Recently (and previously, in fact), we had some issues when using SCCM to deploy security updates, specifically the following KBs, which are for either Microsoft .NET Framework 2.0 SP2 or Microsoft .NET Framework 3.5 SP1:
- MS11-100 – KB2656352, KB2657424
- MS11-078 – KB2572073
- MS11-044 – KB2518864
So far this has affected a subset of Windows XP and Windows 2003 x86 servers.
The issue is that SCCM offers these hotfixes to the client machines, and upon installation it reports “failed”. However, if you install the hotfixes manually, the installer says the installation was successful, and the event log status also reports success. This obviously causes problems, especially if you are using SCCM to track security patch compliance status: even though the hotfixes are installed on those machines, SCCM reports them as non-compliant. Furthermore, the client machines are offered the same hotfixes again and again.
Investigation by the support team found that the detection logic WSUS uses for these patches appears to be flawed or incorrect. The detection logic checks for the following registry key names (together with some file versions) to determine applicability:
HKLM\Software\Microsoft\Updates\Microsoft .NET Framework 2.0 Service Pack 2
But some client machines have the following key instead:
HKLM\Software\Microsoft\Updates\Microsoft .NET Framework 2.0 SP2
Changing this to “Microsoft .NET Framework 2.0 Service Pack 2” and then retrying the update installation completes successfully, and the update is reported as installed.
On another server, KB2657424 became applicable and installed after I’d amended a reg key for .NET 3.5 SP1 from “..\Microsoft .NET Framework 3.5 SP1” to “..\Microsoft .NET Framework 3.5 Service Pack 1”.
So the workaround is to rename the registry keys, but we are not sure what this may impact. Personally, I feel that this is sufficient and should not have too much impact. Nevertheless, this issue is being raised with Microsoft for their comments and further investigation.
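As an added example (not part of the original post), the following PowerShell script audits a machine for the two abbreviated key names described above and, only when run with -Fix, exports a backup and renames each key to the form the WSUS detection logic expects. It assumes the .NET 3.5 SP1 key lives under the same HKLM\Software\Microsoft\Updates base path as the 2.0 SP2 key (the post elides that path as “..\”), and it refuses to rename when both spellings already exist.

```powershell
# Audit (and optionally repair) the .NET Framework key names under the Updates
# hive so the WSUS detection logic for the affected KBs finds what it expects.
# Report-only by default; run elevated with -Fix to rename.
param([switch]$Fix)

$base = 'HKLM:\Software\Microsoft\Updates'
# Abbreviated name seen on affected clients -> name the detection logic looks for.
# The 3.5 SP1 entry assumes the same base path as the 2.0 SP2 key.
$renames = @{
    'Microsoft .NET Framework 2.0 SP2' = 'Microsoft .NET Framework 2.0 Service Pack 2'
    'Microsoft .NET Framework 3.5 SP1' = 'Microsoft .NET Framework 3.5 Service Pack 1'
}

foreach ($bad in $renames.Keys) {
    $good    = $renames[$bad]
    $badKey  = Join-Path $base $bad
    $goodKey = Join-Path $base $good

    if (-not (Test-Path -LiteralPath $badKey)) {
        Write-Host "OK       : '$bad' not present"
        continue
    }
    if (Test-Path -LiteralPath $goodKey) {
        # Both spellings exist; Rename-Item would fail, so leave this for manual review.
        Write-Warning "CONFLICT : both '$bad' and '$good' exist under $base"
        continue
    }

    Write-Host "MISMATCH : found '$bad', expected '$good'"
    if ($Fix) {
        # Export the key first so the rename can be reverted with 'reg import'.
        $backup = Join-Path $env:TEMP (($bad -replace '[^\w.]', '_') + '.reg')
        Remove-Item -LiteralPath $backup -ErrorAction SilentlyContinue
        reg.exe export "HKLM\Software\Microsoft\Updates\$bad" $backup | Out-Null
        Rename-Item -LiteralPath $badKey -NewName $good
        Write-Host "RENAMED  : '$bad' -> '$good' (backup: $backup)"
    }
}
```

After a rename, trigger a software-update scan on the client and confirm in SCCM that the KB now shows as installed rather than being re-offered.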