
Windows 7 OS Updates blocked since October

Hi all.

We have some legacy Windows 7 machines, all with valid ESU licenses from Microsoft.

These machines have been getting and installing updates via our WSUS servers for months without issue.

Recently, we've noticed that they fail to apply OS updates, although updates to other apps (e.g. Office) install without issue.

These installations fail after the 'restarting to apply update' phase.

Uninstalling the Endpoint product allows these updates to be installed without issue.

Anyone else seen anything similar?

Thanks in advance,

Mark



  • I have followed up with you via DM to keep you updated on the progress.

    I was also able to look into the logs you provided to advise some further troubleshooting steps. 

    Let me know if you can report back your findings either to the support case or via DM so that I may update the case internally. 

    Thank you,

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hi Kushal, many thanks for your reply. I will look at your DM now and report back. Thanks.

  • For anyone wanting an update on this issue: there is still no update. Level 3 support have supposedly passed this on to development, but other than being asked to run a few more tests on a W7 machine, nothing has really moved on this. I had removed the Sophos agent from one device, which of course then allowed the machine to apply its updates. I then provided a log on this so they could compare a 'failed' log from when Sophos was installed with one from when it wasn't. I then reinstalled Sophos, which caused further updates to fail again as expected, but disabling all the Sophos services on this device then allowed the updates to install, leading us to believe it was an issue with one or more of the Sophos services. However, trying the same on another machine (one that hadn't had Sophos uninstalled and reinstalled) hasn't produced the same result with the services disabled. Very odd. Awaiting further response from Sophos!

  • We have also been experiencing this issue for Server 2008 R2 ESU patches. It started around the beginning of November. Patches install fine when Sophos Endpoint Agent is uninstalled. As soon as it is installed, patches get uninstalled/fail on the reboot phase.

  • Hello, we have the same error behavior on a Windows Server 2012 (without R2).

    Only the following procedure helped here as well:
    * Turn off Tamper Protection
    * Stop all Sophos Services
    * Perform the Windows Update
    * Start all Sophos Services

    Thanks

  • We are having the same issue with Windows 7 devices: Microsoft Updates will install only if Sophos is uninstalled first. We raised a call with Microsoft, who confirmed that Sophos is locking the files. Sophos has referred us to the link below, which is very unhelpful. 

    Advisory: Windows 7 and 2008 R2 Nov/Dec 2021 updates may fail to install (sophos.com) 

    The link above mentioned files ntdll.dll and cryptnet.dll, which are included in the Windows 7 December update (KB5008244):
    * ntdll.dll 6.1.7601.25792 10-Nov-21 20:19
    * cryptnet.dll 6.1.7601.25757 11-Oct-21 20:31

    Microsoft have advised that Sophos should raise a call with them to resolve the issue.

    I too am awaiting a response from Sophos.
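
An added example, not part of any poster's reply or of Sophos or Microsoft guidance: a PowerShell check to run after the reboot that confirms whether KB5008244 stayed installed, by comparing the on-disk ntdll.dll and cryptnet.dll against the versions quoted in the post above. The function name Test-UpdateFileVersions is hypothetical, and that Get-HotFix lists this KB on the machine is an assumption.

```powershell
# Versions quoted in the post for the Windows 7 December update (KB5008244).
$expected = @{
    'ntdll.dll'    = [version]'6.1.7601.25792'
    'cryptnet.dll' = [version]'6.1.7601.25757'
}

# Hypothetical helper: reports, per file, whether the installed version is at
# least the version the update ships. Written to run on PowerShell 2.0 (Windows 7).
function Test-UpdateFileVersions {
    param(
        [hashtable]$Expected,
        [string]$Directory = "$env:SystemRoot\System32"
    )
    foreach ($name in $Expected.Keys) {
        $path = Join-Path $Directory $name
        $installed = $null
        if (Test-Path $path) {
            # Build the version from the numeric parts; the FileVersion string
            # can carry a branch suffix that does not parse as [version].
            $vi = (Get-Item $path).VersionInfo
            $installed = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart
        }
        New-Object PSObject -Property @{
            File      = $name
            Installed = $installed
            Required  = $Expected[$name]
            UpToDate  = ($installed -ne $null -and $installed -ge $Expected[$name])
        }
    }
}

# Assumption: the rollup is reported by Get-HotFix on this machine.
$hotfix = Get-HotFix -Id 'KB5008244' -ErrorAction SilentlyContinue
$files  = @(Test-UpdateFileVersions -Expected $expected)
$stale  = @($files | Where-Object { -not $_.UpToDate })

$files | Format-Table File, Installed, Required, UpToDate -AutoSize

if ($hotfix -and $stale.Count -eq 0) {
    "KB5008244 is installed and both files are at or above the update's versions."
} else {
    "KB5008244 is missing or was rolled back on reboot; stale files: $($stale.Count)"
}
```

Running it once with the endpoint agent installed and once after the workaround gives a per-machine record of which state let the update persist.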

  • Yup, and this is still an issue for us as the original poster. The Sophos article also doesn't help, at least the workaround, as turning off tamper and disabling the services doesn't work on all devices for some reason. So the best and only confirmed way is to remove Sophos, do the updates and reinstall Sophos. But this isn't a great option, especially when we have many W7 devices for special reasons and there is no policy method to turn tamper off in Central anymore for a bulk amount of devices: it's either the entire thing, or manually on individual devices. I'm still awaiting Sophos to get back to me.

  • Yup, see my reply to Jonathan. Still an open ticket with Sophos; level 3 support say they are still working with their dev team on this. What we were told is that it's an issue since the Nov updates, where MS made a change to some .dlls which Sophos has its fingers in, causing issues with the updates, which therefore fail as these .dlls are held in action or something. So either MS need to change their update back to how they were (or fix the problems with whatever vulnerabilities caused them to change these .dlls), or Sophos need to find a better way to allow these to update without causing issues whilst Sophos Central is installed/running.

  • Yup, but as I replied above, stopping the services isn't a fix on all. About 1/3 of our W7 clients will work with this method; the others still fail, so the only fix is to remove Sophos Central fully, allow the installs to apply successfully and reinstall Sophos (but they then have issues when the next set of updates comes around). So something needs to be done via MS in the changes they made to their CU updates for W7 etc. from that point, or Sophos need a better way to work round these. I'm still waiting for a reply from their level 3 support working with their dev team on this issue, as the current workaround isn't a fix and is also only a temp workaround each month. For ESU, which will be around for another year, we need a perm fix.