Windows Update/ Automatic Update Failing - for some

We appear to be having the a problem here on a number of clients (though
not all clients). Users (who are administrators of their local machines
through
domain group membership) are unable to install the last set of updates. Our
workaround has been to log into the machine as a domain administrator and
run windows update/ automatic update (either) and the updates will install.
I have listed errors from log files below. Having google'd the issue as
well I found suggestions to check security policy settings comparing local
settings to effective settings - everything checks out here (and we are not
currently using any non-default group policy). Installing any update(s)
alone also fails with the same error. Any help would be greatly appreciated
as it is not possible to log into client computers as domain admins if they
are off-site and we would obviously like to find a cause so that the
situation can be avoided in the future.

Thanks to all of you!

FROM KB873333.log
0.070: 2005/02/25 10:31:03.696 (local)
0.070: c:\e1e07c4741b397d55d08\update\update.exe (version 5.5.33.0)
0.070: Failed To Enable SE_SECURITY_PRIVILEGE
0.070: Setup encountered an error: You do not have permission to update
Windows 2000.
Please contact your system administrator.
0.080: You do not have permission to update Windows 2000.
Please contact your system administrator.
0.080: Update.exe extended error code = 0xf004
0.100:
================================================== ========================

FROM WindowsUpdate.log
2005-02-24 09:17:48 16:17:48 Success IUENGINE Install started
2005-02-24 09:17:48 16:17:48 Success IUENGINE Installing SOFTWARE
item from publisher com_microsoft
2005-02-24 09:17:48 16:17:48 Success IUENGINE Installer Command
Type: EXE
2005-02-24 09:17:56 16:17:56 Success IUENGINE Installing SOFTWARE
item from publisher com_microsoft
2005-02-24 09:17:56 16:17:56 Success IUENGINE Installer Command
Type: EXE
2005-02-24 09:17:58 16:17:58 Success IUENGINE Installing SOFTWARE
item from publisher com_microsoft
2005-02-24 09:17:58 16:17:58 Success IUENGINE Installer Command
Type: EXE
2005-02-24 09:18:01 16:18:01 Success IUENGINE Installing SOFTWARE
item from publisher com_microsoft
2005-02-24 09:18:01 16:18:01 Success IUENGINE Installer Command
Type: EXE
2005-02-24 09:18:04 16:18:04 Success IUENGINE Installing SOFTWARE
item from publisher com_microsoft
2005-02-24 09:18:04 16:18:04 Success IUENGINE Installer Command
Type: EXE
2005-02-24 09:18:07 16:18:07 Success IUENGINE Installing SOFTWARE
item from publisher com_microsoft
2005-02-24 09:18:07 16:18:07 Success IUENGINE Installer Command
Type: EXE
2005-02-24 09:18:09 16:18:09 Error IUENGINE See iuhist.xml for
details: Install finished (Error 0x8007F004)
2005-02-24 09:18:10 16:18:10 Success IUENGINE Shutting down
2005-02-24 09:18:10 16:18:10 Success IUCTL Shutting down

FROM IUHist.log
<?xml version="1.0" ?>
- <items
xmlns="x-schema:http://schemas.windowsupdate.com/iu/resultschema.xml">
- <itemStatus xmlns="" timestamp="2005-02-25T10:26:55">
- <identity
itemID="ie60x.internetexplorer6x.ver_platform_win3 2_nt.5.0.x86.en...2195.4.0
..com_microsoft.q867282_ie6_sp1_updateexe." name="Q867282_IE6_SP1_updateexe">
<publisherName>com_microsoft</publisherName>
</identity>
- <description priority="3" hidden="0">
<size>3891464</size>
- <descriptionText>
<title>Cumulative Security Update for Internet Explorer 6 Service Pack 1
(KB867282)</title>
<eula href="/msdownload/update/v3/static/eula/en/eula.htm" />
A security issue has been identified that could allow an attacker to
compromise a computer running Microsoft Internet Explorer and gain control
over it. You can help protect your computer by installing this update from
Microsoft. After you install this item, you may have to restart your
computer.
</descriptionText>
</description>
- <platform name="ver_platform_win32_nt">
<processorArchitecture>x86</processorArchitecture>
<version major="5" minor="0" build="2195" servicePackMajor="4"
servicePackMinor="0" />
</platform>
<installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />
<client>au</client>
</itemStatus>

"James Fabulous" <> wrote in message news:%
....
> I found suggestions to check security policy settings comparing
> local settings to effective settings - everything checks out here
> (and we are not currently using any non-default group policy).

> 0.080: Update.exe extended error code = 0xf004


Nevertheless the code implies that something about those accounts
is deficient for installing that update.

BTW I couldn't find the extended error code documented as a hex
value but I was able to find it as its equivalent decimal value of 61444:

http://www.microsoft.com/technet/pro...pdte.mspx#EAAA
<TITLE>Inside Update.exe - The Package Installer for Windows and Windows Components</TITLE>

<quote>
61444 STATUS_INSUFFICIENT_PRIVS
You do not have permission to update %1.
Please contact your system administrator.
</quote>

My guess would be that you have locks on some keys.
I would try running RegMon to monitor the update
in hopes that that could uncover the accesses which are failing.
(FYI RegMon is freeware from SysInternals.)

Have you checked newsgroups which specialize in security
for your OS? Some other approaches are described in these:

http://groups-beta.google.com/groups...oft.*.security

(Google Groups search for
61444 OR F004 OR 0xF004 OR 0x8007F004 OR 8007F004 group:microsoft.*.security
)

Another possibility is that the code is being used to signal another
type of problem during the update. For example, some XP users
have discovered that an "access denied" symptom can be avoided
by removing a Read-Only flag from branches.inf. (I just noticed
branches.inf referred to as an Installer binary in the above document
while searching it for " log" and was reminded of that.) For diagnosing
that without knowing about it you could use FileMon, another freeware
tool from SysInternals.


Good luck

Robert Aldwinckle
---

Hey James. I had this problem as well.

In my case it was a group policy that was interfering with the updates.

The computer I was trying to update was in an OU that had a GP setting to
auto download Windows updates from one of the servers on our network. The
policy was in Computer Configuration>Administrative Templates> Windows
Components/Windows Updates>.

The name of the policy in that container was "Specify intranet Microsoft
update service location" and it was set to enabled and was pointing to one of
our servers on our local intranet.

To fix the problem I moved the computer that I was trying to install on to a
OU that had no Group Policy and the updates went fine after that.

So in short, you may want to have a look at your domain Group Policy not
your local.

"James Fabulous" wrote:

> We appear to be having the a problem here on a number of clients (though
> not all clients). Users (who are administrators of their local machines
> through
> domain group membership) are unable to install the last set of updates. Our
> workaround has been to log into the machine as a domain administrator and
> run windows update/ automatic update (either) and the updates will install.
> I have listed errors from log files below. Having google'd the issue as
> well I found suggestions to check security policy settings comparing local
> settings to effective settings - everything checks out here (and we are not
> currently using any non-default group policy). Installing any update(s)
> alone also fails with the same error. Any help would be greatly appreciated
> as it is not possible to log into client computers as domain admins if they
> are off-site and we would obviously like to find a cause so that the
> situation can be avoided in the future.
>
> Thanks to all of you!
>
> FROM KB873333.log
> 0.070: 2005/02/25 10:31:03.696 (local)
> 0.070: c:\e1e07c4741b397d55d08\update\update.exe (version 5.5.33.0)
> 0.070: Failed To Enable SE_SECURITY_PRIVILEGE
> 0.070: Setup encountered an error: You do not have permission to update
> Windows 2000.
> Please contact your system administrator.
> 0.080: You do not have permission to update Windows 2000.
> Please contact your system administrator.
> 0.080: Update.exe extended error code = 0xf004
> 0.100:
> ================================================== ========================
>
> FROM WindowsUpdate.log
> 2005-02-24 09:17:48 16:17:48 Success IUENGINE Install started
> 2005-02-24 09:17:48 16:17:48 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:17:48 16:17:48 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:17:56 16:17:56 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:17:56 16:17:56 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:17:58 16:17:58 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:17:58 16:17:58 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:01 16:18:01 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:18:01 16:18:01 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:04 16:18:04 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:18:04 16:18:04 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:07 16:18:07 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:18:07 16:18:07 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:09 16:18:09 Error IUENGINE See iuhist.xml for
> details: Install finished (Error 0x8007F004)
> 2005-02-24 09:18:10 16:18:10 Success IUENGINE Shutting down
> 2005-02-24 09:18:10 16:18:10 Success IUCTL Shutting down
>
> FROM IUHist.log
> <?xml version="1.0" ?>
> - <items
> xmlns="x-schema:http://schemas.windowsupdate.com/iu/resultschema.xml">
> - <itemStatus xmlns="" timestamp="2005-02-25T10:26:55">
> - <identity
> itemID="ie60x.internetexplorer6x.ver_platform_win3 2_nt.5.0.x86.en...2195.4.0
> ..com_microsoft.q867282_ie6_sp1_updateexe." name="Q867282_IE6_SP1_updateexe">
> <publisherName>com_microsoft</publisherName>
> </identity>
> - <description priority="3" hidden="0">
> <size>3891464</size>
> - <descriptionText>
> <title>Cumulative Security Update for Internet Explorer 6 Service Pack 1
> (KB867282)</title>
> <eula href="/msdownload/update/v3/static/eula/en/eula.htm" />
> A security issue has been identified that could allow an attacker to
> compromise a computer running Microsoft Internet Explorer and gain control
> over it. You can help protect your computer by installing this update from
> Microsoft. After you install this item, you may have to restart your
> computer.
> </descriptionText>
> </description>
> - <platform name="ver_platform_win32_nt">
> <processorArchitecture>x86</processorArchitecture>
> <version major="5" minor="0" build="2195" servicePackMajor="4"
> servicePackMinor="0" />
> </platform>
> <installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />
> <client>au</client>
> </itemStatus>
>
>
>
>