A few notes on the fix for the recent update scan failure issue

~ Larry Mosley | Senior Escalation Engineer


Hi everyone, in case you weren’t already aware, a fix has been released to address the issue with update scan failures causing incorrect compliance status.

The hotfix for this issue has been released under KB 3050265 (https://support.microsoft.com/en-us/kb/3050265) but there is some additional information I would like to address.

First, read the KB carefully! There is a lot in it, and here are some important points.

1. Windows Server Update Services (WSUS) servers servicing these clients must have the hardening patch installed (KB 2938066)

2. If you are using Configuration Manager to manage updates, ConfigMgr disables automatic updates of the Windows Update agent, so the Windows Agent hotfix in 3050265 will have to be deployed as a package, application, or as a software update from ConfigMgr. Thanks to Mike Johnson for the details below:

a) Deploy via Software Update Management:  The update is published into the Microsoft Update Catalog under the “Updates” classification and will synchronize into your Configuration Manager’s top-level Software Update Point’s WSUS server that connects to Microsoft Update and can be deployed to your client machines via a software update assignment. However, if the client is in-state and getting the documented scan failure, the client will not be able to receive the deployment so you would need to use option B or C below.

b) Deploy via Software Distribution:  You can download the standalone installers from the Microsoft Download Center links noted in the article and target affected client machines with an advertisement.  We have the following document for previous Windows Update Agent releases here: 


c) Deploy via Application Deployment:  You would need to create deployment types to check for each version of Wuaueng.dll among affected clients (x86, x64, or IA-64) as a detection method to determine installation.  For instance, for the x86 version of Wuaeng.dll, you would check if the file version is less than 7.6.7601.18847 as the noted version in the 3050265 article.

Finally, if you separated Windows Update Agent into it’s own svchost instance by following item 1 in the Workarounds section of my original post, you should configure Windows Update Agent to reside in a shared instance again using the following steps:

1.On the client, open an elevated Command Prompt and run sc config wuauserv type= share

2. Stop and then start wuauserv.

Larry Mosley | Senior Escalation Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

System Center 2012 Configuration Manager System Center 2012 R2 Configuration Manager ConfigMgr 2012 R2