This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Lockdown issues with failing Windows Update 0x80070005

We're having issues to install 2022-01 Patches on Windows Servers when the server has Lockdown enabled and is locked.

From what we've been told and my understanding, WU should with Lockdown enabled.

The Update ins installed but after reboot, it get's rolled back. Finally you can see the error in Eventlog: 0x80070005

What's the current feedback of Sophos about WU and Lockdown?

Lockdown Event:

<Event event_id="2003" event_time="1642527846828" ip_address="xxx.xxx.xxx.xxx" cause_id="File Action" cause="File delete blocked due to no write permissions" parent_name="\Device\HarddiskVolume2\Windows\System32\poqexec.exe" parent_process_file_name="\Device\HarddiskVolume2\Windows\System32\poqexec.exe" target_file_name="\Device\HarddiskVolume2\Windows\WinSxS\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.14393.4886_none_fcf994c0f726058d\bootmgfw.efi" target_file_path="\Device\HarddiskVolume2\Windows\WinSxS\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.14393.4886_none_fcf994c0f726058d\bootmgfw.efi" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="S-1-5-18" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event>
<Event event_id="1022" event_time="1642527851328" ip_address="xxx.xxx.xxx.xxx" cause_id="0" cause="SLDService" parent_name="" parent_process_file_name="" target_file_name="" target_file_path="" target_file_sha1="" target_file_size="0" target_application_name="" target_user_name="" target_user_sid="" target_certificate_subject="" target_certificate_sha1="" target_certificate_size="0" target_change_info="" ask_reason="" ask_email=""></Event></EventList><?sha1 C1DEC312BB11C47C9E68430F1BA74C219CED66B1?><?sha1-content-size 1376?>

Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070005 fehlgeschlagen: 2022-01 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5009546)

The update installs fine if Lockdown is set to unlocked before installing the update.



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hi There,

    It is recommended to do windows update BEFORE locking down a server.

    If a server is having issues doing windows update while the lockdown is active then please open this KB:

    https://support.sophos.com/support/s/article/KB-000033519?language=en_US

    ->go to Windows Server Update Services (WSUS), click the link and consider adding the recommended exclusions on your sophos central configuration.

    Regards,

    Fernan Tutor

    If this post solves your question, please use the "Verify Answer" button.

  • Thanks @fernan tutor for your answer. So comclusion is that we'll need to unlock/lock servers for Windows Updates.

    The KB and WSUS exclusion would not have prevented file access blocking by Sophos Lockdown from poqexec.exe to

    Windows\WinSxS\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.14393.4886_none_fcf994c0f726058d\bootmgfw.efi

  • FormerMember
    +1 FormerMember in reply to LHerzog

    Hello,

    I just doubled checked and it shows we really need to unlock the server before you do windows update on the machine

    The other thing I'm thinking you can try is put scanning exclusion on the folder location of your previous reply.

    Unlock the server>make folder/file exclusions>do sophos update on the machine (to get the latest policy)>then lock again the server.

    Check if problem would persist. IF it is, then there's not much we can do anymore.

    Regards,

    Fernan Tutor

Reply
  • FormerMember
    +1 FormerMember in reply to LHerzog

    Hello,

    I just doubled checked and it shows we really need to unlock the server before you do windows update on the machine

    The other thing I'm thinking you can try is put scanning exclusion on the folder location of your previous reply.

    Unlock the server>make folder/file exclusions>do sophos update on the machine (to get the latest policy)>then lock again the server.

    Check if problem would persist. IF it is, then there's not much we can do anymore.

    Regards,

    Fernan Tutor

Children
No Data