, you should see a “STATUS: Succeeded” in the results dialog.
  14. Click Finish

Export the ConfigMgr Workgroup Client Certificate

  1. The “Workgroup PKI” certificate should now show in the certificate console under Personal -> Certificates.
  2. Right-click on the “Workgroup PKI” certificate and choose “All Tasks” -> “Export…” from the menu.
  3. In the Certificate Export Wizard, click Next on the welcome screen.
  4. Select “Yes, export the private key”, then click Next.
  5. Select Personal Information Exchange – PKCS #12 (.PFX), and ensure that “Include all certificates in the certification path if possible” AND “Export all extended properties” are checked, then click Next.
  6. Type in a password and confirm it in the boxes provided on the Password screen, then click Next. (Save this password for later use)
  7. Browse for a location to export the certificate to. Make sure that it is somewhere accessible from SCCM, give it a name (ex. – WorkgroupPKI.pfx) and click Save.
  8. Click Next on the File to Export dialog.
  9. Click Finish on the completion dialog.
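
Before the exported file is copied into the MDT package and the boot media, it can be checked for the properties the later steps rely on. This PowerShell check is an added example, not part of the original post; the default file name is the example name from step 7, and requiring the Client Authentication EKU assumes the new template kept the purpose of the Workstation Authentication template it was duplicated from.

```powershell
# Added example, not from the original post. Checks an exported PFX before it is
# copied into the MDT package or the boot media.
param([string]$PfxPath = '.\WorkgroupPKI.pfx')    # example file name from the export step

$clientAuthOid = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU
# Prompt for the password so it does not end up in command history or a script file
$password = Read-Host -Prompt 'PFX password' -AsSecureString

$full = (Resolve-Path -LiteralPath $PfxPath).Path
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $full, $password
try {
    # Collect every OID listed in the Enhanced Key Usage extension (none if it is absent)
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $now = Get-Date
    $checks = [ordered]@{
        'Private key is in the file'   = $cert.HasPrivateKey
        'Common name is Workgroup PKI' = ($cert.GetNameInfo('SimpleName', $false) -eq 'Workgroup PKI')
        'Client Authentication EKU'    = ($ekuOids -contains $clientAuthOid)
        'Within validity period'       = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    }
    foreach ($name in $checks.Keys) {
        Write-Host ('{0,-30} {1}' -f $name, $(if ($checks[$name]) { 'PASS' } else { 'FAIL' }))
    }
    Write-Host "Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter.ToString('u'))"
    if (@($checks.Values) -contains $false) {
        throw 'The PFX does not meet the expectations of the workgroup client certificate steps.'
    }
} finally {
    $cert.Reset()    # release the loaded certificate
}
```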

Modify the MDT Toolkit Package

  1. Open windows explorer and locate the certificate file that you just exported.
  2. Copy the file to the Scripts folder within your MDT Toolkit Package.
  3. Open the Configuration Manager Console and locate the MDT Toolkit Package.
  4. Update the Distribution Point(s) for the package.

Create Answer File

  1. Open the Windows System Image Manager on a computer that has the Windows Automated Installation Kit (WAIK) installed.
  2. Create a new answer file by clicking the icon in the upper left corner, clicking “FILE” -> “New Answer File…”, or by pressing CTRL+N on the keyboard.
  3. Under “Windows Image”, right-click on “Select a Windows Image or Catalog File” and choose Select Windows Image.
  4. Browse to your Operating System Installation Media, and choose the catalog file (.clg) for the desired OS you are trying to deploy, then click “Open”. The CLG file is usually located on the installation media in the Sources directory. (EX – for Windows 7 Enterprise the file name is “install_Windows 7 ENTERPRISE.clg”)
  5. Expand Components.
  6. Locate the appropriate Microsoft-Windows-Deployment-<version>-neutral component for the desired architecture. (for Windows 7 Enterprise 64bit, the component is – amd64_Microsoft-Windows-Deployment_6.1.7600.16385_neutral)
  7. Expand Microsoft-Windows-Deployment -> RunSynchronous.
  8. Right-click on RunSynchronousCommand and choose “Add Setting to Pass 4 specialize”
  9. In the Answer File section, click on “RunSynchronousCommand” to highlight it.
  10. For the properties of “RunSynchronousCommand”, enter the following:
    • Description: Import Workgroup Certificate
    • Order: 5
    • Path: cmd.exe /c certutil -f -p <password> -importpfx <drive>:\_SMSTaskSequence\Packages\<PackageID>\Scripts\<nameofcertificate>.pfx
      • <password> = The password set on the certificate when it was exported. It is stored in the answer file in clear text.
      • <drive> = The system drive where the Operating System will be installed. This is usually drive C.
      • <nameofcertificate> = The name of the certificate file that was exported earlier.
  11. Right-click “Credentials” below “RunSynchronousCommand” and choose delete.
  12. Click File -> Save Answer File As, then browse to a location easily accessible by the Configuration Manager Server.
  13. Name the answer file “Unattend.xml” and then click Save.

Create Answer File Package

  1. Open the Configuration Manager Console and navigate to Software Library -> Application Management -> Packages.
  2. Create a new Package called “OSD – Windows 7 Enterprise 64bit Answer File”
  3. Check the box for “This package contains source files”.
  4. Browse to the location where the new answer file was saved. (Ensure that you use the UNC path and not a local volume path when creating packages in Configuration Manager)
  5. Click next
  6. For Program Type, select “Do not create a program”, then click next.
  7. Click next on the Summary screen, then click close on the Completion screen.
  8. Right-click on the package you’ve just created and distribute the content.

Modify the Task Sequence

  1. Open the Configuration Manager Console and navigate to Software Library -> Operating Systems -> Task Sequences.
  2. Select the task sequence used for Build and Capture of your operating system image.
  3. Right-click on the task sequence and choose Edit.
  4. Select the step called Partition Disk 0
  5. Add a Use Toolkit Package step by clicking Add -> MDT -> Use Toolkit Package
  6. Browse for and choose your MDT Toolkit package from the available packages.
  7. Select the step called Apply Operating System
  8. Ensure that the box is checked for “Use an unattended or Sysprep answer file for a custom installation”
  9. Browse for the answer file package we just created.
  10. For the File Name, enter the name given to the answer file created earlier. (unattend.xml)
  11. Click on the Apply Device Drivers step, then click Add -> MDT -> Use Toolkit Package
  12. Browse for and choose your MDT Toolkit package from the available packages.
  13. Click on the step called Setup Windows and Configuration Manager
  14. In the area provided for “Installation Properties”, enter the following:
      • <FQDN> = Fully Qualified Domain Name of your Configuration Manager Management Point Server
      • <DOMAIN> = Name of the domain where the SCCM Management Point Server resides. (EX – ADVENTURESINSYSCTR.NET)
  15. Click Apply to save the changes to the Task Sequence.
  16. Click OK to close the Task Sequence.

Recreate Boot ISO

  1. Open the Configuration Manager Console and navigate to Software Library -> Operating Systems -> Task Sequences.
  2. Right-Click on Task Sequences and choose “Create Task Sequence Media” from the menu.
  3. Select “Bootable Media” as the media type and then click next.
  4. On the next screen, choose the option that works best within your environment. For this example, I chose Dynamic Media.
  5. The next screen is the media type screen. If you have access to the local USB ports where you are running the wizard from, you can choose USB Flash Drive. I personally like to use CD/DVD Set, because this gives me the option of using the ISO that is created to make several USB boot drives if I need to.
    • For this blog post, I’ve chosen CD/DVD Set. Once selected, browse for a location to place the ISO (CD Image) file to be created, give it a name with the .iso extension and click next.
  6. On the Security Settings screen, set a password if you wish, or you can uncheck the box for “Protect media with a password”.
  7. Ensure that Import PKI Certificate is selected, then browse to the location where the “Workgroup PKI” certificate was exported.
  8. Select the certificate, then type in the password in the space provided and click next.
    • If you’ve already used the certificate on another boot disk, you will get a prompt telling you that the certificate is already in use. Click yes to use the certificate again, or you can go back and request a new one from the CA and export it again.
  9. On the next screen, choose your boot image to use, the distribution point and the desired management point. Then click next.
  10. Do not enter any customizations at this time. If you wish, you can create another boot disk and customize that one. Simply click next here.
  11. Click next on the summary screen to begin creation of the USB or ISO image.
  12. Once completed, you will have a boot disk to use for build and capture (and deployment) of your image. Click Close on the completion screen.

Build and Capture the Image

Using a Virtual Machine, mount the ISO image that we just created and boot from it. If you’ve deployed the Build and Capture task sequence to the “All Unknown Computers” collection, you should have the task sequence available.

Use PowerShell to Create SCCM 2012 Site Boundaries

I needed a script to create IPRange Boundaries within SCCM 2012. One of my coworkers suggested that I use a PowerShell cmdlet to get this done for me.

So I opened the CM2012 console and ran the PowerShell Session from the menu in the upper left corner. Then I ran ‘get-help boundary’ to see what was available.

One of the Cmdlets returned was ‘new-cmboundary’. The script reads each line of a csv file in and parses it for the needed information to construct the Boundaries.

Here is the script I came up with.

To run this script you will need to do three things.

  • Run the SCCM 2012 Console as administrator
  • Open the PowerShell session from the menu in the upper left corner of the SCCM Console.
  • Run this command: Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

CSV File format:

Hyper-V Lab IPRANGE,IPRange,

CreateBoundaries.ps1 <pathtofile>.csv

This script can actually be used to create all of the boundary types in CM2012. To do so, you would need to change the Boundary type and respective value in your CSV file.

Available boundary types are:

  • IPSubnet (Example corresponding value: “”)
  • ADSite (Example corresponding value: “Default-First-Site-Name”)
  • IPv6Prefix (Example corresponding value: “FE80::/64”)
  • IPRange (Example Corresponding value: “”)

For more information about the commands used in the script, open PowerShell from within the SCCM console and type the following commands:

  • Get-Help Import-CSV
  • Get-Help New-CMBoundary
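
A CSV-driven boundary import of the kind described above, with each row validated before New-CMBoundary is called. This is an added example, not the author's CreateBoundaries.ps1; the headerless name, type, value column order, the start-end form of an IPRange value, and the New-CMBoundary parameter names are assumptions to confirm with Get-Help New-CMBoundary.

```powershell
# Added example, not the author's CreateBoundaries.ps1. Run it from the PowerShell
# session opened from the ConfigMgr console so that New-CMBoundary is available.
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,
    [switch]$Create    # without -Create the rows are only validated
)

function Test-IPv4([string]$Text) {
    $ip = $null
    ($Text -match '^\d{1,3}(\.\d{1,3}){3}$') -and [System.Net.IPAddress]::TryParse($Text, [ref]$ip)
}

function ConvertTo-UInt32([string]$Text) {
    $bytes = [System.Net.IPAddress]::Parse($Text).GetAddressBytes()
    [Array]::Reverse($bytes)    # network byte order to little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

# Returns $null for a usable row, otherwise the reason for rejecting it
function Test-BoundaryRow($Row) {
    if ([string]::IsNullOrWhiteSpace($Row.Name))  { return 'empty name' }
    if ([string]::IsNullOrWhiteSpace($Row.Value)) { return 'empty value' }
    switch ($Row.Type) {
        'IPRange' {    # assumption: the value is written as start-end
            $ends = @($Row.Value -split '-')
            $ok = $ends.Count -eq 2 -and (Test-IPv4 $ends[0]) -and (Test-IPv4 $ends[1])
            if (-not $ok) { return 'IPRange needs two IPv4 addresses' }
            if ((ConvertTo-UInt32 $ends[0]) -gt (ConvertTo-UInt32 $ends[1])) { return 'range start is above range end' }
        }
        'IPv6Prefix' {    # form taken from the page's example value FE80::/64
            $ip = $null
            $addr, $len = $Row.Value -split '/', 2
            $isV6 = [System.Net.IPAddress]::TryParse([string]$addr, [ref]$ip) -and $ip.AddressFamily -eq 'InterNetworkV6'
            if (-not $isV6) { return 'not an IPv6 prefix' }
            if ($len -notmatch '^\d{1,3}$' -or [int]$len -gt 128) { return 'prefix length must be 0-128' }
        }
        'IPSubnet' { }    # value format is not shown on the page; only non-empty is required
        'ADSite'   { }
        default    { return "unknown boundary type '$($Row.Type)'" }
    }
    return $null
}

# assumption: the CSV has no header row and its columns are name, type, value
foreach ($row in (Import-Csv -LiteralPath $CsvPath -Header Name, Type, Value)) {
    $problem = Test-BoundaryRow $row
    if ($problem) { Write-Warning "Skipping '$($row.Name)': $problem"; continue }
    if ($Create) {
        New-CMBoundary -DisplayName $row.Name -BoundaryType $row.Type -Value $row.Value
    } else {
        Write-Host "OK: $($row.Name) [$($row.Type)] $($row.Value)"
    }
}
```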