Cannot install cumulative updates unless I run SFC /SCANNOW first.

Tanyac

I have W10 1709 running on most PCs here. A couple of 1703's.

Installations of the last 4 cumulative updates (2018-02 to 2018-05) all fail until I run SFC /SCANNOW. The Windows Update troubleshooter does not work, nor does clearing the SoftwareDistribution folder and rebuilding the update cache.

I have several group policy settings tweaked. I have several services disabled, and I have replaced the \windows\media folder with a folder of my own with Windows 7 sounds.

I have compared my registry, services and group policy before and after running SFC and can't detect any changes. I also put the original Media folder back, complete with the default security and ownership.

Once I have the PC configured the way I want I really don't play with settings. In fact, the PCs are all installed from an image I created, so they are all the same.

We pretty much just go about our business playing games, using MS Office, watching movies/TV, some Photoshop and editing/authoring of media content, and running backups.

So I'm trying to understand exactly what SFC /SCANNOW is doing that temporarily "fixes" the ability to install cumulative updates. Because a month later, the same scenario occurs.

About the only thing I haven't done yet is a file-by-file size/date/version comparison of every file in C:\Windows (including sub dirs like winsxs). What is a good tool to do such a comparison?

Thoughts?
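
For the file-by-file comparison asked about above, one approach is to snapshot size, timestamp, version and (optionally) SHA-256 of every file before and after SFC /SCANNOW and diff the two snapshots. This is an added PowerShell example, not part of the original post; Get-FileInventory and Compare-FileInventory are hypothetical helper names defined here.

```powershell
# Added example; Get-FileInventory and Compare-FileInventory are hypothetical helpers.
function Get-FileInventory {
    param([Parameter(Mandatory)][string]$Root, [switch]$Hash)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Hashing all of C:\Windows is slow, but catches same-size/same-date changes.
            $sha = if ($Hash) {
                (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
            [pscustomobject]@{
                Path      = $_.FullName
                Length    = $_.Length
                LastWrite = $_.LastWriteTimeUtc.ToString('o')
                Version   = $_.VersionInfo.FileVersion
                Sha256    = $sha
            }
        }
}

function Compare-FileInventory {
    param([object[]]$Before, [object[]]$After)
    $index = @{}                                  # hashtable keys are case-insensitive
    foreach ($b in $Before) { $index[$b.Path] = $b }
    foreach ($a in $After) {
        $b = $index[$a.Path]
        if (-not $b) {
            [pscustomobject]@{ Change = 'Added'; Path = $a.Path; Detail = '' }
            continue
        }
        $index.Remove($a.Path)
        $diff = foreach ($p in 'Length', 'LastWrite', 'Version', 'Sha256') {
            if ("$($b.$p)" -ne "$($a.$p)") { "${p}: $($b.$p) -> $($a.$p)" }
        }
        if ($diff) {
            [pscustomobject]@{ Change = 'Modified'; Path = $a.Path; Detail = ($diff -join '; ') }
        }
    }
    # Whatever is left in the index existed before but not after.
    foreach ($b in $index.Values) {
        [pscustomobject]@{ Change = 'Removed'; Path = $b.Path; Detail = '' }
    }
}

# Run elevated: snapshot, repair, snapshot again, then report what changed.
$before = Get-FileInventory -Root $env:windir
sfc.exe /scannow
$after  = Get-FileInventory -Root $env:windir
Compare-FileInventory $before $after | Export-Csv "$env:TEMP\sfc-diff.csv" -NoTypeInformation
```

Add -Hash to both snapshots when a content change that keeps the same size and date has to be ruled out.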
 
Solution
Try running DISM on the computers; what it does is check/fix the image file that SFC uses to compare system files.

Right-click the Start button
Choose PowerShell (Admin)
Copy/paste this command in and press Enter:
Repair-WindowsImage -Online -RestoreHealth

Once it's run, rerun SFC again.

If DISM comes back with an error asking for source, it gets a little trickier as you need a copy of the ISO that matches the version installed, and the current ISO the media creation tool makes is 1803.

One alternative is to upgrade them all to 1803, but it might change some of your settings. Download the Windows 10 media creation tool and use it to make a Win 10 installer on USB, and use the USB to upgrade all the PCs.
 
Thanks for your help.

I'm familiar with DISM.

I have all my ISOs and ESDs.

I'm not getting an error with SFC. If I run /verifyonly it lists thousands of duplicate owner and corrupted files, which from what I've read seem to be a bug with SFC. So it's difficult when you can't trust the tool that's repairing your system to tell the truth. So is it actually fixing anything, or listing thousands of misleading messages?

I'm currently testing 1803. A lot of rubbish in that version. All of it to be removed/disabled 😉

I don't anticipate having 1803 ready for use on production PCs before August/September. In the meantime I should at least keep the 1709s reasonably up to date.

Upgrades are done as fresh installs only. Never would I do an in-place upgrade. That does reset settings and cause havoc.
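
To see what SFC actually repaired, rather than relying on its on-screen summary, its entries can be pulled out of the CBS log, where they carry the [SR] tag. This is an added PowerShell example, not part of the original post; Get-SfcLogEvent is a hypothetical helper, and the sample lines are constructed in the CBS.log layout rather than taken from a real machine.

```powershell
# Added example; Get-SfcLogEvent is a hypothetical helper.
function Get-SfcLogEvent {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # SFC tags its own entries in the shared CBS log with [SR]; skip everything else.
        if ($Line -notmatch '^(?<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),.*?\[SR\]\s+(?<msg>.+)$') { return }
        # Copy the captures now: the -match tests below overwrite $Matches.
        $time = [datetime]$Matches['time']
        $msg  = $Matches['msg']
        $kind = if     ($msg -match '^Cannot repair')               { 'CannotRepair' }
                elseif ($msg -match '^Repair(ing|ed)\b.*\bfile\b')  { 'Repair' }
                elseif ($msg -match '^Verif')                       { 'Verify' }
                else                                                { 'Other' }
        [pscustomobject]@{ Time = $time; Kind = $kind; Message = $msg }
    }
}

# Constructed sample lines (file and component names are placeholders).
$sample = @(
    '2018-05-10 09:14:02, Info                  CSI    00000009 [SR] Verifying 100 components',
    '2018-05-10 09:14:03, Info                  CBS    Session: 1_2 initialized by client',
    '2018-05-10 09:14:05, Info                  CSI    0000000b [SR] Verify complete',
    '2018-05-10 09:16:41, Info                  CSI    00000f2a [SR] Repairing corrupted file \??\C:\WINDOWS\System32\example.dll from store',
    '2018-05-10 09:16:44, Info                  CSI    00000f31 [SR] Cannot repair member file "example2.dll" of ExampleComponent'
)

$events = $sample | Get-SfcLogEvent

# How many entries of each kind, then the ones that are not routine verification.
$events | Group-Object Kind | Select-Object Name, Count
$events | Where-Object Kind -in 'Repair', 'CannotRepair' | Format-List Time, Kind, Message

# Against the real log (run elevated):
# Get-Content "$env:windir\Logs\CBS\CBS.log" | Get-SfcLogEvent |
#     Where-Object Kind -in 'Repair', 'CannotRepair'
```

An empty result after a /scannow run means the log holds no SFC file repairs for that session, which is worth knowing before attributing the update fix to a repaired file.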

 
Verify only finds the corrupt files; scannow actually fixes them.

Sfc Command Syntax
In its basic form, this is the syntax required to execute System File Checker options:

sfc options [=full file path]

Or, more specifically, this is what it looks like with options:

sfc [/scannow] [/verifyonly] [/scanfile=file] [/verifyfile=file] [/offbootdir=boot] [/offwindir=win] [/?]

Tip: See How to Read Command Syntax if you're not sure how to interpret the sfc command syntax as it's written above or described in the table below.

/scannow: This option instructs sfc to scan all protected operating system files and repair as necessary.
/verifyonly: This sfc command option is the same as /scannow but without repairing.
/scanfile=file: This sfc option is the same as /scannow but the scan and repair is only for the specified file.
/offbootdir=boot: Used with /offwindir, this sfc option is used to define the boot directory (boot) when using sfc from outside of Windows.
/offwindir=win: This sfc option is used with /offbootdir to define the Windows directory (win) when using sfc offline.
/?: Use the help switch with the sfc command to show detailed help about the command's several options.

Tip: You can save the output of the sfc command to a file using a redirection operator.

https://www.lifewire.com/sfc-command-system-file-checker-2626020

We often find SFC reports errors on a brand new install, so whether the version installed matches the current build is a question. I don't know why you would need to run it before installing updates, especially if you clean install on version updates.
 

Yes, I know. And the files it reports are not necessarily "corrupt".


The build installed was 16299.15 from the downloaded ESD file.
Updates were applied, taking the version to 16299.125.

So, as an example, with the latest cumulative May patches...

I approved the 2018-05 updates in WSUS that take the clients to 16299.431.

KB3143727, the patch in question, failed on 100% of clients with the same error code (can't tell you the code right now - not at one of the affected PCs).

Running SFC /SCANNOW resolved the issue.

I had the same issue with the 2018-04 cumulative update, and so on...
 
