How to install out of band Windows update?

One of my customers came across a “weird” issue that one Windows update KB5001567 refuses to show up in the WSUS console regardless of repeated synchronizations. With a little search on the internet, I found it to be an out-of-band Windows update.

What is an out-of-band Window update? To put it simple, “An out-of-band patch is a patch released at some time other than the normal release time. Microsoft, for example, normally releases patches on the second Tuesday of every month.“

There are three possible ways to install KB5001567 .

Release Channel	Available	Next Step
Windows Update and Microsoft Update	Yes	Go to Settings > Update & Security > Windows Update. In the Optional updates available area, you’ll find the link to download and install the update.
Microsoft Update Catalog	Yes	To get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS)	No	You can import this update into WSUS manually. See the Microsoft Update Catalog for instructions.

For details, refer to – March 15, 2021—KB5001567 (OS Builds 19041.868 and 19042.868) Out-of-band (microsoft.com)

To install an out-of-band Windows update, another feasible alternative is to download and install it manually. Take this KB5001567for example. We can download it from Windows Catalog site and then install it on each computer by hand or via GPO.

Demo steps –

1. Create folder C:\temp
2. Download the Update to C:\temp directory  (KB5001638 download path: http://download.windowsupdate.com/d/msdownload/update/software/updt/2021/03/windows10.0-kb5001638-x64_64937e493ea9574759536d4b2695c05dfa5543e3.msu )
3. Expand the .msu file to extract the .cab file by running below command in CMD:

   expand -F:* C:\temp\windows10.0-kb5001638-x64_64937e493ea9574759536d4b2695c05dfa5543e3.msu C:\temp

4. Copy windows10.0-kb5001638-x64_64937e493ea9574759536d4b2695c05dfa5543e3.cab along with other expanded files to a shared path (that is, copy all the extracted files)
5. Use the following DISM command to install the update:

    dism /online /add-package /packagepath:\\<Shared-Path>\windows10.0-kb5001638-x64_64937e493ea9574759536d4b2695c05dfa5543e3.cab

If you want to use GPO to save efforts in case of too many computers –

1. Create a bat file and put the command at step 5 in it and save the bat file.
2. Then, use GPO startup script to run batch file. Refer to – Using Startup, Shutdown, Logon, and Logoff Scripts in Group Policy | Microsoft Docs

References

• March 15, 2021—KB5001567 (OS Builds 19041.868 and 19042.868) Out-of-band (microsoft.com)
• Using Startup, Shutdown, Logon, and Logoff Scripts in Group Policy | Microsoft Docs

Permissions needed to connect remote to WMI on a workgroup computer

One of customers tried to connect with WBEMTEST from its sccm site server to a managed workgroup client host. But he failed with 0x80070005 meaning “Access is denied“. There are three common errors you may run into while connecting to WMI on a workgroup client.

Error	Possible Issue	Solution
0x800706BA – RPC Server Unavailable Firewall issue or server not available.	The computer really doesn’t exist · The Windows Firewall is blocking the connection	Connecting to Vista: netsh advfirewall firewall set rule group=”windows management instrumentation (wmi)” new enable=yes Connecting to downlevel: Allow the “Remote Administration” rule in Windows Firewall.
0x80070005 – E_ACCESS_DENIED Access denied by DCOM security.	The user does not have remote access to the computer through DCOM. Typically, DCOM errors occur when connecting to a remote computer with a different operating system version.	Give the user Remote Launch and Remote Activation permissions in dcomcnfg. Right-click My Computer-> Properties Under COM Security, click “Edit Limits” for both sections. Give the user you want remote access, remote launch, and remote activation. Then go to DCOM Config, find “Windows Management Instrumentation”, and give the user you want Remote Launch and Remote Activation. For more information, see Connecting Between Different Operating Systems
0x80041003 – WMI Access Denied Access denied by a provider	The user does not have permission to perform the operation in WMI. This could happen when you query certain classes as a low-rights user, but most often happens when you attempt to invoke methods or change WMI instances as a low rights user. The namespace you are connecting to is encrypted, and the user is attempting to connect with an unencrypted connection	Give the user access with the WMI Control (make sure they have Remote_Access set to true) Connect using a client that supports encryption.

To be able to connect successfully to WMI on a workgroup computer, you can follow the steps below on the target workgroup computer.

1. First finish the steps described in Securing a Remote WMI Connection

2. Launch DCOMCNFG and expand Component Services>Computers, then right click on My Computer
3. In Access Permissions, click Edit Limits
4. Select ANONYMOUS LOGON and grant Remote Access, OK.

5. In Launch and Activation Permissions, select Everyone and grant Remote Launch and Remote Activation. OK.

6. Then disable UAC –
   a. Open the Local Security Policy (secpol.msc)
   b. Expand open Local Policies and Security Options in the left pane of Local Security Policy, and double click/tap on the User Account Control: Run all administrators in Admin Approval Mode policy
   c. Set it to Disabled, save.

7. Restart the computer

Go to your another computer and launch WBEMTEST.

References

• https://social.msdn.microsoft.com/Forums/vstudio/en-US/6229334e-d5ef-4016-9e7e-1c8718be8d43/access-is-denied-exception-from-hresult-0x80070005-eaccessdenied-in-vbnet
• https://docs.microsoft.com/en-us/windows/win32/wmisdk/securing-a-remote-wmi-connection