KB4025252 security Update for Internet Explorer 11 Install multiple times RRS feed

  • Question

  • Hello

    today the  KB4025252 was released and installed on many PCs. The installer process means installing successful but Windows Update service will installing the KB again.

    windows update reset not helping. 

    Is this a BUG ?

    Wednesday, July 12, 2017 8:52 AM

All replies

  • Same problem in our testenvironment here. On a x64 Win7 mache the install loops. It also looks in SCCM as all machines with x64 Win7 has KB4025252 installed, but we have only deployed it for test.

    I have logged a case with Premier Support.

    Wednesday, July 12, 2017 9:55 AM
  • I have the same problem with KB4025252 when updating Windows 7 Professional machines (64 bit.) The update installs successfully, without requesting a reboot afterwards, but if I reboot the machine/or check for updates again it shows up again. I can install it again and it says the installation is successful, but after another reboot/update check it just shows up again as if it's not been installed before.

    I use a WSUS server for updates and I've not got the option to try to update directly from Microsoft, though the WSUS server did download the updates directly from the Microsoft servers during the night (as opposed to downloading from an upstream WSUS server.)

    If I do "wuauclt /resetauthorization /detectnow" followed by "wuauclt /reportnow" after the update installed successfully so that the client checks in with the WSUS, the WSUS shows that the client needs 0 updates. If I then tell the the Windows 7 machine to "Check for updates" the same update shows that it needs to install again. It appears that the problem is not with the WSUS server, but rather on the client side.

    If I view the update history on the client it shows an entry that says the update was successfully installed for each time I installed it. In other words, the same update is listed as being installed multiple times.

    The same KB number update is also available for my Windows Server 2008 R2 (64 bit) machines, there it installs successfully and does not show up for installation again after a reboot.

    I uninstalled the update from a Windows 7 machine, it only shows up once on the uninstall list, rebooted and then told Windows to check for updates again. As expected, it shows up for installation and I installed it again. The same problem persists.

    It looks like it does install successfully, but that it wants to reinstall anyway. I'll be installing it once on the Windows 7 machines and ignoring it until next month to see if it's fixed then.

    Wednesday, July 12, 2017 9:55 AM
  • Same here, for the moment I gave deny for KB4025252 windows 7 on WSUS server.

    Windows 8 doesn't seem to have the same problem.

    Wednesday, July 12, 2017 10:58 AM
  • Same problem, Win7Pro x64 on WSUS. Win8.1 and Win2008R2 seems to be normal.
    Wednesday, July 12, 2017 11:26 AM
  • It must be a bug.  We are seeing this as well and have declined it in WSUS.  I had to hide it on my machine most likely due to impatience.  I am not sure whether or not the fact that the update already made it to the machine will allow WSUS settings to have any impact on this issue.
    Wednesday, July 12, 2017 11:40 AM
  • same here, 7-x64, over and over.  I hope someone from M$ is watching this
    Wednesday, July 12, 2017 12:25 PM
  • Same here on nearly all machines in our environment (Windows 7 x64 german lang installation)
    Wednesday, July 12, 2017 12:28 PM
  • Hi,

    same here in corporate environment. Declined in WSUS.

    According to my understanding, the patch does not change any files and so does not recognize that installation is completed and succeeded. This should be a BUG.



    "The fixes included in this Security Update for Internet Explorer 4025252 are also included in the July 2017 Security Monthly Quality Rollup. Installing either the Security Update for Internet Explorer or the Security Monthly Quality Rollup installs the fixes that are resolved in this update."

    "This Security Update for Internet Explorer is not applicable for installation on a computer where the Security Monthly Quality Rollup or the Preview of Monthly Quality Rollup from July 2017 (or a later month) is already installed. This is because those updates contain all fixes in this Security Update for Internet Explorer."


    Wednesday, July 12, 2017 12:32 PM
  • Thanks for that, Red.  I feel a lot better about having declined this update since we have the rollup installed.
    Wednesday, July 12, 2017 12:40 PM
  • Same problem in our testenvironment here. On a x64 Win7 mache the install loops. It also looks in SCCM as all machines with x64 Win7 has KB4025252 installed, but we have only deployed it for test.

    I have logged a case with Premier Support.

    The same here (Win 7 x64). Reports show as installed and update is not detected for deploying.
    Wednesday, July 12, 2017 2:12 PM
  • Yep - seeing the same symptoms here with WSUS.

    Interestingly, I was expecting a high number of nodes listed as "Needed" for the Cumulative Security Update for Internet Explorer, but it became evident that it only appears as needed AFTER installing the "Security Monthly Quality Rollup" was being installed and a subsequent check for updates was run!

    Most definitely a detection issue.

    But I do agree with you - especially quoting MS:

    • The fixes included in this Security Update for Internet Explorer 4025252 are also included in the July 2017 Security Monthly Quality Rollup. Installing either the Security Update for Internet Explorer or the Security Monthly Quality Rollup installs the fixes that are resolved in this update.
    Wednesday, July 12, 2017 2:31 PM
  • For those who are declining this looping update in WSUS, may I ask why?  I'm observing that computers do not re-download the update for the looping installs, so I see the problem as annoying yet benign.
    Wednesday, July 12, 2017 3:36 PM
  • I'm seeing that the update is being offered after the Security Monthly Quality Rollup has been installed, and even if it is installed by itself subsequently, it's still being offered to be installed.

    We use GPO to apply updates lunchtime every weekday, so in our case, KB4025252 would be installed every lunchtime.

    Hence our reason for declining it.

    For now, though, I think I will mark it "Not Approved" for the moment. Does anyone think that's a bad idea?

    Wednesday, July 12, 2017 3:56 PM
  • Same problems on several WIN7pro 64bit.

    Wednesday, July 12, 2017 4:00 PM
  • Same problem here. KB4025252 deployment via SCCM fails on Win7 x64 test clients. However Windows event log on Win7 x64 shows that the update is successfully installed.
    Wednesday, July 12, 2017 4:15 PM
  • whats the statement from Microsoft here? we have dozens of wsus and i sure will not decline kb4025252 manually on all of them!
    Wednesday, July 12, 2017 4:16 PM
  • I am seeing the same thing. Although in my environment it looks like the update is already installed on the computers. I suggest that it is a detection issue. I have decided to hold off on approving for the production computer until this is resolved.
    Wednesday, July 12, 2017 5:13 PM
  • Same for my environement...KB fails to install... It starts the install using SCCM client but when it goes to "Pending Verification" ends with failed

    "The software change returned error code 0x87D00668(-2016410008)."


    Wednesday, July 12, 2017 5:21 PM
  • We're also seeing this issue.  Applied KB4025252 four times this morning and it's waiting to install for a fifth.

    Going to hold off

    Wednesday, July 12, 2017 6:36 PM
  • Same here in Reno
    Wednesday, July 12, 2017 7:18 PM
  • Our WSUS just pulled in new updates at 3:30 eastern time and IE KB4025252 appeared again.  This updated KB seems to have fixed the issue.  Several workstations no longer show that it's needed.   
    Wednesday, July 12, 2017 7:45 PM
  • @MrDaytrade -

    Manually did a WSUS synchronization here. Your observation seems correct and is the solution for us.

    The newly downloaded ~50K file stopped repeatedly offering itself to the WSUS clients. 

    Thank you for noticing and sharing your observation.

    Wednesday, July 12, 2017 9:17 PM
  • +1  
    • Proposed as answer by L_Herzog Thursday, July 13, 2017 12:24 PM
    Thursday, July 13, 2017 10:00 AM
  • Same issue. But this update is installed successfully. 
    Thursday, July 13, 2017 10:06 AM
  • Agreed, workstations are starting to register as fully patched and KB4025252 is not required.
    Thursday, July 13, 2017 11:58 AM
  • I can confirm, that after a manual WSUS Sync, this update has been pulled as a supervised update. A check for updates on the clients changes Windows Update from showing "one update found" to "up to date".

    MS has solved the problem silently.

    • Edited by L_Herzog Thursday, July 13, 2017 12:10 PM
    Thursday, July 13, 2017 12:10 PM
  • Same problem here.  Roughly 60 Windows 7 64-bit PC's.  KB4025252 shows as "1 update available" in Windows Update on the local PC's, however viewing update history on them shows that it is already installed.

    WSUS 3.2.7600.274 shows it as being 13% installed with "58 computers needing this update".  I'm going to spot-check a few more of them and confirm that it is, in fact, installed, then will probably decline it in WSUS.  If MS "fixed this silently" the fix doesn't appear to have trickled down to me yet!  :-(

    ---- Editing my own post.  Manually installing the update and then running a "wuauclt /detectnow /reportnow" on the affected workstations brings their status in WSUS up to 100% installed.  Tested it on 10 systems so far, I assume it will push out to the rest eventually... Or I can just do it manually on all of them myself to fix.  ;-)

    ------ Editing my own post again.  KB4025252 is showing back up on all the workstations again.  Even the ones I just fixed manually.  :-(

    • Edited by Mike442 Thursday, July 13, 2017 5:22 PM
    Thursday, July 13, 2017 4:09 PM
  • In WSUS, right-click the KB4025252 and check the revision history. You'll see that the revision number changed from 209 to 210 the next day. Make sure that your WSUS has revision 210 for KB4025252 . If not, force the sync in the Option menu.

    Revision 210 fixed this issue for us.

    Thursday, July 13, 2017 5:45 PM
  • @SystemCrash69 - Thanks!

    Re-synced my WSUS server (it didn't sync last night due to a cleanup job running), and the list of systems with the update installed jumped from 13% to 93%.  Revision history changed from 209 to 211.  I suspect the rest will clear themselves out soon.  Fingers crossed.  ;-)
    Thursday, July 13, 2017 6:29 PM
  • I have WSUS syncing 4 times per day - it picked the new version of the update during the night and started applying itself throughout the day here.

    A few systems had the older version of the update set to "Failed", but these cleared up throughout the day.

    My advice: sync WSUS and let it go.

    (I just put that song ion your heads now, didn't I?)

    Thursday, July 13, 2017 7:15 PM
  • Hi

    This is the known issue for this update, we can install latest revision of this update via WSUS as SystemCrash69 mentioned.

    Windows 7 for x64-based systems may continue to report that you need to apply this July 11, 2017 Internet Explorer 11 update after it has already been installed.

    • As of this publication date, Microsoft had corrected the issue for both Windows Server Update Services (WSUS), and Microsoft Update Catalog distributions.
    • Update management solutions that use the Windows Update offline scan method, may still experience this issue. Microsoft is currently investigating this issue and will provide an update to the Wsusscn2.cab as soon as possible.
    • As a potential workaround, affected customers can choose to install the update by using WSUS, or manually by using the Windows Update Catalog page.

    For detailed information about this KB, refer to this:


    • Proposed as answer by jeremy.barker Thursday, July 20, 2017 11:40 AM
    Friday, July 14, 2017 6:24 AM
  • I manually tested the patch KB4025252 installation on our test Win7 machines. Now this patch is not getting installed multiple times. Seems that Microsoft updated the update and fix the reinstallation issue.

    Friday, July 14, 2017 5:43 PM
  • WSUS is showing workstations with the previous IE cumulative update installed as already having this update installed but a third party patch monitoring tool we use says it's needed. Out of curiosity I downloaded the update from the Update Catalog and that version does install (usually a patch from the Update Catalog that is isn't needed will not install when you try to install it) and when installed the third party tool now says it installed.

    Something very strange is going on here. Is this patch actually needed if the previous IE cumulative update is installed?

    Thursday, July 20, 2017 11:48 AM