KB3139398 March 2016 Update Failing on all Clients

  • Question

  • I am troubleshooting KB3139398 right now. It's failing to install on 100+ machines on our network.

    KB3139398 addresses a USB vulnerability. Many machines on our network have a Group Policy in place to prevent users installing USB devices. Only admins can as per the setup instructions below;

    https://support.microsoft.com/en-us/kb/823732

    All machines with the above policy in place fail the update. All without the policy in place take the update.

    I have tried the KB3139398 update from our WSUS and also as a standalone download from the Microsoft Download centre and get the same failure.

    Microsoft - can you fix please?

    Thanks,

    Barry

    Wednesday, March 16, 2016 12:46 PM

All replies

  • What's the error ? 

    windowsupdate.log file can help. 


    Arnav Sharma | http://arnavsharma.net/

    • Proposed as answer by Tony_Tao Wednesday, March 23, 2016 8:25 AM
    • Marked as answer by arnavsharma Tuesday, March 29, 2016 5:05 AM
    Wednesday, March 16, 2016 10:56 PM
  • Hi Barry,

     

    Based on your description, it seems that group policy limits the user to install this update.

    We may try to use a command to see if it helps.

    runas /user:Administrator

    For more information, please refer to the link:

    http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/Security/Installingandmanagingupdatesfromthecommandline.html

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

     

    Best Regards,

    Tao



    • Proposed as answer by Tony_Tao Wednesday, March 23, 2016 8:25 AM
    • Marked as answer by arnavsharma Tuesday, March 29, 2016 5:05 AM
    Thursday, March 17, 2016 11:03 AM
  • We are having the same issues. What are the permissions on your USBSTOR.sys file in c:\windows\system32\drivers?

    we also have a GPO in place restricting USB driver execution.

    Thursday, March 17, 2016 9:11 PM
  • We are also using a policy to restrict USB storage and have the same problem with this patch.  Any help is appreciated.
    Tuesday, March 22, 2016 6:46 PM
  • c:\windows\System32\drivers\USBSTOR.sys needs to have the system account permissions restored to have access to change the file. We even tried running the MSU file without changing permissions and it still failed. 

    Also, you may need to change %SystemRoot%\inf\USBSTOR.pnf and inf permissions as well. It was not until I changed these as well as the USBSTOR.sys permissions that I was able to update the file. 

    Currently we are experimenting with a Group Policy to set back the restrictive USB settings, albeit temporarily. 

    We have had success with putting the MSU in the build task sequence as well until we can update our WIM with the most recent drivers. 

    We also saw in many cases that this update prevented all the other updates from installing when installing on systems with the restrictive USB group policy applied. 

    Hope this helps! 



    • Edited by Jason_Oakes Tuesday, March 22, 2016 7:18 PM
    Tuesday, March 22, 2016 7:17 PM
  • Also, you may need to change %SystemRoot%\inf\USBSTOR.pnf and inf permissions as well. It was not until I changed these as well as the USBSTOR.sys permissions that I was able to update the file. 



    Jason,

    Exactly what permissions did you set on the usbstor.sys, usbstor.inf and usbstor.pnf files, if you don't mind me asking?

    I'm seeing the same issue on some Windows 2012 R2 Servers that do NOT have any USB-affecting GPOs currently applied... however, I know that there was a USBStor GPO active in our environment for a while, and I'm wondering if it may have been applied to these systems at some point (accidentally, I'm sure).

    Thanks!

    Tuesday, March 22, 2016 7:36 PM
  • System account needs full control.

    If the GPO sets the values, it won't default back to original settings. 

    Tuesday, March 22, 2016 7:57 PM
  • I checked and the system account has full control for all of these, but the USBSTOR.SYS seems to be the one not updating. USBSTOR in C:\Windows\inf seems to have updated.
    Tuesday, March 22, 2016 8:58 PM
  • Removed the GPO/AV. I get the same results. I also made the suggested ownership change in the post you provided. The patch installs fine, other than making the change to the usbstor.sys. I don't see any errors.
    Wednesday, March 23, 2016 1:38 PM
  • DMATRIX, 

    The patch only impacts the usbstor.sys file for the patch per documentation .. are you saying you are having a success message on the patch when installing now? 

    To most likely get the GPO set correctly you would need to create another GPO with desired settings to set it back. Removing the GPO won't actually set the settings back automatically. 

    If you are logged on as a local admin and following the steps to restore the System ownership and full control of the files mentioned earlier you should have success. 


    • Proposed as answer by Jason_Oakes Wednesday, March 23, 2016 4:25 PM
    • Marked as answer by arnavsharma Tuesday, March 29, 2016 5:05 AM
    Wednesday, March 23, 2016 1:57 PM
  • Jason,

    I have never had the patch actually fail. I noticed that after our Tenable scans the usbstor.sys was never updated. I will give this step a try. "c:\windows\System32\drivers\USBSTOR.sys needs to have the system account permissions restored to have access to change the file."

    Thanks.

    Wednesday, March 23, 2016 2:52 PM
  • Jason,

    That worked for me.

    Thank you!

    Dmatrix

    Wednesday, March 23, 2016 3:46 PM
  • Awesome!  Please mark the pieces that helped you as answered to be sure the thread is helpful to others. 

    Thanks! 


    Wednesday, March 23, 2016 4:26 PM
  • None of these responses have taken into account that if you have over 100+ machines this is not a practical fix. And yes it does make all other security patches fail. You Microsoft moderators need to elevate this to the proper channels and fix this. We should not have to look for abstract workarounds when we pay thousands of dollars for your company's products.

    This is just another occasion where Microsoft is failing its clients and leaving it up to us Admins to do more work to figure out the other issues you fail to act on. Linux is looking better all the time. Because of this I rejected our facility from using SCCM and will most likely stop at Server 2012.

    If you Moderators work for Microsoft, why are you not acting on these issues that we bring up?

    Thursday, April 7, 2016 5:57 PM
  • Unless the person answering has "MSFT CSG" behind their name they do not work for Microsoft.  Microsoft responds to numbers and pain.  If you have 100+ machines, I would recommend opening a support case to ensure that it gains the traction it needs to get a long-term fix.  Microsoft doesn't code based on words alone, they code based on support cases.

    Thursday, April 7, 2016 6:14 PM
    Answerer
  • The only widespread fix we have found is to 

    1) Apply another GPO to change back the USB settings

    2) Apply the Patch

    3) re-apply the hardened GPO to set back the USB security settings.  

    You could also apply the patch to the build process if using SCCM or the like to install the patch before the GPO gets applied, or update the WIM and let attrition take over but not really a solution. 

    I agree it needs to be fixed but as mentioned.. cases are probably best. .. more $$ though potentially. 

     

    Thursday, April 7, 2016 6:23 PM
  • Issues with a security update are ultimately not charged/comp'd back to you.  But you will have to provide a credit card in order to open a support case :-(  If you have TAM access I'd contact them too.   I'm sorry I can't post a better idea.
    Friday, April 8, 2016 5:37 PM
    Answerer
  • Well, I don't work for Microsoft, but I did see a couple of suggestions in this thread that could work for 100+ machines.  You could potentially use a GPO to change the USBSTOR.SYS settings back to the way they were originally permissioned.  Then send out the Windows Updates to the machines.  If required, update the GPO again after this is done, to lock down the USBSTOR.SYS file.

    Kind of painful, but at least it doesn't involve physically visiting each machine.  (I'm not sure what SCCM has to do with this.  From what I can tell, this problem is with a specific Windows Update, not SCCM, which is just a mechanism to deliver Windows Updates, among other things.  The same problem would exist if you used WSUS, or manually went to Windows Update.)

    Hope you get it all sorted out.


    • Edited by C M Wilson Friday, April 8, 2016 8:14 PM
    Friday, April 8, 2016 8:00 PM
  • And the steps are ????

    "and following the steps to restore the System ownership and full control of the files mentioned earlier "

    Really would help if we had the exact steps here and what the permissions should look like.

    Any help is appreciated.

    thanks,

    Tptools

    Thursday, December 28, 2017 7:04 PM
  • So for weeks I have been working on this issue and followed all recommendations on setting the Ownership/Security/Permissions to no avail.  If you have tried all of that above, with permissions as I did, and remain with the issue of not being able to install KB3139398, you should check this out.

    Note: We did have a GPO disabling USB Storage devices long ago, but it has been changed back and I was down this path to get this update for weeks now. 

    I ran across an article that was about disabling USB storage devices locally from the Registry and not having anything to do with GPO or this issue.

    It mentioned the following: "To disable usb storage devices: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\DWORD “Start” value=4, and to enable usb storage the value should be 3."

    My Windows Server 2012 R2, experiencing this issue for KB3139398, did NOT have any "Start" entry that existed under this Registry key location. 

    So by now, you may have guessed it: Yes, just create the DWORD (32 bit) Value there and set the value to 3, restart and watch the magic happen.


    • Edited by TPTOOLS Thursday, December 28, 2017 8:46 PM mispelling
    Thursday, December 28, 2017 8:41 PM
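
    Added example, not part of any post in this thread: a read-only PowerShell audit of the conditions the replies above discuss, namely whether the SYSTEM account holds Full Control on USBSTOR.sys, usbstor.inf and USBSTOR.pnf, whether the USBSTOR "Start" registry value exists, and whether KB3139398 is recorded as installed. The file paths and registry key are the ones named in the thread; S-1-5-18 is the well-known SID of the Local System account.

```powershell
# Read-only audit: nothing on the machine is modified.
$files = @(
    "$env:SystemRoot\System32\drivers\USBSTOR.sys",
    "$env:SystemRoot\inf\usbstor.inf",
    "$env:SystemRoot\inf\usbstor.pnf"
)
$systemSid = 'S-1-5-18'   # well-known SID of the Local System account
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

$fileReport = foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Owner = $null; SystemFullControl = $false
                           SystemDenyAce = $false; FileVersion = $null; Present = $false }
        continue
    }
    $acl = Get-Acl -LiteralPath $path
    # Explicit and inherited ACEs, with identities translated to SIDs so the
    # comparison does not depend on the localized account name.
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $systemSid }
    $allowFull = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $full) -eq $full
    }
    [pscustomobject]@{
        Path              = $path
        Owner             = $acl.Owner
        SystemFullControl = [bool]$allowFull
        SystemDenyAce     = [bool]($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
        FileVersion       = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        Present           = $true
    }
}

# The "Start" value under the USBSTOR service key (3 = enabled, 4 = disabled per the post above).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$start  = (Get-ItemProperty -LiteralPath $svcKey -Name Start -ErrorAction SilentlyContinue).Start
$startText = if ($null -eq $start) { '(value missing)' } else { $start }

# Whether the update is recorded as installed on this machine.
$hotfix = Get-HotFix -Id KB3139398 -ErrorAction SilentlyContinue

$fileReport | Format-List
[pscustomobject]@{
    UsbstorStart       = $startText
    KB3139398Installed = [bool]$hotfix
}
```

    Running it before and after the update lets you compare the FileVersion of USBSTOR.sys, which covers the case reported above where the patch showed no error but the driver file was not replaced.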
  • And the steps are ????

    "and following the steps to restore the System ownership and full control of the files mentioned earlier "

    Really would help if we had the exact steps here and what the permissions should look like.

    Any help is appreciated.

    thanks,

    Tptools

    Try following this here. I am just working on this exact issue

    http://britv8.com/kb3139398-march-2016-update-failing-issue-solution/


    • Proposed as answer by Lesta G Thursday, January 11, 2018 9:53 PM
    Thursday, January 11, 2018 9:53 PM