WSUS KB2938066 and its effect in the environment

[wilbywilson]

In this month's list of updates, Microsoft came out with new patch for WSUS servers (3.0 and above.) In a "normal" WSUS environment, updating the main WSUS server would then automatically/gradually update all of the managed clients to the latest Windows Update Agent. But in an SCCM environment, most of us have disabled Automatic Updates per best practice recommendations, and the updating of the client WUA version needs to be done via some other method. This blog goes into more depth on that scenario: http://blog.configmgrftw.com/the-wua-dilemma-in-configmgr/

 

My question is, has anyone applied KB2938066 to their WSUS servers yet? If so, are your SCCM clients still checking in and getting Windows updates without any issues? I don't think we're ready to update the Windows Update Agent version on our clients (currently 7.6.7600.256) throughout the environment at this point. I want to make sure that if I update the main SCCM/WSUS server, I don't create some sort of "mismatch", where the clients wouldn't be able to receive updates (until they get the newer Windows Update Agent at a later time.) My Primary/SCCM server is Windows 2012 R2, fully patched as of last month. Just not sure if I should include KB2938066 with this month's updates.

 

Thanks for any advice.

[JohnHroch]

Hi Wilby,

 

as we have similar environment I would not recommend installing KB2938066 just yet.

 

I installed the update on my SCCM/WSUS machine (fully patched WS2012 R2) and the clients were not checking in for the updates. As you mentioned, the clients need to be updated in different way unless managed by WSUS directly.

 

Most of all, I ran into some issues in our second (an much larger environment), where the WSUS server (WS2008 R2 SP1 with WSUS 3.0 SP2) stopped self-updating and other server clients (mostly WS2008 R2 SP1) have troubles checking in after installing KB2938066. Unfortunatelly, these changes cannot be rolled back.

 

Here is part ot the WindowsUpdate.log in case you have some advice for me...

 

Agent *************
Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
Agent *********
Agent * Online = Yes; Ignore download priority = No
Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
Agent * Search Scope = {Machine}
Setup Checking for agent SelfUpdate
Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320
Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab with dwProvFlags 0x00000080:
Misc Microsoft signed: NA
Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp with dwProvFlags 0x00000080:
Misc FATAL: Error: 0xc000000d when verifying trust for C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp
Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp are not trusted: Error 0xc000000d
Setup FATAL: Ident cab verification failed with error 0XC000000D
Setup WARNING: SelfUpdate check failed to download package information, error = 0xC000000D
Setup FATAL: SelfUpdate check failed, err = 0xC000000D
Agent * WARNING: Skipping scan, self-update check returned 0xC000000D
Agent * WARNING: Exit code = 0xC000000D
Agent *********
Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
Agent *************
Agent WARNING: WU client failed Searching for update with error 0xc000000d
AU >>## RESUMED ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
AU # WARNING: Search callback failed, result = 0xC000000D
AU # WARNING: Failed to find updates with error code C000000D
AU #########
AU ## END ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
AU #############

[wilbywilson]

Hi John,

 

Thank you for your report. I'm sorry to hear that you're having issues. I'm always wary of "patching the patch infrastructure", because if something goes wrong, the entire environment could be affected.

 

On the WindowsUpdate.log that you pasted above, what is the operating system on that machine? I see that it's already at Windows Update Agent version 7.6.7600.320, which I believe is the latest release (depending on the O/S). Do you have any machines that are still at 7.6.7600.256? Is their behavior the same? I think the first step would be to try and find the common ground. For instance, are all machines in the environment having issues checking in for updates? Or just certain operating systems? If it's just certain operating systems, what version of the Windows Update Agent do they have?

 

Hopefully that will get you on the right track. I think for now, I'm going to hold off on applying KB2938066. Microsoft should hopefully be putting out more information on troubleshooting/fixing, when/if things do go wrong with this patch.

[JohnHroch]

Hi Wilby,

 

here is an interesting blog post from July 14, 2014 with all the considerations and how-tos for upgrading the WU agent on client computers... http://blogs.technet.com/b/configmgrteam/archive/2014/07/14/how-to-install-the-windows-update-agent-on-client-computers.aspx

 

Cheers, J.

[wilbywilson]

Good find. I wish there was a KB that could be approved for the Windows 7 machines (similar to Windows 8), because that would make things much easier. But at least there is a good write-up of how to accomplish the task through a somewhat more "manual" method.

 

Thanks for posting.

[Charles Anderson]

Do you have any machines that are still at 7.6.7600.256? Is their behavior the same?

 

My environment is experiencing the same issue since installing KB2938066 on the WSUS server. Only clients with the new agent are broken:

Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320

 

The ones like this are functional:

Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.256

 

We also use SSL on 8531 with an enterprise certificate whose issuer is pushed out by GPO.

 

Failures begin with

FATAL: Error: 0xc000000d when verifying trust for C:\Windows\SoftwareDistribution\SelfUpdate\TMPD28D.tmp

 

which seems to directly stem from these lines after the WuAuServ service starts but before the Agent initializes:

DtaStor Default service for AU is {00000000-0000-0000-0000-000000000000}

DtaStor Default service for AU is {9482F4B4-E343-43B6-B170-9A65BC822C77}

Agent WARNING: could not get the auth file name 0x80070002

Agent WARNING: Default Service Recovery: Attempting to add pending registration for service 7971f918-a847-4430-9279-4a52d1efe18d to the data store

Uninstalling KB2938066 from the WSUS server and rebooting was an instant fix for both client versions.

[JohnHroch]

I started a thread regarding this issue directly on Microsoft Social Technet forums. Hopefully, this gets resolved till next Patch Tuesday in August.

[JohnHroch]

Uninstalling KB2938066 from the WSUS server and rebooting was an instant fix for both client versions.

 

Charles, how did you managed uninstall this particular update. I tried almost everything on WS2008R2SP1, wusa.exe, msiexec etc.

 

Did the WUAgents on client machines downgraded as well?

[Charles Anderson]

 

Charles, how did you managed uninstall this particular update. I tried almost everything on WS2008R2SP1, wusa.exe, msiexec etc.

 

Did the WUAgents on client machines downgraded as well?

 

On WS2012R2 I only had to uninstall KB2938066 from Programs and Features and reboot. No changes made client-side. Clients remained at Core/Aux of 7.6.7600.320, but started working again.

 

In troubleshooting clients I tried wiping out WUagent entirely and re-registering DLLs as per http://support.microsoft.com/kb/971058 but it made no difference. Strongly hints at the root cause being server-side.