KB3000061 fails to install on Server 2012 RRS feed

  • Question

  • When we tried to install KB3000061 that was released today, it fails to install on all of our Server 2012 machines, with a 'failure configuring windows updates, reverting changes' after restart.  On 2012R2, the update installs OK.  Has anyone else experienced this?
    Tuesday, October 14, 2014 8:54 PM

All replies

  • Did you try installing the update manually ? Or it was via Windows Update only? 

    Can you check it manually, if not checked.

    Arnav Sharma | Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, October 14, 2014 11:44 PM
  • I also am experiencing the same issue with KB30000061. I have about 12 HyperV machines, and I am already seeing this on 3, and have yet to get around the rest in applying todays Windows Updates....

    I find the amount of Windows Update issue this year is off the charts!!!!


    Wednesday, October 15, 2014 1:14 AM
  • I am also seeing this issue, on 2 systems out of 40. both are on hyperv. one is a sql server the other has dirsync which has a local version of sql. I cant find anything else in common. most of the other systems that work are 2012 R2 but some are 2012. I did try to install off download, no joy.
    Wednesday, October 15, 2014 7:38 AM
  • Ironically the systems I am experiencing this issue, are also on Hyper-v machines, as I was able to successfully install the patch on 1 physical Windows Server 2012 machine so far, with success. I will have a better idea as the day goes on and I patch the rest of the VM's and Physicals.


    Wednesday, October 15, 2014 11:06 AM
  • I have a host running server 2012 R2 with 4 hyper-v machines running Server 2012. KB30000061 does not install on 3 of the hyper-v systems. I have not updated the host yet. So far 3 hours troubleshooting this MS FUBAR.
    Wednesday, October 15, 2014 6:37 PM
  • We have this problem on both a physical and a virtual Server 2012. Both are only domain controllers with no other services running. Puzzling.
    Wednesday, October 15, 2014 6:54 PM
  • Someone needs to open a case folks, there are way too many "me toos" on this thread.  Email me at (change the -at- to @) if you need help with getting a free security patch support case set up.

    My blog

    Wednesday, October 15, 2014 7:18 PM
  • There is also a similar thread regarding this for windows 8 x86 and x64
    Wednesday, October 15, 2014 8:01 PM
  • what about sending a mail on : 

    secure 'at' microsoft 'dot' com

    Arnav Sharma | Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, October 15, 2014 11:21 PM
  • No, support engineers need log files.  Merely emailing secure won't work here.  I'm more than willing to help anyone open a support case if you don't have the resources to do so, Anyone?  Bueller?

    My blog

    Wednesday, October 15, 2014 11:27 PM
  • Anyone opened a case yet?

    Anyone willing to work with me to open a support case?

    My blog

    Thursday, October 16, 2014 9:25 PM
  • Same shit here

    two laptop, ASUS and LENOVO, MS Windows 8 Enterprise 32 bits

    both failed to install kb3000061. I did cold reboot fix it Windows update but nothing change

    this update KB3000061 is CORRUPTED

    Thursday, October 16, 2014 9:48 PM
  • Hello,
    are there any cases, if so can I get the Case numbers?

    Also looking for logs from these machines.

    All the logs under c:\windows\logs\cbs

    Can we make them available for download?

    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, October 16, 2014 11:00 PM
  • Thank you Darrell for the offer.   If anyone on this thread has not opened a case and would like a free support case for this issue, email me at (change the -at- to @) and I'll set up a support case for you.  I'll need a phone number so that the Microsoft support engineering team can call you back. 

    Otherwise zip up the log files and place them in a onedrive link and post the link here.  If you would prefer a bit of privacy, the security support case will keep these log files more private.

    My blog

    Thursday, October 16, 2014 11:06 PM
  • Just opened a case for Neil D. Case 114101711915623
    Friday, October 17, 2014 2:51 PM
  • If your CBS.log shows the following error as the cause
    2014-10-16 20:41:48, Error                 CSI    00000002 (F) Logged @2014/10/16:18:41:48.424 : [ml:240{120},l:238{119}]"EventAITrace:Provider Microsoft-Windows-Win32k is already installed with GUID {e7ef96be-969f-414f-97d7-3ddb7b558ccc}.

    you can fix this by deleting everything in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT

    Then reboot and install KB3000061.

    You might want to take a backup of the registry key first and then restore everything from it apart from the keys that KB3000061 recreates.

    • Proposed as answer by CountryKING™ Friday, October 17, 2014 3:06 PM
    Friday, October 17, 2014 3:06 PM
  • I also have this issue. See my data dump here

    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Friday, October 17, 2014 3:15 PM
  • I am seeing this on my Windows 8 laptop as well.  Have not had time to dig into it just yet.


    Friday, October 17, 2014 3:19 PM
  • It's not just KB3000061. I pulled it from our WSUS server, successfully ran one of the other pending updates (KB2853587) updates, ran the next (KB2923392), same failue without KB3000061 having been downloaded.

    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Friday, October 17, 2014 3:31 PM
  • I appear to be able to replicate this problem with the following 4:

    Security Update for Windows Server 2012 (KB2923392)
    Update for Windows Server 2012 (KB2995387)
    Security Update for Windows Server 2012 (KB3000061)
    Update for Windows Server 2012 (KB3000988)

    I've been shutting down wuauserv, renaming the softwaredistribution folder, starting it back up and doing each one by one. The other 4 updates I had pending all installed properly. Those 4 fail in the same way.

    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Friday, October 17, 2014 4:05 PM
  • I showed the same error.  I only deleted the key called {e7ef96be-969f-414f-97d7-3ddb7b558ccc} listed under the Providers key.  Rebooted, installed 3000061 and all of the other 10 updates that failed installation successfully installed on the restart.  I observed this behavior on a VM and a physical machine.
    Friday, October 17, 2014 4:09 PM
  • Thanks.  I followed this and only deleted HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc} and the patch installed fine and the registry key was also back then.   
    • Proposed as answer by Jack Jameson Saturday, October 18, 2014 8:55 PM
    Friday, October 17, 2014 11:41 PM
  • Same problem on Windows Server 2012. I restored the system state from a backup prior to the updates and was able to install all updates successfully except KB3000061.


    Once I install KB3000061

    1. No other updates will install.
    2. Unable to remove Hyper-V role from the server (have not tried adding or removing any other roles or features).
    3. I get the following Manageability error in Server Manager "Online - Data retrieval failures occurred 10/18/2014 11:57:58 AM [product id] (Activated)"
    Saturday, October 18, 2014 4:03 PM
  • Opened case for Charles P. 114101811917976

    My blog

    Saturday, October 18, 2014 5:16 PM
  • Thanks. Deleting registry key did the trick for me too.

    (Just HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc}.)

    All updates installed normally and my error in Server Manager went away.

    Does anyone know what this key does? Should I restore it now that the server is running properly? Thanks.

    Saturday, October 18, 2014 10:33 PM
  • Hey it worked good. I tried it.

    1. Please remember to take a back up first.

    2. open Run> type "regedit"

    3. Locate the WINEVT using the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEV

    4. Export the the folder for the backup

    5. Delete everything in the folder but the default key cant be deleted, let it be

    6. Restart the computer

    7. Performed Windows updates.

    8. It will work now. :)

    Monday, October 20, 2014 1:34 AM
  • I continue to have this problem but my server does not have the e7ef96be-969f-414f-97d7-3ddb7b558ccc key.

    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Monday, October 20, 2014 1:11 PM
  • We do too. No key. We have 750+ 2012 servers, this issue has only occurred on 1/3 of them, all with the same configuration interestingly.
    Tuesday, October 21, 2014 4:56 AM
  • you can fix this by deleting everything in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT

    Then reboot and install KB3000061

    This solution is perfetc for windows  server 2012 but service windows remote management will be afected.

    I am using thix corrector for windows 8. I am waiting



    Tuesday, October 21, 2014 2:51 PM
  • you can fix this by deleting everything in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT

    Then reboot and install KB3000061.

    running regedit you will find this registry.

    After a short wait updates for windows 8 are corrects. There is not reverting "puto fastidioso".

    Thanks again

    Tuesday, October 21, 2014 3:09 PM
  • I'd like to get an understanding of what's going on before we start advising everyone to nuke out this registry key.

    I've got a couple of support cases opened, let's see what they say first before deleting this across the board.

    My blog

    Tuesday, October 21, 2014 3:44 PM
  • Agreed. Most sensible answer so far.
    Tuesday, October 21, 2014 4:03 PM
  • I concur. I'm not willing to delete hundreds of keys from the registry on production machines without a full grasp of the issue *especially* given that not everyone appears to even have the key in question.

    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Tuesday, October 21, 2014 5:23 PM
  • From some deducing what i can tell is the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc} points to a resource
    Microsoft-Windows-Win32k at %SystemRoot%\system32\win32k.sys

    The KB article for the patch ( ) lists as files being changed:

    For all supported x64-based versions of Windows 8 and Windows Server 2012

    File name File version File size Date Time Platform
    Win32k.ptxml Not applicable 4,172 11-Oct-2012 00:37 Not applicable
    Win32k.sys 6.2.9200.17130 4,068,352 28-Sep-2014 04:18 x64
    Win32k.ptxml Not applicable 4,172 25-Jul-2012 20:29 Not applicable
    Win32k.sys 6.2.9200.21247 4,067,840 28-Sep-2014 03:39 x64
    Wow64_win32k.ptxml Not applicable 4,172 12-Feb-2013 00:14 Not applicable
    Wow64_win32k.ptxml Not applicable 4,172 12-Feb-2013 00:09

    Not applicable

    I can see the relevance of deleting that registry key ONLY (not the whole WINEVT root) as a probable workaround solution. Granted if that is the case then Microsoft should release an updated patch that checks for and correct whatever issue is with that tree causing the update to fail.

    It seems from the CBS.log that the updater doesn't not correctly unregister the win32k publisher prior to updating and attempting to re-register the publisher causing it to fail with an already registered message. Deleting the key must simulate the unregistration so when the update gets applied it doesn't fail there.

    For those that don't have the key present it is likely there is another issue as the root of the install problem.

    EDIT 1:

    If I just delete the reg key without rebooting and install the update it works. It succeeded, I also double checked and the registry key did not come back. I will check for more updates then do a reboot see if the keys come back and which ones. If they don't I will restore the backup I took and let you know what happens. I assume it will work as normal, I think these registry keys are just for the event logs.

    EDIT 2:

    Looks like the old key is supposed to be deleted but it is not being deleted. The key does get replaced but under a different GUID {8c416c79-d49b-4f01-a467-e56d3aa8234c} everything is the same as before with the exception of 2 new entries and one changed one (basically counting the number of entries).

    ChannelReferences 5 (Messages) and 6 (Contention) get added and the count in the main key updated to account for the two new references.

    I am not sure why the GUID changed, either someone at Microsoft goofed and set the wrong GUID or its supposed to change but again there was a mistake in where the accidentally put the wrong GUID (new one) for the old key thus doesn't get deleted before being re-inserted.


    I would say it is very safe to delete the key under the old GUID since it is being recreated by the update under a new GUID and the issue seems to be that the updater is not correctly deleting the old key thus leading to the update error. Hopefully this helps put to ease J Cervero's concern of grasping the issue. Those who do not have they key likely got it correctly deleted or are already using the new GUID. Can someone who did not have they key originally check to see if one with the new GUID is present?

    • Edited by Axelrtgs Tuesday, October 21, 2014 11:04 PM
    Tuesday, October 21, 2014 10:08 PM
  • Hello,

    I would like to see more logs from these failures.

    Thanks for ones we have gotten so far, but we could use some more.

    looking for the logs under c:\windows\logs\CBS.

    if they could be made available for download that would be great.

    or you can email the logs ( zipped up please)

    My first name and last initial

    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, October 21, 2014 11:31 PM
  • Well I have 270 production servers which no longer install any updates or report software update compliance in SCCM. Case number: 114102011918799
    Wednesday, October 22, 2014 12:08 AM
  • Hello,

    Thanks, got the logs from that case

    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, October 22, 2014 12:52 AM
  • Hello,

    Can one of you experiencing this issue do the following for me please.

    If you don’t have KB2756872, install it and retry the update

    If you do have KB2756872:

    1. Go to
    2. Click download
    3. Select delmigprov.exe
    4. Confirm
    5. Run that executable locally
    6. Try installing the update again and let me know if it works

    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, October 23, 2014 6:42 PM
  • Hello,

    Can one of you experiencing this issue do the following for me please.

    If you don’t have KB2756872, install it and retry the update

    If you do have KB2756872:

    1. Go to
    2. Click download
    3. Select delmigprov.exe
    4. Confirm
    5. Run that executable locally
    6. Try installing the update again and let me know if it works

    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    I'll give this a shot in the morning we have a few systems with this issue in our org.
    Friday, October 24, 2014 1:20 AM
  • Hello,

    Can one of you experiencing this issue do the following for me please.

    If you don’t have KB2756872, install it and retry the update

    If you do have KB2756872:

    1. Go to
    2. Click download
    3. Select delmigprov.exe
    4. Confirm
    5. Run that executable locally
    6. Try installing the update again and let me know if it works

    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    No success for me.

    ALL of my failures are Hyper-V guests with the RODC role.  My other 270 physicals were fine, as where the other 270 guests that's just do file print.


    Originally, I had KB3000061 and KB2995387 in the same deployment. KB2995387 failed which caused the rollback.

    I removed it and re-ran the deployment which included KB3000061 and the installs where successful.

    I have a heap of severs like this so I will test against a few more of them on Monday.

    KB2995387 continues to fail on a RODC.

    • Edited by JT_DPS Friday, October 24, 2014 3:45 AM
    Friday, October 24, 2014 1:53 AM
  • Interesting point, here are all and only RODC (physical) affected (4 at all). Failing Updates are KB3000988 and KB2995387.
    Friday, October 24, 2014 7:50 AM
  • Another case opened for a customer:


    My blog

    Tuesday, October 28, 2014 4:06 PM
  • Me help next:

    you can fix this by deleting everything in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT

    Then reboot and install KB3000061.

    You might want to take a backup of the registry key first and then restore everything from it apart from the keys that KB3000061 recreates.


    Wednesday, October 29, 2014 9:29 AM
  • I am seeing engineers tell customers to delete this reg key.  It would be WONDERFUL if there was authoritative information about what this reg key is and what the impact is of removing it.

    My blog

    Wednesday, October 29, 2014 9:54 PM
  • Interestingly, I only had an issue with KB3000061 on  5 Server 2012 machines - all of which were HyperV VMs.  We have only 6 other Windows Server 2012 boxes (We have a lot of 1012 R2 servers).  2 2012 Servers are physical HyperV hosts and 4 are VMware VMs.  None of these 6 had issues.

    I only deleted HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc} and the patch installed fine.  Also, Server Manager remote management also started behaving afterwards.

    Thursday, October 30, 2014 5:27 PM
    • To alleviate this problem on Windows 8 and Windows Server 2012 based systems, please export and delete the following registry value, reboot your system and then re-attempt the update: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc}
    • If deleting the above registry value does not resolve the issue for you, please ping this thread as I'd like to see your follow-up CBS.logs from the system
    • For those of you running Windows 8 and Windows Server 2012, I'd actually like to know some additional information about your environments, namely, if the systems impacted were upgrades of a specific kinda (Vista->Win7->Win8) or if there was a special process used when creating your images.  Anything you think might be relevant and would be outside of a 'clean install' from media.
    • For Windows 8.1 and Windows Server 2012 R2 customers, I still haven't seen a set of logs to confirm we're seeing the same issue.  Everything I've seen to this point has been on Windows 8/Windows 2012.  I'd love to see logs if you're having an issue.

    This is the supported method to resolve this issue (and as others have noted above, this works).  This occurs when servers have been upgraded from 2008R2 to 2012 (or WinVista to Win8).  The key is being carried over in these scenarios and not being set to the proper value.  We're investingating why this occurred but deleting the key and rebooting the system will resolve the problem.  If you see something otherwise, please let me know.

    --Joseph [MSFT]

    Thursday, October 30, 2014 7:35 PM
  • All 5 of the systems that experienced the issue were upgraded from 2008 R2 SP1 to Server 2012 .  Systems built from scratch did not display the issue
    Thursday, October 30, 2014 7:39 PM
  • Thank you very much for this clarification!

    My blog

    Thursday, October 30, 2014 7:39 PM
  • Same as above.. My 2 affected systems were in-place upgrades from 2008 R2 SP1
    • Edited by adamf83 Thursday, October 30, 2014 7:41 PM
    Thursday, October 30, 2014 7:40 PM
  • This occurs when servers have been upgraded from 2008R2 to 2012 (or WinVista to Win8).

    --Joseph [MSFT]

    I think there is a typo here.

    Yuhong Bao

    Thursday, October 30, 2014 11:38 PM
  • What typo are you referring to exactly?  This is an upgrade only scenario on client or server.

    --Joseph [MSFT]

    Thursday, October 30, 2014 11:48 PM
  • My systems are all clean installs and I do not have that registry key on at least one of the affected systems.

    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Friday, October 31, 2014 12:27 PM
  • Can you share your CBS.logs somewhere for me so we can take a look at them? 

    Do you have the following key in your registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{8c416c79-d49b-4f01-a467-e56d3aa8234c}

    --Joseph [MSFT]

    Friday, October 31, 2014 2:35 PM
  • Joseph,

    After installing KB3000061, I do have the registry key you specified.

    How can I get you the logs?

    Friday, October 31, 2014 2:41 PM
  • If the fix is installing, you're all set and I dont need the logs.  I only need logs from folks who have clean installs and are still having issues getting the fix installed.  Thanks!

    --Joseph [MSFT]

    Friday, October 31, 2014 2:43 PM
  • The fix for me was manually deleting the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc}.  After that, I was able to install the patch
    Friday, October 31, 2014 2:45 PM
  • Excellent, then you're good to go.  Glad that worked for you and have a good weekend.

    --Joseph [MSFT]

    Friday, October 31, 2014 2:46 PM
  • Yuhong was questioning directly going from Vista to Windows 8.  There's a stop at Windows 7 along the way.

    My blog

    Friday, October 31, 2014 10:29 PM
  • Ahh gotcha, thanks Susan

    --Joseph [MSFT]

    Friday, October 31, 2014 10:46 PM
  • Just to confirm that this fix (del just the sub key) works fine for me on several W2012 systems, both VMs and physical, and also upgrades and clean installations.OOI all of them are Datacentre editions...

    Many thanks!

    Sunday, November 2, 2014 6:06 PM
  • Are there plans to release a patch that does the registry surgery for end users, or is everyone advised to take it upon themselves to experiment with production servers?
    Monday, November 3, 2014 3:46 PM
  • We're rooting causing this on our side and will need to figure out the best way to eliminate this in the future.  For now, the 'registry surgery' is the supported method for resolving this on impacted systems.

    --Joseph [MSFT]

    Monday, November 3, 2014 3:48 PM
  • OK. You said the magic words that this was a "supported method" (which I missed in your earlier post). Just tried this on a virtual domain controller whose history includes having been upgraded from Server 2008 R2. The update succeeded, WSUS can now receive status updates from this machine, and all appears to be well. Thanks for your useful assistance. Those who are waiting for a patch that does all of this automatically should consider the simple registry key value delete/reboot/repatch/reboot method outlined in Joseph's Oct. 30 post and get on with their other security chores.
    Tuesday, November 4, 2014 6:08 PM
  • Glad to hear that worked.  Have a good week

    --Joseph [MSFT]

    Tuesday, November 4, 2014 6:14 PM
  • Thank you for the help but what I want to know is why it causes all the other updates to fail at the same time. I had just upgraded to windows 8 from windows 7 and wanted to upgrade to windows 8.1. There were well over 100 updates and they all failed and took about 2 hours to do so. I tried to choose a few but the automatic update kept adding 80 or 100 to the ones I had chosen and each time it took about 2hours to undo the changes. I eventually turned off automatic updates and ran one at a time before progressing to 2 at a time until the KB3000061, which is so small, failed. Only then could I find a work around to the problem after spending the better part of 4 days updating the system.
    Tuesday, November 4, 2014 10:46 PM
  • At a simplistic level, we keep a change list where we store information about all of the updates being installed in a session.  We parse a portion of this list prior to shutdown and pass that through to the reboot.  If we notice any of the changes in the list didnt properly take place on the reboot, we halt the session and roll back all updates in the list to preserve the integrity of the machine.  Thats what happened in this case, because you had a large amount of updates, even if only one requires a rollback, the entire session is rolled back.

    --Joseph [MSFT]

    Tuesday, November 4, 2014 11:12 PM
  • I still cannot install KB3000061 after eliminating HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc}.

    I also tried eliminating HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc}, but that did not help.

    The system is 64-bit Windows 8, originally installed directly from a Win8 install media.
    Thursday, November 6, 2014 11:52 PM
  • Can you share out your CBS logs for me so I can look at them.  You dont need to delete the Wi6432Node key.

    --Joseph [MSFT]

    Friday, November 7, 2014 12:40 AM
  • Tried again.  Worked this time.  Not sure what I was doing wrong, but all appears to be well now.

    Any point in importing the deleted key back in?

    Friday, November 7, 2014 1:56 AM
  • Excellent, glad you got it working.  You dont need to reimport the key.

    --Joseph [MSFT]

    Friday, November 7, 2014 3:17 PM
  • great info.  Your solution worked great.  All current updates installed.
    Monday, November 10, 2014 6:37 PM
  • I removed the key from the WOW6432Node location (it's not in the other location), and I still cannot install KB3000061.  My system is Windows 8 and it was an in-place upgrade from Windows 7.

    I also am getting failures on all of the November updates (not sure if that is related).



    Wednesday, November 12, 2014 6:13 PM
  • The Wow6432Node key isnt related to the problem above and should not be deleted.  I would reimport it if you have the key still.  It sounds like you have other servicing related problems though, I would recommend opening a case if with support if you havent already.

    --Joseph [MSFT]

    Wednesday, November 12, 2014 6:17 PM
  • I have the Key "KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{8c416c79-d49b-4f01-a467-e56d3aa8234c}". There is no Key like "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc}". All affected hosts are clean installs and all of them are physical RODC. Updates KB3000988 and KB2995387 failed.

    Any suggestion? If needed, I would share the cbs.logs (how can I get the logs to you?).

    Thursday, November 13, 2014 2:40 PM
  • There is an issue with RODCs we're investigating that is seperate from the WMI Provider issue mentioned above.  I'll let you know once we have more information on a workaround.

    --Joseph [MSFT]

    Thursday, November 13, 2014 3:08 PM
  • Any news on the RODC issue}
    Monday, November 24, 2014 3:23 PM
  • Still investigating.  At this point, its likely that the fix for this wont be until after the first of the year.

    --Joseph [MSFT]

    Monday, November 24, 2014 3:38 PM
  • OK, thank you for the info.
    Monday, November 24, 2014 3:55 PM
  • That's handy - I've 79 2008R2->2012 RODCs that I now can't apply any patches to until 2015 then?

    I did a trial with WSUS last night and a couple non-kernel patches (IE, Flash, dotnet) etc and they all rolled back.

    Thursday, November 27, 2014 10:53 AM
  • Try removing the 300061 update from the deployment.  If you're still seeing rollbacks after that, then you have a different issue.

    --Joseph [MSFT]

    Thursday, November 27, 2014 5:11 PM
  • Microsoft needs to address this issue period!

    Telling users to open a case is like telling a million people whom are sick with the same virus that in order to have a cure that we first have to tell you whether our cough is scratchy or wheezy. What does that matter. Microsoft is the one creating these problems and they know it.

    Instead of using the public as guinea pigs, they should be more focused on proper development from the very beginning and perform thorough testing before releasing any so-called fixes to end-users.

    Microsoft is a multi-(Billion)-dollar corporation! Should we be expected to believe that they don't have enough resources to run their own test-labs of hundreds of differently configured systems with various versions of Windows, some of which are sand-boxed as well as others which are connected to the net?!]

    It's nothing but the same old song and dance from Microsoft. If they spent enough time to get it right before releasing anything, then maybe more of the updates we actually see from them would simply be software additions rather than patches and bug-fixes.

    We already pay through the nose for this so-called "Proprietary Software" but in the end, it really is anything but that!

    Microsoft needs to improve upon its development and implementation strategy so that it is not needlessly causing so much software distortion and frustration for it's customer's whom rely heavily upon their software to be dependable.

    • Edited by zeroneday Friday, November 28, 2014 8:51 AM Spelling
    Friday, November 28, 2014 8:35 AM
  • Thanks for the comment.  We will be addressing the problem in the near future.  I've tried to stick to being as transparent as possible.  We have a fix in testing now but its unlikely to ship before the end of the year (with the next patch Tuesday being just next week it likely wont make it).

    --Joseph [MSFT]

    Monday, December 1, 2014 2:56 AM
  • I've been running into this problem on three different Server 2012 servers. Tons of updates are failing and reverting. I've been able to cherry-pick some updates and install them individually, especially those that don't trigger a reboot. However, I've seen dozens of updates across these three servers failed with error 0x800F0922. That led me to some forum posts suggesting that the System Reserved partition was missing. I created the partition, but that didn't fix the problem.

    So while finding some success installing updates one or two at a time (the .NET updates I did in larger batches), I came across a different error 0x80073AA2. I'm not sure how I didn't see that yesterday or today, but maybe after seeing so many occurrences of 0x800F0922, I may have simply missed the 0x80073AA2. Only once I was performing updates one or two at a time did it become apparent.

    In my case, the 0x80073AA2 error appeared on KB3002885, the successor to KB3000061. I also noticed on all three servers, in Server Manager, the "online - data retrieval failures occurred" was present. And so I am attempting the Registry key removal fix on one server and will see how it goes. Given the fact that many of you have found success, I am cautiously optimistic it may work for me as well. If it works on one server, I'll try it on the other two. And also make sure KB300061 is yanked from our WSUS.

    Thursday, December 11, 2014 9:08 PM
  • Matthew,

    Unless those servers were upgraded from a downlevel OS like 2008 R2, you aren't hitting the same issue described above.  It sounds like you have a completely different servicing issue across the environment.

    --Joseph [MSFT]

    Thursday, December 11, 2014 9:13 PM
  • Joseph,

    It's possible that the 0x800F0922 error may have come from a different source, but I don't think so. I applied the Registry fix described above (just HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc) and the problem went away on all of the servers. I just realized there was a fourth server involved, and when I viewed the update history--it had updates failing since November. Sure enough, the problems started when KB3000061 showed up.

    So to the folks who identified the Registry fix, I applaud you. And thank you!

    Friday, December 12, 2014 1:11 AM
  • Glad to hear it worked for you Matthew.

    --Joseph [MSFT]

    Friday, December 12, 2014 2:22 AM
  • Excellent! - having spent 2 days trying to figure out why updates were failing, this registry fix worked for me.

    My situation: Windows 8 Pro x64 running as a virtual machine under VMware Fusion 7.0.1

    After much trial an error (manually installing each of 100+ updates as standalone patches) I determined that KB3002885 was the culprit.  

    Exporting and deleting  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7ef96be-969f-414f-97d7-3ddb7b558ccc}  enabled me to install KB3002885and now everything is working fine.

    Many thanks to all the Alan Turings out there who figured this out.

    Sunday, December 14, 2014 3:48 PM
  • Were you also an inplace upgraded workstation?
    Sunday, December 14, 2014 6:55 PM
  • I have been searching for this for 3 months when I came across it.

    I noticed that I had all the symptoms for this problem but could not find the KB3000061 in the list of updates to install.  When I look back at the history of updates, I found that it was the first update to fail. 

    I followed the instructions to remove only the key and all my VMs that were having this problem now are up to date without any errors.

    Thank you for this help


    Wednesday, December 17, 2014 8:04 PM
  • This worked! Per instructions, I deleted the registry key {e7ef96be-969f-414f-97d7-3ddb7b558ccc} identified in a TechNet thread and was able to FINALLY install the dastardly Security Update KB 3000061. As confirmed in the TechNet thread, the KB 3000061 recreated the security key with a different GUID upon reboot.

    Monday, December 29, 2014 1:21 AM
  • Oh, forgot to mention that I did follow CountryKING's menu path to get to the above-mentioned registry key - {e7ef96be-969f-414f-97d7-3ddb7b558ccc}. Sorry about that...

    Monday, December 29, 2014 1:24 AM
  • Any further progress on this issue?

    Justin Cervero - MS Enterprise Admin - Appalachian State University

    Wednesday, January 14, 2015 9:05 PM
  • In regards to the registry related issue, the workaround of exporting and deleting the key is the fix.  We wont be packaging anything additional for it.

    --Joseph [MSFT]

    Wednesday, January 14, 2015 9:40 PM
  • I have removed the key mentioned multiples times in this thread. But it won't solve my issue .
    Monday, February 2, 2015 1:43 PM
  • Good morning all

    Our product support group opened an official case and reported this with Microsoft and they've found the cause. PLEASE NOTE however, that this relates to RODC and ALL patches failing, not just 3000061 on non-RODC. I'll open a separate thread for this as well.

    000093 2015-01-23 20:18:30, Info                  CSI    00000015 Begin executing advanced installer phase 38 (0x00000026) index 4 (sequence 43)
    000094     Old component: [ml:350{175},l:348{174}]"Microsoft-Windows-Web-Services-for-Management-Core, Culture=neutral, Version=6.2.9200.16384, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=wow64, versionScope=NonSxS"
    000095     New component: [ml:350{175},l:348{174}]"Microsoft-Windows-Web-Services-for-Management-Core, Culture=neutral, Version=6.2.9200.17100, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=wow64, versionScope=NonSxS"
    000096     Install mode: install
    000097     Installer ID: {118ca598-79a0-4297-953d-e82183960fd2}
    000098     Installer name: [13]"Group Trustee"
    000099 2015-01-23 20:18:30, Error                 CSI    00000001@2015/1/23:20:18:30.673 (F) CMIADAPTER: Inner Error Message from AI HRESULT = HRESULT_FROM_NT(STATUS_NOT_SUPPORTED)
    000100  [
    000101 (null)
    000102 ]
    000103 [gle=0x80004005]
    000104 2015-01-23 20:18:30, Error                 CSI    00000002@2015/1/23:20:18:30.673 (F) CMIADAPTER: AI failed. HRESULT = HRESULT_FROM_NT(STATUS_NOT_SUPPORTED)
    000105     Element:
    000106     [372]"<groupTrustee xmlns="urn:schemas-microsoft-com:asm.v3" name="WinRMRemoteWMIUsers__" description="Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user." type="User" enabled="true">
    000108   <members></members>
    000110 </groupTrustee>"
    000111 [gle=0x80004005]
    000112 2015-01-23 20:18:30, Error                 CSI    00000003@2015/1/23:20:18:30.673 (F) CMIADAPTER: Exiting with HRESULT code = HRESULT_FROM_NT(STATUS_NOT_SUPPORTED).
    000113 [gle=0x80004005]
    The installer uses SAM API calls to manage the group. It always connects to the local SAM instance. The component also handles an uninstall task in the same function. On uninstall the group is being deleted.
    So the SAM handle is requested with "Create Group" and "Delete" access.
    The error happens because a RODC does not allow any changes and thus returns STATUS_NOT_SUPPORTED.
    More information about the prevent from accidental deletion feature please refer :
    This is a Bug in the RODC running on server 2012, However you may do an in place upgrade to Server 2012 R2 and then proceed with the installation of the patch.

    The bad news is this is fixed in 2012 R2 with a hotfix - but it isn't fixed in 2012 and it won't be because.. they've only had one official report logged. And that was by us. So, if you want this fixed, you need to start logging this with MS now.

    What I can say just now is that this isn't related to the registry fixe with WinEVT we've all been trying, it's NOT limited to 2008 that has been upgraded in place to 2012 (our product support group replicated it in the lab with a brand new 2012 promoted to RODC) and it IS only happening with RODC. Possible fix might be to make your RODC RW for a bit and install your patches then.

    More details when I get them.

    • Edited by andreww Friday, February 6, 2015 11:49 AM
    Friday, February 6, 2015 11:16 AM
  • @andreww

    If you're referring to the RODC issue, I'm not sure who in support said we weren't fixing this (and I would like to know so we can correct them) on anything but 2012 R2 but I can tell you that isn't accurate.  I'm the PM for the team working on this and we're investigating several editions of the OS including 2012.  We are (and have been) investigating this since December but the fix isn't as straightforward as we'd initially hoped.  I'm not guaranteeing a fix but we are investigating it. 

    --Joseph [MSFT]

    Friday, February 6, 2015 2:32 PM
  • Hmm. Thanks @joscon - could I just check tho whether you're referring directly to KB3000061 or is this the failure of all patches on RODC since ~October ?

    Can you direct message me at andyjgw / and I'll pass on the MS call reference number? I don't want to post too much here, not sure if it's appropriate (altho if it's OK to quote internal reference numbers here, I can do so if you prefer).

    • Edited by andreww Friday, February 6, 2015 2:48 PM
    Friday, February 6, 2015 2:42 PM
  • I'm referring to the RODC issue all up.  I believe KB300061 was the red herring that started the conversation.  Obviously if we do get this fixed and rolled out and there are additional problems then I'd want to know about it.  For the case information, you can send it to me directly here at work and I'll make sure CSS has a proper update on where we are with our investigations.

    --Joseph [MSFT]

    Friday, February 6, 2015 2:52 PM
  • Thanks, I will do - can't see where your contact details are tho.. ;-)

    Should I just post the call number here instead? Or can you email me?

    Friday, February 6, 2015 2:56 PM
  • I'll shoot you mail.

    --Joseph [MSFT]

    Friday, February 6, 2015 3:04 PM
  • Any update on this? We have 6 RODC's out of 87 that are experiencing this issue with Update KB2995387.

    The error in the CBS.log is exactly as described with the WinRM issue. These are fresh install RODC's on a Hyper-V host (2012 Standard) as guest CORE 2012 vm's.

    I don't have the reg keys mentioned so I am stuck with these 6 and behind on updates unless I manually install all updates besides this particular one.

    • Edited by Quo-Vadis Tuesday, April 14, 2015 9:09 PM
    Tuesday, April 14, 2015 9:09 PM
  • Actually, yes, I have an update.  We have a fix created for this which is likely to ship next week.  We're in the final stages of testing it now.

    --Joseph [MSFT]

    Tuesday, April 14, 2015 9:26 PM
  • Actually, yes, I have an update.  We have a fix created for this which is likely to ship next week.  We're in the final stages of testing it now.

    --Joseph [MSFT]

    This is great news! Thank you for the quick response. I will keep an eye on this thread in the mean time but hopefully it does come out soon.
    Wednesday, April 15, 2015 3:05 PM
  • This sounds very relevant:

    Issue that is fixed in this update

    If the Protect object from accidental deletion option is enabled in the domain root object, some component updates cannot be installed on a read-only domain controller (RODC) in Windows Server 2008 R2 Service Pack 1 (SP1).

    Tho I'm a little concerned it says W2008R2 and our issue is with 2012... Any thoughts, Joseph?

    edit: checked our WSUS server, it's only listed for 2008R2 (x86 and x64)


    • Edited by andreww Thursday, April 23, 2015 1:26 PM
    Thursday, April 23, 2015 9:28 AM
  • Thanks for the question, I was in the middle of trying to put a response together when I saw this.  There are two components to this fix for Win7, one of which is referenced above and the other is the servicing stack update itself.  We haven't released the SSU broadly however these updates are now available via DLC.  We don’t have a timeframe on when the updates will release via WU/WSUS channels at this time.  You can find the relevant version of the files via the links below:

    Windows 7/Server 2008 R2 SP1:

    Windows 8/Server 2012:

    Windows 8.1/Server 2012 R2:

    In addition, on Tuesday 4/21, we released a new version of the cmitrust.dll binary which is held in the %windir%\System32\AdvancedInstaller directory.  For customers experiencing the RODC failure on Windows 7/Server 2008 R2, this file is required in addition to the SSU noted above.  For Windows 8 and Windows 8.1, this is not required to fix the RODC issue but we are recommending that this update be installed alongside the SSU to keep versions up to date. 

    The DLC version of this file is available for all Windows editions here: and the KB for Win7 specifically is located here:

    Thursday, April 23, 2015 2:50 PM
  • Hi,

    Confirm the patch above resolves the issue With 2012 Server RODC. It is also available via WSUS now. It did not require restart so you can immediately install problem Update KB2995387 afterwards.

    Monday, May 4, 2015 6:58 AM