TL;DR:
Clear your C:\Windows\Temp
directory and other Temp directories for good-measure - then it should install updates fine.
Explanation:
As this is an Azure VM, Microsoft's "Basic" support tier is available - granted it took 3 days to arrange a phone-call, but the support staff were able to find a workaround just today.
In the CBS.log
file he spotted this line (trimmed and tidied-up by me):
2016-08-16 20:26:50, Error CSI 00000006@2016/8/16:20:26:50.808 (F) CMIADAPTER: Inner Error Message from AI HRESULT = 8004402f [Error,Facility=FACILITY_ITF,Code=16431 (0x402f)]
[
[210]"Parsing MOF file: C:\Windows\system32\wbem\NetTCPIP.mof
Error 80 in Function CMofLexer::CMofLexer line 614
C:\Windows\system32\wbem\NetTCPIP.mof (1): error SYNTAX 0X8004402f: Error creating temporary file"
]
[gle=0x80004005]
The important bit being this error:
Error creating temporary file
He instructed me to change the default environment-variables: TEMP
and TMP
in both System and User definitions to C:\TEMP
and to ensure Everyone
had Full Access
to C:\TEMP
.
After rebooting the clogged-up updates installed without any further issues.
After installing those updates fine I then deleted all of the files in the original C:\Windows\Temp directory (which took 5+ minutes, there were a lot of deeply nested files). I then reset the TMP and TEMP environment variables back to C:\Windows\Temp
and rebooted.
Two new updates were then ready to install and installation completed without any problems.
So I think the problem was bad data in the Temp directory that prevented the updates from doing anything.
Update in Mid-2017: I had a similar incident on a Windows 10 laptop recently with the same error code. I immediately went to the C:\Windows\Temp
directory and saw it had a lot files in it (about 16,000 files and folders), including deeply-nested folders too. After I deleted everything in the directory and rebooted I was able to install the updates again.
Ok, after spending 3 weeks with Microsoft's technical support department we have solved the problem.
The problem is with Dual Scan trying to connect to Windows Update (online) and failing. When it fails the system just stops trying and refuses to connect to WSUS.
The added problem is the server install media has a bug in it which prevents the Dual Scan from changing. It just ignores the policy and keeps the default update source Windows Update.
Here is what you have to do to fix it:
Run the following commands in Powershell on the offending server
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService
You will get something back like this:
Windows Update Standalone Installer - False
Windows Server Update Service - False
Windows Update - True
If it says "Windows Update - True" Then that is your default source, no matter what your GPO says...
The first thing you have to do is make sure the following patches are installed on your server.
kb4103720 and kb4462928
You need them BOTH. They are both huge, they both take forever and a day to install and they both require a server reboot.
These KBs fix the dual scan issue so the server will respond to the GPO telling it which default source to use.
Now you need to configure Group Policy to tell the server to only use the WSUS server. Per Microsoft these are the required settings (I am dubious on some of them, but I haven't tested each one... I am just happy the thing is finally working)
Computer Configuration > Policies > Administrative Templates > System > Device Installation
Specify the search server for device driver source locations
Set to "Enabled"
Select search order: "Do not search Windows Update"
Specify the search server for device driver updates
Set to "Enabled"
Select Update Server: "Search Managed Server"
Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings
Turn off access to all Windows Update features (In Microsoftspeak that means their online server, not 'make so it can't get updates')
Set to "Enabled"
Turn off access to the Store
Set to "Enabled"
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Do not allow update deferral policies to cause scans against Windows Update
Set to "Enabled"
No auto-restart with logged on users for scheduled automatic updates installations
Set to "Enabled"
Specify intranet Microsoft update service location
Set to "Enabled"
Set the intranet update service for detecting updates: "http://[YOUR SERVER]:8530"
Set the intranet statistics server:"http://[YOUR SERVER]:8530"
Set the alternate download server: "http://[YOUR SERVER]:8530"
Uncheck the box Download files with no Url in the metadata if alternate download server is set
Move your servers into an OU with this GPO enabled. I created a separate OU in my Servers OU just for 2016 server and linked this GPO to it.
Run the above powershell commands again.
It should now say
Name IsDefaultAUService
------- --------------------------
Windows Server Update Service True
Windows Update False
If you get "Windows Server Update Service" True, then it should work!
I hope this helps someone else. This has certainly been a frustrating issue...
I accept donations in unmarked bills, gold bars and scotch.
Best Answer
I only found some discussion from 2012-2013 on this issue, stating that on IPv6 only system:
So I did some
dig
ging. Situation today, in 2017:URL's that are needed by the Microsoft Update without WSUS:
windowsupdate.microsoft.com
doesn't haveAAAA
, not working.update.microsoft.com
doesn't haveAAAA
, not working.windowsupdate.com
not in use, noA
/AAAA
.download.windowsupdate.com
has (viaCNAME
s)AAAA
, answers (only) HTTP on IPv6. OK!download.microsoft.com
has HTTP/HTTPS on IPv6 (302 redirect
towww
). OK!test.stats.update.microsoft.com
doesn't haveAAAA
, not working.Microsoft Activation uses www.microsoft.com, port 80/443: has
AAAA
, answers HTTP(S). OK!NTP
time.windows.com
, still no IPv6, change to an IPv6 Time Server like2.pool.ntp.org
.So it seems like the situation has't change much, at least not for all Microsoft services.
However, TechNet article IPv6 Support in Microsoft Products and Services claims that Windows Update has full IPv6 support and leads us to Connecting with IPv6 in Windows 8 blog post, that has more information:
As
*.microsoft.com
sites answers HTTP(S) on IPv6,you should try to visit the working sites above from the server.
For further diagnostics on the problem:
tracert -6 download.windowsupdate.com
tracert -6 2001:14b8:1800:300::3eb7:aa1a
(or find the currentAAAA
on another computer with working DNS).download.microsoft.com
/ its (current)AAAA 2a02:26f0:103:19d::e59
If you don't have working routing on your IPv6, e.g. if your IPv6 is only local setup, you could configure NAT64 and DNS64 with Forefront Unified Access Gateway (UAG) DirectAccess. It has been there since Windows Server 2012 and remains essentially unchanged through 2012 R2 to 2016.
Or... simply enable IPv4. You probably have capability, if you haven't yet declared IPv4 historic.