Microsoft Security Advisory 4022345

Identifying and correcting failure of Windows Update client to receive updates

Published: May 9, 2017 | Updated: May 12, 2017

Version: 1.3

Executive Summary

Microsoft is releasing this security advisory to provide information related to an uncommon deployment scenario in which the Windows Update Client may not properly scan for, or download, updates. This scenario may affect customers who installed a Windows 10 or Windows Server 2016 operating system, and who have never interactively logged in to the system or connected to it through remote desktop services. These systems may not receive Windows updates until a user has completed initial setup by interactively logging in or by logging in through remote desktop services.

To address this scenario, Microsoft has released an update to the Windows Update Client through a self-healing mechanism in the Windows Update release channel to correct the Windows Update behavior for server operating systems that are not scanning for, or receiving, updates. After machines are un-stuck by this mechanism, all existing settings a system administrator has configured will be honored, and updates will not be forced on a machine that has been configured to disable Windows Updates.

This advisory provides guidance for customers to identify whether they are affected by this uncommon scenario and what, if any, actions they need to take to correct the behavior.

Advisory Details

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Client Operating Systems
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Server Operating Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)

Mitigating Factors

Microsoft has identified the following mitigating factors:

  • Users who login to a system interactively are not affected by this behavior. Most users interactively login to Windows after initial setup and are not affected.
  • Servers that are connected to the internet will automatically receive the update via the WU self-healing system. Only customers with isolated networks or who have blocked Windows Update URLs with a firewall may need to take manual action.
  • Many enterprise software deployment tools and scanners may cause a login event, which prevents a system from being affected by this issue. There is an event log, described in the FAQ, that can be checked to determine if a tool causes a login and thereby precludes any update failure.

Advisory FAQ

How do I know if I’m affected?

Customers who interactively login to their computers, or who login through remote desktop services, are not affected by this issue. Customers who use automated image building and deployment mechanisms, such as DISM and Windows Deployment Services, could have Windows 10 or Windows 2016 systems where updates are not automatically scanned or downloaded. Running systems that have been deployed and that have never been interactively logged onto, or that have been logged into via remote desktop services, may result in these systems being in a state where updates are not scanned or downloaded. A system configured as a headless machine will not be affected.

I’ve logged into my system. Must I take further manual action?

Only customers who have not enabled automatic updating or who have blocked automatic update URLs with a firewall need to check for updates and install manually. Customers who use WSUS and who have blocked systems from accessing the Windows Update URLs must also install the current cumulative update manually. Alternatively, WSUS includes the ability to audit if machines receive updates. So long as a system is receiving updates no action is necessary. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

I am using an affected client OS. Will I receive an automatic update?

No, there is currently no plan to release an automatic update for Client OS versions. Please follow the guidance in the Suggested Actions section of this document, which explains how this scenario can be addressed for those OS versions.

How can I determine if my system is Headless?

You can check the value of the “Headless” key located in the registry. This key is located at a path of “HKLM\SYSTEM\CurrentControlSet\Control\WinInit”. If this key has any non-zero value it is running as a Headless system. If the key has no value, or its value is zero, the system is not headless and may be affected by this issue. Changing this value manually will not remediate this issue, and is not suggested.

Are there event logs I can check to determine if my system has the proper logon event?

Yes. You can check 4624 security events in the Security Event Log for Logon Type of either 2 or 10. If a system has any of these events, it is not affected by this issue.

Suggested Actions

Log into each machine

If you have a low number of possibly affected machines, the simplest way to ensure your machines are not in this state is to log into each machine. This can be an interactive logon, or a logon via remote desktop. You only need to do this once after the operating system is installed.

Other Information

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (May 9, 2017): Advisory published.
  • V1.1 (May 10, 2017): Advisory updated to include Logon Type 2 Security Event Log entries. This is an informational change only.
  • V1.2 (May11, 2017): Advisory updated to clarify the WSUS environment. This is an informational change only.
  • V1.3 (May 17, 2017): Updated FAQ to clarify the update that needs to be installed: “the current cumulative update”. This is an informational change only.

Page generated 2017-05-17 10:48Z-07:00.