KB2920189 fails to install on generation 2 vm's

    Question

  • It looks like there is a problem with the KB2920189 update.

    When trying to install it via Windows Update on some servers, they all fail the installation of this update - they are all running 2012 R2 inside generation 2 Hyper-V machines.

    Has this update been tested with the UEFI implementation inside Hyper-V?

    Wednesday, May 14, 2014 8:55 AM

Answers

All replies

  • It's the same here!


    Fons system and network engineer Balie Amsterdam

    Wednesday, May 14, 2014 9:09 AM
  • Okay, this is broken - however, there is a workaround:

    After a bit of searching around using <INSERT SEARCH ENGINE HERE> for the error code, I found this article: http://www.eightforums.com/windows-updates-activation/39758-error-800f0922-installing-update-kb2871690.html

    The solution is simple:

    1. Shutdown the VM
    2. Disable Secure Boot for the VM
    3. Start the VM and install the update
    4. Shutdown the VM again
    5. Enable Secure Boot
    6. Start the VM

    Annoying, but it works :)



    • Marked as answer by GurliGebis Wednesday, May 14, 2014 9:14 AM
    • Edited by GurliGebis Wednesday, May 14, 2014 9:16 AM Whitespace missing
    Wednesday, May 14, 2014 9:14 AM
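
An added example (not part of the original post): the six steps above wrapped for use on the Hyper-V host, recording each VM's Secure Boot state first so that it is restored and verified afterwards. It assumes an elevated session with the Hyper-V module; the function names, the state file name and the VM names in the usage comment are hypothetical, and the update itself is still installed inside each guest between the two calls.

```powershell
#Requires -Modules Hyper-V
# Added example, not from the thread. Run elevated on the Hyper-V host.

# Report the Secure Boot state of the Generation 2 VMs among the given names.
# Generation 1 VMs have no firmware settings, so they are filtered out.
function Get-SecureBootState {
    param([Parameter(Mandatory)][string[]]$VMName)
    Get-VM -Name $VMName | Where-Object Generation -eq 2 | ForEach-Object {
        [pscustomobject]@{
            VMName     = $_.Name
            SecureBoot = [string](Get-VMFirmware -VMName $_.Name).SecureBoot
        }
    }
}

# Steps 1-3: shut down, disable Secure Boot, start again.
# The state before the change is saved so nothing is left disabled by accident.
function Disable-SecureBootForPatching {
    param(
        [Parameter(Mandatory)][string[]]$VMName,
        [string]$StatePath = '.\secureboot-before.csv'   # hypothetical file name
    )
    $before = @(Get-SecureBootState -VMName $VMName)
    $before | Export-Csv -Path $StatePath -NoTypeInformation
    foreach ($vm in ($before | Where-Object SecureBoot -eq 'On')) {
        if ((Get-VM -Name $vm.VMName).State -ne 'Off') { Stop-VM -Name $vm.VMName }
        Set-VMFirmware -VMName $vm.VMName -EnableSecureBoot Off
        Start-VM -Name $vm.VMName
    }
}

# Steps 4-6: shut down, re-enable Secure Boot, start, then verify.
# Returns the VMs that had Secure Boot on before and do not have it on now.
function Restore-SecureBootAfterPatching {
    param([string]$StatePath = '.\secureboot-before.csv')
    $wasOn = @(Import-Csv -Path $StatePath | Where-Object SecureBoot -eq 'On')
    foreach ($row in $wasOn) {
        if ((Get-VM -Name $row.VMName).State -ne 'Off') { Stop-VM -Name $row.VMName }
        Set-VMFirmware -VMName $row.VMName -EnableSecureBoot On
        Start-VM -Name $row.VMName
    }
    if ($wasOn.Count -eq 0) { return }
    $stillOff = @(Get-SecureBootState -VMName $wasOn.VMName |
                  Where-Object SecureBoot -ne 'On')
    foreach ($vm in $stillOff) {
        Write-Warning "Secure Boot is still Off on $($vm.VMName)"
    }
    $stillOff
}

# Usage (VM names are hypothetical):
#   Disable-SecureBootForPatching -VMName 'APP01','APP02'
#   ... install the update inside each guest ...
#   Restore-SecureBootAfterPatching
```
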
  • in addition:

    the update fails with error code 0x800f0922 at event id 20

    server 2012 r2 updating from wsus

    the update installed correctly to win 8.1 computers


    Fons system and network engineer Balie Amsterdam

    Wednesday, May 14, 2014 9:14 AM
  • in addition:

    the update fails with error code 0x800f0922 at event id 20

    server 2012 r2 updating from wsus

    the update installed correctly to win 8.1 computers


    Fons system and network engineer Balie Amsterdam


    Could you try the workaround above, and see if it fixes it for you too?
    Wednesday, May 14, 2014 9:18 AM
  • Hi Gurli,

    the workaround works for me as well. thanks for that.

    but I have to do about 10 VM's. I'll be awaiting a solution by MS. Hope you don't mind.

    regards


    Fons system and network engineer Balie Amsterdam

    Wednesday, May 14, 2014 9:47 AM
  • Hi Gurli,

    the workaround works for me as well. thanks for that.

    but I have to do about 10 VM's. I'll be awaiting a solution by MS. Hope you don't mind.

    regards


    Fons system and network engineer Balie Amsterdam

    Sure, it's more to make sure if it works for other people than me :)

    Thanks

    Wednesday, May 14, 2014 10:16 AM
  • It's great that this works, but for large-scale deployments this won't work for us. We cannot shut down 100+ VMs and perform this step to complete this update. We will have to wait for a fix on this update from MS, which hopefully will happen soon. 
    Wednesday, May 14, 2014 12:16 PM
  • Hi,

    The workaround worked for me as well.

    Thank you!

    Wednesday, May 14, 2014 12:33 PM
  • Work around works!

    Microsoft should have tested this :(

    Wednesday, May 14, 2014 2:21 PM
  • The proposed solution worked for me as well.  Thanks!
    Wednesday, May 14, 2014 2:25 PM
  • Hmm it sure looks like this update not only causes problems on VM's using UEFI. I have a 2012R2 server that runs on physical hardware, and UEFI + secure boot are enabled on this machine.

    It did most of the updates except for 13 of them. After reboot it would revert back the changes for these 13 updates with error:

    update(KB number)  failed to be changed to the Installed state. Status: 0x800f0922.

    I actually did these 13 manually and one by one to find the offending update, which is KB2920189

    Now I do use generation 2 vm's, so definitely will exclude this update until MS bothers to issue a fix.

    I don't get it, since a couple of months, Patch Tuesdays have been changed to horror Tuesday, it seems some kicking is in order, as in all my years as admin I have not seen such a mess on Patch Tuesday as the last 4-5 months.

    Edit:

    Oh and sure enough, a VM on which I installed the updates, and just rebooted, the exact same behaviour, updates are being reverted back during boot. I don't get it, how does ONE update cause 12 others to be reverted back, these are SERVERS we are talking about here.


    • Edited by Jvangent100 Wednesday, May 14, 2014 4:10 PM
    Wednesday, May 14, 2014 4:04 PM
  • Worked for me.  Thanks!
    Wednesday, May 14, 2014 4:08 PM
  • Description of the update rollup of revoked noncompliant UEFI modules: May 13, 2014:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;2920189

    Is someone willing to work with me to open a free support case?

    If so email me at susan-at-msmvps.com (change the -at- to @)


    Unfortunately TechNet subscriptions aren't coming back, sorry folks :-(

    Wednesday, May 14, 2014 5:07 PM
  • Thank you! I was wondering what was up when I tried to update a brand new VM install and Windows Update was already failing. It would find 38 updates, it would appear to install them, it would continue wrapping up the install after a reboot, but after a long delay, it would say that the updates couldn't be installed. It would then take an extraordinarily long time rolling them back. After another reboot, it would report 38 updates available again.

    It's amazing how much time in IT ends up wasted on stuff like this. Thank you for posting the answer!

    Now if I could just get KB2919355 to install through Windows Update. It hasn't run successfully for me on any machine yet--2012 R2 or 8.1, physical or VM. Not one. I've had to run the update manually on each. When the update is so problematic, the requirement for this update for ongoing patches is baffling.

    • Edited by rhelmer Wednesday, May 14, 2014 5:23 PM
    Wednesday, May 14, 2014 5:22 PM
  • I believe this issue is documented in the KB article: https://support.microsoft.com/kb/2962824

    The relevant text is here:

    You receive a 0x800f0922 error when you try to install this security update

    Symptoms
    Consider the following two configurations:

    • Configuration 1
      You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.
    • Configuration 2
      You have a Windows Server 2012 R2-based Hyper-V host running and you are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled. The guest virtual machine is running Windows 8 or Windows Server 2012.
    In these configurations, security update 2871690 may not install, and you receive a 0x800f0922 error message. 

    Cause
    This error occurs because the installer for security update 2871690 incorrectly expects BitLocker to be installed.

    Workaround
    To work around this issue, use one of the following methods, based on your scenario:
    • Workaround for configuration 1
      Install the BitLocker optional component on the server that uses UEFI and that has the Secure Boot option enabled. 
    • Workaround for configuration 2
      Install the BitLocker optional component on the guest virtual machine in the Hyper-V configuration.
    Note: You do not have to configure BitLocker on any drive. It is only necessary for the BitLocker component to be present on Windows Server 2012 when you install security update 2871690.

    A fix for the installer issue is being investigated.


    [MSFT]

    • Proposed as answer by n0b0dykn0ws Wednesday, May 14, 2014 8:12 PM
    Wednesday, May 14, 2014 5:49 PM
  • Hey Rhelmer?  Topic drift:  What error messages do you get when installing (or attempting to) install KB2919355?

    Unfortunately TechNet subscriptions aren't coming back, sorry folks :-(

    Wednesday, May 14, 2014 5:55 PM
  • Where do you see the phrase "a fix for the installer issue is being investigated"?  It may be documented, but to ask admins to install additional roles on a server is a tad unreasonable (IMO).


    Unfortunately TechNet subscriptions aren't coming back, sorry folks :-(

    Wednesday, May 14, 2014 6:17 PM
  • I've received a few different errors installing KB2919355, including:

    80244021

    8024402C

    80200056

    The first two errors suggest a proxy settings issue, but it's odd that only this update would be affected if that's the case. In a couple cases, I also had to run the Windows Update diagnostic tool afterwards in order to make Windows Update start working again.

    Wednesday, May 14, 2014 7:01 PM
  • Worked great for me! Thanks!
    Wednesday, May 14, 2014 7:57 PM
  • Okay, this is broken - however, there is a workaround:

    After a bit of searching around using <INSERT SEARCH ENGINE HERE> for the error code, I found this article: http://www.eightforums.com/windows-updates-activation/39758-error-800f0922-installing-update-kb2871690.html

    The solution is simple:

    1. Shutdown the VM
    2. Disable Secure Boot for the VM
    3. Start the VM and install the update
    4. Shutdown the VM again
    5. Enable Secure Boot
    6. Start the VM

    Annoying, but it works :)



    pretty amazing how a 31KB update fails to install on WS2012R2 server running in Gen2 VM only because of a Secure Boot ... LOL!

    Anyways, the workaround worked here as well, thanks for posting it!

    Thursday, May 15, 2014 6:00 PM
  • Thanks! Worked for me too. Watched several reboots with this problem, and it delayed me for a few hours. Thanks MS (with sarcasm).
    Saturday, May 17, 2014 12:30 PM
  • Thank you!
    Sunday, May 18, 2014 5:35 PM
  • Symptoms

    Consider the following two configurations:

    • Configuration 1
      You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.
    • Configuration 2
      You have a Windows Server 2012 R2-based Hyper-V host running and you are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled. The guest virtual machine is running Windows 8 or Windows Server 2012.

    ...
    Workaround
    To work around this issue, use one of the following methods, based on your scenario:

    ...

    • Workaround for configuration 2
      Install the BitLocker optional component on the guest virtual machine in the Hyper-V configuration.

    FWIW, I can confirm that Workaround for configuration 2 worked for my VM's.

    Monday, May 19, 2014 9:51 PM
  • Hi,

    I'm very happy that I've found this post here. I believe that Windows Server 2012 R2 has issues with more updates than only that one here. I have a Server 2012 R2 Hyper-V cluster with, among others, 2012 R2 guests as V2 machines. These machines have a terribly long list of failing updates. When I'm back in the office I'll try to disable Secure Boot to get rid of this issue.

    Cheers

    Robert

    Monday, May 26, 2014 4:33 PM
  • Robert, it is likely that the "terrible long list of failing updates" is triggered by the failure of security update 2871690 alone.  By default, when multiple updates are installed at once, if a single one fails all others will also be rolled back and marked as failed in the updates history log.

    Personally, I temporarily declined the violating update in WSUS until I had time to enable the Bitlocker Drive Encryption feature.  After doing so, the other updates that were getting logged as failing installed without issue.  While my experience may not be applicable to your scenario, I at least offer this as anecdotal evidence that the other updates are likely not problematic.

    Tuesday, May 27, 2014 7:38 PM
  • I agree with merv_f.

    I've seen those massive failures on updates many times, and usually it was just a single update failed (or a conflict between updates) causing that massive roll back. Happens to me once in a while when I (re)install older 2008 server in some VM and do the initial flood of updates manually not yet from WSUS and forget to uncheck IE7/8 patches and leaving IE9 upgrade package in the list.

    Try doing updates in smaller batches to see if you can push through as much as it can take without failing all. Or do them by categories, e.g. security patches one time, platform patches another time, IE patches next time and so on; that should narrow it down at least a bit.

    Wednesday, May 28, 2014 2:32 AM
  • Hello,

    yes this might be really it. When I was writing my comment I could not check the updates on my test servers as I was home already. But now I can confirm that the update KB2920189 was also in the queue which caused then the roll-back of all updates. Quite nasty problem anyway but good that this is workarounded now.

    Thanks for that.

    Regards

    Robert

    Wednesday, May 28, 2014 5:44 AM
  • Thank you so much for this post.  Worked like a dream.
    Tuesday, June 03, 2014 5:37 PM
  • The workarounds are good but is Microsoft expecting us to do this to 100's of VMs???

    Orange County District Attorney

    Friday, June 06, 2014 4:03 PM
  • Okay, this is broken - however, there is a workaround:

    After a bit of searching around using <INSERT SEARCH ENGINE HERE> for the error code, I found this article: http://www.eightforums.com/windows-updates-activation/39758-error-800f0922-installing-update-kb2871690.html

    The solution is simple:

    1. Shutdown the VM
    2. Disable Secure Boot for the VM
    3. Start the VM and install the update
    4. Shutdown the VM again
    5. Enable Secure Boot
    6. Start the VM

    Annoying, but it works :)



    It actually worked perfectly for my Gen 2 VM not joined to my domain. I will try it for one of my clients' domain controller that has this issue.

    Thanks for this.

    Friday, June 06, 2014 5:36 PM
  • The workarounds are good but is Microsoft expecting us to do this to 100's of VMs???

    Orange County District Attorney

    I think you can enable the optional Bitlocker component (Workaround no.2) via some startup script (DISM /online or PowerShell script) and that should allow for that pesky 31KB update installation, somebody confirmed it worked afterwards.

    I have only a few VMs with 2012R2, so for now am sticking with Workaround no.1

    Saturday, June 07, 2014 3:08 AM
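
An added example (not part of the original post) of the scripted BitLocker-component workaround suggested above, intended to run elevated inside a Windows Server guest, for instance from a startup script. The function names and the shape of the returned object are hypothetical; nothing here configures BitLocker on any drive, it only adds the optional component where the update is missing and Secure Boot is on.

```powershell
# Added example, not from the thread. Run elevated inside the Windows Server guest.

# True only when the machine boots via UEFI with Secure Boot enabled.
# Confirm-SecureBootUEFI throws on BIOS / Generation 1 systems, which is
# treated here as "Secure Boot not in play".
function Test-SecureBootEnabled {
    try   { return [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { return $false }
}

# Adds the BitLocker optional component only when it is needed for the update,
# and reports what was done so the result can be logged centrally.
function Enable-BitLockerComponentForUpdate {
    param([string]$KbId = 'KB2920189')

    $report = [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Kb            = $KbId
        Action        = 'None'
        RestartNeeded = $false
    }

    # Already patched: leave the server's feature set alone.
    if (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue) {
        $report.Action = 'UpdateAlreadyInstalled'
        return $report
    }
    # The failure in this thread is tied to Secure Boot being enabled.
    if (-not (Test-SecureBootEnabled)) {
        $report.Action = 'SecureBootNotEnabled'
        return $report
    }
    if ((Get-WindowsFeature -Name BitLocker).Installed) {
        $report.Action = 'BitLockerAlreadyPresent'
        return $report
    }

    $result = Install-WindowsFeature -Name BitLocker
    if ($result.Success) {
        $report.Action = 'BitLockerInstalled'
    } else {
        $report.Action = 'BitLockerInstallFailed'
    }
    # The feature installation may require a reboot before the update is retried.
    $report.RestartNeeded = ($result.RestartNeeded -ne 'No')
    return $report
}

Enable-BitLockerComponentForUpdate
```
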
  • This also worked for my customer's domain controller and other domain-joined VMs.

    Appreciate this.

    Thursday, June 19, 2014 7:31 AM
  • I confirm that installing Bitlocker feature "fixes" the issue but...

    Good, I am not a hosting service provider :)

    Wait, I AM!

    Thursday, July 10, 2014 2:16 PM
  • The other alternative is to not install this security update on VMs since this security update is blacklisting UEFI components that OEMs are shipping and would not exist in a VM.

    [MSFT]

    Thursday, July 10, 2014 2:25 PM
  • How do you Shut it down for this to work?

    I have tried Shutdown.  I have tried Turn off.

    Turn it Off will at least stop it, but whenever I restart the VM, it's right back at the spot I left off trying to Undo changes.

    This is a pretty serious issue.  Our Directory Sync is on this box.  WTF Microsoft?

    I have turned off the Secure boot but that does nothing.

    Help!

    Thanks.

    Monday, April 27, 2015 6:25 PM
  • Over a year later, and this issue STILL seems to exist.  You'd think that a pure MS virtual machine would work with a pure MS OS and pure MS patch.  It's not like there's ANY non-Microsoft component involved with installing updates on a 2012R2 Gen2 VM.

    The frightening thing is that most people would probably wait 2-3 hours to install the (currently 122) windows updates, watch it reboot, see it fail... wait another 2-3 for the rollback, and do it all again thinking that it must have been a bad d/l or something.  It's not like the one patch fails and a message pops up saying "Hey, patch XYZ failed so you should check KB article ABCD for a work-around" 

    I wonder how many people have just given up on using hyper-v because of this....


    Saturday, July 25, 2015 7:47 AM
  • KB2920189 was bundled with KB2981685 to solve this problem but it appears that it isn't working on your VM. Try the following:

    1) Download and install KB2981685.

    2) Download and install KB2920189.

    Report any errors you receive from attempting to install these updates.


    [MSFT]

    Saturday, July 25, 2015 3:48 PM
  • KB2920189 was bundled with KB2981685 to solve this problem but it appears that it isn't working on your VM. Try the following:

    While I appreciate you taking the time to fill in that information, I had already worked around the issue by turning off secure boot.  If it weren't for the abilities of <a competing internet search engine with the same first initial as my own>, I'd probably have just given up by now.

    When it takes SO LONG to catch up on windows updates, and then it just fails with no good information... and then spends at least as long rolling back EVERYTHING... it's just a disaster.


    Sunday, July 26, 2015 2:47 PM
  • After having this issue myself, I'd like to share this link which was an absolute life saver!  Andy, whoever you are...THANKS!!!

    http://andyparkes.co.uk/blog/index.php/category/hyper-v-2/

    Simply open Server Manager from your physical host, then add the Bitlocker service as per the above instructions, and BAM.  The machine fires right up.  You will also need secure boot disabled too.

    This fix also works if your machine is stuck reverting the failed updates.


    • Edited by Lukebrynycz Tuesday, August 11, 2015 10:16 AM
    Tuesday, August 11, 2015 10:15 AM
  • http://andyparkes.co.uk/blog/index.php/category/hyper-v-2/

    Here's how to install Bitlocker if your VM is stuck installing updates and disabling secure boot doesn't work!

    Tuesday, August 11, 2015 10:21 AM
  • Perfect! Thanks

    Resolved!


    Maia

    Friday, August 14, 2015 1:32 PM
  • Tried everything here that everyone else was trying. Unfortunately for me not even the method presented at Andy's blog worked - Server Manager kept spitting out an error attempting to inject BitLocker into the offline vhdx for the hosed VM. I ended up deleting and then rebuilding a new VM. I lost a full 24 hours on this, what a shame by Microsoft for allowing this problem to exist for well over a year and still doing nothing to fix it. I mean c'mon, having to bag a fully installed server for one stupid, buggy update is nonsense.

    And the worst part is, we still have to deal with the "Downloading updates" forever problem that is happening to all of our Server 2012 installs, virtual and physical. It is taking 2+ hours to install 150+ (1.6GB) of updates for a brand new server install!

    The madness of it all...


    • Edited by NHJonesy2 Wednesday, December 16, 2015 9:34 PM
    Wednesday, December 16, 2015 9:33 PM
  • Why does anyone deploy more than one virtual machine from base ISO in 2015? Make one, sysprep it, and run offline patches against it every month. Copy/paste your way into new VMs.

    As for this patch: "Generation 2 virtual machines are not affected by this issue, and you do not have to install the update in this case." from https://support.microsoft.com/en-us/kb/2962824 which is linked from the "Known Issues" section on the KB article for this patch: https://support.microsoft.com/en-us/kb/2920189. Hide the update in WU or don't approve it in WSUS for Gen2 VMs.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.

    • Proposed as answer by xerxesmatrix Friday, March 04, 2016 11:48 AM
    • Unproposed as answer by xerxesmatrix Friday, March 04, 2016 11:48 AM
    • Proposed as answer by xerxesmatrix Friday, March 04, 2016 11:59 AM
    • Unproposed as answer by xerxesmatrix Friday, March 04, 2016 11:59 AM
    Wednesday, December 16, 2015 10:44 PM
  • Thanks for the fix.
    We have a similar issue on VMware 6.x and 2012 R2. Can I use this solution for VMware?
    I can't find the Disable Secure Boot option in VMware!
    I hear this feature does not exist in VMware.
    Friday, March 04, 2016 12:42 PM
  • Hi,

    I've tried this after forcibly shutting down the server as this message seemed caught in a loop for multiple hours.  I eventually turned the VM (yes, contrary to the message but having left it overnight), but every time I restart the VM server after having disabled secure boot per above, the same message appears "We couldn't complete the updates.  Undoing them".  This appears irrespective of the user logging in. 

    How is it possible to kill the Windows Update process and restart Windows Update, please?

    Friday, April 08, 2016 4:09 PM
  • When left again overnight at the undoing message, the server has righted itself.  Thanks.
    Saturday, April 09, 2016 2:36 AM
  • We've just decided to use gen 1 VMs for server 2012 R2, since we've had a lot of other kinda random failures with Gen 2.  Maybe by server 2016 Gen 2 VMs will be ready for primetime, cause currently they're not supported by Microsoft apparently.

    Too bad there's no service pack, because it sucks to have to install 214 updates on every new server.

    Friday, June 17, 2016 3:53 PM
  • I have the same situation. Shutdown is not working on the guests, only Turn Off.
    I switched off the Secure Boot option, then started the guests, but the issue is the same.

    I tried restarting the host too, but nothing changed.

    Tuesday, August 30, 2016 5:37 PM
  • I do not see the Firmware option in Hyper-V. I am facing this issue with Windows Server R2. Can you advise?

    Regards

    Wednesday, July 12, 2017 5:05 PM