Windows update KB2267602 keeps reinstalling causing loop.

[GDMTT]

SUMMARY

There is currently an issue with KB2267602 where it installs and then shows up as available to install again and no matter how many times it's installed it is still listed as available for install. This has the effect of causing win update to loop, which blocks the progress in the job.

ISSUE TYPE

• Bug Report

COMPONENT NAME

win update

ANSIBLE VERSION

bash-5.1$ ansible --version
ansible [core 2.15.2rc1]
config file = None
configured module search path = ['/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
ansible collection location = /runner/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.9.17 (main, Jun 26 2023, 00:00:00) [GCC 11.4.1 20230605 (Red Hat 11.4.1-2)] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
bash-5.1$

##### COLLECTION VERSION
# /usr/share/ansible/collections/ansible_collections
Collection              Version
----------------------- -------
amazon.aws              6.2.0  
ansible.posix           1.5.4  
ansible.windows         2.0.0  
awx.awx                 22.5.0 
azure.azcollection      1.16.0 
community.vmware        3.8.0  
google.cloud            1.2.0  
kubernetes.core         2.4.0  
openstack.cloud         2.1.0  
ovirt.ovirt             3.1.2  
redhatinsights.insights 1.0.7  
theforeman.foreman      3.12.0 

note ansible-galaxy collection list community.general returns nothing. 

##### CONFIGURATION
ash-5.1$ ansible-config dump --only-changed
CONFIG_FILE() = None
bash-5.1$ 

##### OS / ENVIRONMENT
AWX 22.3.0
AWX-EE (latest)

##### STEPS TO REPRODUCE
Playbook used:
---
 - hosts: all
   serial:
     - 5
   tasks:
   - name: Ping host to wake up
     ansible.windows.win_ping:

   - name: Check for missing updates
     win_updates:
       state: searched
     register: update_results

   - name: report update results
     debug:
       msg: |
         {% for k in update_results.updates %}
         {{ update_results.updates[k].title }}
         {% endfor %}         

   - name: Apply Security, Critical updates, Update Rollups log to C:\ansible_wu.txt
     ansible.windows.win_updates:
       category_names:
         - SecurityUpdates
         - CriticalUpdates
         - UpdateRollups
         - Updates
         - DefinitionUpdates
         - MicrosoftDefenderAntivirus
       reboot: yes
       log_path: C:\ansible_wu.txt

   - name: Check for missing updates
     win_updates:
       state: searched
     register: update_results

   - name: report update results
     debug:
       msg: |
         {% for k in update_results.updates %}
         {{ update_results.updates[k].title }}
         {% endfor %}         

and when there is a windows KB that is always showing as avalible for install even when it is installed , in this case KB2267602

##### EXPECTED RESULTS
TASK [Apply Security, Critical updates, Update Rollups log to C:\ansible_wu.txt] ***
<VTest1.domain.LOCAL> Running win_updates - round 1
<VTest1.domain.LOCAL> Running win_updates - round 2
<VTest1.domain.LOCAL> Running win_updates - round 3
<VTest1.domain.LOCAL> Running win_updates - round 4
<VTest1.domain.LOCAL> Running win_updates - round 5
<VTest1.domain.LOCAL> Running win_updates - round 6
<VTest1.domain.LOCAL> Running win_updates - round 7
<VTest1.domain.LOCAL> Running win_updates - round 8
<VTest1.domain.LOCAL> Running win_updates - round 9
<VTest1.domain.LOCAL> Running win_updates - round 10
<VTest1.domain.LOCAL> Running win_updates - round 11
<VTest1.domain.LOCAL> Running win_updates - round 12
<VTest1.domain.LOCAL> Running win_updates - round 13
<VTest1.domain.LOCAL> Running win_updates - round 14


##### ACTUAL RESULTS
The job is blocked but the install loop until its canceled. 

[jborean93]

Are you able to share the Windows OS version you are running with? I've just been able to replicate it on Server 2016 with Update KB2267602 and KB4052623 (once I manually updated the defender definitions). Unfortunately Windows Updates through the GUI gets stuck in this loop as well. We can certainly not continuously loop through the updates if this is detected but I'm not sure if we can solve the underlying problem.

[GDMTT]

agreed the underlying issues is the update and that's on Microsoft, but avoiding a situation where this blocks the job from progress would be better and rather warn of failed on the affected server.

Thanks for the work on #536 when is the next release scheduled ?

[jborean93]

Thanks for the work on #536 when is the next release scheduled ?

As soon as I find a satisfactory solution to this issue and the other endless looping problem :)

[jborean93]

Ok this is going to be a brain dump because it's the end of the day and I need to write this down. The KB 2267602 is the Defender engine or virus definition update and while the KB stays the same the update itself changes multiple times a day. The log file C:\Windows\TEMP\MpSigStub.log has been helpful in this case to figure out what is happening.

From what I've seen Windows Updates fails to install the update on the first round with

mpengine.dll version in package is 1.1.23070.1005, but after update machine has older version 1.1.12805.0
ERROR 0x8007051a : One or more of the packages found failed to update for Microsoft Windows Defender (RS1+).
ERROR 0x8007051a : 'Microsoft Windows Defender (RS1+)' failed to update.

                         Watson Report:                     Position:
                HRESULT: 0x8007051a                         P1
         FailedFunction: ValidateUpdate                     P2
              Operation: NIS Engine and Base,Engine only    P3
 SourceComponentVersion: 1.1.23080.1001,1.1.23070.1005      P4
    SourceComponentName: mpsigstub.exe                      P5
         ProductVersion: 4.10.14393.4651                    P6
            ProductName: Microsoft Windows Defender (RS1+)  P7

ERROR 0x8007051a : MpSigStubMain

Subsequent rounds and WUA thinks it has been installed but in the background the MpSigStub.exe that this update has spawned is still running and fails around 1-2 minutes later with

============================== AccumulatePackages ==============================

PackageName: C:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe
PackageName: C:\Windows\SoftwareDistribution\Download\Install\AM_Base.exe
ERROR 0x800705b4 : AccumulatePackages

What is interesting is that version of the update when it fails doesn't seem to match up with the version on https://www.microsoft.com/en-us/wdsi/defenderupdates but when they do line up WUA seems to be able to install the update just fine.

What is even more interesting is that the commands on that page seem to work just fine when WUA does not. So as a workaround I'm going to have the code run that on a failure as a fallback option and check the error code.

cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate

I still need to put in a solution so that an install loop can't happen but this seems promising to get this tricky update to install without an error.

[jborean93]

I've opened the PR #542 which includes a workaround for getting this installed using MpCmdRun.exe in case WUA fails. It also includes a fix to ensure it doesn't endlessly loop like it did before.