Hello,
Wondering if anyone else has noticed the following behavior when applying Microsoft Monthly Rollups to the workstations on their environment:
When applying the Windows 7 August Monthly Rollup (KB4034664), BigFix reports the update has been applied and no longer applicable to the computer. However, when checking the update history on the computer, that patch doesn’t appear as installed, even after restarting the computer. I can see that the Windows update log shows the update failed to install most of the times with error code 0x80092004, for which I don’t find much information. If I try to reapply the rollup, BigFix tells me the rollup is Not Relevant. However, when checking the BigFix console the list of applicable updates on that computer, I can see that the Security Only Update (KB4034679) and IE Cumulative Update (KB4034733) are applicable but not KB4034664.
If I apply the Security Only Update and IE update, they install fine and report back as installed.
I wouldn’t think there is anything wrong with the computer or Windows update components since the two updates are installing fine but rather some issue with the Monthly Rollup itself?
Has anyone experienced this behavior and if so, what steps have taken to resolve?
I cannot speak to the relevance portion of your post, but starting with July Security/Quality Rollup (and the same for August), we have high failure rates on our Windows 7 endpoints (close to 20%). The common Exit Code in BigFix is -2146885628 (0x80092004), as you mentioned.
We deploy with a baseline that starts the 3rd Wed of each months and runs until the end of the month. With the July failures, we deployed just the single Rollup (not requiring a reboot) about 10 days into our patch cycle. Those seemed to have a much higher success rate and since the baseline action was still open, we saw the error drop from the 20% down to about 5%.
It seems I’ll have to perform that process again this month. These rollups are becoming a PITA.
We are 8 days into our patching cycle and like last month, we have about a 20% failure rate with just the Rollup patch. Next month with two of our locations, we are going to try deploying the baseline with a behavior of “On failure, retry 1 times waiting until computer has been rebooted”. I’m unsure how well that behavior will work with a baseline (for example, does it show all the same prompts?), but this may be the only practical workaround to address this.
Here is the error in the Event log on a failed system. Is this looking like a Fixlet issue?
Windows update "Security Update for Windows (KB4034664)" could not be installed because of error 2148081668 "Cannot find object or property." (Command line: ""C:\Windows\system32\wusa.exe" "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\Enterprise Security\__Download\windows6.1-kb4034664-x64_e4daa48a7407d5921d004dd550d62d91bf25839e.msu" /quiet /norestart")
Hi Alexa,
While troubleshooting, one thing I have noticed is that with error 0x80092004 sometimes the PC requires several reboots for the patch to apply (my baseline is set to reapply several times if the components become relevant).
On my case, I cannot tell an exact failure rate since we cannot force reboot on every computer after install (except if user is logged off) but have to wait for users to manually reboot… In some cases that cannot happen for days or months.
I notice some computers on the ‘Pending Restart’ state show the Rollup is applied but others show it’s not so I don’t know how BigFix is picking up the status.
In others, I can confirm the Monthly Rollup is installed, but the Quality update still appears relevant even after some long time.
I’m setting up a separate baseline to deploy the security update and the IE 11 update to apply to the PCs where the rollup is failing.
Update: so I noticed the same behavior on September Win 7 Monthly Rollup (KB4038777) failing to install and still not showing up as applicable afterwards. I found an MS article that suggest applying KB317467 (Servicing stack update for Windows 7 SP1).
I did so and on some machines, not all, i’m noticing that after installing KB3177467, restarting the PC and then applying KB4038777, it does install successfully. It dows work on some machines. On others, even after applying KB3177467, KB4038777 is still coming up as Not relevant.
I’ll continue testing further
We made a change to retry our Baseline one time if a patch failed and that was a big help. It reduced our failure rate from over 20% to about 5%.
Other issues we were getting:
An “Install encountered an error: 0xc80003f3” which was resolved by stopping the Windows Update service (wuauserv) and deleting %windir%\SoftwareDistribution\DataStore.
A few cases had the WU service set to disabled, so we changed those to startup type: Manual
A few cases the endpoint was missing the Windows Modules Installer service (C:\windows\servicing\TrustedInstaller.exe doesn’t exist). An in-place upgrade worked; otherwise a re-image.
Yes, on our baseline, I have it to reapply once after restart. It works in some cases. Installing the Servicing Stack Update did help with a large percentage of the failures but still have about 10% of the computers for which none of the above have worked. I’ll be closely looking at those PCs and troubleshoot individually to see if I find similar scenarios as yours and address as suggested.