WIN7 Windows Update stuck / hangs / hängt

 

Some times the Windows 7 Update Client is stuck. Here is how to solve this in 2017.

This happens on Brand new installation of Windows 7 SP1 PRO or ENTERPRISE Media 64BIT (OEM or VL). The Internet conenction looks fine, You have no packet lost, Your MTU Size is correct. Simply Windows Update hangs and does that for hours. Sometimes it goes through and the time this could happen we have seen from 4 hrs to 3 Days.

 

First hint: On some Patches DISCONNECT the Network cable from your Client! (3020369 as example)

You need to Install 3 Patches from the Windows Update Catalog in a certain order. Keep in MIND that you need to Reboot (Restart) and also in certain cases UNLUG the Internet Connection before installing the Patches. Otherwise the Client will search endless again with the first patch.

http://catalog.update.microsoft.com/v7/site/home.aspx

Search for all 3 Patches mentioned below an add them to the Download basket

3020369

3172605

3125574

Then choose to Download all of them

 

KB3020369 (https://support.microsoft.com/de-ch/help/3020369/april-2015-servicing-stack-update-for-windows-7-and-windows-server-2008-r2)

REBOOT

KB3172605 (https://support.microsoft.com/de-de/help/3172605/july-2016-update-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1)

REBOOT

 

Om most systems we heard this two Patches solved it. IF that did not work also try:

KB3125574 (https://support.microsoft.com/de-ch/help/3125574/convenience-rollup-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1)

REBOOT

 

 

Please see our further posting regarding WSUS and WSUS-Clients:

http://www.butsch.ch/post/WSUS-Windows-Update-Client-Agent-Commandline-wuaucltexe.aspx

http://www.butsch.ch/post/WSUS-Windows-Update-Server-Most-common-Problems-FAQ.aspx

http://www.butsch.ch/category/WSUS.aspx

http://www.butsch.ch/category/Hotfixes-Updates.aspx

 

 

 

WSUS: Error on 2012R2 WSUS Server ERROR: Connection Error console

The WSUS Server Console on a 2012R2 server suddenly does not work anymore. You checked %appdata%\Roaming\Microsoft\MMC\WSUS (Backup, Remove try if it works and restore if did not solve) and this did not help.

You checked all Services and did a reboot of the WSUS and checked space and Size of Internal DB.

Error: Event 507, Windows Server Update Server

Error: Event 7031, The WSUS Server Service terminated

 

Error as Text from GUI

The WSUS administration console was unable to connect to the WSUS Server via the remote API.

 

Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.

 

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

 

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

 

System.IO.IOException -- The handshake failed due to an unexpected packet format.

 

Source System

 

Stack Trace:

at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)

at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)

at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)

at System.Net.ConnectStream.WriteHeaders(Boolean async)

** this exception was nested inside of the following exception **

 

 

System.Net.WebException -- The underlying connection was closed: An unexpected error occurred on a send.

 

Source

Microsoft.UpdateServices.Administration

 

Stack Trace:

at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)

at Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)

at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()

at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.get_ServerTools()

 

 

 

Solution:

 

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

 

 

  • Console should work again

 

 

This article describes an update to a feature that enables Windows Server Update Services (WSUS) to natively decrypt Electronic Software Distribution (ESD) in Windows Server 2012 and Windows Server 2012 R2. Before you install this update, see the Prerequisites section.

Note You must install this update on any WSUS server that is intended to sync and distribute Windows 10 upgrades (and feature updates) that are released after May 1, 2016.

How to get this update

 

Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Windows Update

 

This update is available on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Update detail information

 

Prerequisites

To apply this update in Windows Server 2012 R2, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed.

Registry information

To apply this update, you don't have to make any changes to the registry.

 

Restart requirement

You may have to restart the computer after you apply this update.

 

Update replacement information

This update can be installed on top or in place of KB3148812.

 

More information

Manual steps required to complete the installation of this update

  1. Open an elevated Command Prompt window, and then run the following command (case sensitive, assume "C" as the system volume):

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

  1. Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.

  2. Restart the WSUS service.

If SSL is enabled on the WSUS server

  1. Assign ownership of the Web.Config file to the administrators group (run at an elevated command prompt):
  2. takeown /f web.config /a
  3.  

icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant administrators:f

  1. Locate the Web.Config file in the following path:

C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config

  1. Make the following changes in the file.

    Note This code sample represents a single text block. The line spacing is used only to emphasize the text changes, which are shown in bold.
  2. <services>
  3. <service
  4. name="Microsoft.UpdateServices.Internal.Client"

behaviorConfiguration="ClientWebServiceBehaviour">

<!--

These 4 endpoint bindings are required for supporting both http and https

-->

<endpoint address=""

binding="basicHttpBinding"

bindingConfiguration="SSL"

contract="Microsoft.UpdateServices.Internal.IClientWebService" />

<endpoint address="secured"

binding="basicHttpBinding"

bindingConfiguration="SSL"

contract="Microsoft.UpdateServices.Internal.IClientWebService" />

<endpoint address=""

binding="basicHttpBinding"

bindingConfiguration="ClientWebServiceBinding"

contract="Microsoft.UpdateServices.Internal.IClientWebService" />

<endpoint address="secured"

binding="basicHttpBinding"

bindingConfiguration="ClientWebServiceBinding"

contract="Microsoft.UpdateServices.Internal.IClientWebService" />

</service>

</services>

  1. Add the multipleSiteBindingsEnabled="true" attribute to the bottom of the Web.Config file, as shown:
  2. </bindings>
  3. <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />

</system.serviceModel

 

GPO: WSUS Patches June 2016 disabled security filtered GPO

Important change for all GPO-Admin | Change in way GPO's are applied and filtered.

 

The Windows Updates JUNE 2016 bring up a change in how POLICY GPO (Gruppenrichtlinien) should be filtered to Active Directory Security Groups. You can't anymore JUST remove "Authenticated users" and add a security group under Security Filtering. The Policy will not pull because Microsoft has changed the concept.

German:

GPO welche auf Usergruppen gefiltert sind gehen nach dem Update der Patche nicht mehr wenn Authenticatedusers oder Domaincomputers KEIN read unter Delegation hat.

June 2016 Patches:

KB 3163018

KB 314913

KB 3159398

 

https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP

http://www.gruppenrichtlinien.de/artikel/sicherheitsfilterung-neu-erfunden-ms16-072-patchday-14062016/

This is a normal policy which is not affected by the patches:

Please make a backup of your GPO before changing anything:

Here so see one where we removed the "Authenticated Users" or "Authentifizierte Benutzer" and this needs to get corrected. Leave it as IT IS under security filtering. The place to change it would be under Delegation.

First How NOT to do it (> This would make the POLICY PULL for all!)

Correct way to make it June 2016 Patchday compatible

Make a backup of the GPO before you even think about changing it!

 

Powershell from listed by Stepan Kokhanovskiy on Social MSDN

 

I changed this to a READ only and LIST only version so you can check first if you have SUCH GPO's

$DebugPreference = 'Continue'

 

Write-Debug "Get list of the all group policy objects in the domain."

 

$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

 

Write-Debug "Select group policies for permissions changing."

 

$ProcessGpo = foreach ($Gpo in $AllGpo)

{

Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

 

Write-Debug "Get permission for the `"Authenticated Users`" group."

$AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue

 

Write-Debug "Get permission for the `"Domain Computers`" group."

$DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName 'Domain Computers' -TargetType Group -ErrorAction SilentlyContinue

 

if (-not ($AuthUsersPermission -or $DomainComputersPermission))

{

Write-Debug "No permissions found."

$Gpo

}

else

{

Write-Debug "Permissions found. Skip group policy."

}

}

 

if ($ProcessGpo)

{

Write-Debug "List of the selected group polices."

$ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

 

Write-Debug "Change permissions for the selected group polices."

 

foreach ($Gpo in $ProcessGpo)

{

try

{

Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

 

$Gpo

}

catch

{

$_ | Write-Error

}

}

}

else

{

Write-Debug "No group policy found."

}

 

Above Version which will only LIST / Report / Nur lesen

 

Below Version which will Change / Correct / Aenderung

Change version from Posting in Social adapted to German Active Directory with Domänencomputer

$DebugPreference = 'Continue'

 

Write-Debug "Get list of the all group policy objects in the domain."

 

$AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

 

Write-Debug "Select group policies for permissions changing."

 

$ProcessGpo = foreach ($Gpo in $AllGpo)

{

Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

 

Write-Debug "Get permission for the `"Authenticated Users`" group."

$AuthUsersPermission = $Gpo | Get-GPPermissions -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue

 

Write-Debug "Get permission for the `"Domain Computers`" group."

$DomainComputersPermission = $Gpo | Get-GPPermissions -TargetName 'Domain Computers' -TargetType Group -ErrorAction SilentlyContinue

 

if (-not ($AuthUsersPermission -or $DomainComputersPermission))

{

Write-Debug "No permissions found."

$Gpo

}

else

{

Write-Debug "Permissions found. Skip group policy."

}

}

 

if ($ProcessGpo)

{

Write-Debug "List of the selected group polices."

$ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

 

Write-Debug "Change permissions for the selected group polices."

 

foreach ($Gpo in $ProcessGpo)

{

try

{

Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

 

Write-Debug "Add the `"Read`" permission for the `"Domänencomputer`" group."

Set-GPPermissions -Guid $Gpo.Id -PermissionLevel GpoRead -TargetName 'Domänencomputer' -TargetType Group -ErrorAction Stop | Out-Null

Write-Debug "Permissions changed successful."

 

$Gpo

}

catch

{

$_ | Write-Error

}

}

}

else

{

Write-Debug "No group policy found."

}

 

Deployment: Flash 22 Juni 2016 Release

It's time to Update Flash to latest Release:

https://www.adobe.com/products/flashplayer/distribution3.html

https://helpx.adobe.com/flash-player/release-note/fp_22_air_22_release_notes.html

See on how to migrate from an old Post from us. And check the Flag, Filenames and Versions to check from below for June 2016 Version 20.06.2016.

http://www.butsch.ch/post/Adobe-Flash-11-1101152-Siletn-Install-and-Migration-from-Vetrsion-10X.aspx

Release

OLD: 21.0.0.242

NEW: 22.0.0.192

OCX File

OLD: Flash32_21_0_0_242.ocx

NEW: Flash32_22_0_0_192.ocx

OCX File

OLD: Flash64_21_0_0_242.ocx

NEW: Flash64_22_0_0_192.ocx

Filename Installer

OLD: install_flash_player_21_active_x.exe

NEW: install_flash_player_22_active_x.exe

Microsoft February 2016 Patchday, Upgrade to Windows 10 Patches

Microsoft February 2016 Patchday, Upgrade to Windows 10 Patches

 

  • Ein RDP Patch wird zwei Reboots machen (Dies ist normal)
  • DENY KB3114717 Office 2013 macht WinWord 2013 langsam (Problem patch)
  • Die Windows 10 Updates Packages sind jetzt im WSUS erschienen (W7 product)

     

     

These updates have come to WSUS-customer even when to W10 product was chosen. They appear under W7 Product category.