Win 10 1709 - device at risk

  • Question

  • Hello,

    I have a new Windows 10 build 1709 image that I deploy via SCCM. This image has no additional software installed on it. It connects to a WSUS server (not connected to SCCM). All the updates that are approved on WSUS install, but the Windows 10 1709 computer reports that the device is still at risk because it's out of date.

    The computer is getting the WSUS settings via a GPO. If I remove the GPO from the computer and have it go directly to the MS Windows Update servers, it reports as being up to date and OK without installing any additional updates. Any suggestions on what might be causing the computer to not report correctly against my internal WSUS server?

    Below is a snippet of the Get-WindowsUpdateLog output:

    2018/04/13 11:42:14.8091114 5028  5308  ComApi          * START *   Federated Search ClientId = UpdateOrchestrator (cV: P7kr5EI9/ECcLbrK.0.1.0)
    2018/04/13 11:42:14.8092400 5028  5308  IdleTimer       WU operation (SR.UpdateOrchestrator ID 21) started; operation # 120; does use network; is not at background priority
    2018/04/13 11:42:14.8150431 5028  3880  IdleTimer       WU operation (SR.UpdateOrchestrator ID 21, operation # 120) stopped; does use network; is not at background priority
    2018/04/13 11:42:14.8159141 5028  2060  ComApi          Federated Search: Starting search against 1 service(s) (cV = P7kr5EI9/ECcLbrK.0.1.0)
    2018/04/13 11:42:14.8160148 5028  2060  ComApi          * START *   Search ClientId = UpdateOrchestrator, ServiceId = 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 (cV = P7kr5EI9/ECcLbrK.0.1.0.0)
    2018/04/13 11:42:14.8165545 5028  2060  IdleTimer       WU operation (CSearchCall::Init ID 22) started; operation # 123; does use network; is not at background priority
    2018/04/13 11:42:14.8430857 5028  2060  Agent           * START * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 22]
    2018/04/13 11:42:14.8430891 5028  2060  Agent           Removing service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 from sequential scan list
    2018/04/13 11:42:14.8430921 5028  2060  Agent           Service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 is not in sequential scan list
    2018/04/13 11:42:14.8430956 5028  2060  Agent           Added service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 to sequential scan list
    2018/04/13 11:42:14.8432427 5028  7360  Agent           Service 3DA21691-E39D-4DA6-8A4B-B43877BCB1B7 is in sequential scan list
    2018/04/13 11:42:14.8536892 5028  732   Agent           * END * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 22]
    2018/04/13 11:42:14.8638818 5028  732   Agent           * START * Finding updates CallerId = UpdateOrchestrator  Id = 22
    2018/04/13 11:42:14.8638835 5028  732   Agent           Online = Yes; Interactive = Yes; AllowCachedResults = No; Ignore download priority = No
    2018/04/13 11:42:14.8638865 5028  732   Agent           Criteria = IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1""
    2018/04/13 11:42:14.8638889 5028  732   Agent           ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2018/04/13 11:42:14.8638896 5028  732   Agent           Search Scope = {Machine}
    2018/04/13 11:42:14.8639074 5028  732   Agent           Caller SID for Applicability: S-1-5-21-532232810-2887549319-116533624-500
    2018/04/13 11:42:14.8639080 5028  732   Agent           ProcessDriverDeferrals is set
    2018/04/13 11:42:14.8875491 5028  732   Misc            Got WSUS Client/Server URL: http://myinternalwsusserver:8530/ClientWebService/client.asmx""
    2018/04/13 11:42:14.9046523 5028  732   Driver          Skipping printer driver 2 due to incomplete info or mismatched environment - HWID[(null)] Provider[Microsoft] MfgName[Microsoft] Name[Remote Desktop Easy Print] pEnvironment[Windows x64] LocalPrintServerEnv[Windows x64]
    2018/04/13 11:42:14.9046554 5028  732   Driver          Skipping printer driver 5 due to incomplete info or mismatched environment - HWID[(null)] Provider[(null)] MfgName[(null)] Name[CutePDF Writer] pEnvironment[Windows x64] LocalPrintServerEnv[Windows x64]
    2018/04/13 11:42:14.9046595 5028  732   Driver          Skipping printer driver 6 due to incomplete info or mismatched environment - HWID[microsoftmicrosoft_musd] Provider[Microsoft] MfgName[Microsoft] Name[Microsoft enhanced Point and Print compatibility driver] pEnvironment[Windows NT x86] LocalPrintServerEnv[Windows x64]
    2018/04/13 11:42:15.1138888 5028  732   ProtocolTalker  ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://myinternalwsusserver:8530/ClientWebService/client.asmx
    2018/04/13 11:42:15.1141257 5028  732   ProtocolTalker  OK to reuse existing configuration
    2018/04/13 11:42:15.1141284 5028  732   ProtocolTalker  Existing cookie is valid, just use it
    2018/04/13 11:42:15.1141298 5028  732   ProtocolTalker  PTInfo: Server requested registration
    2018/04/13 11:42:15.6278489 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 124; does use network; is at background priority
    2018/04/13 11:42:15.6278751 5028  732   WebServices     Auto proxy settings for this web service call.
    2018/04/13 11:42:15.6524181 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 124) stopped; does use network; is at background priority
    2018/04/13 11:42:15.6534895 5028  732   Metadata        *FAILED* [8024500C] Method failed [MetadataIntegrity::SignatureVerifier::GetFragmentSigningConfig:793]
    2018/04/13 11:42:15.6534977 5028  732   Metadata        *FAILED* [8024500C] GetFragmentSigningConfig (Using default enforcement mode: Audit)
    2018/04/13 11:42:15.6535025 5028  732   Metadata        *FAILED* [8024500C] Method failed [MetadataIntegrity::SignatureVerifier::GetFragmentSigningConfigAndUpdateEnforcementPolicy:745]
    2018/04/13 11:42:15.6535055 5028  732   Metadata        Policy-driven service enabled. Using Ignore Policy.
    2018/04/13 11:42:15.6535134 5028  732   ProtocolTalker  SyncUpdates - 0 bad out of 0 metadata signatures checked using Audit enforcement mode.
    2018/04/13 11:42:15.7402664 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 125; does use network; is at background priority
    2018/04/13 11:42:15.9203735 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 125) stopped; does use network; is at background priority
    2018/04/13 11:42:15.9205838 5028  732   Metadata        *FAILED* [8024500C] Method failed [MetadataIntegrity::SignatureVerifier::GetFragmentSigningConfig:793]
    2018/04/13 11:42:15.9205861 5028  732   Metadata        *FAILED* [8024500C] GetFragmentSigningConfig (Using default enforcement mode: Audit)
    2018/04/13 11:42:15.9205889 5028  732   Metadata        *FAILED* [8024500C] Method failed [MetadataIntegrity::SignatureVerifier::GetFragmentSigningConfigAndUpdateEnforcementPolicy:745]
    2018/04/13 11:42:15.9205899 5028  732   Metadata        Policy-driven service enabled. Using Ignore Policy.
    2018/04/13 11:42:15.9205936 5028  732   ProtocolTalker  SyncUpdates - 0 bad out of 0 metadata signatures checked using Audit enforcement mode.
    2018/04/13 11:42:18.2268535 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 126; does use network; is at background priority
    2018/04/13 11:42:18.2565424 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 126) stopped; does use network; is at background priority
    2018/04/13 11:42:18.2686389 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 127; does use network; is at background priority
    2018/04/13 11:42:18.2754711 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 127) stopped; does use network; is at background priority
    2018/04/13 11:42:18.2754809 5028  732   ProtocolTalker  SyncUpdates round trips: 4
    2018/04/13 11:42:18.7999111 5028  732   ProtocolTalker  ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://myinternalwsusserver:8530/ClientWebService/client.asmx
    2018/04/13 11:42:18.7999128 5028  732   ProtocolTalker  OK to reuse existing configuration
    2018/04/13 11:42:18.7999151 5028  732   ProtocolTalker  Existing cookie is valid, just use it
    2018/04/13 11:42:18.7999162 5028  732   ProtocolTalker  PTInfo: Server requested registration
    2018/04/13 11:42:18.8080969 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery) started; operation # 128; does use network; is at background priority
    2018/04/13 11:42:18.8129923 5028  732   IdleTimer       WU operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery, operation # 128) stopped; does use network; is at background priority
    2018/04/13 11:42:18.8134251 5028  732   Metadata        *FAILED* [8024500C] Method failed [MetadataIntegrity::SignatureVerifier::GetFragmentSigningConfig:793]
    2018/04/13 11:42:18.8134296 5028  732   Metadata        *FAILED* [8024500C] GetFragmentSigningConfig (Using default enforcement mode: Audit)

    • Edited by thomppg Friday, April 13, 2018 2:53 AM
    Friday, April 13, 2018 2:45 AM

All replies

  • On the affected client, run the following from an administrative Command Prompt:

    REM Stop the update services so the client state can be cleared safely
    net stop bits
    net stop wuauserv
    REM Remove the per-client WSUS identity values (a captured image carries these into every clone)
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    REM Clear the cached update metadata and downloads
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    REM Reset WSUS authorization and trigger a new detection cycle; the PowerShell line uses the Windows Update Agent COM API
    wuauclt /resetauthorization /detectnow
    PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

    If this fixes the problem, the issue is with the master image: it was improperly allowed to talk to a WSUS server, and the registry keys listed above were not removed. You'd need to run this script on every client system or re-do the master image.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Saturday, April 21, 2018 9:25 PM
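As an added example (not code from the thread or from either poster), here is a PowerShell script that audits the WSUS policy and per-client identity values the reply above resets, and only with the -Reset switch performs that reset and confirms a fresh SusClientId was issued. The function names and the -Reset switch are my own; it assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example, not from the thread: audit the per-client Windows Update identity
# and WSUS policy that the reply above resets, and (with -Reset) perform that reset
# and confirm a new SusClientId is issued. Assumes an elevated PowerShell on Windows 10.
param([switch]$Reset)
$wuKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$idNames = 'AccountDomainSid', 'PingID', 'SusClientId', 'SusClientIDValidation'

function Get-WuClientIdentity {
    # Values a captured image must not carry: clones that share them confuse WSUS reporting.
    $props = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $out = [ordered]@{}
    foreach ($n in $idNames) {
        $out[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { $null }
    }
    [pscustomobject]$out
}

function Get-WuPolicy {
    # WUServer/WUStatusServer come from the WSUS GPO; AU\UseWUServer switches them on.
    $p  = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$polKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{ WUServer = $p.WUServer; WUStatusServer = $p.WUStatusServer; UseWUServer = $au.UseWUServer }
}

function Reset-WuClientIdentity {
    # The reply's steps, expressed in PowerShell.
    Stop-Service -Name bits, wuauserv -Force
    foreach ($n in $idNames) { Remove-ItemProperty -Path $wuKey -Name $n -ErrorAction SilentlyContinue }
    Remove-Item -Path "$env:SystemRoot\SoftwareDistribution" -Recurse -Force -ErrorAction SilentlyContinue
    Start-Service -Name bits, wuauserv
    wuauclt.exe /resetauthorization /detectnow
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
}

$before = Get-WuClientIdentity
'WSUS policy:'; Get-WuPolicy | Format-List
'Client identity before:'; $before | Format-List
if ($Reset) {
    Reset-WuClientIdentity
    # Poll for up to two minutes for the agent to register and write a fresh SusClientId.
    $newId = $null
    for ($i = 0; $i -lt 24 -and -not $newId; $i++) {
        Start-Sleep -Seconds 5
        $newId = (Get-WuClientIdentity).SusClientId
    }
    if ($newId -and $newId -ne $before.SusClientId) { "New SusClientId issued: $newId" }
    else { 'SusClientId not regenerated yet; review Get-WindowsUpdateLog output for the WSUS URL and any *FAILED* lines.' }
}
```

Run it without -Reset first on one affected client and on the master image to see whether the same SusClientId shows up on both, which is the condition the reply describes.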