An update for the System Center Endpoint Protection 2012 Client was released today. It installed successfully on Windows clients (Windows 8.1) throughout the organisation but fails on servers (Windows Server 2008 R2, Windows Server 2012 R2).
The Event Viewer reports the following error.
Installation Failure: Windows failed to install the following update with error 0x80070643: Update for System Center Endpoint Protection 2012 Client - 4.9.218.0 (KB3106514).
Technet has an article describing this issue, although it relates to an older update (from April, 2012). It does however give us a few ways to troubleshoot the issue.
1. Make sure the server does not have any pending reboots. PowerShell-script can be found here.
2. Remove any existing security programs
3. Ensure that the Windows Installer service is running
4. If you’re getting updates through Configuration Manager, try clearing the cache. If that does not help run the SCEP setup manually.
Review the article from TechNet for more details.
Please let us know if you’re having similar issues or if you have any additional assistance..
Hi.
In my case I’ve had the same problem with this update and other updates before.
And often they get stuck in “System Pending Restart”. New updates don’t install until system is rebooted.
I solved my problem this way. (I’m sure there’s many other, probably smarter ways to do this).
I Created a Collection called “System Pending Restart” with the following Query, To get all systems in pending restart state in the same collection.
————————————————————————————————————————–
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from sms_r_system inner join SMS_UpdateComplianceStatus ON SMS_UpdateComplianceStatus.machineid=sms_r_system.resourceid WHERE SMS_UpdateComplianceStatus.LastEnforcementMessageID = 9
——————————————————————————————————————————
There are several other enforcement states you can use instead by changing the number after ‘LastEnforcementMessage ID =’ at the end of the query.
1 – Enforcement started
3 – Waiting for another installation to complete
6 – General failure
8 – Installing update
9 – Pending system restart
10 – Successfully installed update
11 – Failed to install update
12 – Downloading update
13 – Downloaded update
Then I created a Package with an empty program, with the command line: shutdown /r /f
Deploys this package to my “System Pending Restart” collection. To run in my MW.
Hi Kristian,
Thank you for the feedback, and an additional resolution.
I ended up in the same situation as you. I solved it using another approach, baselines.
The way I set it up was a baseline that checks for a pending reboot, and also if the computer has not rebooted the last 30 days. If so, it checks if a user is currently online (then wait until midnight to reboot) and if not reboot asap.
Best regards,
Joakim
I had an issue installing KB3106514 only on 4 Hyper-V servers running 2012 R2 Core. I was able to execute the SCEPInstall.exe package manually on each host and have a successful installation.