Friday, August 3, 2012

Microsoft System Center Configuration Manager 2007 R3 - unable to download patches - 2. Failed to find updates with error code 800B0001

Hi Guys,

I recently worked upon SCCM case for failing downloading windows updates with below error therefore sharing it here in my blog with solution implemented so that it will help to whoever facing same issue.

Failed to find updates with error code 800B0001

OS- Microsoft Windows 2008 R2
Application - Microsoft SCCM 2007 R3

As Microsoft does not support with SP1 - See Here 
Check Windowsupdate.log & Patchdownloader.log file for error details.
Windowsupdate.log Finding:

2012-07-17          15:46:38:808       816        2168       Misc       WARNING: Error: 0x800b0001 when verifying trust for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab
2012-07-17          15:46:38:808       816        2168       Misc       WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab are not trusted: Error 0x800b0001
2012-07-17          15:46:38:808       816        2168       Setup    WARNING: Self Update check failed to download package information, error = 0x800B0001
2012-07-17          15:46:38:809       816        2168       Setup    FATAL: Self Update check failed, err = 0x800B0001
2012-07-17          15:46:38:867       816        2168       Agent      * WARNING: Skipping scan, self-update check returned 0x800B0001
2012-07-17          15:46:38:922       816        2168       Agent      * WARNING: Exit code = 0x800B0001
2012-07-17          15:46:38:922       816        2168       Agent    WARNING: WU client failed Searching for update with error 0x800b0001
2012-07-17          15:46:38:938       816        11e4      AU          >>##  RESUMED  ## AU: Search for updates [CallId = {C4B3D200-5463-4446-9432-EB74507F131E}]
2012-07-17          15:46:38:938       816        11e4      AU            # WARNING: Search callback failed, result = 0x800B0001
2012-07-17          15:46:38:939       816        11e4      AU            # WARNING: Failed to find updates with error code 800B0001

Patchdownloader.log finding

Contentsource = http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab . Software Updates Patch Downloader 7/25/2012 5:55:17 AM 10344 (0x2868)
Downloading content for ContentID = 9349,  FileName = windows6.1-kb2698365-x64.cab. Software Updates Patch Downloader 7/25/2012 5:55:17 AM 10344 (0x2868)
Download http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab in progress: 10 percent complete Software Updates Patch Downloader 7/25/2012 5:55:18 AM 9484 (0x250C)http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab in progress: 61 percent complete Software Updates Patch Downloader 7/25/2012 5:55:18 AM 9484 (0x250C)Download http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab in progress: 81 percent complete Software Updates Patch Downloader 7/25/2012 5:55:18 AM 9484 (0x250C)
Download http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab in progress: 91 percent complete Software Updates Patch Downloader 7/25/2012 5:55:18 AM 9484 (0x250C)
Download http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab to C:\Users\svc_sccm\AppData\Local\Temp\CAB1D33.tmp returns 0 Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
Checking machine config Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
Cert revocation check is disabled so cert revocation list will not be checked. Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
To enable cert revocation check use: UpdDwnldCfg.exe /checkrevocation Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
Authentication of file C:\Users\svc_sccm\AppData\Local\Temp\CAB1D33.tmp failed, error 0x800b0004 Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
ERROR: DownloadContentFiles() failed with hr=0x80073633 Software Updates Patch Downloader 7/25/2012 5:55:19 AM 10344 (0x2868)
it was happening for all patches and not to specific.

I was getting the same error message in windows update log file as stated above and as Microsoft strengthened the WSUS communication channels in the last month or so, which may explain why older patches worked but newer ones, are not working hence see here.

Additionally you can refer this article as well - See Here

However in my case, issue was still exist. I searched for KB 272011 but they havn't instaled it. So suggested to
install 2718704 and then 2720211

Also during my remote session, I noticed that any of Microsoft update link like http://gva1swparis.hq.intra.who.int:8530/SelfUpdate/wuident.cab downloading sucesfully However, the Digital Signature tab is missing from the file (go to properties, next to general TAB, it should show TAB for 'Digital Signature'. So Looks like there's a problem with the server itself. Since we move the same file to a different machine, we're able to see the Digital signature tab.

Also tried by changing security authentication mode but no sucess.

So, finally I resolved the issue. I have specified details below.

Cause:-

This problem may occur if one or more of the following conditions are true:
  • Log file or database corruption exists in the %Systemroot%\System32\Catroot2 folder.
  • Cryptographic Services is set to disabled.
  • Other Windows files are corrupted or missing.
  • The timestamp signature or certificate could not be verified or is malformed.
  • The hidden attribute is set for the %Windir% folder or one of its subfolders.
  • The Unsigned non-driver installation behavior Group Policy setting (Windows 2000 only) is set to Do not allow installation or Warn but allow installation, or the Policy binary value is not set to 0 in the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver Signing
  • The Enable trusted publisher lockdown Group Policy setting is turned on, and you do not have the appropriate certificate in your Trusted Publishers certificate store. This Group Policy setting is located under User Configuration, under Windows Settings, under Internet Explorer Maintenance, under Security, under Authenticode Settings in the Group Policy MMC snap-in.
    Resolution:-
    1. Set Cryptographic Services to automatic, it was set to Manual earlier
    2. Rename catroot2 folder by stopping cryptsvc service, rename to oldcatroot2, start service again & then removed tmp *.cat files from
    %systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

    Note - If no files that start with tmp exist in this folder, do not remove any other files. The .cat files in this folder are necessary for installing hotfixes and service packs.
    3. Reregister the DLL files that are associated with Cryptographic Services
    Go to command prompt by 'Run as Administrator'
    regsvr32 /u softpub.dll
    regsvr32 /u wintrust.dll
    regsvr32 /u initpki.dll
    regsvr32 /u dssenh.dll
    regsvr32 /u rsaenh.dll
    regsvr32 /u gpkcsp.dll
    regsvr32 /u sccbase.dll
    regsvr32 /u slbcsp.dll
    regsvr32 /u mssip32.dll
    regsvr32 /u cryptdlg.dll
     if some files failed, ignore it for next try and restart the server
    Once done, again do same excercise and re-register following
    regsvr32 softpub.dll
    regsvr32 wintrust.dll
    regsvr32 initpki.dll
    regsvr32 dssenh.dll
    regsvr32 rsaenh.dll
    regsvr32 gpkcsp.dll
    regsvr32 sccbase.dll
    regsvr32 slbcsp.dll
    regsvr32 mssip32.dll
    regsvr32 cryptdlg.dll
    then restart box again.
    4. Remove the hidden attribute from %Windir% and from its subfolders
    Launch command prompt again with Administrator access and type following
attrib -s -h %windir%
attrib -s -h %windir%\system32
attrib -s -h %windir%\system32\catroot2
exit
    5. Rename EDB.Log file by launching command prompt
ren %systemroot%\system32\catroot2\Edb.log *.tst
    6. Temporarily turn off Trusted Publishers Lockdown and install the appropriate certificates to your trusted publishers certificate storeYou can continue to use the Enable trusted publisher lockdown Group Policy setting, but you must first add the appropriate certificates to your Trusted Publishers certificate store. To do this, turn off the Enable trusted publisher lockdown Group Policy setting, install the appropriate certificates in your Trusted Publishers certificate store, and then turn the Enable trusted publisher lockdown Group Policy setting back on. To install the appropriate certificate for Microsoft Windows and Microsoft Internet Explorer product updates, follow these steps:
    1. Download the Microsoft product update that you want to install from the Microsoft Download Center, from the Windows Update Catalog, or from the Microsoft Update Catalog. For more information about how to download product updates from the Microsoft Download Center, click the following article number to view the article in the Microsoft Knowledge Base:
      119591
      (http://support.microsoft.com/kb/119591/ )
      How to obtain Microsoft support files from Online Services
      For more information about how to download product updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:
      323166
      (http://support.microsoft.com/kb/323166/ )
      How to download updates that include drivers and hotfixes from the Windows Update Catalog
    2. Extract the product update package to a temporary folder. The command-line command that you use to do this depends on the update that you are trying to install. View the Microsoft Knowledge Base article that is associated with the update to determine the appropriate command-line switches that you will use to extract the package. For example, to extract the 824146 security update for Windows XP to the C:\824146 folder, run Windowsxp-kb824146-x86-enu -x:c:\824146. To extract the 828750 security update for Windows XP to the C:\828750 folder, run q828750.exe /c /t:c:\828750.
    3. Right-click the KBNumber.cat file from the product update package in the temporary folder you created in step 2, and then click Properties.

      Note The KBNumber.cat file may be in a subfolder. For example, the file may be in the C:\824146\sp1\update folder or in the C:\824146\sp2\update folder.
    4. On the Digital Signatures tab, click the digital signature and then click Details.
    5. Click View Certificate, and then click Install Certificate.
    6. Click Next to start the Certificate Import Wizard.
    7. Click Place all certificates in the following store, and then click Browse.
    8. Click Trusted Publishers, and then click OK.
    9. Click Next, click Finish, and then click OK.

    7. Verify the status of all certificates in the certification path and import missing or damaged certificates from another computerTo verify certificates in the certificate path for a Windows or Internet Explorer product update, follow these steps:

    Step 1: Verify Microsoft certificates

    1. In Internet Explorer, click Tools, and then click Internet Options.
    2. On the Content tab, click Certificates.
    3. On the Trusted Root Certification Authorities tab, double-click Microsoft Root Authority. If this certificate is missing, go on to step 2.
    4. On the General tab, make sure that the Valid from dates are 1/10/1997 to 12/31/2020.
    5. On the Certification Path tab, verify that This certificate is OK appears under Certificate Status.
    6. Click OK, and then double-click the NO LIABILITY ACCEPTED certificate.
    7. On the General tab, make sure that the Valid from dates are 5/11/1997 to 1/7/2004.
    8. On the Certification Path tab, verify that either This certificate has expired or is not yet valid or This certificate is OK appears under Certificate Status.

      Note Although this certificate is expired, the certificate will continue to work. The operating system may not work correctly if the certificate is missing or revoked.
    9. Click OK, and then double-click the GTE CyberTrust Root certificate. You may have more than one of these certificates with the same name. Check the certificate that has an expiration date of 2/23/2006.
    10. On the General tab, make sure that the Valid from dates are "2/23/1996 to 2/23/2006."
    11. On the Certification Path tab, verify that This certificate is OK appears under Certificate Status.
      Click OK, and then double-click Thawte Timestamping CA.
    12. On the General tab, make sure that the Valid from dates are "12/31/1996 to 12/31/2020."
    13. On the Certification Path tab, verify that This certificate is OK appears under Certificate Status.

    Step 2: Import missing or damaged certificates

    If one or more of these certificates are missing or corrupted, export the missing or corrupted certificates to another computer, and then install the certificates on your computer. To export certificates on another computer, follow these steps:
    1. In Internet Explorer, click Tools, and then click Internet Options.
    2. On the Content tab, click Certificates.
    3. On the Trusted Root Certification Authorities tab, click the certificate that you want to export.
    4. Click Export, and then follow the instructions to export the certificate as a DER encoded Binary x.509(.CER) file.
    5. After the certificate file has been exported, copy it to the computer where you want to import it.
    6. On the computer where you want to import the certificate, double-click the certificate.
    7. Click Install certificate, and then click Next.
    8. Click Finish, and then click OK.
   8. Clear the temporary file and restart the hotfix installation or the service pack installation
To clear the temporary file and restart the hotfix installation or the service pack installation, follow these steps:
  1. Delete all the tmp*.cat files in the following folders:

    %systemroot%\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

    %systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
  2. Delete all the kb*.cat files in the following folders:
    %systemroot%\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
    %systemroot%\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
  3. Delete all the oem*.* files from the %systemroot%\inf folder.
  4. At the command prompt, type the following commands. Press ENTER after each command.
    net stop cryptsvc
    ren %systemroot%\System32\Catroot2 oldcatroot2
    net start cryptsvc
    exit
  5. Restart the failed hotfix installation or service pack installation.
9. Empty the software distribution folder
  1. Click Start, click Run, type services.msc, and then click OK.

    Note On a Windows Vista-based computer, click Start, type services.msc in the Start Search box, right-click services.msc, and then click Run as administrator.
  2. In the Services (Local) pane, right-click Automatic Updates, and then click Stop.
  3. Minimize the Services (local) window.
  4. Select all the contents of the Windows distribution folder, and then delete them.

    Note By default, the Windows distribution folder is located in the drive:\Windows\SoftwareDistribution folder. In this location, drive is a placeholder for the drive where Windows is installed.
  5. Make sure that the Windows distribution folder is empty, and then maximize the Services (local) window.
  6. In the Services (Local) pane, right-click Automatic Updates, and then click Start.
  7. Restart the computer, and then run Windows Update again.
By following all above step by step, it helped me to resolved my issue.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)