SCCM logic detects failure for some .Net 2 or 3.5 hotfix although successfully installed

11 Jan

Recently (and previously actually), we had some issues when using SCCM to deploy security updates, specifically for the following KBs, which are for either Microsoft .Net Framework 2 SP2 or Microsoft .Net Framework 3.5 SP1:

  • MS11-100 – KB2656352, KB2657424
  • MS11-078 – KB2572073
  • MS11-044 – KB2518864

So far this has affected some population of Windows XP and Windows 2003 x86 servers.

The issue is that SCCM would offer these hotfixes to the client machines and upon installation it will report “failed”. However, if you install the hotfixes manually, it will say installation was successful. The event log status also reports success. This obviously causes issues, especially if you are using SCCM to track security patch compliance status. Even though the hotfixes were installed on those machines, SCCM will report them as non-compliant. Furthermore, the client machines are offered the same hotfixes again and again.

An investigation by the support team found that the detection logic from WSUS for those patches appears to be flawed or incorrect. The detection logic looks for the following registry keys, along with some file versions, to determine applicability.

HKLM\Software\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 2

But some client machines have the following key instead:

HKLM\Software\Microsoft\Updates\Microsoft .NET Framework 2.0 SP2

After changing this to “Microsoft .NET Framework 2.0 Service Pack 2” and retrying, the update installation completes successfully and the update is reported as installed.

On another server, KB2657424 became applicable and installed after I amended a registry key for .Net 3.5 SP1 from “..\Microsoft .NET Framework 3.5 SP1” to “..\Microsoft .NET Framework 3.5 Service Pack 1”.

So the workaround is to rename the registry keys, but we are not sure what this may impact. Personally, I feel that this is sufficient and should not have too much impact. Nevertheless, this issue is being raised to Microsoft for their comments and further investigation.
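
The check and the workaround above as a PowerShell script, added here as an example and not part of the original post or of any Microsoft tooling. It assumes the 3.5 SP1 key, whose parent the post elides, sits under the same HKLM\Software\Microsoft\Updates parent as the 2.0 SP2 key; the parameter names, the -Fix switch and the backup location are this example's own.

```powershell
# Added example: audit, back up and optionally rename the .NET update keys.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Parent of the 2.0 SP2 key as given in the post. Assumption: the 3.5 SP1
    # key, whose parent the post elides, sits under the same parent.
    [string]$Parent    = 'HKLM:\SOFTWARE\Microsoft\Updates',
    [string]$BackupDir = $env:TEMP,   # hypothetical backup location
    [switch]$Fix                      # without -Fix the script only reports
)

# Name found on affected clients -> name the detection logic looks for.
$map = @{
    'Microsoft .NET Framework 2.0 SP2' = 'Microsoft .NET Framework 2.0 Service Pack 2'
    'Microsoft .NET Framework 3.5 SP1' = 'Microsoft .NET Framework 3.5 Service Pack 1'
}

foreach ($short in $map.Keys) {
    $long      = $map[$short]
    $shortPath = Join-Path $Parent $short
    $hasShort  = Test-Path $shortPath
    $hasLong   = Test-Path (Join-Path $Parent $long)

    if     ($hasShort -and $hasLong) { $state = 'BothPresent' }  # rename would collide
    elseif ($hasShort)               { $state = 'Mismatch' }     # case from the post
    elseif ($hasLong)                { $state = 'Expected' }
    else                             { $state = 'Absent' }

    if ($Fix -and $state -eq 'Mismatch' -and
        $PSCmdlet.ShouldProcess($shortPath, "Rename to '$long'")) {
        # Export the key first so the rename can be reverted.
        $native = $shortPath -replace '^HKLM:', 'HKLM'
        $file   = Join-Path $BackupDir ('{0}-{1:yyyyMMddHHmmss}.reg' -f
                      ($short -replace '[^\w.]', '_'), (Get-Date))
        & reg.exe export $native $file | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Backup of '$native' failed; key left unchanged."
        } else {
            Rename-Item -Path $shortPath -NewName $long -ErrorAction Stop
            $state = 'Renamed'
        }
    }

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; Key = $short; State = $state
    }
}
```

Run it without -Fix to inventory which machines report Mismatch, and with -Fix -WhatIf to preview the rename before applying it.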



Posted by on January 11, 2012 in Windows

