In certain cases, ‘Install updates and fix vulnerabilities’ task might fail with some error. Below example contains ‘Error verifying file signature’ error but you may use mentioned keywords and overall approach for investigation of other errors met while running ‘Install updates and fix vulnerabilities’ task. Here are some steps to investigate such problems:

1. First of all view list of updates aimed at installation on client. For this purpose in network agent trace file search for ‘Update to install:’ without quotes. You will get results similar to:

   Quote

   02.12.2024 11:39:59.052 00003254.00004E10 L4  KLNAG: Update to install: b4205e28-dcd2-406f-bcf6-efc5a342c8cb # 200 {2024-11 .NET 6.0.36 Update for x64 Client (KB5047486)}, type = 1

    02.12.2024 11:39:59.049 00003254.00004E10 L4  KLNAG: Update to install: 79ae03df-d6eb-4de2-b59f-37e963d7a69e # 101 {Обновление пакета Office 2003 (KB907417)}, type = 1

   02.12.2024 11:39:59.053 00003254.00004E10 L4  KLNAG: Update to install: 3fefb63f-4dfc-49c4-85db-d40dd6ea3f22 # 102 {Обновление фильтра нежелательной почты для Outlook 2003 (KB2598343)}, type = 1

   etc.
   Some of found updates are skipped by filters so pay attention to skipped updates and to overall number of updates that should be installed.
   

2. Some updates might already be downloaded to the target system so at the second step identify which update files are already downloaded and which should be downloaded. In network agent trace file search for ‘is already downloaded’ and ‘needs to be downloaded’ without quotes. In our sample traces results are:

   Quote

   02.12.2024 11:39:59.066 00003254.00004E10 L4  KLNAG: Update 79ae03df-d6eb-4de2-b59f-37e963d7a69e#101 needs to be downloaded.

   02.12.2024 11:39:59.069 00003254.00004E10 L4  KLNAG: Update e2bd7f45-47f9-402f-8fda-14f78030fe70#111 is already downloaded.

   02.12.2024 11:39:59.071 00003254.00004E10 L4  KLNAG: Update 1e2a55d2-be5f-42da-86a4-8a4135816201#101 is already downloaded.

   02.12.2024 11:39:59.074 00003254.00004E10 L4  KLNAG: Update c9951ae6-3676-4751-b4ce-b94a5df7e010#200 is already downloaded.

   02.12.2024 11:39:59.076 00003254.00004E10 L4  KLNAG: Update d1f7bb56-bd76-4a9f-b8bd-8a5d60807ee9#200 is already downloaded.

   02.12.2024 11:39:59.078 00003254.00004E10 L4  KLNAG: Update f4588607-516b-44af-8ec8-62b7c089c5c7#200 is already downloaded.

   02.12.2024 11:39:59.080 00003254.00004E10 L4  KLNAG: Update 4e3f49d6-694a-4e71-a160-abbdb739fe4b#201 is already downloaded.

   02.12.2024 11:39:59.082 00003254.00004E10 L4  KLNAG: Update 9e4c727d-dec7-406e-98e0-1a7d44590f52#200 is already downloaded.

   02.12.2024 11:39:59.084 00003254.00004E10 L4  KLNAG: Update b4205e28-dcd2-406f-bcf6-efc5a342c8cb#200 is already downloaded.

3. Match code of update which needs to be downloaded (79ae03df-d6eb-4de2-b59f-37e963d7a69e) with results detected at step 1 and you will see that KB907417 needs to be downloaded.

4. Open MS Update catalog and search for KB907417. In search results click ‘Download’ button and observe window with results:
   
   Name of archive containing required update KB907417 is: otkloadr_c87e2fe94dd873224afa65e2af2473ca3e307a37.cab

5. Search for c87e2fe94dd873224afa65e2af2473ca3e307a37.cab in WindowsUpdate.log from client machine. Pay attention to the found lines:
    

   Quote

   2024.11.22 13:35:59.8856907 18332 18860 DownloadManager Downloading from http://localhost:11696/C87E2FE94DD873224AFA65E2AF2473CA3E307A37.cab to C:\WINDOWS\SoftwareDistribution\Download\48ec39650764ea7a46ebe67ecf3b6f47\OTKLOADR.CAB (full file).

   2024.11.22 13:36:00.4933414 18332 15660 Misc            Validating signature for C:\WINDOWS\SoftwareDistribution\Download\48ec39650764ea7a46ebe67ecf3b6f47\OTKLOADR.CAB with dwProvFlags 0x00000080:

   2024.11.22 13:36:00.5430357 18332 15660 Misc            *FAILED* [80096002] Error: verifying trust for C:\WINDOWS\SoftwareDistribution\Download\48ec39650764ea7a46ebe67ecf3b6f47\OTKLOADR.CAB

   2024.11.22 13:36:01.2455912 18332 15660 DownloadManager *FAILED* [80096004] Failed to postprocess the file: URL = 'http://localhost:11696/C87E2FE94DD873224AFA65E2AF2473CA3E307A37.cab', Local path = 'C:\WINDOWS\SoftwareDistribution\Download\48ec39650764ea7a46ebe67ecf3b6f47\OTKLOADR.CAB'

6. Search for otkloadr_c87e2fe94dd873224afa65e2af2473ca3e307a37.cab in administration server trace file to find URL used by administration server to download required update from MS servers:

   Quote

   02.12.2024 11:41:34.929 0000A528.00009DD0 L4  KLSRV: KLSRV::SrvTskSysPatch::DoTask: wstrMUUrl='http://www.download.windowsupdate.com/msdownload/update/software/crup/2008/02/otkloadr_c87e2fe94dd873224afa65e2af2473ca3e307a37.cab',

7.  Now once we know the name of problem update you may offer the customer to temporarily exclude KB907417 from update installation task to let other updates to be installed. Then proceed with investigation.

8. On Administration server use web browser to download problem update from the link identified at step 6 and make sure that its signature is valid. It should look like on below screenshots
   
   In case if Digital Signatures tab is not present in properties of this file or signature is invalid then try to re-download with disabled AV solution. If this does not help then make sure that no proxy/firewall affect this issue. Verify that MS certificates are up to date on KSC server. In MMC console / Software updates node right click on KB907417 and ‘Delete update files’. Try to launch updates installation task again.

9. On client machine use web browser to download problem update using link identified at step 5. Verify its signature and proceed same way as in step 8. Additionally compare downloaded file with C:\WINDOWS\SoftwareDistribution\Download\48ec39650764ea7a46ebe67ecf3b6f47\OTKLOADR.CAB. Verify diginal signature of OTKLOADR.CAB

10. You may use signtool.exe to verify signature of .cab files on server and client:

    signtool.exe verify /pa otkloadr_c87e2fe94dd873224afa65e2af2473ca3e307a37.cab

    
    The utility signtool.exe goes as part of Windows SDK. It is available at C:\<Path to Windows SDK>\<version>\bin\<build number>\x64\signtool.exe

11. In case if digital signature appears to be correct then use standard recommendations for resetting WUA:

    net stop wuauserv
    net stop cryptSvc
    net stop bits
    net stop msiserver
    

    Rename folders

    Quote

    C:\Windows\SoftwareDistribution -> C:\Windows\SoftwareDistribution.old

    C:\Windows\System32\catroot2 -> C:\Windows\System32\catroot2.old

    Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
    net start wuauserv
    net start cryptSvc
    net start bits
    net start msiserver

12.  After resetting WUA launch ‘Find updates and critical vulnerabilities’ task. It might fail several times because WUA cache was cleared. So after getting error just re-launch task again. Once 'find updates' task completes successfully launch task to install updates and fix vulnerabilities (problem update should be included in task scope this time). Observe the results.