cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
User49499375
Level 7
Report Inappropriate Content
Message 1 of 3
‎03-31-2020 06:59 AM

KB4538461 Fails to Install via WSUS with Threat Prevention Module Installed

We're experiencing a peculiar issue where KB4538461 will fail to install when it's distributed via WSUS but install fine when manually applied via the .msu file from Microsoft Catalog. We're trying to install it on Windows 10 1809 machines.

Windows Event viewer is displaying the following: 

EventID 20:

Installation Failure: Windows Failed to install the following update with error 0x80246007. <patch name>

WindowsUpdate.log is showing entries with: 

 

 

2020/03/26 14:32:40.7147903 5956  11724 DownloadManager Generating download request for update 3630658E-AF88-44C6-B0AA-075DB3DFCAD6.200.
2020/03/26 14:32:45.7883820 5956  11724 Misc            *FAILED* [80070005] Failed to copy file from \\?\C:\WINDOWS\SoftwareDistribution\Download\bee4c9540b0fb930f2b3d8ab769d18e7\Windows10.0-KB4538461-x64.cab to \\?\C:\WINDOWS\SoftwareDistribution\Download\137076212a7d96e0c482a73f11e320d8\Windows10.0-KB4538461-x64.cab2020/03/26 14:32:45.7883849 5956  11724 Misc            *FAILED* [80070005] Method failed [SusMoveOrCopyDirectoryContentsHelperRecursive:1648]
2020/03/26 14:32:45.7884144 5956  11724 Misc            *FAILED* [80070005] Method failed [SusMoveOrCopyDirectoryContentsHelper:1728]
2020/03/26 14:32:45.7887961 5956  11724 DownloadManager *FAILED* [80070005] GDR2020/03/26 14:32:45.8611222 5956  11724 Handler         Loaded state: cCompleteIterations: 0, pt: Unknown, nNextRequestID: 0.
2020/03/26 14:32:45.8735219 5956  11724 DownloadManager *FAILED* [80070005] Error occurred while downloading update 3630658E-AF88-44C6-B0AA-075DB3DFCAD6.200; notifying dependent calls.

The only consistent solution that allowed WSUS to install the update was uninstalling the Threat Prevention module from the client. On a few machines, disabling Access Protection would suffice. but uninstalling Threat Prevention yielded the most consistent positive results.

Does any one have any idea why this could be happening? There are no threat events being generated whatsoever. I tried to exclude the following paths but it made no difference: C:\WINDOWS\SoftwareDistribution\Download .

 

Labels (1)
Labels
4 people had this problem.
0 Kudos
Reply
2 Replies
rgijsen
Level 8
Report Inappropriate Content
Message 2 of 3
‎06-14-2020 12:35 PM

Re: KB4538461 Fails to Install via WSUS with Threat Prevention Module Installed

Exact same issue here. Multiple servers (all Windows 2019 by the way) report similar to this:

2020-06-14 19:59:33.3028305 32488 10444 DownloadManager Generating download request for update 0BDE518C-FEDD-476F-8353-C68F42FA669C.201.
2020-06-14 19:59:38.4596233 32488 10444 DownloadManager Calling into handler 0x3 to generate download request for update 0BDE518C-FEDD-476F-8353-C68F42FA669C.201.
2020-06-14 19:59:38.4599382 32488 10444 Handler MSP download: file excel-x-none.cab already exists in sandbox directory (C:\Windows\SoftwareDistribution\Download\c086fea6fe4cf0c67171130983a726df)
2020-06-14 19:59:39.7367541 32488 10444 Handler MSP Download: file C:\Windows\SoftwareDistribution\Download\c086fea6fe4cf0c67171130983a726df\excel-x-none.cab passed cert/hash validation.
2020-06-14 19:59:49.8412534 32488 10444 Misc *FAILED* [80070005] Failed to move file from \\?\C:\Windows\SoftwareDistribution\Download\c086fea6fe4cf0c67171130983a726df\excel-x-none.cab to \\?\C:\Windows\SoftwareDistribution\Download\d07645b65daaaa09188311decc3f2978\excel-x-none.cab
2020-06-14 19:59:49.8412603 32488 10444 Misc *FAILED* [80070005] Method failed [SusMoveOrCopyDirectoryContentsHelperRecursive:1648]
2020-06-14 19:59:49.8412914 32488 10444 Misc *FAILED* [80070005] Method failed [SusMoveOrCopyDirectoryContentsHelper:1728]
2020-06-14 19:59:49.8586626 32488 10444 DownloadManager Resetting shared sandbox
2020-06-14 19:59:49.8595903 32488 10444 DownloadManager *FAILED* [80070005] GDR
2020-06-14 19:59:49.8747739 32488 10444 DownloadManager *FAILED* [80070005] Error occurred while downloading update 0BDE518C-FEDD-476F-8353-C68F42FA669C.201; notifying dependent calls.
2020-06-14 19:59:49.8785798 32488 10444 DownloadManager Generating download request for update EF54CFD2-0168-4E42-B249-02698632654A.201.
2020-06-14 19:59:55.0469046 32488 10444 DownloadManager Calling into handler 0x3 to generate download request for update EF54CFD2-0168-4E42-B249-02698632654A.201.
2020-06-14 19:59:55.0472164 32488 10444 Handler MSP download: file mso-x-none.cab already exists in sandbox directory (C:\Windows\SoftwareDistribution\Download\d365de3ac85718526c4d7361e64f5b78)
2020-06-14 19:59:56.1988343 32488 10444 Handler MSP Download: file C:\Windows\SoftwareDistribution\Download\d365de3ac85718526c4d7361e64f5b78\mso-x-none.cab passed cert/hash validation.
2020-06-14 20:00:06.2786008 32488 10444 Misc *FAILED* [80070005] Failed to move file from \\?\C:\Windows\SoftwareDistribution\Download\d365de3ac85718526c4d7361e64f5b78\mso-x-none.cab to \\?\C:\Windows\SoftwareDistribution\Download\d39893db6dd2b0f45429abbe17d60942\mso-x-none.cab
2020-06-14 20:00:06.2786061 32488 10444 Misc *FAILED* [80070005] Method failed [SusMoveOrCopyDirectoryContentsHelperRecursive:1648]
2020-06-14 20:00:06.2786271 32488 10444 Misc *FAILED* [80070005] Method failed [SusMoveOrCopyDirectoryContentsHelper:1728]
2020-06-14 20:00:06.2969977 32488 10444 DownloadManager Resetting shared sandbox
2020-06-14 20:00:06.2978007 32488 10444 DownloadManager *FAILED* [80070005] GDR
2020-06-14 20:00:06.3093960 32488 10444 DownloadManager *FAILED* [80070005] Error occurred while downloading update EF54CFD2-0168-4E42-B249-02698632654A.201; notifying dependent calls.
2020-06-14 20:00:06.3107720 32488 10836 DownloadManager * END * Download Call Complete. Call 8 for caller UpdateOrchestrator has completed; signaling completion.

 

And so on and so on. It started back in April when we moved from VSE 8.8 to ENS, a move I regret to this day. Since we are on ENS, we have multiple machines not being able to update, while others work perfectly fine with the very same policies. Sometimes retrying to download the updates works, most often it doesn't. Disabling threat protection alltogether seems to fix it, but that's not feasible.

I can't find anything at all in the McAfee logs about anything being blocked. I'll try to see what the ENS debug-logs say when I enable them, and if I don't find a hint then I'll log a ticket.

Sidenote: So far, I'm extremely unpleased with ENS vs VSE so far. It's all so sluggish. We run Xeon 6248R machines. That's no **bleep** hardware, we choose it for it's thread performance, not for its numer of threads. But while single threaded it screams through everything with ease, the ENS console is bringing it down. Who programmed that console, that takes 5-10 seconds after you press the settings button, to show a list of 10 or so settings? We are seriously considering calling ENS a day, and move back to VSE.

 

0 Kudos
Reply
rgijsen
Level 8
Report Inappropriate Content
Message 3 of 3
‎06-15-2020 12:22 PM

Re: KB4538461 Fails to Install via WSUS with Threat Prevention Module Installed

I hhave worked through all the debug logs, no block or anything reported. Yet I tried excluding c:\windows\SoftwareDistribution and its subdirs from on-access scanning when writing. That fixed the issue on all my servers. I've rolled back some machines and removed that exclusion again, and they failed again, just to verify. So you could try that in your environment.

What baffles me is that NOwhere there is a log entry at all. Probably it's just the slowness of ENS when scanning the files after writing. We never had these weird issues with VSE at all. VSE was much slicker, faster and didn't have that ugly and terribly slow UI. ENS is an incoherent piece of 'advancement' over VSE to us.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC