wilbywilson Posted July 14, 2014

In this month's list of updates, Microsoft came out with a new patch for WSUS servers (3.0 and above.) In a "normal" WSUS environment, updating the main WSUS server would then automatically/gradually update all of the managed clients to the latest Windows Update Agent. But in an SCCM environment, most of us have disabled Automatic Updates per best practice recommendations, and the updating of the client WUA version needs to be done via some other method. This blog goes into more depth on that scenario: http://blog.configmgrftw.com/the-wua-dilemma-in-configmgr/

My question is, has anyone applied KB2938066 to their WSUS servers yet? If so, are your SCCM clients still checking in and getting Windows updates without any issues?

I don't think we're ready to update the Windows Update Agent version on our clients (currently 7.6.7600.256) throughout the environment at this point. I want to make sure that if I update the main SCCM/WSUS server, I don't create some sort of "mismatch", where the clients wouldn't be able to receive updates (until they get the newer Windows Update Agent at a later time.)

My Primary/SCCM server is Windows 2012 R2, fully patched as of last month. Just not sure if I should include KB2938066 with this month's updates. Thanks for any advice.

JohnHroch Posted July 15, 2014

Hi Wilby, as we have a similar environment I would not recommend installing KB2938066 just yet. I installed the update on my SCCM/WSUS machine (fully patched WS2012 R2) and the clients were not checking in for the updates. As you mentioned, the clients need to be updated in a different way unless managed by WSUS directly.

Most of all, I ran into some issues in our second (and much larger) environment, where the WSUS server (WS2008 R2 SP1 with WSUS 3.0 SP2) stopped self-updating and other server clients (mostly WS2008 R2 SP1) have trouble checking in after installing KB2938066. Unfortunately, these changes cannot be rolled back.

Here is part of the WindowsUpdate.log in case you have some advice for me...

    Agent *************
    Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
    Agent *********
    Agent * Online = Yes; Ignore download priority = No
    Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    Agent * Search Scope = {Machine}
    Setup Checking for agent SelfUpdate
    Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320
    Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab with dwProvFlags 0x00000080:
    Misc Microsoft signed: NA
    Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp with dwProvFlags 0x00000080:
    Misc FATAL: Error: 0xc000000d when verifying trust for C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp
    Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\TMPC435.tmp are not trusted: Error 0xc000000d
    Setup FATAL: Ident cab verification failed with error 0XC000000D
    Setup WARNING: SelfUpdate check failed to download package information, error = 0xC000000D
    Setup FATAL: SelfUpdate check failed, err = 0xC000000D
    Agent * WARNING: Skipping scan, self-update check returned 0xC000000D
    Agent * WARNING: Exit code = 0xC000000D
    Agent *********
    Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
    Agent *************
    Agent WARNING: WU client failed Searching for update with error 0xc000000d
    AU >>## RESUMED ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
    AU # WARNING: Search callback failed, result = 0xC000000D
    AU # WARNING: Failed to find updates with error code C000000D
    AU #########
    AU ## END ## AU: Search for updates [CallId = {9CD5DB56-3B59-4481-90D0-FD1E34D65233}]
    AU #############

wilbywilson Posted July 15, 2014

Hi John,

Thank you for your report. I'm sorry to hear that you're having issues. I'm always wary of "patching the patch infrastructure", because if something goes wrong, the entire environment could be affected.

On the WindowsUpdate.log that you pasted above, what is the operating system on that machine? I see that it's already at Windows Update Agent version 7.6.7600.320, which I believe is the latest release (depending on the O/S). Do you have any machines that are still at 7.6.7600.256? Is their behavior the same?

I think the first step would be to try and find the common ground. For instance, are all machines in the environment having issues checking in for updates? Or just certain operating systems? If it's just certain operating systems, what version of the Windows Update Agent do they have? Hopefully that will get you on the right track.

I think for now, I'm going to hold off on applying KB2938066. Microsoft should hopefully be putting out more information on troubleshooting/fixing, when/if things do go wrong with this patch.

JohnHroch Posted July 17, 2014

Hi Wilby, here is an interesting blog post from July 14, 2014 with all the considerations and how-tos for upgrading the WU agent on client computers...

http://blogs.technet.com/b/configmgrteam/archive/2014/07/14/how-to-install-the-windows-update-agent-on-client-computers.aspx

Cheers, J.

wilbywilson Posted July 17, 2014

Good find. I wish there was a KB that could be approved for the Windows 7 machines (similar to Windows 8), because that would make things much easier. But at least there is a good write-up of how to accomplish the task through a somewhat more "manual" method. Thanks for posting.

Charles Anderson Posted July 17, 2014

> Do you have any machines that are still at 7.6.7600.256? Is their behavior the same?

My environment is experiencing the same issue since installing KB2938066 on the WSUS server. Only clients with the new agent are broken:

    Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320

The ones like this are functional:

    Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.256

We also use SSL on 8531 with an enterprise certificate whose issuer is pushed out by GPO. Failures begin with

    FATAL: Error: 0xc000000d when verifying trust for C:\Windows\SoftwareDistribution\SelfUpdate\TMPD28D.tmp

which seems to directly stem from these lines after the WuAuServ service starts but before the Agent initializes:

    DtaStor Default service for AU is {00000000-0000-0000-0000-000000000000}
    DtaStor Default service for AU is {9482F4B4-E343-43B6-B170-9A65BC822C77}
    Agent WARNING: could not get the auth file name 0x80070002
    Agent WARNING: Default Service Recovery: Attempting to add pending registration for service 7971f918-a847-4430-9279-4a52d1efe18d to the data store

Uninstalling KB2938066 from the WSUS server and rebooting was an instant fix for both client versions.

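Added example, not part of any post in this thread: the version-by-version comparison discussed above, done in Python by reading each client's WindowsUpdate.log for its last "Client version" line and any "SelfUpdate check failed" result that follows it. The host names and sample log lines are constructed for illustration, and the "SelfUpdate check completed" line used for the healthy case is an assumed success message.

```python
import re

# Matches the "Setup" line that opens each scan session in WindowsUpdate.log.
VERSION_RE = re.compile(r"Client version: Core: ([\d.]+)\s+Aux: ([\d.]+)")
# Matches the final self-update verdict, e.g. "err = 0xC000000D".
FAIL_RE = re.compile(r"SelfUpdate check failed, err = 0x([0-9A-Fa-f]{8})", re.I)

def last_scan(log_text):
    """Return the most recent scan session as a dict, or None if there is none."""
    session = None
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:  # a new session supersedes any earlier failure
            session = {"core": m.group(1), "aux": m.group(2), "error": None}
            continue
        m = FAIL_RE.search(line)
        if m and session is not None:
            session["error"] = "0x" + m.group(1).upper()
    return session

def triage(logs):
    """Map (core, aux) -> {"ok": [hosts], "failed": [hosts]} from each host's last scan."""
    table = {}
    for host, text in sorted(logs.items()):
        s = last_scan(text)
        if s is None:
            continue  # no scan recorded; nothing to classify
        bucket = table.setdefault((s["core"], s["aux"]), {"ok": [], "failed": []})
        bucket["failed" if s["error"] else "ok"].append(host)
    return table

# Constructed sample logs (hypothetical hosts; component and message columns only).
FAILED = """Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320
Setup FATAL: Ident cab verification failed with error 0XC000000D
Setup FATAL: SelfUpdate check failed, err = 0xC000000D
Agent * WARNING: Skipping scan, self-update check returned 0xC000000D
"""
SAMPLE_LOGS = {
    "pc-01": FAILED,
    "pc-02": "Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.256\n"
             "Setup SelfUpdate check completed. SelfUpdate is NOT required.\n",
    # Failed earlier, then scanned cleanly: only the last session counts.
    "pc-03": FAILED + "Setup Client version: Core: 7.6.7600.320 Aux: 7.6.7600.320\n"
             "Setup SelfUpdate check completed. SelfUpdate is NOT required.\n",
}

if __name__ == "__main__":
    for version, hosts in triage(SAMPLE_LOGS).items():
        print(version, hosts)
```

Because only the last session in each log is classified, a client that failed before a server-side change and scanned cleanly afterwards is counted as working.
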
JohnHroch Posted July 18, 2014

I started a thread regarding this issue directly on Microsoft Social Technet forums. Hopefully, this gets resolved by next Patch Tuesday in August.

JohnHroch Posted July 18, 2014

> Uninstalling KB2938066 from the WSUS server and rebooting was an instant fix for both client versions.

Charles, how did you manage to uninstall this particular update? I tried almost everything on WS2008R2SP1, wusa.exe, msiexec etc. Did the WUAgents on client machines downgrade as well?

Charles Anderson Posted July 18, 2014

> Charles, how did you manage to uninstall this particular update? I tried almost everything on WS2008R2SP1, wusa.exe, msiexec etc. Did the WUAgents on client machines downgrade as well?

On WS2012R2 I only had to uninstall KB2938066 from Programs and Features and reboot. No changes made client-side. Clients remained at Core/Aux of 7.6.7600.320, but started working again.

In troubleshooting clients I tried wiping out WUagent entirely and re-registering DLLs as per http://support.microsoft.com/kb/971058 but it made no difference. Strongly hints at the root cause being server-side.