locked
Cannot install KB4565539 on Server 2008 R2, fails RRS feed

  • Question

  • Hi,

    I cannot get KB4565539 to install on two servers running Windows Server 2008 R2 Service Pack 1. I can run the .msu package fine and it seems to install successfully, tells me that it needs to reboot to finish the update, but then upon reboot the package will fail (trying to apply the update before the login screen). I have the latest SSU on each server and have followed all of the steps/prerequisites in this article - https://support.microsoft.com/en-us/help/4565539/windows-7-update-kb4565539

    I found this helpful, but still neither 2020-07 Rollup (KB4565524) or 2020-07 Security only (KB4565539) will install after installing KB4565354 - https://docs.microsoft.com/en-us/answers/questions/30613/microsoft-windows-server-patches-not-installing-on.html

    I started a sfc scan and will run dism checks to see if anything is corrupted. I also checked out the CBS log and I see some errors but I'm not sure how to proceed. There is a lot in here, I took out what seems like it could help:

    ~

    2020-07-16 12:06:55, Info                  CBS    Appl: Selfupdate, Component: amd64_microsoft-windows-photo-image-codec_31bf3856ad364e35_0.0.0.0_none_1f323f66464683e5 (7.1.7601.18742), elevation:16, lower version revision holder: 7.1.7601.18325
    2020-07-16 12:06:55, Info                  CBS    Applicability(ComponentAnalyzerEvaluateSelfUpdate): Component: amd64_microsoft-windows-photo-image-codec_31bf3856ad364e35_7.1.7601.18742_none_eeadac95e75f3e9d, elevate: 16, applicable(true/false): 1
    2020-07-16 12:06:55, Info                  CBS    Appl: SelfUpdate detect, component: amd64_microsoft-windows-photo-image-codec_31bf3856ad364e35_7.1.7601.18742_none_eeadac95e75f3e9d, elevation: 16, applicable: 1
    2020-07-16 12:06:55, Info                  CBS    Appl: Evaluating applicability block(non detectUpdate part), disposition is: Staged, applicability: Applicable, result applicability state: Installed
    2020-07-16 12:06:55, Info                  CBS    Appl: Package: Package_3_for_KB3035126~31bf3856ad364e35~amd64~~6.1.1.2, Update: 3035126-6_neutral_GDR, Applicable: Applicable, Dis
    2020-07-16 12:06:55, Info                  CBS    External EvaluateApplicability, package: Package_3_for_KB3035126~31bf3856ad364e35~amd64~~6.1.1.2, package applicable State: Installed, highest update applicable state: Superseded, resulting applicable state:Superseded
    2020-07-16 12:06:55, Info                  CBS    Appl: detect Parent, Package: Package_4_for_KB3035126~31bf3856ad364e35~amd64~~6.1.1.2, Parent: WinEmb-Media-Support~31bf3856ad364e35~amd64~~6.1.7601.17514, Disposition = Detect, VersionComp: EQ, ServiceComp: EQ, BuildComp: EQ, DistributionComp: GE, RevisionComp: GE, Exist: present
    2020-07-16 12:06:55, Info                  CBS    Appl: detectParent: package: Package_4_for_KB3035126~31bf3856ad364e35~amd64~~6.1.1.2, no parent found, go absent
    2020-07-16 12:06:55, Info                  CBS    Appl: detect Parent, Package: Package_4_for_KB3035126~31bf3856ad364e35~amd64~~6.1.1.2, disposition state from detectParent: Absent
    2020-07-16 12:06:55, Info                  CBS    Appl: Evaluating package applicability for package Package_4_for_KB3035126~31bf3856ad364e35~amd64~~6.1.1.2, applicable state: Absent
    2020-07-16 12:06:55, Info                  CBS    EvaluateApplicability, package: Package_4_for_KB3035126~31bf3856ad364e35~amd64~~6.1.1.2, Package applicability: Absent.
    2020-07-16 12:06:55, Info                  CBS    External EvaluateApplicability, package: Package_for_KB3035126_SP1~31bf3856ad364e35~amd64~~6.1.1.2, package applicable State: Installed, highest update applicable state: Superseded, resulting applicable state:Superseded
    2020-07-16 12:06:55, Info                  CBS    External EvaluateApplicability, package: Package_for_KB3035126~31bf3856ad364e35~amd64~~6.1.1.2, package applicable State: Installed, highest update applicable state: Superseded, resulting applicable state:Superseded
    2020-07-16 12:06:55, Info                  CBS    Session: 30825355_544352502 initialized by client WindowsUpdateAgent.
    2020-07-16 12:07:08, Info                  CBS    Warning: Unrecognized packageExtended attribute.
    2020-07-16 12:07:08, Info                  CBS    Expecting attribute name [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]
    2020-07-16 12:07:08, Info                  CBS    Failed to get next element [HRESULT = 0x800f080d - CBS_E_MANIFEST_INVALID_ITEM]
    2020-07-16 12:07:08, Info                  CBS    Warning: Unrecognized packageExtended attribute.

    ~

    much farther down in the CBS log:

    ~

    2020-07-16 12:12:30, Info                  CSI    0000006a@2020/7/16:16:12:30.312 CSI perf trace:
    CSIPERF:TXCOMMIT;447324
    2020-07-16 12:12:30, Info                  CSI    0000006b No more queue entries, deleted pending.xml
    2020-07-16 12:12:30, Info                  CBS    Startup: Primitive operations were successfully rolled back.
    2020-07-16 12:12:30, Error                 CBS    Startup: Completed rollback, startupPhase: 0. [HRESULT = 0x80004005 - E_FAIL]
    2020-07-16 12:12:30, Info                  CBS    Setting ExecuteState key to: CbsExecuteStateFailed
    2020-07-16 12:12:30, Info                  CBS    Doqe: Enabling Device installs
    2020-07-16 12:12:30, Info                  CSI    0000006c Cancelling transactions: [1:[78]"TI4.30825355_21249816:3/Package_for_KB4565539~31bf3856ad364e35~amd64~~6.1.1.11"[1]"]"

    2020-07-16 12:12:30, Info                  CSI    0000006d Creating NT transaction (seq 2), objectname [6]"(null)"
    2020-07-16 12:12:30, Info                  CSI    0000006e Created NT transaction (seq 2) result 0x00000000, handle @0x28c
    2020-07-16 12:12:30, Info                  CSI    0000006f@2020/7/16:16:12:30.890 CSI perf trace:
    CSIPERF:TXCOMMIT;99634
    2020-07-16 12:12:30, Info                  CBS    Clearing HangDetect value
    2020-07-16 12:12:30, Info                  CBS    Saved last global progress. Current: 1, Limit: 1, ExecuteState: CbsExecuteStateFailed
    2020-07-16 12:12:30, Info                  CBS    Doqe: Unlocking driver updates, Count 1
    2020-07-16 12:12:30, Info                  CBS    WER: Generating failure report for package: Package_for_KB4565539~31bf3856ad364e35~amd64~~6.1.1.11, status: 0x80070661, failure source: AI, start state: Staged, target state: Installed, client id: WindowsUpdateAgent
    2020-07-16 12:12:30, Info                  CBS    Failed to query DisableWerReporting flag.  Assuming not set... [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
    2020-07-16 12:12:30, Info                  CBS    Failed to add %windir%\winsxs\pending.xml to WER report because it is missing.  Continuing without it...
    2020-07-16 12:12:30, Info                  CBS    Failed to add %windir%\winsxs\pending.xml.bad to WER report because it is missing.  Continuing without it...
    2020-07-16 12:12:30, Info                  CBS    Failed to submit WER report. [HRESULT = 0x800700a1 - ERROR_BAD_PATHNAME]
    2020-07-16 12:12:30, Info                  CBS    Failed to submit WER report. [HRESULT = 0x800700a1 - ERROR_BAD_PATHNAME]
    2020-07-16 12:12:30, Info                  CBS    WER: Failed to generate failure report for package: Package_for_KB4565539~31bf3856ad364e35~amd64~~6.1.1.11 [HRESULT = 0x800700a1 - ERROR_BAD_PATHNAME]
    2020-07-16 12:12:30, Info                  CBS    Failed to submit WER report for pending package: Package_for_KB4565539~31bf3856ad364e35~amd64~~6.1.1.11 [HRESULT = 0x800700a1 - ERROR_BAD_PATHNAME]
    2020-07-16 12:12:30, Info                  CBS    SQM: Reporting package change completion for package: Package_for_KB4565539~31bf3856ad364e35~amd64~~6.1.1.11, current: Staged, original: Staged, target: Installed, status: 0x80070661, failure source: AI, failure details: "Extended Security Updates AI installer 80070661 38 Install (upgrade) Microsoft-Windows-SLC-Component-ExtendedSecurityUpdatesAI, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS ", client id: WindowsUpdateAgent, initiated offline: False, execution sequence: 2370, first merged sequence: 2370
    2020-07-16 12:12:30, Info                  CBS    SQM: Failed to initialize Win SAT assessment. [HRESULT = 0x80040154 - Unknown Error]
    2020-07-16 12:12:30, Info                  CBS    SQM: average disk throughput datapoint is invalid [HRESULT = 0x80040154 - Unknown Error]
    2020-07-16 12:12:30, Info                  CBS    SQM: Upload requested for report: PackageChangeEnd_Package_for_KB4565539~31bf3856ad364e35~amd64~~6.1.1.11, session id: 142862, sample type: Standard
    2020-07-16 12:12:30, Info                  CBS    SQM: Ignoring upload request because the sample type is not enabled: Standard

    ~

    Any leads would be super appreciated as we really need this patch installed, thanks.

    *I am aware that 2008 R2 support ended in Jan 2020, multiple replication issues migrating to new version still working on it*


    Thursday, July 16, 2020 5:01 PM

All replies

  • Update: I followed this article to try and troubleshoot the issue further but the installation is still failing.

    https://support.microsoft.com/en-us/help/947821/fix-windows-update-errors-by-using-the-dism-or-system-update-readiness

    Thursday, July 16, 2020 6:39 PM
  • Having the same issue on 3 seperate 2008r2 servers. Seems like a general issue.
    Thursday, July 16, 2020 9:35 PM
  • Same issue here.
    Thursday, July 16, 2020 10:41 PM
  • Same here. Found this in the CBS log:

    2020-07-16 17:14:08, Info                  CSI    00000001 ESU: Product = 7.
    2020-07-16 17:14:08, Info                  CSI    00000002 ESU: Is IMDS check needed:TRUE
    2020-07-16 17:14:08, Info                  CSI    00000003 ESU: Checking IMDS
    2020-07-16 17:14:08, Info                  CSI    00000004 ESU: not eligible HRESULT_FROM_WIN32(1633).

    ...

    2020-07-16 17:14:08, Error      [0x01803d] CSI    000000bd (F) Failed execution of queue item Installer: Extended Security Updates AI installer ({4e9a75dd-0792-460c-a238-3f4130c39369}) with HRESULT HRESULT_FROM_WIN32(1633).  Failure will not be ignored: A rollback will be initiated after all the operations in the installer queue are completed; installer is reliable (2)[gle=0x80004005]

    Seems like maybe an ESU key is required, but why does it bail out mid install rather than before the install? And why does the patch guidance mention machines running without ESU key without also mentioning that actually you can't install the patch without an ESU key? "IMPORTANT WSUS scan cab files will continue to be available for Windows 7 SP1 and Windows Server 2008 R2 SP1. If you have a subset of devices running these operating systems without ESU, they might show as non-compliant in your patch management and compliance toolsets." (https://support.microsoft.com/en-us/help/4565539/windows-7-update-kb4565539)

    Friday, July 17, 2020 4:40 AM
  • Hi alexmcfarland,
     
    Thanks for posting on this forum.

    To research further for me, please help to confirm the following information: 

    1. Whether there is other error message on the computer after the restart or not. If so, consider sharing it on this forum.

    2. What is the source of the updates for the Windows Server 2008R2 client? WSUS or Windows Update
     
    In addition, in the information you provided, I checked the following errors. Here's what I check shared with you.
    Error message:
    CBS    SQM: Reporting package change completion for package: Package_for_KB4565539~31bf3856ad364e35~amd64~~6.1.1.11, current: Staged, original: Staged, target: Installed, status: 0x80070661, failure source: AI, failure details: "Extended Security Updates AI installer
     


    Hope you have a nice weekend.

    Regards,
    Rita

    "WSUS" forum will be migrating to a new home on Microsoft Q&A!
    We invite you to post new questions in the "WSUS" forum's new home on Microsoft Q&A!
    For more information, please refer to the sticky post.

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 17, 2020 6:17 AM
  • I'm experiencing the same issue with both updates (rollup or security only) on Windows 2008R2 SP1. Updates are downloaded from Windows Update Catalog site.  Can you verify that the correct version of this update is being published?

    Search.aspx?q=KB4565539

    Saturday, July 18, 2020 3:24 PM
  • Anyone could confirm that must purchase the ESU for windows server 2008 r2? 

    I tried fail in 5 windows server 2008 R2.

    Saturday, July 18, 2020 3:52 PM
  • Downloaded de MSU from the Windows update catalog. Tried both 2020-07 Rollup (KB4565524) and 2020-07 Security only (KB4565539)
    They both fail and roll back.

    Saturday, July 18, 2020 5:53 PM
  • Hi,

    I am also facing the same issue, Tried both 2020-07 Rollup (KB4565524) and 2020-07 Security only (KB4565539)
    They both fail and roll back.

    anyone raised case with MS..?? it has to be solved by MS even the OS is EOL.

    Sunday, July 19, 2020 4:30 PM
  • Good day
    Faced the same problem on two Server 2008 R2
    Used wsus and windows update - does not found. I download msu and install, reboot and rollback
    Sunday, July 19, 2020 9:51 PM
  • add me to the list. Had 7 domain controllers company wanted this ASAP as emergency change, DC's are not open to internet either, configured internally

    Microsoft Windows Server DNS Vulnerability “SIGRed”   (CVE-2020-1350)

    Performed prerequisite, based on MS information; Order and Results below. All patches download from MS catalog site.

    prior to install: ran PS Get-Hotfix  all DCs prior to organizing a deployment, only reported back (KB4474419) as installed, but found different in my results below on 2 DC's; stopped after this. (this has ugly written all over it)

    1.) (2019.03.12) (KB4490628) - installed already
    2.) (2019.09.10) (KB4474419) - installed already
    3.) (2020.06.09) (KB4562030) - installed, reboot (reboot not required)
    4.) 2020.07.14) (B4565539)  (Security-only update)  -  installed, reboot required (goes into a loop of configure and failure to configure, cycle itself during process) ends up not installed according to EVT logs, SYS & SETUP
    5.) (2020.07.13) (KB4565354) - installed, reboot (reboot not required)

    I have to get another team to open with MS, I hope to do that today.


    Sunday, July 19, 2020 10:30 PM
  • Same problem here. 2 remote access-only 2008 R2 servers. First one never came back up
    with the prerequisites from Microsoft:

    1. 4490628 (already installed)
    2. 4474491 (already installed)
    3. 4562030 (installed, no reboot)
    4. 4538483 (Feb 20, not May as instructed, installed, no reboot
    5. 4565354 (installed, no reboot)
    6. 4565524 (full rollup, not just security patch, reboot)

    Remote server not accessible after >30 mins.

    Not about to do 2nd server!

    Monday, July 20, 2020 12:03 AM
  • Same problem here,

    We still have a few remaining 2008R2 DNS servers, and can't be updated.
    They keep rolling back.

    Monday, July 20, 2020 8:42 AM
  • Same here, in our labs 2008R2 are all rolling back with a fail status on the security only patch KB4565539. 

    All pre-requisite are meet like @61in61 did , servers rebooting and reverting the patch.

    Monday, July 20, 2020 12:15 PM
  • From other sources it appears that an ESU is required even for such a critical bug. I've done the workaround in the meantime:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
      DWORD = TcpReceivePacketSize
      Value = 0xFF00

    Restart DNS service

    Monday, July 20, 2020 4:53 PM
  • I did the same to fix , thanks for the info about the ESU. 
    Monday, July 20, 2020 6:01 PM
  • Hi,
     
    It seems there is no update for a couple of days. May we know the current status of the problem? Is there any other assistance we can provide?
     
    If you have any questions, please keep us in touch.
     
    Regards,
    Rita

    "WSUS" forum will be migrating to a new home on Microsoft Q&A!
    We invite you to post new questions in the "WSUS" forum's new home on Microsoft Q&A!
    For more information, please refer to the sticky post.

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 21, 2020 3:17 AM
  • I think we're all waiting for an updated patch before we attempt to install it again. Seems likely that the architecture check in the patch is wrong or the wrong file was uploaded for 2008 R2 x64.

    Also confirmation from MS that we should be able to install this patch on 2008 without ESU

    Tuesday, July 21, 2020 3:46 AM
  • Any update on this? Does anyone know if the "workaround" is the same as applying the patch? This has got to be a pretty big deal, yet I'm not seeing it widely reported.
    Wednesday, July 22, 2020 3:17 PM
  • Microsoft is trying to force us to buy an ESU to protect against a fault in their OS. This borders on extortion. We've already paid for the OS and now they want more $$$.
    Thursday, July 23, 2020 1:48 AM
  • We are also having this issue with our servers running Windows Server 2008 R2 SP1.

    I have installed the following updates according to the articles describing how to install and prerequisites:

    Prerequisites:
    01_windows6.1-kb4490628_SSU_March12-2019.msu
    02_windows6.1-kb4474419_SHA2-September-2019.msu (restart after required)
    03_windows6.1-kb4555449-x64_SSU_May5-2020.msu
    04_windows6.1-kb4538483_ESU_May5-2020.msu
    05_windows6.1-kb4562030_SSU_June9-2020.msu
    06_windows6.1-kb4565354_SSU_July13-2020.msu

    Lastly I install the update in question:
    07_windows6.1-kb4565539-CVE-2020-1350_July14-2020.msu

    The installation goes fine, then it reboots, when the server starts back up again it runs for a bit and then I get error message: "Failure configuring Windows updates. Reverting changes."

    Thursday, July 23, 2020 10:38 AM
  • Hi Rita,

    Thank you for your response & suggestion. To answers your questions:

    1) No other error messages. Every other MS patch installs perfectly.

    2) I mostly rely on WSUS but I have gone to Microsoft's Windows Update Catalog and downloaded the .msu straight from there to install. Both methods return the exact same results where the patch installs, fails, then rolls back and does not apply.

    It does seem plausible that this is due to the ESU requirement based on the logs & what others are saying. Does Microsoft have any plan to remove the ESU requirement or address this issue as it seems to be affecting many customers? 

    I have not found any workarounds yet, although I do see that someone on this forum suggested making a DNS registry change. 

    Thanks, Alex



    Thursday, July 23, 2020 3:13 PM
  • I have the exact same issue with the same patch on 2x 2008R2SP1 servers.

    The patch installs, I reboot, and it gives a failure and reverts.

    I checked the ESU error in the CBS.log and got the same message about the ESU, and being not eligible:

    2020-07-24 9:46:50, Info                  CSI    00000001 ESU: Product = 7.
    2020-07-24 9:46:50, Info                  CSI    00000002 ESU: Is IMDS check needed:TRUE
    2020-07-24 9:46:50, Info                  CSI    00000003 ESU: Checking IMDS
    2020-07-24 9:46:50, Info                  CSI    00000004 ESU: not eligible HRESULT_FROM_WIN32(1633).

    However i DO have ESU, but it hadnt been installed on this machine. So i tracked down the ESU info and installed it, then re-tried the patch, but it still failed. Looking in the CBS.log i can see the ESU is now eligible:

    2020-07-24 10:54:13, Info                  CSI    00000001 ESU: Product = 7.
    2020-07-24 10:54:13, Info                  CSI    00000002 ESU: eligible : 16 (0x00000010)

    This implies that its not the ESU check thats causing this to fail.

    The error code above (80070661) implies a processor type issue, and the CBS.log shows mention of the processor type being amd64, but im installing it on a physical server with a Xeon. So I suspect the patch itself has a fault.

    Friday, July 24, 2020 4:22 AM
  • Hi Alex,
     
    Thanks for your response.
     
    Please refer to the link below to check the prerequisites for all installation of ESUs for your Windows Server 2008R2 client have been meeted.
     
    Link: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091#
     
    Thanks for your patience and cooperation.
     
    Regards,
    Rita

    "WSUS" forum will be migrating to a new home on Microsoft Q&A!
    We invite you to post new questions in the "WSUS" forum's new home on Microsoft Q&A!
    For more information, please refer to the sticky post.

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 24, 2020 10:29 AM
  • Hi Rita,

    We are getting the same results on Windows 2008 R2 Sp1 servers with the below error:

    Package KB4565539 failed to be changed to the Installed state. Status: 0x80070645.

    Package KB4565524 failed to be changed to the Installed state. Status: 0x80070645.

    Please advise on how we get this installed on the servers.

    Friday, July 24, 2020 1:06 PM
  • If you do not have an ESU key, these 2008 R2 patches will not install.  Do all of you have ESU?  And keep in mind that unless you are a large customer with SA contracts and all that, you are out of luck.
    Friday, July 24, 2020 2:14 PM
  • If you do not have an ESU key, these 2008 R2 patches will not install.  Do all of you have ESU?  And keep in mind that unless you are a large customer with SA contracts and all that, you are out of luck.
    Susan Bradley..... please see response from ArgHereBeDragons on Tuesday, July 21, 2020 3:46 AM

    "Also confirmation from MS that we should be able to install this patch on 2008 without ESU"


    Friday, July 24, 2020 2:41 PM
  • Hi Direct Data Systems,
     
    Thanks for your time.
     
    0X80070645 is a generic failure code from Windows Installer installs. It is difficult to analyze. Please help to check if there are any error information in windowsupdate.log or not.
     
    In addition, please refer to the link below to check the prerequisites for all installation of ESUs for your Windows Server 2008R2 client have been met.
     
    Link: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-eligible-windows-devices/ba-p/1167091#
     
    Regards,
    Rita

    "WSUS" forum will be migrating to a new home on Microsoft Q&A!
    We invite you to post new questions in the "WSUS" forum's new home on Microsoft Q&A!
    For more information, please refer to the sticky post.

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, July 26, 2020 2:45 AM
  • If you do not have an ESU key, these 2008 R2 patches will not install.  Do all of you have ESU?  And keep in mind that unless you are a large customer with SA contracts and all that, you are out of luck.
    I absolutely do have ESU, and the log confirms it, but it still fails.
    Monday, July 27, 2020 3:45 AM
  • Hi Rita,

    Both patches don't install they roll back once the server has been rebooted to complete the installation.

    Microsoft have confirmed ESU is not required for the patch.

    I am rolling out the workaroud as this seems the only possibilty for Windows 2008 R2 SP1.

    Please can you confirm if there is a issue with the patch for the this version of Windows or they you DO require ESU to install the patch correctly.....

    Monday, July 27, 2020 8:19 AM
  • Has anyone got any new information on this - its getting a bit long in the tooth for what appears to be such a critical vulnerability
    Friday, July 31, 2020 1:40 AM
  • Same for me, can't install KB4565539on 2008R2 DCs :-(

    Something new from MS ?


    Ingénieur Système - http://yannbouvier.free.fr

    Tuesday, August 4, 2020 8:26 AM
  • Has anyone tried installing it again since we started this journey - perhaps they've quietly fixed it and not told us?
    Monday, August 10, 2020 8:48 AM