General Information
.NET Framework
Never limit patching to Critical + Important if you’re managing .NET Framework:
.NET Cumulative Updates alternate between “Updates/None” and “Security/Important-Critical”, so a Critical + Important filter could skip them every other month.

SSU
Since February 2021, the SSU is included in the Cumulative Update — except in out-of-band SSU cases.
Classification
The “Security Update” classification can have the following severity levels:
- Critical: Remote Code Execution → patch immediately
- Important: Compromise of Confidentiality, Integrity, or Availability (CIA) → patch as soon as possible
- Moderate: Risk mitigated by configuration
- Low: Minimal impact
- None: No security risk (except .NET Framework)

Command line
Install CAB –> DISM /Online /Add-Package /PackagePath:"C:\Path\file.cab"
Install MSU –> wusa C:\Path\file.msu /quiet /norestart
Operating System Logs
- C:\Windows\WindowsUpdate.log (generate via PowerShell Get-WindowsUpdateLog)
- C:\windows\SoftwareDistribution\ReportingEvents.log
- C:\Windows\Logs\CBS\CBS.log
Check Agent Status
On Reports : Patch – Coverage Status Details

Maintenance Windows
Check that the Maintenance Window is configured correctly

Action Lock Status: ON
If Action Lock is ON, no patches will be applied (see Patch module configuration)
Get Action Lock Status from all machines

Patch Scan Age
Get Patch – Scan Age from all machines

Is Process Running
Get Patch - Is Process Running from all machines

Tools Status
Get Endpoint Configuration - Tools Status from all machines

Windows Update Agent Version
Get Operating System and Windows OS Release ID and Windows Update Agent Version from all machines with Is Windows equals True

Check Patch Status
Scan Error – Interact
Get "Patch – Scan Errors" and "Patch – Scan Age" from all machines with Is Windows equals True

Scan Error – Scan Management
Patch UI => Modules > Patch > Scan Management > Scan Errors

| Scan Error returned by Tanium Patch | Suggested First Remediation | Comment |
|---|---|---|
| Unable to load PatchLib | Uninstall the TPT | Patch Tools engine library is corrupted. |
| Failed to start the Tanium Scan update service | Uninstall the TPT | PatchScanUpdate service no longer starts. |
| Windows Update Error Code 7 – “Out of memory” | Check the page file → minimum 16 GB or open a ticket to adjust the batch size | Common on low-RAM VMs. |
| -2147023293 ERROR_INSTALL_FAILED | Reset the WUA Client | Generic install failure from Windows Update Agent. |
| -2145124338 WU_E_XML_INVALID | Reset the WUA Client | Corrupted catalog XML. |
| -2145116147 WU_E_UH_NEEDANOTHERDOWNLOAD | Reset the WUA Client | WUA requests a new download. |
| Failed to Parse XML | Delete the listed XML file (harmless). | Usually a partial or temp file. |
| WU_E_NO_INTERACTIVE_USER | Block Patch distribution → manual installation only. | Device without an interactive session. |
| PatchManager – error changing WUA service state (timeout) | Fully rebuild the WUA service or run SFC/DISM scans. | WUA service stuck or system files corrupted. |
Link : Troubleshooting Patch
Deployment Error
Get Patch - Deployment Errors from all machines

Installed status
Get Patch – Installation State[“”] having Patch – Installation State:KB Articles contains KB from all machines

Get Patch - Installation State[Installed Only] from all machines

Deployment result
Get Patch - Deployment Results from all machines

Installation source (Tanium / Windows update)
Get Patch Installation History[30,0,1,1,1,1,0] from all machines

Patch Installation History
Get Patch Installation History[30,0,1,1,1,1,0] from all machines

Deployment status
Get Computer Name and Operating System and Patch - Deployment Statuses from all machines

Check Tanium Server
Sync the Tanium Scan for Windows database

- Patch UI : Modules › Patch › Overview › (?) Help › Support › Initialize Endpoints

- Click on “Initialize Endpoints”

- Patch UI : Modules > Patch > Scan Management > Tanium Scan for Windows

Solution
Reinstall Patch tools
Use action (package) – Endpoint Configuration - Reinstall Tools

Reset Windows update agent
- -2145124323 WU_E_INVALID_UPDATE
- -2145124321 WU_E_NO_CONNECTION
- -2147023293 ERROR_INSTALL_FAILED
- -2145124338 WU_E_XML_INVALID
- -2145116147 WU_E_UH_NEEDANOTHERDOWNLOAD
Use package “Patch – Reset Windows Update Client“

Force Scan
Option 1 (preferred)
- Create a package “Patch – Delete patch-scan-results” with command:
cmd.exe /d /c del /f /q ..\..\Patch\scans\patch-scan-results.txt

Option 2
- Create a package “Patch – Create Scan-Now” with command:
cmd.exe /d /c echo Scan invoked on %DATE% %TIME% from package >> ..\..\Patch\scans\scan-now.txt
External links

https://www.rapidtables.com/convert/number/decimal-to-hex.html?x=-2145124329

https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference
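
The scan errors above appear as signed decimals, while Microsoft's error reference lists the same codes in hex. The Python below is an added example, not part of Tanium or of the original page: it converts the decimal value to the hex HRESULT, splits out the facility and code fields, and flags the codes this page lists under "Reset Windows update agent". The function names and the sample lines are constructed for illustration.

```python
import re

# Codes this page lists under "Reset Windows update agent", keyed by unsigned HRESULT.
RESET_WUA = {
    0x8024001D: "WU_E_INVALID_UPDATE",
    0x8024001F: "WU_E_NO_CONNECTION",
    0x80070643: "ERROR_INSTALL_FAILED",
    0x8024000E: "WU_E_XML_INVALID",
    0x8024200D: "WU_E_UH_NEEDANOTHERDOWNLOAD",
}
FACILITY = {0x007: "Win32", 0x024: "Windows Update"}  # HRESULT facility field

def decode(signed_code):
    """Turn a signed 32-bit decimal error code into its HRESULT parts."""
    if not -2**31 <= signed_code < 2**31:
        raise ValueError("not a signed 32-bit value")
    u = signed_code & 0xFFFFFFFF          # two's complement -> unsigned
    return {
        "hex": f"0x{u:08X}",              # form used in Microsoft's reference
        "failure": bool(u >> 31),         # severity bit
        "facility": FACILITY.get((u >> 16) & 0x7FF, "other"),
        "code": u & 0xFFFF,               # e.g. 1603 for a Win32 install failure
        "name": RESET_WUA.get(u),         # None: look the hex up in the reference
    }

def triage(lines):
    """Decode the first signed decimal code in each scan-error string, if any."""
    results = []
    for line in lines:
        m = re.search(r"(?<!\d)-\d{9,10}(?!\d)", line)
        results.append(decode(int(m.group())) if m else None)
    return results

# Constructed sample values, not real sensor output.
SAMPLE = [
    "-2145124338 WU_E_XML_INVALID",
    "-2147023293 ERROR_INSTALL_FAILED",
    "Failed to Parse XML",
    "-2145124329",
]

if __name__ == "__main__":
    for text, info in zip(SAMPLE, triage(SAMPLE)):
        if info is None:
            print(f"{text!r}: no numeric code, use the scan-error table")
        elif info["name"]:
            print(f"{text!r}: {info['hex']} {info['name']} -> reset WUA client")
        else:
            print(f"{text!r}: {info['hex']} ({info['facility']}) -> check reference")
```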

