
MS Hotfix msu patch wants to install after it has been installed

Hey everyone,

I have been on the forum the last three days working on how to deploy Microsoft Hotfixes of the .MSU filetype. After following some successful guides

(Windows Hotfix .msu) and (File Version Applicability Rules Not Working)

 

I was able to get the .msu file installed on a test workstation, however my problem is that after it has been successfully installed, and it shows as installed on Patch Manager, the test workstation then polls the WSUS server and sees the same update available again to be installed. So something is definitely wrong with either my Applicability or Installed rules. I’d be interested in seeing what others are using for Applicability and Installed Rules for Microsoft Hotfixes in relation to .MSU files particularly. Any help would be very much appreciated!!! I really want to deploy hotfixes via Patch Manager!

 

So here is the setup I have:

 

Testing again a Windows 7 Pro x64

 

Hotfix KB2532445 – this fixes a bug in Software Restriction Policies for Windows 7 and Server 2008 R2

 

Does not use packageboot, I used WinRAR to create an sfx executable with all the correct settings, this part works and it does get installed, as after I run the update via WSUS, it shows up under updates in Control Panel/Program Files.

 

Requires a reboot is selected.

 

Prerequisite Rules:                 Processor Architecture=x64

             

 

Applicability Rules:                 NOT File Exists: Path=SoftwareDistribution\Download\7789ba8a663f7e637e25bbdc0c7a68d3\Windows6.1-KB2532445-v2-x64.cab Common Path=WINDOWS Version= Size=N/A Modified Date=10/4/2011 11:55:00 PM Creation Date=N/A Language=Language Neutral

 

I chose this for applicability rules because I couldn’t find anything else that seemed to be a good fit for this hotfix, I know for a fact that this file/directory does not exist prior to the installation of this update, so I chose that for applicability if this does NOT exist, then the system should install this update? Is my thinking wrong here?

 

 

Installed Rules:                 MSI Product Installed: Product ID={7789ba8a-663f-7e63-7e25-bbdc0c7a68d3}

 

I couldn’t find anything else to base it on as I do not have remote WMI turned on on remote workstations, so best I could find was to be the product code for the hotfix which it turns out to be the same guid in the download folder that it extracts itself to.

 

 

Like I said, the update shows as installed on Patch Manager, but next time the test workstation polls WSUS, it shows that the same patch/hotfix is available to be installed again, and it loops. Please help!!

 

       


 

  • When an update repeatedly detects and installs, that's almost always an indication that the Installed Ruleset is not returning a TRUE value when it should.


    Installed Rules:                 MSI Product Installed: Product ID={7789ba8a-663f-7e63-7e25-bbdc0c7a68d3}


    Since your only test is for the Product ID, this suggests that you've identified an incorrect Product ID for this rule.


    However....Historically, a TRUE result from the Installed Ruleset overruled any other ruleset results; however, recent observations have indicated that the WUA team may have changed (read: BROKEN) the functionality in the Windows Update Agent, and now a TRUE result from the Applicability Rules returns an isInstallable condition, even if the Installed Ruleset returns an isInstalled result.

    Applicability Rules:                 NOT File Exists: Path=SoftwareDistribution\Download\7789ba8a663f7e637e25bbdc0c7a68d3\Windows6.1-KB2532445-v2-x64.cab Common Path=WINDOWS Version= Size=N/A Modified Date=10/4/2011 11:55:00 PM Creation Date=N/A Language=Language Neutral


    In addition, this Applicability Rule is problematic, for two reasons:


    First, I suggest for Applicability Rules that you use the File Version rule, and specify the test for LESS THAN the file version of the file being installed by the package.

    Second, you CANNOT test for the presence/absence of files in the ~\SoftwareDistribution\Download folder -- they do not exist there at the time of detection rule evaluation; you should be testing at the actual installation location of the installed product. Ergo, this rule will always return TRUE (the file will never exist at the time of detection), and thus the update package will always be evaluated as isInstallable.


    I covered these basic ruleset creation principles, including the logic evaluation process of the WUA, in these webcasts:

    Package Creation Fundamentals

    Creating Packages with Patch Manager


  • Thanks Lawrence,

    Just a question then, can I test for the existence of registry entries in the installable and applicable rules? There is no version number for this hotfix. Also if I do a WMI request, is it a remote request from Patch Manager/WSUS Server to the workstation, or is the WMI request done locally on the workstation itself to determine the existence of an installed product? I only ask because I have WMI firewalled off so remote machines cannot query anything. Also are there any other things I can try in regards specifically to MSU hotfixes which don't seem to have an installation path or version number of files? This KB in particular has tons of files in the Microsoft listing, and none of them match any on a machine where I have this manually installed because more recent updates have overwritten these file versions. Thank you for your reply.

    I also don't quite understand why the applicability rule wouldn't work because that particular file is not there prior to installation of the hotfix, and it IS there afterwards, just confused as to why this wouldn't fall under that? I will rewatch the webcasts again. I really appreciate your help.

  • What's interesting is, I changed to the following rules and it is still having the same issue, however, another machine that I manually installed this hotfix on but didn't approve the update for was in another WSUS group and it shows as installed on the Patch Manager Console, so this leads me to believe that the problem is in my Applicability ruleset.

    Here is what I have:

    Applicability Rule:
    NOT WMI Query: Namespace=root\cimv2 WQL Query=select * from Win32_QuickFixEngineering where HotFixID="KB2532445"

    Installed Rules:
    WMI Query: Namespace=root\cimv2 WQL Query=select * from Win32_QuickFixEngineering where HotFixID="KB2532445"

    So I'm not sure where the problem lies here then. As you suggested, if the update repeatedly detects and installs, it is an indication that the installed ruleset is not returning "TRUE". However, within the Patch Manager Console, I am seeing another workstation that uses this logic that shows it IS installed and it is. Also as per your previous post, I don't believe the Applicability rule will ring always true, because after it installs, the WMI query should then show that the hotfix is indeed installed and thus not applicable? I really appreciate your help with this! It's so frustrating because these hotfixes do not have valid versions in their dlls since newer updates supersede them. I have also tried registry rules and it yields the same results.
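The conditions tried in this thread (MSI product code, file in the download folder, WMI hotfix query) can each be checked by hand on the test workstation before and after the install. The PowerShell script below is an added example, not part of any post above; it assumes it is run locally in Windows PowerShell 2.0 or later, and the function names `Test-HotfixByWmi` and `Test-MsiProduct` are hypothetical.

```powershell
# Added example. KB id, product code and .cab path are copied from the rules
# quoted in this thread; function and variable names are hypothetical.
$KbId        = 'KB2532445'
$ProductCode = '{7789ba8a-663f-7e63-7e25-bbdc0c7a68d3}'
$CabPath     = Join-Path $env:windir `
    'SoftwareDistribution\Download\7789ba8a663f7e637e25bbdc0c7a68d3\Windows6.1-KB2532445-v2-x64.cab'

function Test-HotfixByWmi([string]$Id) {
    # Same WQL as the WMI Query rule: TRUE when at least one row is returned.
    $wql  = "select * from Win32_QuickFixEngineering where HotFixID='$Id'"
    $rows = @(Get-WmiObject -Namespace 'root\cimv2' -Query $wql)
    return ($rows.Count -gt 0)
}

function Test-MsiProduct([string]$Code) {
    # Ask Windows Installer for the product state; 5 means installed.
    try {
        $msi   = New-Object -ComObject WindowsInstaller.Installer
        $state = $msi.GetType().InvokeMember('ProductState', 'GetProperty',
                                             $null, $msi, @($Code))
        return ($state -eq 5)
    } catch {
        return $false   # unknown or malformed product code
    }
}

$present = Test-HotfixByWmi $KbId
# Test-Path reflects the moment this script runs, not detection time.
$cabMissing = -not (Test-Path -LiteralPath $CabPath)

$results = @(
    New-Object PSObject -Property @{ Rule = 'Installed: MSI Product Installed'; Value = (Test-MsiProduct $ProductCode) }
    New-Object PSObject -Property @{ Rule = 'Installed: WMI Query';             Value = $present }
    New-Object PSObject -Property @{ Rule = 'Applicability: NOT File Exists';   Value = $cabMissing }
    New-Object PSObject -Property @{ Rule = 'Applicability: NOT WMI Query';     Value = (-not $present) }
)
$results | Select-Object Rule, Value | Format-Table -AutoSize

# With the hotfix present, an Installed rule should be True and an
# Applicability rule should be False; anything else is a rule to revisit.
if ($present) {
    $results | Where-Object {
        ($_.Rule -like 'Installed*' -and -not $_.Value) -or
        ($_.Rule -like 'Applicability*' -and $_.Value)
    } | ForEach-Object {
        Write-Warning "'$($_.Rule)' disagrees with the installed state of $KbId"
    }
}
```

Run it once before approving the update and once after the install and reboot, then compare the two tables.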