WSUS

Windows Store Error 0x8024500c

I was getting this error company wide when trying to install any app from the Windows Store on a domain joined computer. The store was fully navigational, but any app I tried to install would instantly error. Showing the details would reveal Error Code 0x8024500c.

This is a fairly standard error code and there are a lot of reasons already posted online, but for me it was one simple Group Policy setting:

Do not connect to any Windows Update Internet locations

Help:

Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store.

Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.

Note: This policy applies only when this PC is configured to connect to an intranet update service using the “Specify intranet Microsoft update service location” policy.

 

Back in the Windows 7 days, it made sense to disable this if you wanted to force clients to only use your WSUS servers and control the experience. However, it completely breaks the Windows Store!

You can find this policy under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

Note that this doesn’t seem to break the private Business Store section if you have that configured, which can be a nice way of controlling the apps your users see.
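To check whether a client actually has this combination applied, the following added example (not from the original post) reads the policy's registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and reports the result. The computer names in the commented remote call are placeholders, and that call assumes PowerShell remoting is enabled.

```powershell
# Added example: reports whether the policy combination described above is applied.
$check = {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    function Get-PolicyValue([string]$Path, [string]$Name) {
        # $null means the value is absent, i.e. the policy is Not Configured.
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $server  = Get-PolicyValue $wu 'WUServer'
    $useWsus = Get-PolicyValue "$wu\AU" 'UseWUServer'
    $noInet  = Get-PolicyValue $wu 'DoNotConnectToWindowsUpdateInternetLocations'

    # Per the policy help text, the setting only applies when an intranet
    # update service is configured for this PC.
    $wsusConfigured = ($useWsus -eq 1) -and -not [string]::IsNullOrEmpty($server)

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        WUServer                   = $server
        UseWUServer                = $useWsus
        DoNotConnectToWUInternet   = $noInet
        StoreInstallsLikelyBlocked = $wsusConfigured -and ($noInet -eq 1)
    }
}

# Run against the local machine.
& $check

# Run against several machines (placeholder names).
# Invoke-Command -ComputerName PC01, PC02 -ScriptBlock $check
```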

Security Quality Rollup Confusion – Windows Updates

Since October 2016, Microsoft have updated their Windows Updates model (for Windows 7, 8.1, Server 2008 R2 SP1 and Server 2012 R2) to a more cumulative approach. To their credit, they had this communicated months before it started, and the word got around long before the first patch rolled out.

At the time I talked to Tom Walat, who was reviewing what people thought of this model. There’s been a bit of confusion and changes in the model, including a new one for February 2017 where Internet Explorer will be separated and have its own rollup. If you manage WSUS, you need to be across these changes.

There’s a great detailed blogpost on TechNet about the history and changes, as well as this really useful table:

Windows Updates for 7 and 8.1 table for Feb 2017 (source)

Here’s the TL;DR version, which is still long, sorry:

From October 2016 to January 2017, there have been two main update rollups. The first is the Security Monthly Quality Rollup, which contains ‘all the patches’. In WSUS, this will have a name like “January, 2017 Security Monthly Quality Rollup for Windows 7”. There is a separate rollup for Windows 7, 8, Server 2008 R2 and 2012 R2. These are cumulative – each Rollup includes all previous rollup patches, but nothing from before October 2016. This is the recommended package.

There’s also the similarly named Security Only Quality Update, which is just ‘all the security patches’. This will have a very similar name, e.g. “January, 2017 Security Only Quality Update for Windows 7”, again with a separate update for each OS. These are not cumulative, and each needs to be installed separately. These updates are only required if you’re not doing the monthly rollup for some reason (e.g. one of the updates in the rollup breaks something).

Those both included Internet Explorer, but as of February 2017 that will be its own separate set of updates. The IE update set will be cumulative – including all older updates in each new package.

That separate IE set of patches is the Cumulative Security Update for Internet Explorer, which will be cumulative like the Rollups, where you only need the latest one.
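The cumulative versus non-cumulative distinction decides what you have to approve in WSUS. The following added example (not from the original post or from Microsoft) sorts update titles into the three families named above and keeps only the latest update of a cumulative family but every update of a non-cumulative one. The titles follow the naming quoted above; the Internet Explorer titles and all release dates are constructed sample data.

```powershell
# Added example: which updates are still needed, per family and OS.
function Get-UpdateFamily([string]$Title) {
    switch -Regex ($Title) {
        'Security Monthly Quality Rollup'                  { 'MonthlyRollup'; break }
        'Security Only Quality Update'                     { 'SecurityOnly';  break }
        'Cumulative Security Update for Internet Explorer' { 'IECumulative';  break }
        default                                            { 'Other' }
    }
}

function Select-NeededUpdate([object[]]$Updates) {
    $cumulative = 'MonthlyRollup', 'IECumulative'   # only the latest one is needed
    $Updates | ForEach-Object {
        $os = if ($_.Title -match ' for (Windows.*)$') { $Matches[1] } else { 'Unknown' }
        [pscustomobject]@{
            Family   = Get-UpdateFamily $_.Title
            OS       = $os
            Released = $_.Released
            Title    = $_.Title
        }
    } | Where-Object { $_.Family -ne 'Other' } |
        Group-Object Family, OS |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Released)
            if ($cumulative -contains $sorted[0].Family) {
                $sorted[-1]      # cumulative: latest supersedes the rest
            } else {
                $sorted          # Security Only: every month is required
            }
        }
}

# Constructed sample data (titles follow the post's naming, dates are illustrative).
$sample = @(
    [pscustomobject]@{ Released = [datetime]'2016-12-13'; Title = 'December, 2016 Security Monthly Quality Rollup for Windows 7' }
    [pscustomobject]@{ Released = [datetime]'2017-01-10'; Title = 'January, 2017 Security Monthly Quality Rollup for Windows 7' }
    [pscustomobject]@{ Released = [datetime]'2016-12-13'; Title = 'December, 2016 Security Only Quality Update for Windows 7' }
    [pscustomobject]@{ Released = [datetime]'2017-01-10'; Title = 'January, 2017 Security Only Quality Update for Windows 7' }
    [pscustomobject]@{ Released = [datetime]'2017-02-01'; Title = 'Cumulative Security Update for Internet Explorer 11 for Windows 7 (sample A)' }
    [pscustomobject]@{ Released = [datetime]'2017-03-01'; Title = 'Cumulative Security Update for Internet Explorer 11 for Windows 7 (sample B)' }
)

Select-NeededUpdate $sample | Sort-Object Family, Released | Format-Table Family, Released, Title -AutoSize
```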

These are big changes and it’s worth getting your head around it all – the end goal is to have only monthly updates for anything older than Windows 10.

There may be future changes as to how this model works, so make sure you keep up to date with what Microsoft is doing in this space.

KB3102429 Re-issued, still breaking things

Things are getting a bit silly in the Microsoft patch world.

KB3102429 was originally released on November 17, 2015. It’s a very unexciting update for most people, as it is an “Update that supports Azerbaijani Manat and Georgian Lari currency symbols in Windows”. I’d be passing on that – but a lot of people have automatic approvals on any Windows Update relevant to their system. This is partly done because Microsoft used to be great at patching and testing; there was rarely an issue that made its way to the world. In the last year or so, that has definitely not rung true.

I’ve written about a few of these recently, such as KB3114409 Causes Outlook 2010 to run in Safe Mode and Outlook Patch KB2956128 Breaks Profile Changing (and KB3054881), along with the apparent mismanagement of how these updates are handled from Microsoft. KB3102429 seems to be a similar story.

When KB3102429 first came out, there were some weird problems that arose. The most common one was with Crystal Reports exporting to PDFs, as well as some other programs, and you’ll find other things that broke too if you start digging around on Google with the KB3102429 search.

Stranger still is that Microsoft have now re-released the same KB on the 19th January 2016 with the generic explanation of ‘Install this update to resolve issues in Windows.’ – something I’d hope all patches do :)

This now means that WSUS is aware of two patches with the same name – even more confusion!

kb3102429

I have had reports of weird Outlook visualisation problems on random computers, which have taken multiple reboots to clear. This was the only patch that was applied to the PC before the issue occurred.

Without knowing what this patch does beyond the original November description, and appearing to have no security impact – I’d suggest uninstalling. If you have any information to share on this, please do!