Kaseya Community

Anyone else having issues installing KB3134814 (MS16-009)?

This question has suggested answer(s)

Good Afternoon Everyone,

I am trying to do some patch management today and am seeing that KB3134814 keeps failing when trying to install it via Kaseya. This patch was just released 2/9/2016. This is affecting a very large portion of computers with IE11 installed on it, from servers to desktops. If you go through the c:\Windows\WindowsUpdate.log on the computers you can see that it was added to the list of patches that need applied but nowhere does it say it tried to run but failed. 

If I go into Windows update on the machine and manually install it, it goes just fine. Then run a patch scan after a reboot and it comes back fully patched. But this will not work when you have to touch so many computer.

I have even tried clearing LANCache, and downloading patches directly from the internet. Neither of which worked.

Is anyone else seeing this problem as well?

All Replies
  • ,

    The windowsupdate.log file will only include the install attempt if the Windows Update Agent (WUA) was involved in the install.  Kaseya will leverage WUA when the file source is configured to "Download from Internet" or when the patch itself is flagged as "Internet-based Install Only."   It isn't surprising you see no install/fail information in windowsupdate.log if you're using a LAN Cache.

    You can do some additional troubleshooting by downloading the patch file and executing via command line using the /log switch.  To do so, you need to be sure you download the exact version of the patch that is failing on your machine(s).  I recommend selecting one computer failing to install the patch to use for testing, use the Machine Update page to find the specific patch.  Click the hyperlinked KB number and review the Update Identifier on the Patch Details popup.  This is a unique ID assigned by Microsoft for a specific version of the KB.  Once you have the Update ID, go to the Patch Location function (visible for On Premise installs only), locate the exact same version of the patch, and download the patch from the defined location.

    Note:  To verify the patch supports the /log switch, you can check the help file by running the following at the command line:

    c:\<FullPathToFolder>\PatchFileName.exe /?

    Once downloaded, execute via command line adding the /log switch.  The command line should look like:  

    c:\<FullPathToFolder>\PatchFileName.exe /log

    Note:  Optionally add the /quiet and /norestart (or comparable) switches when running via command line.

    When you run the installer with the /log switch, a log will generate (usually in the same folder from which the patch file was executed).  If the manual install fails, review the log for indications why.

    Optionally, you can add the /log switch to the Kaseya Patch > Command Line function and run the install via Kaseya, then get the resulting log file from the endpoint and review.  The Command Line function is available on premise only.

    If you are using the Cloud/SaaS VSA, you will not have access to the Patch Location or Command Line functions.  In this case, use the patch file name listed on the Patch Details popup and locate the exact patch online (sometimes googling the file name will take you to the download page; in other cases, you may have to hunt through MS documentation).  Download the patch installer and run through the manual install steps listed above.

    If you want a shortcut to resolve the issue (but without the benefit of understanding the cause of the failure), configure the file source of the machines failing this patch to "Download from Internet" and schedule Patch > Automatic Update to run.  This will force Kaseya to use WUA to perform the install.  Given you mentioned you can successfully install via WUA locally, this should be successful.  You MUST use Patch > Automatic Update to run the cycle as Patch Update and Machine Update will not leverage WUA.  I do not recommend the approach of changing the File Source as it is generally better to understand and resolve the underlying cause of the failure.  However, addressing the immediate issue is more critical than resolving a potentially-systemic issue, and this is one way to bypass troubleshooting and just "get 'er done".

  • It showed up as failed on 99% of my machines. However, the patch had been successfully installed, it just had no log file to verify by Patch Mgmt.

  • ,

    That usually indicates the logic included in the patch file itself is invalid.  Essentially, even though the patch is installed, the MS patch scan process (which K leverages) isn't able to detect the patch as installed.  This doesn't happen often, but it's far from rare.  Most (though not all) of the time, if you run a scan locally via Control Panel > Windows Update, the patch will still report as missing even though Windows Update > Installed Updates (or Add/Remove > Installed Updates) report the patch as installed.

    This is something that MS must resolve.  They usually do at some point.  Until then, Kaseya will continue to report the patch as Missing (and therefore Failed) since MS is reporting the patch as missing.  Recourse through the VSA is to mark the patch as denied.  If you want to have the patch installed, run the install, then after the install completes, mark the patch as denied AFTER the patch is installed so the patch doesn't continually attempt to install.

  • Brande,

    I am trying to run it right now on one of the failed machines. I will check the logs when I get a chance and see what they say.

    Thanks for the troubleshooting steps.

  • Same problem here. It's one of these patches that has a patch-within-a-patch. i.e. it also includes patch KB3141092 - not sure if this has something to do with it. The patch management mailing list is currently full of issues with third party apps like Landesk also having issues with this patch.

    I have found the patch works fine if you run WU on the agent using 'check online with Microsoft for updates', so clearly this patch is doing something a little out of the ordinary (buggy patch?)

  • I tried to install the msu for KB3134814 from the command line with the /log and lots of errors showed up in the log. I am still trying to get through them all. In the manual download from Microsoft is also a msu for KB3141092 if you run it via the command line and reboot. Then run another patch scan through Kaseya it comes back fully patched.

    But I am not finding much information about KB3141092. I see that a lot of people having problems with IE after installing it.

  • If anyone comes up with a solution here, please let us all know.  It is a critical patch and is being a real !@#$%^

  • Has anyone found a solution to installing this patch?



  • Everyone of my agents (125) report failure for this patch also.


  • I have got it working on a group of test machines. I am actually having to install the KB3141092 files. Then scan the machines and they come back clean.

    I just created a script that pulls the msu file from the Kaseya Server and the installs it with /quiet /norestart

    All of my testing shows that it works, but I have not deployed that full scale yet.

    So my script just checks weather it is an 32 or 64bit computer

    Then transfers the correct file. Then runs it via this command: C:\Windows\System32\wusa.exe [msu file location] /quiet /norestart

  • I had this issue also.  Basically the MSU patch downloaded installs successfully and even after you run it manually it says it is installed.  But this is a patch within a patch within a patch deal.  So, i configured the path location to Internet-based Install Only to force Kaseya to use the WUA API to deploy the patch.  I tested this and it worked successfully.

    Make sure your enrolled in Microsoft Update if your not already though.

  • Thanks jvanhorn....I will try that out


  • Thanks again jvanhorn, that worked for me

  • Yes, worked for me too...jvnhorn, best post of the week :)

    For those playing at home -> patch management, patch location. enter KB article number 3134814 at the top and press Apply.

    Now, for each instance of the patch listed (you'll see separate versions for x86 and z64, Win 7/8/8.1/10, Server 2008R2/2012/2012R2 etc.) click the bullet and then click the Remove button, so that the patch location is set to "Internet-based Install Only".

    Now, go re-run your patches.

    Problem solved.

  • You guys rock. Thanks everyone.