none
Windows 10 2017-0X Cumulative Update from WSUS failed with 5 under-second retries RRS feed

  • Question

  • Hi Everyone,

    A few months back, in awareness of the WannaCry worm, I started to deploy WSUS in our domain on a Windows 2012 Server. Our clients are all Windows 10. It ran okay for about two months until the 2017-07 Cumulative update rolls out. I discovered 2 clients with failed installation. In the event viewer of the client PC there is the following message:

    Installation Failure: Windows failed to install the following update with error 0x80248007: 2017-08 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4034674).

    - System
    - Provider
    [ Name] Microsoft-Windows-WindowsUpdateClient
    [ Guid] {945A8954-C147-4ACD-923F-40C45405A658}
    EventID 20
    Version 1
    Level 2
    Task 1
    Opcode 13
    Keywords 0x8000000000000028
    - TimeCreated
    [ SystemTime] 2017-08-17T00:14:33.132024300Z
    EventRecordID 4606
    Correlation
    - Execution
    [ ProcessID] 436980
    [ ThreadID] 471172
    Channel System
    Computer ****
    - Security
    [ UserID] S-1-5-18
    - EventData
    errorCode 0x80248007
    updateTitle 2017-08 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4034674)
    updateGuid {7AF4B2D1-799A-4C3E-BC78-B3806C47B958}
    updateRevisionNumber 204
    serviceGuid {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}

    I then tried manually trigger the installation from Windows Update. When I clicked "Check for updates" it finds the 2017-07 Cumulative Update from WSUS and it first displays "initialising..." then a "Preparing to install..." progress bar which run from 0% to 100% in less than one second and then goes back to initialising again. It occurs exactly 5 times, leaving 5 failed logs in the event viewer. 

    * I tried the troubleshooter which claims it cannot fix the potentially corrupted database.

    * Tried using DISM with the command: DISM.exe /Online /Cleanup-image /Restorehealth /Source:\\192.168.x.x\C$\Windows /LimitAccess which reports back the source files could not be found. 

    * Tried stopping Windows Update service and truncate the cache folder to no avail.

    * Tried "Check online for updates from Microsoft Update" to bypass the WSUS which reports "You device is up to date" (lie in my face).

    * Last I tried downloading the update from Windows Update Catalogue and double click to install it... worked.

    So I though this is occasional and decided to leave it at that because only 2 clients failed. I can handle the labour.

    When the 2017-08 Cumulative Update rolls out, a dozen of clients showed up with error with this one. Oh man do I want to install one after one by hand.

    I googled so much to find no similar problem reports. Has anyone experience this or what can I try please?

    Thursday, August 17, 2017 1:11 AM

Answers

  • Go to services, and stop [Windows Update] service. Then nuke out the cache - I didn't eliminated the whole software distribution folder. Just delete the two sub-folders below it:

    C:\windows\SoftwareDistribution\DataStore

    C:\windows\SoftwareDistribution\Download

    • Marked as answer by LionetChen Tuesday, May 29, 2018 6:44 AM
    Monday, August 28, 2017 2:34 AM

All replies

  • Hi LionetChen,

    You could check if it is related with Windows Update components.

    Reset Windows Update Components

    https://support.microsoft.com/en-sg/help/971058/how-do-i-reset-windows-update-components

    Hope it will be helpful to you


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 18, 2017 9:29 AM
    Moderator
  • Did you by any chance just update to the 1703 release? and this is the very first update that WSUS is attempting to install?
    Monday, August 21, 2017 6:28 AM
  • Honey this is not an answer.  I am merely asking him for clarification.  Resetting WU does not work.
    Monday, August 21, 2017 4:41 PM
  • Lionet I noticed the same thing in my network so let's brainstorm and see if we can figure out what's going on.

    I just rolled out 1703, these are the first updates after that.  I have a Sophos UTM (in case that is running interference).  When I install the update from the catalog it works fine.  The Flash update also installed  as well.

    The WSUS version however kept doing that 5 second install and fail.

    Monday, August 21, 2017 6:45 PM
  • https://www.reddit.com/r/Windows10/comments/3467al/windows_10_cannot_update_error_0x80248007/

    Did you try nuking out the software distribution folder?  

    Monday, August 21, 2017 6:55 PM
  • Did you by any chance just update to the 1703 release? and this is the very first update that WSUS is attempting to install?

    @ Susan

    This reminded me of a thread I was involved in and so I looked at some of the other threads a poster had started and found this

    https://social.technet.microsoft.com/Forums/en-US/1320daa4-efc2-4ae2-a7a5-1f1013da38bb/1703-distributed-clients-now-cannot-contact-wsus-anymore?forum=winserverwsus#7c4ff649-3cb5-4316-9d3f-cfabdab8f847

    <quote>

    created a completely new SUSDB and Content store. That was the only way to start from scratch since remove and reinstall of WSUS did not work
    </quote>



    Robert Aldwinckle
    ---

    Monday, August 21, 2017 8:17 PM
  • The thing is they are contacting WSUS, they installed the flash update, they just are failing on the large cumulative update.  There have been historical issues (WSUS getting 10 updates before the patches to handle 10 updates, deployment of 8.1 I think? brain is too old) whereby clearing out the software distribution folder was needed because it was tainted by corrupted info.
    Monday, August 21, 2017 11:39 PM
  • I was wondering as well. But I didn't go to all clients and checked. A few of them I can confirm is 1703 but the 2017-08 update is not the first one they encounter after the 1703 update - the 2017-07 came first which installed okay. But that's just a few that I checked. The other clients might well be the case you stated.
    Tuesday, August 22, 2017 1:45 AM
  • https://www.reddit.com/r/Windows10/comments/3467al/windows_10_cannot_update_error_0x80248007/

    Did you try nuking out the software distribution folder?  

    Hi Susan,

    I'm glad someone had the same problem - not to gloat but to have someone to discuss with.

    I tried the method you mentioned from Reddit. This is what I do:

    Go to services, and stop [Windows Update] service. Then nuke out the cache - I didn't eliminated the whole software distribution folder. Just delete the two sub-folders below it:

    C:\windows\SoftwareDistribution\DataStore

    C:\windows\SoftwareDistribution\Download

    Note that if Windows Updates service is not stopped you won't be able to remove some files from DataStore, which bodes me I'm on the right track.

    After deleting them, run windows update again and click [Check for update]. Don't bother to restart [Windows Update] service, it will be started automatically when you click the button. Just so it is fixed. Didn't even need to restart the computer. I tried on 2 clients, For both of which 2017-08 is the first update after the 1703 upgrade.

    Now I'm trying out on another 2 clients. But this time I just deleted the folders without manually triggering the update. I want to see if WSUS will kick in now that these folders are gone. Will update you after the scheduled installation time.

    • Edited by LionetChen Tuesday, August 22, 2017 2:44 AM
    Tuesday, August 22, 2017 2:06 AM
  • Did you by any chance just update to the 1703 release? and this is the very first update that WSUS is attempting to install?

    I was wondering that as well. But I didn't go to all clients and checked. I checked 4 of them that I can confirm is 1703 and 2017-08 will be their first cumulative update after upgrade 1703.

    They had 1703 upgrade installed on 21st July, meaning they missed the 2017-07 Cumulative. After that, some smaller ones like adobe flash and the 2017-06 critical update is installed. Then the first cumulative stuck.

    Also on all the computers that failed the installation, all of their version is 10.0.15063.483. Their Last Contact time is recent, but their Last Status Report is all 10th Aug evening or 11th Aug morning (I'm in Australia so my 10 Aug is United State's Tuesday, which means as soon as the update rolled out on patch Tuesday they failed the installation and stopped reporting back to WSUS).

    Tuesday, August 22, 2017 2:28 AM
  • The thing is they are contacting WSUS, they installed the flash update, they just are failing on the large cumulative update.  There have been historical issues (WSUS getting 10 updates before the patches to handle 10 updates, deployment of 8.1 I think? brain is too old) whereby clearing out the software distribution folder was needed because it was tainted by corrupted info.

    The thing is they are "contacting" WSUS but not be able to "report" status after the failed installation. See my other quote reply to you.

    In my brief 2 months dealing with WSUS I encountered 3 major problems:

    1. The problem about WSUS getting 10 updates before the patches to handle 10 update - I stepped into that pitfall, too. Took me almost a week to find a solution without nuking out the whole SUSDB database and reinstalling WSUS service. Solution I posted on server fault. I put the link here now in case anyone stumble in: https://serverfault.com/questions/849014/wsus-and-issues-pushing-win-10-1703-update-and-win-7-upgrades/853976#853976 Heads up: clearing out the software distribution folder is not enough as the problem is WSUS not being able to decrypt and serve the upgrade. Data's tainted long before it reaches client. I remember it vividly due to the hours I wasted on this thing.

    2. The first WSUS upgrade after a cleaning installation of Windows Server 2016: the installation will stuck at 0% for hours, days even without moving. The only solution to that one I found is to download from Windows Update Catalogue and manually install any of the cumulative update (not have to be the latest one) - and after that the latter cumulatives will be installed with no problem.

    3. The third one is this. Solved under inspiration from your Reddit link.

    I can't say I am really enjoying the WSUS experience. Seems to me that every time a major upgrade to the system will break their link to WSUS which requires human intervention. The Windows troubleshooting tool does not help.

    Tuesday, August 22, 2017 2:43 AM
  • So to confirm, nuking the software distribution folder made this work?
    Tuesday, August 22, 2017 4:08 AM
  • Did you by any chance just update to the 1703 release? and this is the very first update that WSUS is attempting to install?

    @ Susan

    This reminded me of a thread I was involved in and so I looked at some of the other threads a poster had started and found this

    https://social.technet.microsoft.com/Forums/en-US/1320daa4-efc2-4ae2-a7a5-1f1013da38bb/1703-distributed-clients-now-cannot-contact-wsus-anymore?forum=winserverwsus#7c4ff649-3cb5-4316-9d3f-cfabdab8f847

    <quote>

    created a completely new SUSDB and Content store. That was the only way to start from scratch since remove and reinstall of WSUS did not work
    </quote>



    Robert Aldwinckle
    ---

    Hi Robert,

    Scrapping the whole SUSDB and rebuilding all the settings is time-consuming, although I did tried it once some while ago. Moreover, doing so does not guarantee preventing of the problem from emerging again come next patch Tuesday. So we are looking for more of a automatic resolution or a resort to address the root cause.

    Tuesday, August 22, 2017 4:12 AM
  • Hi Carl,

    Thanks for you help. It turns out to be fixed without conducting the whole reset procedures. It can be done without even restarting the computer by deleting two folders. However I want to figure out a way to prevent it from happening in the future.

    Tuesday, August 22, 2017 4:14 AM
  • So to confirm, nuking the software distribution folder made this work?
    I didn't tried removing the whole folder. Only the two said sub-folders. It does make it work if I do it on the target computer and then trigger the update manually. You can try it and see if it works for you too. But when I tried removing the two sub folders with administrative shares remotely and wait for the Windows Update service to kick in, it won't work. More observation pending.
    Wednesday, August 23, 2017 12:05 AM
  • I have the same problem as you guys.   I'm a little confused what the fix was here.   

    I have 30+ machines that tried to do this update and failed... they then decided to never update their status afterwords.

    Friday, August 25, 2017 9:22 PM
  • Go to services, and stop [Windows Update] service. Then nuke out the cache - I didn't eliminated the whole software distribution folder. Just delete the two sub-folders below it:

    C:\windows\SoftwareDistribution\DataStore

    C:\windows\SoftwareDistribution\Download

    • Marked as answer by LionetChen Tuesday, May 29, 2018 6:44 AM
    Monday, August 28, 2017 2:34 AM