4

My primary WIN 2012 VM domain controller cannot update anymore, every update fails with this error:

Windows failed to install the following update with error 0x800f0900

I tried many things:

  • reset SoftwareDistribution directory
  • sfc /scannow ends without errors
  • dism /online /cleanup-image /restorehealth stucks at 40% (I wait 18hours, then I stoped it)
  • dism /online /cleanup-image /source.... /restorehealth get from a DVD source stucks at 40% like the previous
  • clean and secure boot before previous commands

What can I try to do?

**** EDIT WindowsUpdate.log content:

2017-01-17  22:33:14:450     920    ff4 Handler Generating request for CBS update 641FE631-29F1-46B4-BBED-7D2B8D56741B in sandbox C:\Windows\SoftwareDistribution\Download\61d75607e4a6a41d2d6d304bed92af67
2017-01-17  22:33:14:529     920    ff4 Handler Selected payload type is ptExpress
2017-01-17  22:33:14:607     920    ff4 Handler UH: DpxRestoreJob returned 0x80070002
2017-01-17  22:33:14:607     920    ff4 Handler Detected download state is dsHavePackage
2017-01-17  22:33:30:935     920    364 Handler FATAL: CBS called Error with 0x800f0900, 
2017-01-17  22:33:30:951     920    ff4 Handler FATAL: UH: 0x800f0900: Async stage operation failed in CUHCbsHandler::StageCbsPackage
2017-01-17  22:33:31:107     920    ff4 Handler FATAL: Request generation for CBS update complete with hr=0x800f0900 and pfResetSandbox=0 
2017-01-17  22:33:31:107     920    ff4 Handler FATAL: Error source is 106.
2017-01-17  22:33:31:107     920    ff4 DnldMgr FATAL: DM:CAgentDownloadManager::GenerateAllDownloadRequests: GenerateDownloadRequest failed with 0x800f0900.
2017-01-17  22:33:32:404     920    ff4 DnldMgr WARNING: Download request generation failed with 0x800f0900.
2017-01-17  22:33:32:435     920    ff4 DnldMgr Error 0x800f0900 occurred while downloading update; notifying dependent calls.
2017-01-17  22:33:32:466     920    174 AU  >>##  RESUMED  ## AU: Download update [UpdateId = {4485F552-0451-4646-B224-BEC7507523F3}]
2017-01-17  22:33:32:466     920    174 AU    # WARNING: Download failed, error = 0x800F0900
2017-01-17  22:33:32:779     920    174 AU  #########
2017-01-17  22:33:32:779     920    174 AU  ##  END  ##  AU: Download updates
2017-01-17  22:33:32:779     920    174 AU  #############

CBS log:

2017-01-27 17:11:26, Info                  CBS    Exec: Package: Package_20_for_KB2934016~31bf3856ad364e35~amd64~~6.2.1.1 is already in the correct state, current: Installed, targeted: Installed
2017-01-27 17:11:26, Info                  CBS    Exec: Skipping Package: Package_20_for_KB2934016~31bf3856ad364e35~amd64~~6.2.1.1, Update: 2934016-60_neutral_LDR because it is already in the correct state.
2017-01-27 17:11:26, Info                  CBS    Exec: Skipping Package: Package_20_for_KB2934016~31bf3856ad364e35~amd64~~6.2.1.1, Update: 2934016-61_neutral_LDR because it is already in the correct state.
2017-01-27 17:11:26, Info                  CBS    Exec: Skipping Package: Package_20_for_KB2934016~31bf3856ad364e35~amd64~~6.2.1.1, Update: 2934016-62_neutral_GDR because it is already in the correct state.
2017-01-27 17:11:26, Info                  CBS    Failed to peek next token (status=0xc0000161) [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Failed to get next Token [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Wrong XML DECL [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Invalid xml format [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Manifest parsing error at line: 1, context: 
 [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Failed to parse the manifest from the buffer. [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Error                 CBS    Failed to parse package manifest: \\?\C:\Windows\Servicing\Packages\Package_357_for_KB2836988~31bf3856ad364e35~amd64~~6.2.1.0.mum [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Mark store corruption flag because of parsing failure on package: Package_357_for_KB2836988~31bf3856ad364e35~amd64~~6.2.1.0. [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Failed to initialize package: Package_357_for_KB2836988~31bf3856ad364e35~amd64~~6.2.1.0, from path: \\?\C:\Windows\Servicing\Packages\Package_357_for_KB2836988~31bf3856ad364e35~amd64~~6.2.1.0.mum, existing package: 1 [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Mark store corruption flag because of package: Package_357_for_KB2836988~31bf3856ad364e35~amd64~~6.2.1.0. [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Failed to resolve package [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Failed to get next package to re-evaluate [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Failed to process component watch list. [HRESULT = 0x800f0900 - CBS_E_XML_PARSER_FAILURE]
2017-01-27 17:11:26, Info                  CBS    Perf: InstallUninstallChain complete.
2017-01-27 17:11:26, Info                  CSI    00000b91@2017/1/27:16:11:26.555 CSI Transaction @0x6db95b2ce0 destroyed
2017-01-27 17:11:26, Info                  CBS    Exec: Store corruption found during execution, but auto repair is already attempted today, skip it.
Tobia
  • 1,272
  • 9
  • 41
  • 81

4 Answers4

3

The simplest solution would be to create a new DC, and retire the broken one.

Jim B
  • 24,081
  • 4
  • 36
  • 60
  • Not sure why this was downvoted, I would take this option. If your DC is so badly broken that you're struggling to fix it then you'd be far safer with a fresh build and join a new DC to the domain. I assume you have multiple DCs already? Make sure you transfer any FSMO roles off the broken DC before downing it. – Steve365 Jan 16 '17 at 20:33
  • I think its also the fastest solution as well. – Jim B Jan 16 '17 at 21:37
  • 1
    I'm not the downvoter! I agree its surely the fastest solution! but if someday I stumble into that bug, I would be happy if someone found a solution for it, as like if it's a third part program the OP installed that cause the bug, the bug would come back anyway. – yagmoth555 Jan 16 '17 at 21:45
  • 2
    @yagmoth555 That's certainly an interesting question, but I'm coming at this from an admin point of view. I can spend 3-4 hours working out what's the issue, then work on a solution for an hour, then hope there are no side effects, or build another DC in an hour or so, and know that I'm good. Ultimately I care far more about the health of AD than any given server. – Jim B Jan 17 '17 at 15:11
  • 1
    This dc is also a certification authority for my domain... this would be my last option. – Tobia Jan 18 '17 at 09:06
  • 1
    So you don't have an offline root? – Jim B Jan 18 '17 at 16:05
  • @JimB no I don't :-( – Tobia Jan 27 '17 at 16:45
  • see https://blogs.technet.microsoft.com/pki/2010/04/20/disaster-recovery-procedures-for-active-directory-certificate-services-adcs/ and https://blogs.technet.microsoft.com/askds/2011/04/07/designing-and-implementing-a-pki-part-v-disaster-recovery/ and https://technet.microsoft.com/en-us/library/cc755153(v=ws.10).aspx – Jim B Jan 27 '17 at 19:59
1

Solution 1 Corrupt Update Files

Microsoft provides a walk-through named Fix Windows Update errors. Yes, it is for Windows 10 (or 8.1 or 7), but I found an extended DISM.exe command here.

What does this guided walk-through do?

This guided walk-through provides steps to fix problems when installing updates. Here are some commonly seen error codes: 0x80073712, 0x800705B4, 0x80004005, 0x8024402F, 0x80070002, 0x80070643, 0x80070003, 0x8024200B, 0x80070422, 0x80070020. These steps should help with all errors and not just the ones listed.

How does it work?

We’ll walk you through a series of troubleshooting steps to get your Windows up to date. Be sure to follow the steps in order.

While clicking through various steps the solution of executing the DISM.exe command is displayed. I am aware that you tried this step already, but try the advanced option:

Important

When you run this command, DISM uses Windows Update to provide the files that are required to fix corruption. However, if your Windows Update client is already broken, use a running Windows installation as the repair source, or use a Windows side-by-side folder from a network share or from a removable media, such as the Windows DVD, as the source of the files. To do this, run the following command instead:

DISM.exe /Online /Cleanup-Image /RestoreHealth /Source:C:\RepairSource\Windows /LimitAccess

The referenced source C:\RepairSource\Windows can be a network share temporarily attached to the DC or a thumb drive with a copy of a working Windows installation as outlined in the Microsoft article.

You can download a fresh copy of Windows 10 using the Media Creation Tool (Microsoft). Then, convert the install.esd file to a WIM file (TheITBros.com).

On a side note:

If you have a policy (GPO) that is setting the TRUSTEDINSTALLER service to manual, disable this policy.

Solution 2 Permission Issue

Some errors are related to permissions issues on the C: drive and can be solved with the following steps:

  1. Login to the server as "Administrator"
  2. Change permissions to provide full access to C-drive for the user "Network Services"
  3. Log off the from the server
  4. Log back in as "Administrator"
  5. Re-run the Updates

That should install all the pending updates.

Sources

Fix Windows Update errors
Installation Failures / CBS Store corruptions: Uncommon issues and troubleshooting
Windows Server 2008 Std. Update Error with code 8000FFFF
CBS called Error with 0x800f0900,(Google Search)

John K. N.
  • 2,055
  • 1
  • 17
  • 28
  • I cannot change full access to Cdrive, there are some permission error "enumating" c:\program files, c:\windows and other folders. I'm working with administrator user as suggested. – Tobia Jan 27 '17 at 14:09
  • You could try continuing through the errors (or skipping the relevant errors) and still rerun the updates. Basically changing the permissions as much as you can, but not for everything. – John K. N. Jan 27 '17 at 14:22
  • Ok I will try, the CBS log is HUGE (6GB), I don't think it is normal. – Tobia Jan 27 '17 at 16:19
  • I added the CBS last part log, i tried to search but I did not find a solution googeling. – Tobia Jan 27 '17 at 16:46
0

It appears to be Bitlocker and UEFI related issue. 

Alternatively, if you do not want to install the Bitlocker feature,
simply disable Secure Boot on the HyperV guest as shown below, 
then re-enable Secure Boot after the update is applied.

Here is the documentation from Microsoft.

  • You receive a 0x800f0922 error when you try to install this security update

Symptoms

Consider the following two configurations:

Scenario one

  • You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.

Scenario two

  • You have a Windows Server 2012 R2-based Hyper-V host running and you are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled. The guest virtual machine is running Windows 8 or Windows Server 2012.

In these configurations, security update 2871690 may not install, and you receive a 0x800f0922 error message.

Cause

This error occurs because the installer for security update 2871690 incorrectly expects BitLocker to be installed.

Workaround

To work around this issue, use one of the following methods, based on your scenario:

Workaround for scenario one

Install the BitLocker optional component on the server that uses UEFI and that has the Secure Boot option enabled.

Workaround for scenario two

Install the BitLocker optional component on the guest virtual machine in the Hyper-V configuration. Note You do not have to configure BitLocker on any drive. It is only necessary for the BitLocker component to be present on Window Server 2012 when you install security update 2871690.

Microsoft lists some package to download, but all 3 links are dead.
Troy Osborne
  • 106
  • 1
  • 13
  • I think I'm not using secure boot, this is a gen1 hyper-v machine running on Win2012 (not R2). I don't have the secure boot option in VM options. – Tobia Jan 18 '17 at 08:48
0

Option 1:

Check your windowsupdate.log (C:\Windows) for errors.

Stop Windows Update and BITS services

Delete C:\Windows\Software Distribution folder

Reset your WMI Repository --> Open CMD and type winmgmt /resetrepository

Start BITS and Windows Updates services

Try again.

Option 2: Check for Service Corruptions: https://technet.microsoft.com/en-us/library/ee619779%28WS.10%29.aspx

Please post the results.

HEMAN85
  • 415
  • 3
  • 9
  • I update my question with the log, but I did not find nothing useful. – Tobia Jan 18 '17 at 09:06
  • Option 1 and 2, already tried. – Tobia Jan 18 '17 at 09:07
  • The 0x80072EFD error is logged when the Windows Update Agent receives NO RESPONSE from the website destination or WSUS Server. Try this: run BITSADMIN /ALLUSERS /RESET and try again. Questions: Are you using WSUS Server on your environment? Are you using SCCM? Check the following registry value on your server: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client – HEMAN85 Jan 19 '17 at 14:20
  • Make sure the BITS service is set to automatic and started. Also, Open CMD and type proxycfg -d You may need to enter your credentials when you run Windows Updates again. – HEMAN85 Jan 19 '17 at 14:26