Updates Keep failing. No Missing updates found.

Postby jbrock » 27.05.2016, 13:36

I have had problems with the WSUS updates failing for at least a year. I maintain 80 computer systems, all offline. I download the updates on my fileserver, then run them individually from the server. I cloned 24 new machines last November; of those machines I can do updates on 21 of them now, the other 3 stopped working. They use the same files. The other 50+ systems stopped working months ago. Because I am totally offline I have been going to Microsoft and getting the patches from them and loading individually.
Are there any suggestions on where to look to get it working again?
jbrock
 

Re: Updates Keep failing. No Missing updates found.

Postby aker » 28.05.2016, 21:39

Just to make sure: you're talking about WSUS Offline Update, not MS WSUS?

What did you mean by "stopped working"?
Is there any error message?
Could you provide a screenshot of where DoUpdate.cmd stops/crashes?
Could you post the last part of C:\Windows\wsusofflineupdate.log in [code]-tags?
Everybody finding a misspelling is allowed to keep or sell it.
aker

WSUS Offline Update „Community Edition“
https://gitlab.com/wsusoffline/wsusoffline/-/releases

Re: Updates Keep failing. No Missing updates found.

Postby kierandill » 01.06.2016, 19:45

Here is what we recently found on some of our more hardened systems - hopefully it helps.
Back in April 2015 MS issued KB3033929. What also happened was that MS stopped providing offline installers for certificate revocation checks.
On the systems that would announce "nothing to do!" when there are in fact several recent patches that can be installed manually when downloaded individually from MS, we looked at c:\Windows\WindowsUpdate.log. It will show a failure to validate the signature of c:\Windows\SoftwareDistribution\ScanFile\*******\Source.cab
followed by
PTError : 0x800b0109
and several other complaints.
In the past we routinely set
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
to 0x00023c00 (146432) to disable certificate revocation checks for installations on offline machines.
We found that on machines that never had KB3033929 installed, if you configure your WSUS Offline DVD to exclude that patch, it will update all the way to the very latest. Naturally this will only be machines that haven't been updated in a long time.
On the one machine that I tried it on, removing that patch after it was already on did not help. Odd.
However, not having an important patch is less than ideal.

What we found is that wsus offline does not run as Current User, but rather as the System account since it is utilizing the MS WSUS service. So instead we had to set
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
to 0x00023c00 (146432)
And then it did not matter if the offending patch was there, the latest updates all installed from the WSUS offline DVD fine.

Regards,
Kieran
kierandill
 

Re: Updates Keep failing. No Missing updates found.

Postby hbuhrmester » 01.06.2016, 22:23

Just to be sure, you should validate the mentioned files manually: Open a command prompt window, change to wsusoffline\cmd and run:

Code:
sigcheck.exe -h ..\client\wsus\wsusscn2.cab
sigcheck.exe -h ..\client\w61-x64\glb\windows6.1-kb3033929-x64_5b2988b4619138769d347e12aec350c2cf4db4cd.cab
sigcheck.exe -h ..\client\w61\glb\windows6.1-kb3033929-x86_9943ff29461e03a10af55ccd007f9803e0dd3d0e.cab


According to:

COM Error Codes (Security and Setup)
https://technet.microsoft.com/en-us/sys ... =vs.100%29

the error code means:

CERT_E_UNTRUSTEDROOT
0x800B0109
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


Maybe there are some differences in the installed certificates? You could list the certificates with Sigcheck and compare the results:

Code:
sigcheck.exe -t '*'
sigcheck.exe -tu '*'


Like any installer, the UpdateInstaller.exe must be run with Administrator privileges. But the System account should not be used, it is only meant for system services.
hbuhrmester
 

Re: Updates Keep failing. No Missing updates found.

Postby aker » 02.06.2016, 06:43

@hbuhrmester
But wuauserv, which parses wsusscn2.cab, is running inside svchost.exe. And that runs as NT-AUTHORITY\SYSTEM.
aker


Re: Updates Keep failing. No Missing updates found.

Postby jbrock » 03.06.2016, 15:24

I have been looking at the log files. I have found that on my failed update it is failing with this:
Report * Locale ID = 1033
Misc Validating signature for C:\Windows\SoftwareDistribution\ScanFile\4dfc7a3f-b490-453a-8e01-8cb01c38a526\Source.cab with dwProvFlags 0x00000080:
AU ########### AU: Initializing Automatic Updates ###########
AU # AU disabled through Policy
AU # Will interact with non-admins (Non-admins are elevated (User preference))
AU Initializing featured updates
AU Found 0 cached featured updates
AU Successfully wrote event for AU health state:0
AU Successfully wrote event for AU health state:0
AU AU finished delayed initialization
Misc WARNING: WVT was not able to determine online revocation. Continuing ...
Misc Microsoft signed: No
Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\ScanFile\4dfc7a3f-b490-453a-8e01-8cb01c38a526\Source.cab are not trusted: Error 0x800b0109
OfflSnc WARNING: failed to verify signature for offline cab. hr = 0x800b0109
PT WARNING: PTError: 0x800b0109
Agent WARNING: WU client fails CClientCallRecorder::OpenOfflineSyncSource with error 0x800b0109
COMAPI WARNING: ISusInternal::OpenOfflineSyncSource failed, hr=800B0109
COMAPI - Exit code = 0x800B0109
AU Sending shutdown notification
AU AU initiates service shutdown
AU ########### AU: Uninitializing Automatic Updates ###########
Service *********
Service ** END ** Service: Service exit [Exit code = 0x240001]

Looks like a bad signature file. I am wondering how it could be corrupted? I download my WSUSoffline onto a server and run the updates all from the same location. The machines that failed to do the installs will install the patches manually using the update files I downloaded directly from Microsoft.
Is there a way to update these signature files?
jbrock
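
Added example, not part of any post in this thread: a small triage of WindowsUpdate.log lines like the ones posted above, separating a certificate-chain failure such as CERT_E_UNTRUSTEDROOT (0x800b0109) from a file-content failure such as a bad digest. The HRESULT names are from winerror.h; the function name, the result fields and the fourth sample line are assumptions made for this illustration.

```python
import re

# Authenticode-related HRESULTs (winerror.h) and the layer each one points at.
HRESULTS = {
    0x800B0109: ("CERT_E_UNTRUSTEDROOT", "certificate chain"),
    0x800B0101: ("CERT_E_EXPIRED", "certificate chain"),
    0x800B010C: ("CERT_E_REVOKED", "certificate chain"),
    0x800B0100: ("TRUST_E_NOSIGNATURE", "file content"),
    0x80096010: ("TRUST_E_BAD_DIGEST", "file content"),
}

NOT_TRUSTED = re.compile(
    r"Digital Signatures on file (?P<path>.+?) are not trusted: Error (?P<hr>0x[0-9a-fA-F]+)")
SCAN_FAILED = re.compile(r"OpenOfflineSyncSource failed, hr=(?P<hr>[0-9a-fA-F]+)")
REVOCATION = "not able to determine online revocation"


def triage(lines):
    """Return one finding (hypothetical dict layout) per rejected file, in log order."""
    findings, revocation_unknown = [], False
    for line in lines:
        if REVOCATION in line:
            revocation_unknown = True  # logged as a warning; verification continues
        elif (m := NOT_TRUSTED.search(line)):
            hr = int(m["hr"], 16)
            name, layer = HRESULTS.get(hr, ("UNKNOWN", "unknown"))
            findings.append({"path": m["path"], "hresult": hr, "name": name,
                             "layer": layer, "revocation_unknown": revocation_unknown,
                             "scan_aborted": False})
            revocation_unknown = False
        elif (m := SCAN_FAILED.search(line)) and findings:
            # The offline scan gave up with the same code as the last rejected file.
            if int(m["hr"], 16) == findings[-1]["hresult"]:
                findings[-1]["scan_aborted"] = True
    return findings


# Lines 1-3 are taken from the log posted above; line 4 is constructed for contrast.
SAMPLE = [
    "Misc WARNING: WVT was not able to determine online revocation. Continuing ...",
    r"Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\ScanFile\4dfc7a3f-b490-453a-8e01-8cb01c38a526\Source.cab are not trusted: Error 0x800b0109",
    "COMAPI WARNING: ISusInternal::OpenOfflineSyncSource failed, hr=800B0109",
    r"Misc WARNING: Digital Signatures on file C:\constructed\example.cab are not trusted: Error 0x80096010",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['name']} ({f['layer']}), scan aborted={f['scan_aborted']}: {f['path']}")
```

A "certificate chain" result means the cab's bytes hashed correctly and the trust store is where to look; a "file content" result means the download itself should be re-checked.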
 

Re: Updates Keep failing. No Missing updates found.

Postby hbuhrmester » 03.06.2016, 17:30

You could try the files rootsupd.exe and rvkroots.exe, which were used to update root certificates and certificate revocation lists on Windows XP and Windows Server 2003.

http://download.windowsupdate.com/msdow ... otsupd.exe
http://download.microsoft.com/download/ ... kroots.exe

WSUS Offline Update doesn't download and use these files anymore since version 9.8, but the latest versions from 2014/2015 are still available:

Code:
$ wget --spider --server-response http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe
Spider mode enabled. Check if remote file exists.
--2016-06-03 18:14:15--  http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe
Resolving download.windowsupdate.com (download.windowsupdate.com)... 13.107.4.50, 2a01:111:2003::50
Connecting to download.windowsupdate.com (download.windowsupdate.com)|13.107.4.50|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Cache-Control: public,max-age=172800
  Content-Length: 414720
  Content-Type: application/octet-stream
  Last-Modified: Wed, 12 Nov 2014 17:33:07 GMT
  Accept-Ranges: bytes
  ETag: "80b75b89efecf1:0"
  Server: Microsoft-IIS/7.5
  X-Powered-By: ASP.NET
  X-CID: 7
  X-CCC: US
  X-MSEdge-Ref: Ref A: B016D6046F6D4C51826CB05B60D1FB38 Ref B: 40791B4F90250011456FFE15DB6A61B0 Ref C: Fri Jun 03 09:14:13 2016 PST
  Date: Fri, 03 Jun 2016 16:14:13 GMT
Length: 414720 (405K) [application/octet-stream]
Remote file exists.

$ wget --spider --server-response http://download.microsoft.com/download/E/5/9/E59E278C-9013-4EA7-83EA-F405B40EA499/rvkroots.exe
Spider mode enabled. Check if remote file exists.
--2016-06-03 18:14:25--  http://download.microsoft.com/download/E/5/9/E59E278C-9013-4EA7-83EA-F405B40EA499/rvkroots.exe
Resolving download.microsoft.com (download.microsoft.com)... 104.87.246.108, 2a02:26f0:e9:284::e59, 2a02:26f0:e9:291::e59
Connecting to download.microsoft.com (download.microsoft.com)|104.87.246.108|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Content-Type: application/octet-stream
  Last-Modified: Tue, 24 Mar 2015 01:34:13 GMT
  Accept-Ranges: bytes
  ETag: "544045a2d265d01:0"
  Server: Microsoft-IIS/8.5
  Content-Disposition: attachment
  Content-Length: 201344
  Date: Fri, 03 Jun 2016 16:14:22 GMT
  Connection: keep-alive
Length: 201344 (197K) [application/octet-stream]
Remote file exists.


The file rootsupd.exe from 12 Nov 2014 is not digitally signed, which caused some problems at the time, since the script DownloadUpdates.cmd is set to validate digital file signatures and to delete unsigned files.
hbuhrmester
 

Re: Updates Keep failing. No Missing updates found.

Postby jbrock » 03.06.2016, 19:38

I had the rvkroots already installed on my systems. Tried to do a reinstall and that did not fix the issue. As a test, I had uninstalled 4 of the updates and am still getting the message no updates to install. It looks like the SoftwareDistribution/ScanFile/Source.cab file is what is causing the problem. It does not expand on the systems where the install fails.
But I was watching the folder on the ones that don't fail and it expands and creates several install files. I get the no missing updates found message but this is what I had expected on these systems.
jbrock
 

Re: Updates Keep failing. No Missing updates found.

Postby jbrock » 13.06.2016, 20:44

I have tried everything to get my systems to load updates and I still have yet to find a solution. I do have heightened security and I know that the WinTrust has to be changed to 147360 to load any .Net updates but still the Microsoft patches fail to install. I cleaned out all the files in the SoftwareDistribution folder to start that from scratch and still my Source.cab file fails to expand because the certs are not trusted. Running from a file server location and it works on some but not most of my systems.
jbrock
 

Re: Updates Keep failing. No Missing updates found.

Postby Denniss » 13.06.2016, 21:14

https://support.microsoft.com/en-us/kb/2677070

Please try the first two download links. Installation should be possible by unpacking, then right-clicking on the two extracted files to install. This may fix your certificate problems.
Denniss
 

