Troubleshooting patch deployment failures on Windows

A Patch Deploy job fails to install a patch or multiple patches on Windows target servers.

This topic helps you to locate and review the appropriate log files to determine why the patch deployment failed and either identify and resolve the issue or create a BMC Customer Support case.

Related topic

Troubleshooting-false-positives-in-Windows-Patch-Analysis-job-results

Issue symptoms

A Patch Deploy job fails to apply one or more patches on Windows target servers. The following image shows how the failure is represented on the job run logs view.

image2021-2-11_18-35-0.png

The Commit phase of the Deploy Job throws a numeric exit code that varies depending on the root cause. For instance:

APPLY failed for server [target]. Exit code = -4001
APPLY failed for server [target]. Exit code = -4002
APPLY failed for server [target]. Exit code = -4003

Issue scope

  • The issue may occur for a single or multiple Windows patches.
  • The issue may occur on a single Windows target server or multiple servers.

Diagnosing and reporting an issue

Task

Action

Steps

Reference

1

Understand the problem scope.

  • Check whether this issue affects all target servers or specific target servers.
  • Identify the versions of Windows where the issue occurs. For instance, Windows 2012, Windows 2016, and so on.


2

Identify and locate the logs.

The job run log package for the Windows Patch Deploy job contains all the log files that you can refer to troubleshoot the issue. Do the following to obtain the log package for a Windows Patch Remediation job:

  1. On the TrueSight Server Automation console, navigate to the failed Remediation job.
  2. Right-click the failed Remediation job run, and click Show Generated Batch Deploy Job Results. The job result details for the failed Deploy job are displayed.

    image2021-1-28_17-37-45.png
  3. Right-click the failed Deploy Job run and select Download Log Package to capture the required logs.

    image2021-1-28_17-40-28.png

You can also refer to STDeploy.log file, which is included in the log package. This file should be collected manually. For details, see the Logs for Deploy jobs topic.

3

Review the log files to understand the patches that failed to install the generated error message.

Refer to the referenced webinar link, which walks you through the process of reviewing the logs to determine why the patch installation failed.

The Log Collection section begins at 50:29.


4

Convert any Microsoft error codes found in the bldeploy.log file from decimal (DEC) to hexadecimal (HEX).

The bldeploy logs prior to 20.02.01 release display Microsoft error codes in the decimal format. For example,

image2021-1-28_10-57-23.png

However, online Microsoft resources typically display error codes in the hexadecimal format. Therefore, you can convert the decimal error code to the hexadecimal format before searching Microsoft resources for additional details.

Refer to the referenced video, which walks you through the process of converting the decimal error code to hexadecimal.

Note: Starting TrueSight Server Automation 20.02.01, the bldeploy.log file lists error codes in both decimal and hexadecimal format. Therefore, manual conversion is not required.

5

Search for the error codes in the "Resolutions for common issues" section.

Use the "Resolutions for common issues" section to review common issues in Windows patch deployment failures along with how they can typically be resolved.

If you are unable to identify and resolve the problem, see the next step to create a BMC Support Case.


6

Create a BMC Support Case

Provide the following information and log files when creating a case with BMC Customer Support:

  • Scope of the issue as identified in step 1
  • Log Files collected in step 2
  • The Application Server OS vendor and version
  • The TrueSight Server Automation version


Resolutions for common issues

Symptom

Action

Reference

A Windows Patch Deploy job fails with exit code 4001 and the bldeploy*.log shows return code 2145124329 :

Line 420: date INFO     bldeploy - [2][windows8.1-2012-R2-kb4512489-x64.msu-MS19-08-SO81-4512489-en-WINDOWS SERVER 2012 R2 DATACENTER (X64)-CU1] Found ReturnCode = -2145124329

Common causes of this issue are:

  • Detection logic issue whereby a patch installation is being attempted on a server where the patch is not applicable.
  • Possible issues with the operating system.

Refer to the referenced KA for the complete troubleshooting details.

A Windows Patch Deploy job fails with exit code 4001 and the bldeploy*.log shows return code 1058:

08/14/19 11:48:10.086 INFO bldeploy - [2][windows8.1-2012-R2-kb4470602-x64.msu-MS18-12-SONET-4471983-en-WINDOWS SERVER 2012 R2 DATACENTER (X64)-CU1] Found ReturnCode = 1058
08/14/19 11:48:10.086 DEBUG bldeploy - [2][windows8.1-2012-R2-kb4470602-x64.msu-MS18-12-SONET-4471983-en-WINDOWS SERVER 2012 R2 DATACENTER (X64)-CU1] Sending deploy end status event: #1317052.1#0#57000#1058#The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Return code 1058 indicates that the Windows Update Service has a startup type of "Disabled". The startup type must be "Automatic" or "Manual".

For details, see the referenced KA.

image2021-2-11_10-48-31.png

A Windows Patch deploy job fails with exit code 4001 and the bldeploy log displays return code 1618:

06/13/20 09:21:44.621 DEBUG bldeploy - [4][windows10.0-2016-kb4562561-x64-1607.msu-MS20-06-SSU-4562561-en-WINDOWS SERVER 2016 STANDARD-1607] Found failure indication in patch-level deployment status file.

06/13/20 09:21:44.621 DEBUG bldeploy - [4][windows10.0-2016-kb4562561-x64-1607.msu-MS20-06-SSU-4562561-en-WINDOWS SERVER 2016 STANDARD-1607] Found ReturnCode token with value '1618'

The Windows Installer process can run only a single installation at a time. Error 1618 indicates that the Windows Installer Service is currently being utilized for another installation or update.

For details, see the referenced KA.

A Windows Patch deploy job fails with exit code 4001 and the bldeploy*.log shows return code 2359302:

DEBUG    bldeploy - [2][windows10.0-2016-kb4530689-x64-1607.msu-MS19-12-W10-4530689-en-WINDOWS SERVER 2016 DATACENTER-1607] Found ReturnCode token with value '2359302'

This error occurs when the target server is not rebooted after installing the previous patch.

For details, see the referenced KA.

A Windows Patch deploy job fails with Exit code 4003 and the bldeploy*.log shows return code 3010:

1/12/21 17:22:50.822 DEBUG    bldeploy - [3][windows8.1-2012-R2-kb4516064-x64.msu-MS19-09-SO81-4516064-en-WINDOWS SERVER 2012 R2 STANDARD (X64)-CU1] Found ReturnCode token with value '3010'

3010 is not an error. It indicates that the patch is installed successfully and the system needs a reboot.

Refer the Error codesfor various MSI exit codes.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*