Unable to install the July 2021 Cumulative Update KB5004946 on Windows 10 1909 Professional for PrintNightmare

Question

Unable to install the July 2021 Cumulative Update KB5004946 on Windows 10 1909 Professional for PrintNightmare

Richard Roati 31

Hi There,
I am unable to install the July 2021 Cumulative Update KB5004946 on Windows 10 1909 Pro after downloading and installing from the Microsoft Catalog. The update completes and prompts for a reboot. The computer reboots, gets to 98% complete, and then rolls back the update. This is the update needed to resolve the "PrintNightmare" vulnerability that is in the news. In WSUS, this update shows as "Not Applicable," even though it clearly is applicable.
This is the same behavior that we saw with the June 2021 Cumulative Update KB5003635 on Windows 10 1909. It too rolled back after reaching 98% after the reboot. It too shows as "Not Applicable" in WSUS.
If these updates are flagged to only work on Windows 10 1909 Enterprise, that would explain the behavior.
Microsoft has released a similar "PrintNightmare" fix for Windows 7, but somehow doesn't appear to be able to test this important security update on Windows 10 1909 Pro?
Where is the testing for security updates at Microsoft?
Please fix this ASAP.
Thank you!
Thanks,
Richard Roati

David Frederick 21 Reputation points

2021-07-08T01:34:15.537+00:00

We are running into the same problem. The update seems to be applying to other Windows 10 builds that we have, but not to 1909 even though the update is in the WSUS catalog.
Thakkar, Sneh 1 Reputation point

2021-07-09T19:58:25.113+00:00

We are in the same boat. We are also in the middle of upgrading our Win10 fleet to 20H2, but this is a critical vuln that needs to be patched ASAP, so we cannot wait for endpoints to upgrade to 20H2 since its a more disruptive upgrade and needs to be communicated properly.
NkCX 36 Reputation points

2021-07-12T16:40:07.127+00:00

Similar boat here: It appears that the latest update which can install without issue on Windows 10 1809 Ent is the April one, making the possibility of installing the print nightmare OoB update impossible. Are there any moves to rectify this, and also to extend to those with 10 Pro 1809 (as there are a few in the estate also)
SaigonBoy 1 Reputation point

2021-07-14T15:43:21.1+00:00

MS just released KB5004946 & KB5004245 for v1909, and Windows 10 1909 failed to install upon reboot the computer. It had to undo the installation.
Any one has this problem. One of our app function on 1909 normally, but not 20H2 and 21H1. So, we dont want to upgrade them yet.
Richard Roati 31 Reputation points

2021-07-14T15:47:44.907+00:00

I had the same issues with this week's updates for 1909 on 1909 Pro , thanks, Saigon. Does anyone know how to edit patches to remove the checks for the version? Perhaps an MSI editor would do the trick? It is frustrating to find WSUS Updates in my WSUS server that will not install, and an MSI editor might resolve the issue.
Ed Med 1 Reputation point

2021-08-01T21:02:58.667+00:00

Same problem with my machines except all are 20h2 pro's. Win update will install all but CU and this happens on a regular basis. None of MS tricks/workarounds work and I am done with delete and reinstall

5 answers

Your answer

David Frederick 21 Reputation points

2021-07-08T01:34:15.537+00:00

We are running into the same problem. The update seems to be applying to other Windows 10 builds that we have, but not to 1909 even though the update is in the WSUS catalog.
Thakkar, Sneh 1 Reputation point

2021-07-09T19:58:25.113+00:00

We are in the same boat. We are also in the middle of upgrading our Win10 fleet to 20H2, but this is a critical vuln that needs to be patched ASAP, so we cannot wait for endpoints to upgrade to 20H2 since its a more disruptive upgrade and needs to be communicated properly.
NkCX 36 Reputation points

2021-07-12T16:40:07.127+00:00

Similar boat here: It appears that the latest update which can install without issue on Windows 10 1809 Ent is the April one, making the possibility of installing the print nightmare OoB update impossible. Are there any moves to rectify this, and also to extend to those with 10 Pro 1809 (as there are a few in the estate also)
SaigonBoy 1 Reputation point

2021-07-14T15:43:21.1+00:00

MS just released KB5004946 & KB5004245 for v1909, and Windows 10 1909 failed to install upon reboot the computer. It had to undo the installation.
Any one has this problem. One of our app function on 1909 normally, but not 20H2 and 21H1. So, we dont want to upgrade them yet.
Richard Roati 31 Reputation points

2021-07-14T15:47:44.907+00:00

I had the same issues with this week's updates for 1909 on 1909 Pro , thanks, Saigon. Does anyone know how to edit patches to remove the checks for the version? Perhaps an MSI editor would do the trick? It is frustrating to find WSUS Updates in my WSUS server that will not install, and an MSI editor might resolve the issue.
Ed Med 1 Reputation point

2021-08-01T21:02:58.667+00:00

Same problem with my machines except all are 20h2 pro's. Win update will install all but CU and this happens on a regular basis. None of MS tricks/workarounds work and I am done with delete and reinstall

Answer 1

Jenny Feng 14,276

@Richard Roati
Hi,
Thank you for your feedback,
Microsoft has now started rolling out out-of-band Windows updates to remedy a PrintNightmare security bug affecting all supported versions of Windows 10.

For those using Windows 10 version 1909 (November 2019 Update), they should be getting KB5004946 and this patch will also install automatically depending on update policies.
This update will automatically sync with WSUS if you configure Products and Classifications as follows:
Product: Windows 10, version 1903 and later
Classification: Security Updates

If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Hope above information can help you.

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread

Bruce MacLeod 1 Reputation point

2021-07-08T15:57:50.07+00:00

The KB5004946 patch got to 99% complete, indicated that the install could not be completed, and backed out. The link shown above to see FAQs and workarounds above (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) shows '404 ~ Not Found'. Apparently the servers are down for maintenance. Is the information available anywhere else?
Richard Roati 31 Reputation points

2021-07-08T16:15:12.737+00:00

Hi Jenny,
Sorry, but you are incorrect. The KB5004946 patch will not install on Windows 10 1909 Professional, as Bruce notes below, David notes above, and I have stated as well. Likely it will install on Windows 10 1909 Enterprise, but I don't have any of those. This despite the fact that the patch shows up in my WSUS. Can MS provide the same support for Windows 10 1909 Professional as it is providing for Windows 7 and Windows 10 1607 Professional? Can MS test KB5004946 on Windows 10 1909 Professional and let us know what they find?
Thanks,
Richard Roati
Jenny Feng 14,276 Reputation points

2021-07-09T07:23:17.163+00:00

Hi,
The Out of support product, like Windows 10 1607 SAC or Windows 10 1809 SAC cannot install the security update. While Windows 10 1607/1809 LTSC can install the security update because they are still in the lifecycle.
We have a clear public document here:
Windows 10 - release information | Microsoft Learn

Windows 10 1909 Professional has end of service, I will watching closely to this issue.
If there is any related update, I will let you know.
Richard Roati 36 Reputation points

2021-07-09T18:11:04.587+00:00

Thank you, Jenny. I hope you will forward this conversation to the same folks at Microsoft who prepared the update for Windows 7. We believe that if the flag for requiring Windows 10 1909 Enterprise were removed or modified, this update would work on Windows 10 1909 Pro and maybe Home as well. This would allow Windows 10 1909 to get the same consideration given to Windows 7 for this important update. Thank you for passing along this request!
Sincerely,
Richard Roati
Robert Rice 6 Reputation points

2021-07-12T20:46:31.02+00:00

For those of us not using WSUS, how do we deploy it?
Manually updating 1,000's of machines is out of the question.
All testing fails at 98%.

So the bigger question is, what is Microsoft going to do for those machines that are 1909 or 1809 that can't be upgraded right now for various reasons?
The only Windows 7 machines that should be getting the patch are the ones with the EOS licenses. Do we have to buy a special license for the EOL Windows 10?
Jenny Feng 14,276 Reputation points

2021-07-14T09:22:11.197+00:00

Hi,
Windows 7 and Windows Server 2008 R2 have reached the end of mainstream support and are now in extended support.
Customers who have purchased the Extended Security Update (ESU), it is supported.
If they do not have an ESU, they will receive the error on a device that is running an edition that is not supported for ESU.
This update cannot currently be installed in the end of support version.

I could understand your existing mode, I will submit this to Microsoft via our channel.

Answer 2

Pierre-Luc Giguere 1,076

Hi RichardRoati,

REMINDER Windows 10, version 1909 reached end of service on May 11, 2021 for devices running the Home, Pro, Pro for Workstation, Nano Container, and Server SAC editions. After May 11, 2021, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10

We will continue to service the following editions: Enterprise, Education, and IoT Enterprise.

Source: https://support.microsoft.com/en-us/topic/july-6-2021-kb5004946-os-build-18363-1646-out-of-band-18c5ffac-6015-4b3a-ba53-a73c3d3ed505
And
https://support.microsoft.com/en-us/topic/june-8-2021-kb5003635-os-build-18363-1621-2cc248e5-ca5f-4f51-bce4-004d6863e4cd

Richard Roati 31 Reputation points

2021-07-07T21:13:17.79+00:00

Hi Pierre,
You are correct of course, but Microsoft released a July 2021 "PrintNighmare" patch for Windows 7, and Windows 7 has been End of Life for a year and a half. Also, Microsoft made 1909 end of life earlier than any other build of Windows 10. Three builds were made end of life in May, something that has never been done before. Windows 10 1607 is still supported. We are still struggling to build a 20H2 Upgrade that will succeed. Can 1909 receive the same level of support as Windows 7 or 1607?
Thanks,
Richard
Bimal Kumar Das 1 Reputation point

2021-07-13T09:48:12.933+00:00
Hi Richard,

can i upgrade to windows 10 version 20h2 or later version from version 1909 with using iso.

please suggest if its possible by installing kb patches manually.

Thanks

List item
Skeeter 1 Reputation point

2021-07-27T21:39:23.497+00:00

It is not end of service for Enterprise editions. I don't see the update showing up in SCCM anymore either. 1909 is supported.
Sascha Oetiker 1 Reputation point

2021-08-10T11:48:19.44+00:00

i have the same problem, but i have Win10 1809 Enterprise...since Cumulative Update 06 i cant install because no Win10 is needing it from WSUS point of view...

Thxs

Sascha
js2010 191 Reputation points

2021-08-10T12:56:12.9+00:00

1809 can't be patched for print nightmare unless it's the LTSB version. The docs and error messages are confusing and unclear. You'll have to feature update. It may go to version 1903, in which case you'll have to feature update a second time to a supported version like 1909 or above.

Answer 3

NkCX 36

Will Microsoft create a single KB update (rather than CU) for those unsupported OSes?

Answer 4

Dirk Ameling 1

Hello,

@1st, my english ist not very well...

We have the same Problem here, but we use Enterprise (N) Windows 10. All Windows 1809 stops apply CU Updates at 2021-05. The WSUS Status Report shows the updates as not applicable. The manual Installation ends in a rollback.

So, it seems there is a bug anywhere.

Greets
Dirk

Richard Roati 36 Reputation points

2021-07-16T13:49:18.937+00:00

Thank you very much for this information, Dirk. So, Microsoft is supplying "Print Nightmare" security updates for Windows 7, but confirmed so far the supplied update is not working for Windows 10 1809 Enterprise and Windows 10 1909 Pro. Very interesting. MS, please help.
Thanks,
Richard

Answer 5

M L 6

We are experiencing similar issues initially with 1809 Enterprise. KB5004947 would install and require a reboot, however during boot up it would report that it couldn't complete the update and proceeds to undo the changes. From what we could see from the Event Viewer it was returning a 0x800F0922 error.

We were initially also able to roll-out KB5004946 for 1909 but after we had released KB5004245 in our environment KB5004946 is no longer able to install with a 0x80240017 error. We manage a few thousand machines still operating 1809 and 1909 and we cannot afford to simply upgrade to the latest Enterprise builds due to the nature of our operation, and many of our staff use specialized software that requires very careful planning and validation before upgrading platforms.

We are seeking an effective solution that can be deployed centrally and not require any user interaction. We can be reached at the email registered in this profile.

Thank you

TWolf 1 Reputation point

2021-07-22T15:34:15.927+00:00

We are experiencing similar issues initially with 1809 Enterprise. KB5004947 would install and require a reboot, however during boot up it would report that it couldn't complete the update and proceeds to undo the changes. From what we could see from the Event Viewer it was returning a 0x800F0922 error.

This is the same issue I am running into on several of my systems. I am running the .msu file directly on the machine. The installation says it has finished and needs to be rebooted but as the machine is rebooting windows says the update failed to install and the changes are being undone. Error Code 0x800F0922.

Anyone have a solution?
John Wolf 1 Reputation point

2021-07-25T20:09:10.42+00:00

Hello TWolf,

Ive just upgraded 305 Servers, with KB5004244, worked on all, exept one. Same behavior, it installed, is visible under Add/Remove Programs, after the Reboot, Server 2019 does a Rollback.

kind regards
John
js2010 191 Reputation points

2021-08-04T19:27:53.927+00:00

Agree. Monthly cumulative updates for 1809 appear broken after May 2021, with error 0x800f0922. After that windows update tries to feature update to version 1903, which is unsupported. Then it finally feature updates to 20h2.

1999 june 8 not work KB5003646
2028 june 15 not work KB5003703
2029 july 6 not work KBKB5004947- print nightmare patch
M L 6 Reputation points

2021-08-04T19:38:39.443+00:00

After some further reading, we determined the cause was that updates released after May 11, 2021 were no longer applicable to Windows 10 1809 Enterprise (https://learn.microsoft.com/en-us/lifecycle/announcements/windows-10-1803-1809-end-of-servicing). So we're forced to accelerate our environment to at least be at 1909 to continue receiving security updates.

As for the issue with KB5004946 for 1909, turns out the monthly roll-up KB5004245 supersedes KB5004946 as it includes the fixes in the latter and makes it no longer applicable.

Hope this helps.
js2010 191 Reputation points

2021-08-04T19:45:49.393+00:00

This explains what's happening. And yet there's a print nightmare patch posted for 1809 on July 16th KB5004947. Isn't 1809 still supported for enterprise? Why are there several July monthly updates if it's not supported anymore?

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
M L 6 Reputation points

2021-08-04T19:53:11.087+00:00

Not Enterprise, the CVE doesn't really specify which flavor of 1809 it supports, but if you go to the Update History for 1809, anything past KB5003171 only applies to LTSC versions. https://support.microsoft.com/en-us/topic/may-11-2021-kb5003171-os-build-17763-1935-3f03e74b-4759-4ca3-b9f1-4bc0d5ab5d27

The info was not obvious at first glance, but unfortunately, it's indeed there.

Share via

Unable to install the July 2021 Cumulative Update KB5004946 on Windows 10 1909 Professional for PrintNightmare

5 answers

Your answer