Using Package to install updates returned 1641

Sometimes you may need to deploy an update via SCCM through a Package, using the WUSA command. You might put something like the following in the Program's command line: wusa.exe …..

After deployment, the client shows that the update was installed successfully, but the SCCM console shows an error with the code 1641.

Strictly speaking, 1641 cannot even be considered as an error because all it asks is a reboot:

Error Code: 0x669 (1641)
Error Name: ERROR_SUCCESS_REBOOT_INITIATED
Error Source: Msi.h
Error Message: The requested operation completed successfully. The system will be restarted so the changes can take effect.

If you look at execmgr.log, you will find information similar to the lines below. Even if you follow the instruction and restart the client computer, the error message in the SCCM console stays forever.

07-15-2021 16:18:03.644 execmgr 10342 (0x27a4) Program exit code 1641
07-15-2021 16:18:03.645 execmgr 10342 (0x27a4) Looking for MIF file to get program status
07-15-2021 16:18:03.647 execmgr 10342 (0x27a4) Script for Package:testpkg, Program: Install failed with exit code 1641
07-15-2021 16:18:03.660 execmgr 10342 (0x27a4) Raising event:
[SMS_CodePage(874), SMS_LocaleID(1054)]
instance of SoftDistProgramErrorEvent
{
AdvertisementId = "APRCONTOSO";
ClientID = "GUID:ed123456-e3e9-2345-9f26-3ff8b875f376";
DateTime = "20210715091803.654000+000";
ExitCode = "1641";
MachineName = "cntcontoso";
PackageName = "testpkg";
ProcessID = 4788;
ProgramName = "Install";
SiteCode = "CNT";
ThreadID = 10342;
UserContext = "NT AUTHORITY\SYSTEM";
};
07-15-2021 16:18:03.663 execmgr 10342 (0x27a4) Raised Program Error Event for Ad:APRCONTOSO, Package:testpkg, Program: Install
07-15-2021 16:18:03.685 execmgr 8256 (0x2040) Execution is complete for program Install. The exit code is 1641, the execution status is FailureNonRetry

A simple way to resolve this is to wrap the wusa.exe command in a bat file, e.g. installupdate.bat, and add exit 0 at the end. Something like this:

wusa.exe .....
exit 0

That way the package will always return 0, which will be considered as a Success.
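
A narrower variant of the wrapper above, as an added example that is not from the original post: it returns 0 only for the reboot codes and passes every other wusa.exe exit code through, so an install that really failed still shows as an error in the console. The script name, the .msu placeholder path and the handling of 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) are assumptions.

```powershell
# installupdate.ps1 (hypothetical name) - added example, not from the original post.
param(
    # Placeholder path: the real .msu name is not given on the page.
    [string]$MsuPath = (Join-Path $PSScriptRoot 'update-placeholder.msu')
)

# Exit codes that mean "installed, only a reboot is outstanding".
$RebootCodes = @{
    1641 = 'ERROR_SUCCESS_REBOOT_INITIATED'
    3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED'
}

function ConvertTo-ProgramExitCode {
    param([int]$ExitCode)
    # Success and reboot codes become 0; every other code is passed through
    # unchanged so a failed install is still reported as a failure.
    if ($ExitCode -eq 0 -or $RebootCodes.ContainsKey($ExitCode)) { return 0 }
    return $ExitCode
}

if (-not (Test-Path -LiteralPath $MsuPath)) {
    Write-Error "Update package not found: $MsuPath"
    exit 2   # ERROR_FILE_NOT_FOUND
}

$wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
$proc = Start-Process -FilePath $wusa -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru

$raw = $proc.ExitCode
$meaning = if ($RebootCodes.ContainsKey($raw)) { $RebootCodes[$raw] } else { 'n/a' }
# Keep the original code in the output so it is not lost when 0 is returned.
Write-Output "wusa.exe exit code: $raw ($meaning)"

exit (ConvertTo-ProgramExitCode -ExitCode $raw)
```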

How to Check for a Pending Reboot on a host with SCCM client installed

If you have a host managed by the Configuration Manager client, there will be a ROOT\ccm\ClientSDK namespace in WMI. The class CCM_ClientUtilities has a DetermineIfRebootPending method that reports two values:

  • RebootPending
  • IsHardRebootPending

NAMESPACE | CLASS | PROPERTY | VALUE | PRODUCT | NOTES
ROOT\ccm\ClientSDK | CCM_ClientUtilities | DetermineIfRebootPending | RebootPending | SCCM | ReturnValue needs to be 0 and this value is not null
ROOT\ccm\ClientSDK | CCM_ClientUtilities | DetermineIfRebootPending | IsHardRebootPending | SCCM | ReturnValue needs to be 0 and this value is not null

You can use the following PowerShell command to verify whether the client host needs a reboot.

Invoke-WmiMethod -ComputerName localhost -Namespace "ROOT\ccm\ClientSDK" -Class "CCM_ClientUtilities" -Name DetermineIfRebootPending | Select-Object -Property PSComputerName,RebootPending

PSComputerName RebootPending
-------------- -------------
D00155DD61A6F  False

You can also replace localhost with a real computer name to verify a remote host.
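
The same check extended to several hosts, as an added example that is not from the original post: it reads both RebootPending and IsHardRebootPending and applies the rule from the table above (ReturnValue must be 0 and the values must not be null). The function name and the host names in the usage comment are hypothetical.

```powershell
function Get-CcmRebootState {
    param([string[]]$ComputerName = @('localhost'))

    foreach ($name in $ComputerName) {
        $state = [ordered]@{
            ComputerName        = $name
            Status              = 'Unknown'
            RebootPending       = $null
            IsHardRebootPending = $null
        }
        try {
            $r = Invoke-WmiMethod -ComputerName $name -Namespace 'ROOT\ccm\ClientSDK' `
                -Class 'CCM_ClientUtilities' -Name DetermineIfRebootPending -ErrorAction Stop

            if ($null -eq $r -or $r.ReturnValue -ne 0) {
                # The method ran but did not succeed, so its flags cannot be trusted.
                $state.Status = "QueryFailed (ReturnValue=$($r.ReturnValue))"
            }
            elseif ($null -eq $r.RebootPending -or $null -eq $r.IsHardRebootPending) {
                $state.Status = 'QueryFailed (null value)'
            }
            else {
                $state.Status              = 'OK'
                $state.RebootPending       = [bool]$r.RebootPending
                $state.IsHardRebootPending = [bool]$r.IsHardRebootPending
            }
        }
        catch {
            # Typical causes: host unreachable, access denied, or no
            # Configuration Manager client (the namespace does not exist).
            $state.Status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]$state
    }
}

# Usage (host names are hypothetical):
# Get-CcmRebootState -ComputerName 'localhost', 'client01' | Format-Table -AutoSize
```

A host that returns Status other than OK has not been shown to be reboot-free; treat it as unknown rather than as False.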

Logs to collect for Windows Update

Windows Update functionality often runs into trouble. When a Windows Update issue happens, we can collect the following logs for analysis.

WindowsUpdate.log

  • Windows 10, Windows Server 2016: Open PowerShell and run (the file will be saved on the desktop):
Get-WindowsUpdateLog

Or just get the logs under C:\Windows\Logs\WindowsUpdate

  • Windows 7/8/2008/2012: C:\Windows\WindowsUpdate.log

ReportingEvents.log

C:\Windows\SoftwareDistribution\ReportingEvents.log

Event logs

Application.evtx and System.evtx in C:\windows\system32\winevt\logs

If it is related to software update management in Configuration Manager, this article KB4505440 from Microsoft Knowledge Base should be helpful.

Check for updates failed with “We couldn’t connect to the update service. We’ll try again later, or you can check now. If it still doesn’t work, make sure you’re connected to the Internet.”

A few days ago, a customer reported that when he clicked the Check for updates button on the Windows Update page in Settings on his Windows Server 2016, he ran into the following problem.

We couldn’t connect to the update service. We’ll try again later, or you can check now. If it still doesn’t work, make sure you’re connected to the Internet.

What is going on here?

Windows Update Log

Looking into WindowsUpdate.log, I found the following information.

[agent] Unknown_cxx00 CSusSettingCache::TraceScenarioInfo() – WSUS server: http://WSUSSVR1.asia.contoso.group:8530
[agent] Unknown_cxx00 CSusSettingCache::TraceScenarioInfo() – WSUS status server: http://WSUSSVR1.asia.essilor.group:8530
[agent] Unknown_cxx00 CSusSettingCache::TraceScenarioInfo() – Alternate Download Server: http://10.201.3.40:8530
[agent] Unknown_cxx00 CSusSettingCache::TraceScenarioInfo() – Fill Empty Content Urls: No
[agent] Unknown_cxx00 CSusSettingCache::TraceScenarioInfo() – Target group: Contoso-TEST-AUTO
[agent] Unknown_cxx00 CSusSettingCache::TraceScenarioInfo() – Windows Update access disabled: No
…
[sls] Unknown_cxx00 CSLSDownloader::GetUrlContent() – Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.14393.0/0?CH=712&L=en-US&P=&PT=0x8&WUA=10.0.14393.3269
[susenginelib] Unknown_cxx00 SendRequestWithAuthRetry() – Send request failed, hr:0x80072efe
[downloadfile] Unknown_cxx00 CDownloadSession::ShouldFileBeDownloaded() – WinHttp: SendRequestToServerForFileInformation failed with 0x80072efe; retrying with default proxy.

Apparently, the client, which is administered by an Active Directory Domain Controller, has “Specify intranet Microsoft update service location” under “Computer Configuration\Administrative Templates\Windows Components\Windows Update” set to http://WSUSSVR1.asia.contoso.group:8530. However, the client was still trying to connect to HTTPS://sls.update.microsoft.com to download update information, even though, as I found out, it could not access the Internet.

Solution

There are two possible solutions to solve this issue.

  • Grant Windows Update Internet access to the client end
  • Disable Windows Update Internet access

Since the customer could not grant the client Windows Update Internet access, I finally suggested that they enable the group policy:

Do not connect to any Windows Update Internet locations – Enabled

At the same time, make sure you do not enable any setting that can trigger Dual Scan. It is therefore better to enable “Do not allow update deferral policies to cause scans against Windows Update”. If you cannot find this setting in Group Policy, an alternative is to leave all the WUfB settings under “Computer Configuration\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates or Windows Update for Business” as “Not configured”:

Select when Feature Updates are received – Not configured
Select when Quality Updates are received – Not configured

Check Windows Update settings on a client

A local Group Policy setting will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

In order to check the WSUS server that the clients are contacting and also check for any GPOs affecting those clients, you will need to check the following aspects.

RsoP.msc on the client

Check the Computer Configuration > Administrative Templates > Windows Components > Windows Update
– Does it show the correct WSUS server?

Registry settings

Compare the following registry keys on the “problematic” machine with the same registry keys from a “working” machine:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

To check the two registry items’ properties, you can run in PowerShell:

Get-ItemProperty 'Registry::HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
Get-ItemProperty 'Registry::HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

Active Directory Group Policy and SCCM settings

Check how WSUS is defined in the Group Policy (i.e. server name and port) versus how it is set in Configuration Manager (i.e. FQDN).

WUAHandler.log on the client

Check the WUAHandler.log for the WSUS URL used.

Enabling WUA Managed server policy to use server: http://wsussvr.contoso.com:8530

When an Active Directory Group Policy setting overrides the local Group Policy setting, you will see the following:

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://newwsussvr.sccmpeek.com:8530 and Policy ENABLED WUAHandler
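
A script that reads the two policy keys listed under Registry settings and reports the conflicts discussed here and in the Dual Scan section above, as an added example that is not from the original post. It assumes a WSUS-only client; the function names are hypothetical, and the value names checked (WUServer, WUStatusServer, UseWUServer, DoNotConnectToWindowsUpdateInternetLocations, DisableDualScan, DeferFeatureUpdates, DeferQualityUpdates) are the registry values behind the Group Policy settings named on this page.

```powershell
# Added example: reads the two policy keys from the page and lists conflicts.
$WuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues {
    param([string]$Path)
    $values = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        # Drop the PSPath/PSParentPath/... properties added by the provider.
        $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $values[$_.Name] = $_.Value }
    }
    return $values
}

function Test-WindowsUpdatePolicy {
    param([hashtable]$Wu, [hashtable]$Au)
    $findings = @()
    if (-not $Wu['WUServer']) {
        $findings += 'WUServer is not set: no WSUS server is defined by policy.'
    } else {
        if ($Au['UseWUServer'] -ne 1) {
            $findings += 'WUServer is set but AU\UseWUServer is not 1: the WSUS URL is ignored.'
        }
        if ($Wu['WUServer'] -ne $Wu['WUStatusServer']) {
            $findings += "WUServer ($($Wu['WUServer'])) and WUStatusServer ($($Wu['WUStatusServer'])) differ."
        }
        if ($Wu['WUServer'] -like 'http://*') {
            $findings += 'WUServer uses plain HTTP: update metadata is not protected by TLS in transit.'
        }
    }
    if ($Wu['DoNotConnectToWindowsUpdateInternetLocations'] -ne 1) {
        $findings += 'Windows Update Internet locations are still allowed.'
    }
    # Any deferral policy without DisableDualScan can trigger Dual Scan.
    $deferral = $Wu['DeferFeatureUpdates'] -or $Wu['DeferQualityUpdates']
    if ($deferral -and $Wu['DisableDualScan'] -ne 1) {
        $findings += 'Deferral policy set without DisableDualScan: Dual Scan can be triggered.'
    }
    return $findings
}

$report = Test-WindowsUpdatePolicy -Wu (Get-PolicyValues $WuKey) -Au (Get-PolicyValues "$WuKey\AU")
if ($report) { $report } else { 'No policy conflicts found.' }
```

Run it on both the “problematic” and the “working” machine and compare the two outputs.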

WUAUClt and USOClient

I believe some of you must have noticed that WUAUClt no longer works on Windows 10 or Windows Server 2016 / 2019. There is a replacement for WUAUClt named USOClient located in C:\WINDOWS\SYSTEM32\ directory.

WUAUclt Utility

Before Windows 10 and Windows Server 2016 / 2019, you could use WUAUClt to search for, download and install new updates.

WUAUClt.exe /detectnow - forces an update detection. If there are updates approved for install that the client needs, it will download them when the command runs.
WUAUClt.exe /updatenow - installs the downloaded updates

Note that WUAUClt.exe /detectnow works only when Automatic Update is enabled and that WUAUClt.exe /updatenow works only when 4 – Auto download and schedule the install is selected for Configure Automatic Updates. You can enable Automatic Updates via Group Policy.

Other command line switches for WUAuclt utility

Option | Description
/a /ResetAuthorization | Initiates an asynchronous background search for applicable updates. If Automatic Updates is disabled, this option has no effect.
/r /ReportNow | Sends all queued reporting events to the server asynchronously.
/? /h /help | Shows this help information.

WUAUclt switches

wuauclt.exe /resetauthorization /detectnow - you can use this command to expire the cookie, initiate detection, and have WSUS update computer group membership.

Sometimes you may need to re-register a client with the WSUS server. In that case you can run the following commands.

gpupdate /force
WUAUclt.exe /detectnow

Note that for Windows 10 and Windows Server 2016 / 2019 +, you need to run USOClient.exe StartScan instead of WUAUclt.exe /detectnow. Read further for USOClient utility.

USOClient Utility

USO stands for Update Session Orchestrator, and it replaces the Windows Update Agent. USOClient.exe is basically a command that can scan for updates, install them or resume an update.

USOClient utility works on Windows 10 and Windows 2016 / 2019 + as a replacement of WUAUclt.

USOClient utility switches

Option | Description
StartScan | Used To Start Scan
StartDownload | Used to Start Download of Patches
StartInstall | Used to Install Downloaded Patches
RefreshSettings | Refresh Settings if any changes were made
StartInteractiveScan | May ask for user input and/or open dialogues to show progress or report errors
RestartDevice | Restart device to finish installation of updates
ScanInstallWait | Combined Scan Download Install
ResumeUpdate | Resume Update Installation On Boot

USOClient switches

To scan and install updates, you can simply run:

USOClient.exe ScanInstallWait 
USOClient StartInstall
