[prev in list] [next in list] [prev in thread] [next in thread]
List: patchmanagement
Subject: RE: [patchmanagement] Anyone seeing Endless repair loops on Win10 Pro PC's from updates?
From: "Deaton, Doug" <DDeaton () viresorts ! com>
Date: 2017-06-30 18:46:17
Message-ID: f8eb187cbf474ce9acb0f833efa775c5 () mail16 ! vtsresorts ! com
[Download RAW message or body]
[Attachment #2 (text/plain)]
John,
Agree with your findings. Same thing we found, and same thing Ivanti/Shavlik \
mentioned about mistakenly allowing both patches to come out in the XML file. We \
could never get into a broken machine until we reset is, so forensics weren't of much \
use. I can assure you though that we have done a full survey of all of our machines \
both local and remote to verify system restore is on, with 5% drive space available, \
and created new restore points on all. Sadly a lot of machine had it turned off. Went \
from a 20 minute fix to 2+ hrs. per machine. Took a lot of work and we only have 350+ \
machines. Pity anyone with more and I know there are folks out here with a whole \
bunch more than I have.
Doug Deaton, MCSE
Network Administrator
Vacation Internationale, Inc.
425-454-3065 xt 1212
From: John Bailey [mailto:rekkanoryo@rekkanoryo.org]
Sent: Friday, June 30, 2017 8:54 AM
To: Patch Management Mailing List
Subject: Re: [patchmanagement] Anyone seeing Endless repair loops on Win10 Pro PC's \
from updates?
So as an update to this...
The registry entries below did not exist on my trouble boxes. I assume this is \
because I was in recovery mode, not safe mode--I couldn't get to any form of safe \
mode, only to the recovery options. However, creating the Exclusive value with a \
value of 0 and TotalSessionPhases with a value of 1 allowed dism (operating with \
/image:D:\ as this is where recovery mounted the windows drive) to finish the revert \
pending actions task without error. However, this didn't help. The machines were \
still unbootable. My only recourse was a "reset" or a reinstall. Thankfully the \
last two machines were ones I could test and attempt to break again to find a root \
cause.
I was able to determine that the cause of these repair loops was my own stupidity. \
In Ivanti Patch (formerly known as Shavlik Protect--hey, by the way can we PLEASE \
quit renaming this thing every two years?!) when I deployed June patches, I didn't \
pay enough attention to what appeared. The scan results I used to deploy to these \
machines was conducted on 2017-06-14 at 14:27:11 UTC using the then-current XML \
definitions. In the scan results, KB4022715 (also shown with Shavlik's artificial \
MS17-06-W10 bulletin ID) appeared twice for the 1607 systems, marked as missing both \
times. One had the file name Windows10.0-RS1-KB4022715-x64.msu and the other had the \
file name Windows10.0-RS1-KB4022715-x64_delta.msu. When I deployed the outstanding \
patches, I simply chose to "Deploy all missing patches" which installed both the \
delta and non-delta versions of the update. Both of these update packages installing \
is what killed the machines.
I rebuilt one of the machines to the exact state it was in before deploying June's \
patches to verify, and sure enough, deploying both the delta and non-delta packages \
reliably bricks the machine (confirmed twice). Conducting a fresh scan in Ivanti \
Patch on a machine in the same state as when I conducted the original scan, however, \
now does not show the delta update in the list of outstanding patches and lists only \
the non-delta package, and deploying all missing patches from this scan result leaves \
me with a machine that's actually functional.
So, lesson learned the hard way--make sure I'm not deploying two versions of the same \
patch at the same time. This gets messy fast.
On the bright side, this has allowed me to accelerate my rollout of 1703 to all my \
Windows 10 machines (I have a grand total of nine, with one left to upgrade), so I \
guess it's saving me time next month.
John
On Fri, Jun 16, 2017 at 5:01 PM, Deaton, Doug \
<DDeaton@viresorts.com<mailto:DDeaton@viresorts.com>> wrote: Thanks Chris. We can't \
get to safe mode. We can do command prompt,system restore and PC reset. Will give it \
a shot. Appreciate the continuing assistance.
Sent from my T-Mobile 4G LTE Device
-------- Original message --------
From: "Thelen, Chris" <Chris.Thelen@dawnfoods.com<mailto:Chris.Thelen@dawnfoods.com>>
Date: 6/16/17 1:59 PM (GMT-08:00)
To: Patch Management Mailing List \
<patchmanagement@listserv.patchmanagement.org<mailto:patchmanagement@listserv.patchmanagement.org>>
Subject: RE: [patchmanagement] Anyone seeing Endless repair loops on Win10 Pro PC's \
from updates?
Ok, for that error, the main cause of that is a registry entry that is stuck and \
needs to be changed.
Its been years since I've done this, but you can edit the registry files from command \
line. Though first I would try booting to safe mode if you haven't already. Here is \
the registry entry that needs to be changed. Change the "Exclusive"=dword:00000003 \
to "Exclusive"=dword:00000000, then try booting again and the dism command if still \
no boot. Hopefully this works for you guys.
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component \
Based Servicing\SessionsPending] "Exclusive"=dword:00000003
"TotalSessionPhases"=dword:00000001
This message (including any attachments) is intended only for the use of the \
individual or entity to which it is addressed and may contain information that is \
non-public, proprietary, privileged, confidential, and exempt from disclosure under \
applicable law or may constitute as attorney work product. If you are not the \
intended recipient, you are hereby notified that any use, dissemination, \
distribution, or copying of this communication is strictly prohibited. If you have \
received this communication in error, notify us immediately by telephone and (i) \
destroy this message if a facsimile or (ii) delete this message immediately if this \
is an electronic communication.
---
PatchManagement.org is hosted by Shavlik
The content on the email list is intended for assisting administrators. If you would \
like to use any of this content in a blog or media publication, please contact the \
owners of the list for approval.
To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement@patchmanagement.org
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.gmail-
{mso-style-name:gmail-;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">John,<o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Agree \
with your findings. Same thing we found, and same thing Ivanti/Shavlik mentioned \
about mistakenly allowing both patches to come out in the XML file. We could never \
get into a broken machine until we reset is, so forensics weren't of much use. I can \
assure you though that we have done a full survey of all of our machines both local \
and remote to verify system restore is on, with 5% drive space available, and \
created new restore points on all. Sadly a lot of machine had it turned off. Went \
from a 20 minute fix to 2+ hrs. per machine. Took a lot of work and we only have \
350+ machines. Pity anyone with more and I know there are folks out here with a \
whole bunch more than I have. <o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Doug \
Deaton, MCSE<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Network \
Administrator<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Vacation \
Internationale, Inc.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">425-454-3065 \
xt 1212<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> John \
Bailey [mailto:rekkanoryo@rekkanoryo.org] <br>
<b>Sent:</b> Friday, June 30, 2017 8:54 AM<br>
<b>To:</b> Patch Management Mailing List<br>
<b>Subject:</b> Re: [patchmanagement] Anyone seeing Endless repair loops on Win10 Pro \
PC's from updates?<o:p></o:p></span></p> <p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">So as an update to this...<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The registry entries below did not exist on my trouble \
boxes. I assume this is because I was in recovery mode, not safe mode--I \
couldn't get to any form of safe mode, only to the recovery options. However, \
creating the Exclusive value with a value of 0 and TotalSessionPhases with a value \
of 1 allowed dism (operating with /image:D:\ as this is where recovery mounted the \
windows drive) to finish the revert pending actions task without error. \
However, this didn't help. The machines were still unbootable. My only \
recourse was a "reset" or a reinstall. Thankfully the last two \
machines were ones I could test and attempt to break again to find a root \
cause.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I was able to determine that the cause of these repair loops was \
my own stupidity. In Ivanti Patch (formerly known as Shavlik Protect--hey, by \
the way can we PLEASE quit renaming this thing every two years?!) when I deployed \
June patches, I didn't pay enough attention to what appeared. The scan results \
I used to deploy to these machines was conducted on 2017-06-14 at 14:27:11 UTC using \
the then-current XML definitions. In the scan results, KB4022715 (also shown \
with Shavlik's artificial MS17-06-W10 bulletin ID) appeared twice for the 1607 \
systems, marked as missing both times. One had the file name \
Windows10.0-RS1-KB4022715-x64.msu and the other had the file name \
Windows10.0-RS1-KB4022715-x64_delta.msu. When I deployed the outstanding \
patches, I simply chose to "Deploy all missing patches" which installed \
<i>both</i> the delta and non-delta versions of the update. Both of these \
update packages installing is what killed the machines.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I rebuilt one of the machines to the exact state it was in \
before deploying June's patches to verify, and sure enough, deploying both the delta \
and non-delta packages reliably bricks the machine (confirmed twice). \
Conducting a fresh scan in Ivanti Patch on a machine in the same state as when I \
conducted the original scan, however, now does not show the delta update in the list \
of outstanding patches and lists only the non-delta package, and deploying all \
missing patches from this scan result leaves me with a machine that's actually \
functional.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So, lesson learned the hard way--make sure I'm not deploying two \
versions of the same patch at the same time. This gets messy \
fast.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On the bright side, this has allowed me to accelerate my rollout \
of 1703 to all my Windows 10 machines (I have a grand total of nine, with one left to \
upgrade), so I guess it's saving me time next month.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Fri, Jun 16, 2017 at 5:01 PM, Deaton, Doug <<a \
href="mailto:DDeaton@viresorts.com" target="_blank">DDeaton@viresorts.com</a>> \
wrote:<o:p></o:p></p> <div>
<div>
<p class="MsoNormal">Thanks Chris. We can't get to safe mode. We can do command \
prompt,system restore and PC reset. Will give it a shot. Appreciate the continuing \
assistance.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="gmail-m_-2411990163903772187composer_signature">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#575757">Sent from my \
T-Mobile 4G LTE Device<o:p></o:p></span></p> </div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">-------- Original message --------<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">From: "Thelen, Chris" <<a \
href="mailto:Chris.Thelen@dawnfoods.com" \
target="_blank">Chris.Thelen@dawnfoods.com</a>> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Date: 6/16/17 1:59 PM (GMT-08:00) <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">To: Patch Management Mailing List <<a \
href="mailto:patchmanagement@listserv.patchmanagement.org" \
target="_blank">patchmanagement@listserv.patchmanagement.org</a>> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Subject: RE: [patchmanagement] Anyone seeing Endless repair \
loops on Win10 Pro PC's from updates? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Ok, \
for that error, the main cause of that is a registry entry that is stuck and needs to \
be changed.</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Its \
been years since I've done this, but you can edit the registry files from command \
line. Though first I would try booting to safe mode if you haven't \
already.</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Here \
is the registry entry that needs to be changed. Change the \
"Exclusive"=dword:00000003 to "Exclusive"=dword:00000000, then \
try booting again and the dism command if still no boot. Hopefully this works \
for you guys.</span><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:27.0pt;line-height:125%;background:white">
<span style="font-size:10.0pt;line-height:125%;font-family:Symbol;color:#333333"> \
·</span><span style="font-size:7.0pt;line-height:125%;color:#333333">
</span><i><span style="font-size:10.0pt;line-height:125%;font-family:"Segoe \
UI","sans-serif";color:#333333">[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component \
Based Servicing\SessionsPending]</span></i><o:p></o:p></p> <p class="MsoNormal" \
style="mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:27.0pt;line-height:125%;background:white">
<i><span style="font-size:10.0pt;line-height:125%;font-family:"Segoe \
UI","sans-serif";color:#333333">"Exclusive"=dword:00000003</span></i><o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:27.0pt;line-height:125%;background:white">
<i><span style="font-size:10.0pt;line-height:125%;font-family:"Segoe \
UI","sans-serif";color:#333333">"TotalSessionPhases"=dword:00000001</span></i><o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" \
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><o:p> </o:p></p> \
</div> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p>This message (including any attachments) is intended only for the use of the \
individual or entity to which it is addressed and may contain information that is \
non-public, proprietary, privileged, confidential, and exempt from disclosure under \
applicable law or may constitute as attorney work product. If you are not the \
intended recipient, you are hereby notified that any use, dissemination, \
distribution, or copying of this communication is strictly prohibited. If you have \
received this communication in error, notify us immediately by telephone and (i) \
destroy this message if a facsimile or (ii) delete this message immediately if this \
is an electronic communication.</p> </body>
</html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic