Can't Install Cumulative Update 2021-07 on Windows 10 20H2
Due to this PrintNightmare thing we are trying to install the 2021-07 Cumulative update to our systems. We're on Windows 10 20H2. I've downloaded the .msu from Microsoft, but every time I run it, it fails and gives me the error "Windows Modules Installer needs to be updated". If I search for an update for Windows Modules Installer the only thing Microsoft seems to have is for Windows 7 and Windows 8. I also read that the error could be because of Servicing Stack needing an update. I checked the Microsoft update catalog and there is only one thing for ver 20H2 and when I try to run it, it tells me the version is incompatible. Any ideas on how I can make this thing work?
Some additional info:
- Due to most people teleworking random hours during the pandemic we have not been pushing out any Windows Cumulative Updates. We're using new laptops where the initial image was created mid-2020, but we're still several months out of date so if there are any pre-requisite updates for the 07 cumulative then we're probably missing them.
- I have tried to push the 2020-07 cumulative update via KACE but it fails and shows deployment error code 2148468771,0x800F0823. I can't find anything for the first number, but the second code seems to be for the servicing stack requiring an update. I tried to run the servicing stack update via KACE but it doesn't seem to have pushed anything (again, I'm having trouble finding the correct update, if there is one, for ver 20H2).
- We push out all updates using KACE so we have the Windows Update service disabled by default. I don't think this was an issue in the past in terms of pushing Windows updates via KACE, but it's been so long that I can't remember. I have to manually re-enable it in order to run the .msu files, but I still get the above error.
Any help or advice is much appreciated!!
Answers (3)
I ran into a similar issue on Windows 10 version 1809 and had to update the SSU, reboot, then apply the patch. It's definitely cumbersome, but depending on how critical it is (for us it was to mitigate the PrintNightmare vulnerability, so pretty urgent) it's worthwhile. We were able to download the SSU from Microsoft's Update catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4598481 - Hope this helps
How many systems are exhibiting this behavior?
What happens if you manually initiate Windows update on the device via control panel, what updates are installed?
If this is workstations we're talking about, I would suggest doing something like pushing out the registry policy to disable remote inbound printing as a stopgap for preventing the RCE until devices are fully patched.
On a side note: As Microsoft has documented, the patch alone isn't enough. You need to make sure that you do not have any local or domain policies on systems that override the default point to print security settings.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
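An added example, not part of the original answers: a read-only PowerShell audit of the two things the answer above mentions, the inbound remote printing stopgap and policies that override the default Point and Print settings. It assumes the registry value names from Microsoft's CVE-2021-34527 guidance under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers`; the helper name `Get-PolicyValue` is hypothetical.

```powershell
# Audit only: reads policy registry values, changes nothing.
# Assumption: policies are delivered under this key (local or domain GPO).
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnp      = Join-Path $printers 'PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent ("not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$checks = @(
    # Point and Print: 0 or not defined keeps the default prompts in place.
    [pscustomobject]@{ Path = $pnp; Name = 'NoWarningNoElevationOnInstall'; Safe = @($null, 0) }
    [pscustomobject]@{ Path = $pnp; Name = 'UpdatePromptSettings';          Safe = @($null, 0) }
    # Stopgap: 2 means the spooler does not accept inbound remote connections.
    [pscustomobject]@{ Path = $printers; Name = 'RegisterSpoolerRemoteRpcEndPoint'; Safe = @(2) }
)

$results = foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $c.Name
        Data     = if ($null -eq $v) { '(not set)' } else { $v }
        Status   = if ($c.Safe -contains $v) { 'OK' } else { 'REVIEW' }
    }
}

# Spooler state is reported for context; a stopped and disabled spooler
# makes the policy values above moot on that machine.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -ne $spooler) {
    $results += [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = 'Spooler service'
        Data     = "$($spooler.Status) / $($spooler.StartType)"
        Status   = 'INFO'
    }
}

$results | Format-Table -AutoSize
```

A `REVIEW` on `RegisterSpoolerRemoteRpcEndPoint` only means the stopgap is not applied on that machine; a `REVIEW` on either Point and Print value means a policy is overriding the default prompts.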
I ran into a similar issue where Servicing Stack Updates (SSU) were missing. Without the correct SSU or certificate, KACE will not detect later updates as applicable until the SSU is installed, because the servicing stack is a prerequisite. This can be a problem getting a PC up to date if it's old or far out of date.
Somewhere online I read that the SSU basically updates Windows Update components so new updates can be installed.