Cumulative Update problems

  • #12802
    NotABot
    Participant

    So I’m seeing some very odd behavior with our 2019 servers.

    Earlier this month I applied this month’s security patches via BP. I discovered last night that even though I thought I applied all the patches it didn’t. Usually after BP applies the updates and reboots the system, I do another check to make sure there aren’t any lingering patches.

    This morning, I ran another Windows Update check via BP on a swath of our servers. Nothing comes up. I log into the server and launch WU, it will tell me that it last checked yesterday at blah blah time and there are no updates. However, if I force a check, suddenly it thinks that CU3 needs to be installed!?

    Any idea what is going on? I have repeated the above process on multiple servers. Same thing where BP says nope, all is good, WU when I pop on says it’s good, however doing a manual check within WU, BAM! You need CU3. Even though that same update I know BP said it installed before.

    Please advise.

    Thanks

    #12803
    doug
    Moderator

    You’re finding optional, “seeker” updates. In Windows 10/2019 build 1809 or newer, if you go to the Windows Update control panel on a machine that was recently updated, you may find additional optional updates available if you use the ‘Check for updates’ button. Microsoft releases these optional updates usually toward the end of the month. Microsoft says that while the updates do not contain any new functionality, they may contain fixes for specific outstanding issues. They are released through what is essentially a completely separate channel that is only available to “seekers” who use the ‘Check for updates’ button. At the time they are made available to “seekers” as optional updates they are not yet released to WSUS nor are they released to the normal automatic updates channel in ‘Windows Update’ or ‘Microsoft Update.’ However, Microsoft generally moves them from optional status into the normal release channel in the following month after they are initially released to only “seekers” who manually use the ‘Check for updates’ button in the Windows Update control panel.

    In BatchPatch you can find these optional updates by selecting the checkbox under ‘Tools > Settings > Windows Update > Search for only optional software updates’

    Unless you have a specific need for one of these optional updates, we generally do not recommend installing them. We believe that unless you have a specific need for a fix that is included in one of these updates, it usually makes the most sense to wait until the following month when Microsoft moves them from optional status to the normal deployment channels.

    #12804
    NotABot
    Participant

    Wow, lots of great information!

    So looking closer at the updates that are coming up: they are indeed CU3; however, I didn’t read the whole description closely. They are CU3 “Preview”. Which I’m still a little confused why those are coming up even after the real CU3 was already applied. At least now I know not to do the Check for Updates within WU anymore!

    Part of the problem was that I was running a Nessus scan on a VM that I had just updated. It came back with an alert that .net core needed to be patched. Struck me as odd, so then I went in and did a Check for updates within WU and that was when the CU3 “Preview” came up. At that time, I didn’t realize that was a preview and made the assumption that the CU3 would cover that issue. It does not. I had to flip the “Give me updates for other MS products when I update Windows” switch (which I thought I had already done, but oh well). Once I flipped that switch, BP was able to then see that there is a new update specific for .net core.

    If that switch is not set in WU, is there a way to set it or just look for those updates within BP without going to all the VMs and manually checking that switch?

    Thanks much!

    #12805
    doug
    Moderator

    Use ‘Actions > Windows updates > Opt-in to Microsoft Update (enable updates for other MS products)’ to turn on the setting for the selected target computer(s)

    Then set BatchPatch server selection to use ‘Microsoft Update’ under ‘Tools > Settings > Windows Update > Server Selection > Microsoft Update’

    .NET, in general, is normally considered part of Windows and typically does not require the setting to be enabled. It’s interesting that they would treat .NET Core differently. Kinda makes sense, but kinda doesn’t. Oh well. Good to know either way. Thanks.
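
Added example, not part of the posts above and not BatchPatch code: a read-only PowerShell check, run locally on a target, that reports whether the machine is opted in to Microsoft Update and, if so, searches that service directly so the result does not depend on the default/managed source. The function names are hypothetical; the COM objects and the Microsoft Update service ID belong to the Windows Update Agent API.

```powershell
# Well-known Windows Update Agent (WUA) service ID for Microsoft Update.
$MicrosoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Get-MicrosoftUpdateOptIn {
    # "Opted in" means the Microsoft Update service is registered with the agent.
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $svc = $mgr.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateId }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OptedIn            = [bool]$svc
        IsDefaultAUService = [bool]($svc -and $svc.IsDefaultAUService)
    }
}

function Get-PendingMicrosoftUpdate {
    # ServerSelection 3 (ssOthers) plus ServiceID targets Microsoft Update
    # explicitly instead of the machine's default or managed (WSUS) server.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3
    $searcher.ServiceID       = $MicrosoftUpdateId
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
            # BrowseOnly is the WUA property that marks an update as optional.
            Optional = [bool]$u.BrowseOnly
        }
    }
}

$state = Get-MicrosoftUpdateOptIn
$state
if ($state.OptedIn) {
    # Nothing is downloaded or installed; this only lists what is offered.
    Get-PendingMicrosoftUpdate | Format-Table -AutoSize
} else {
    Write-Warning 'Not opted in: updates for other Microsoft products are not offered.'
}
```

Comparing this list with the scanner's finding shows whether a missing patch is simply not being offered to the machine or is offered and failing to install.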

    #12806
    NotABot
    Participant

    Nice, I’ll be applying that Opt-in on all the systems just to make sure I didn’t miss any.

    So there seems to be a new “issue”. The VM that Nessus said needed .net core updates, I had gone into the console and flipped the switch in its WU advanced settings to get all Microsoft product updates. Then I did a rescan in BP and it showed there was a new update for .net core (hooray). Download, install, and reboot if needed. After it completed the reboot, I did another Nessus scan. Same alert came up? Did a rescan in BP, nothing new. I looked at the history in BP and this is what I find:

    03/26 10:46:09> Windows Update: No Reboot Required. Overall Installation Result: Failed
    03/26 10:44:44> Windows Update: Executing BatchPatchRemoteAgent.exe…
    03/26 10:44:44> Windows Update: Applying specific updates filter list…
    03/26 10:44:44> Windows Update: Attempting to initiate Windows Update (Action: Download and install updates: ‘SoftwareOnly’ | Server selection: Default / Managed) …
    03/26 10:44:44> Windows Update: Establishing connection…
    03/26 10:44:44> Windows Update: Initializing…
    03/26 10:44:44> Windows Update: Queued… (Download and install updates + reboot if required)
    03/26 10:44:20> Windows Update: 2 update(s) found
    03/26 10:43:45> Windows Update: Executing BatchPatchRemoteAgent.exe…
    03/26 10:43:44> Windows Update: Attempting to initiate Windows Update (Action: Search for updates: ‘SoftwareOnly’ | Server selection: Default / Managed) …
    03/26 10:43:44> Windows Update: Establishing connection…
    03/26 10:43:44> Windows Update: Initializing…
    03/26 10:43:44> Windows Update: Queued… (Check for available updates)

    I switched the server selection from the default to “Microsoft Update” mentioned above, did a rescan, still no new updates.

    Slightly confused again.

    #12807
    doug
    Moderator

    The ‘Remote Agent Log’ column in BP is where you can see the details and reason for the update installation failure for the current Windows Update operation. You can view the historical log under ‘Actions > Windows Update > View BatchPatch.log’

    #12808
    NotABot
    Participant

    ::Begin installation

    1> Security Update for Microsoft ASP.NET MVC 4.0 (KB2993928) – Installation Result: Failed. HRESULT: -2147023293. Reboot Required: FALSE

    ::End installation

    Overall Installation Result: Failed
    Reboot Required: FALSE

    Looks like I’m failing on reading lately. ASP.NET <> .net core. So I guess I’ll need to hunt for the .net core patch individually? Odd since I see that MS did announce it should be available from WU (LINK)

    Thanks

    #12809
    doug
    Moderator

    This is a generic failure HRESULT value. I couldn’t tell you why it’s failing, but it could be just that it needs another try. Or it could be that you’d have to reinstall .NET MVC on there, or reboot the system and try again etc.

    With regard to “I guess I’ll need to hunt for the .net core patch individually” I’m not sure if I understand what you mean.
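
Added example, not part of the posts above and not BatchPatch code: a PowerShell helper that turns the signed decimal HRESULT from the Remote Agent Log into its hex form, facility and code, then applies it to the failed line quoted in this thread. The function name and the regular expression are hypothetical, and the log layout is assumed from that one posted line (its dash is typed here as an ASCII hyphen).

```powershell
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][int]$Value)
    # Reinterpret the signed 32-bit value as unsigned to get the usual hex form.
    $u        = [int64][BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
    $facility = ($u -shr 16) -band 0x7FF
    $code     = $u -band 0xFFFF
    $message  = $null
    if ($facility -eq 7) {
        # FACILITY_WIN32: the low 16 bits are an ordinary Win32 error code.
        $message = (New-Object System.ComponentModel.Win32Exception ([int]$code)).Message
    }
    [pscustomobject]@{
        Hex      = '0x{0:X8}' -f $u
        Failure  = [bool]($u -shr 31)
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

# Sample input: the lines posted in this thread.
$log = @'
::Begin installation
1> Security Update for Microsoft ASP.NET MVC 4.0 (KB2993928) - Installation Result: Failed. HRESULT: -2147023293. Reboot Required: FALSE
::End installation
'@ -split "`r?`n"

$pattern = '^\d+>\s+(?<Title>.+?)\s+\((?<KB>KB\d+)\)\s+\S+\s+' +
           'Installation Result:\s+(?<Result>\w+)\.\s+HRESULT:\s+(?<HR>-?\d+)\.'

foreach ($line in $log) {
    if ($line -match $pattern -and $Matches.Result -eq 'Failed') {
        $kb    = $Matches.KB
        $title = $Matches.Title
        $hr    = ConvertFrom-HResult ([int]$Matches.HR)
        [pscustomobject]@{
            KB = $kb; Title = $title; Hex = $hr.Hex
            Facility = $hr.Facility; Code = $hr.Code; Message = $hr.Message
        }
    }
}
```

For the value in the thread this yields 0x80070643, that is facility 7 (Win32) with code 1603, which Windows defines as ERROR_INSTALL_FAILURE ("Fatal error during installation").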

    #12810
    NotABot
    Participant

    Since WU wasn’t bringing the appropriate update for .net core, I just found the update from MS, downloaded it and just now installed it in our test environment.

    I think we might be ok now.

    Thanks much for all the help!

    #12811
    doug
    Moderator

    Great, thanks. Glad you got it worked out. I see that the ghacks link you posted above mentions some registry values that enable/disable the .NET Core updates from being available in Windows Update, so perhaps you just need to tweak those so that you can see them through Windows Update? Not sure. Worth looking at though. Take care.
