Windows 10 V1703: Update error 0x8024000d (on WSUS)

[German]It’s a strange error behavior, I found recently within a German administrator website. A user reported, that all his Windows 10 V1703 clients trigger error code 0x8024000d when searching for an update. The clients are receiving updates from WSUS on Windows Server 2012 R2. There was also Office 2007 installed on the clients.


Advertising

Update error 0x8024000d in detail

The user also posted his case within German Technet forum in more details and has analyzed the log files. Here’s what he observed.

after upgrade to Creators Update [Version  1703] of Windows 10 (x64)  all systems with Office 2007 Standard/Prof (32 bit) installed, Windows Update fails. All systems are reporting 0x8024000d.

The user obtained the Windowsupdate.log created from Windows Update, and located at

%windir%\Windowsupdate.log

He found the following entries:

2017.08.01 14:13:04.1189449 4736  2516  Metadata        [0]1280.09D4::08/01/2017-14:13:04.118 [metadataintegrity] failed: hr = 0x8024500C
2017.08.01 14:13:04.1189456 4736  2516  Metadata        [0]1280.09D4::08/01/2017-14:13:04.118 [metadataintegrity]GetFragmentSigningConfig failed with 0x8024500C. Using default enforcement mode: Audit.
2017.08.01 14:13:04.1189460 4736  2516  Metadata        [0]1280.09D4::08/01/2017-14:13:04.118 [metadataintegrity] failed: hr = 0x8024500C
2017.08.01 14:13:04.1189479 4736  2516  Metadata        [0]1280.09D4::08/01/2017-14:13:04.118 [metadataintegrity]Policy-driven service enabled. Using Ignore Policy.
2017.08.01 14:13:04.1190057 4736  2516  ProtocolTalker  [0]1280.09D4::08/01/2017-14:13:04.119 [agent]SyncExtendedUpdateInfo – 0 bad out of 0 metadata signatures checked using Audit enforcement mode.
2017.08.01 14:13:04.1310942 4736  2516  Misc            [0]1280.09D4::08/01/2017-14:13:04.131 [updparse]Missing required node AdditionalDigest
2017.08.01 14:13:04.1311162 4736  2516  Agent           [0]1280.09D4::08/01/2017-14:13:04.131 [agent]Failed to parse extended metadata for 6D629889-8D3F-4F26-929A-E08B8F363F49.100, hr=8024000d
2017.08.01 14:13:04.1320713 4736  2516  Agent           [0]1280.09D4::08/01/2017-14:13:04.132 [agent]Failed to get extended update infos, hr=0x8024000d.
2017.08.01 14:13:04.1808464 4736  2516  Agent           [0]1280.09D4::08/01/2017-14:13:04.180 [agent]Exit code = 0x8024000D

There are several meta data errors reported. The user, who is an admin of a company network wrote:


Advertising

If I uninstall Office 2007 or upgrade to an Office version above Office 2010, Windows Updates works. Installing Office 2007 again, brings the update error back

I tried to download and install all updates available for Windows 10 V1703 manually. But this won’t fix this error.

He wrote, that 30 systems within the company are affected. And he are using WSUS on Windows Server 2012 R2.

Trouble with Windows 10 V1703 and WSUS

Searching the web for error code 0x8024000d, brought me to a Technet forum entry Windows 10 1703 and WSUS. Dort somebody reported, that this error has been fixed with cumulative June 2017-Update KB4022716. But, if Windows Update fails, the clients won’t receive this cumulative update. The Technet thread linked above contains a couple of proposals, what has fixed this issue (on Dell systems DELL UPDATE has fixed the issue). Some posts indicated, deleting third party meta data (Dell, Adobe etc.) has fixed the issue. Also error code 0x80240042 (WU_E_UNKNOWN_SERVICE The update service is no longer registered with AU) has been mentioned.

I found also a link to this Technet forum thread, dealing with the ‘Dual Scan’ issue under Windows 10.

Server Cleanup Wizard

At Windows Partner support I found this thread, where somebody mentioned error 0x8024000d in connection with Windows 10 V1703 and WSUS. A Microsoft employee pointed to Server Cleanup Wizard to clean updates on Windows Server (see screenshot above). But that doesn’t help.

The document How to clean up the WSUS server and clients when reaching the locally published category limit contains hints, how to clean WSUS Update memory.

A Microsoft support engineer reported, on June 26, 2017 a known issue within Windows 10 Version 1703:

Based on our discussion, there is a known issue about Windows 10 1703 and WSUS. If we used to import any third party update or any tools that the publisher is not Microsoft, WSUS would not work well with Windows 10 1703. So please help me double confirm if we have import and third party update or tools to WSUS. We could use WSUS to list all updates and look for the updates that do not have the corresponding KB number. If there is such an update listed, it means that we have used WSUS to install the third party updates. This may be our cause.

The issue should be fixed via manual installing updates (KB4022716 has been mentioned) under Windows 10 Version 1703. But this hasn’t been helpful within the case mentioned above.

What does the error code means?

According to my blog post Tip: Windows Update error code 0x8024xxxx list I searched at Microsoft’s error code list for error 0x8024500C, but couldn’t find en entry. The log file entry says, the meta data integrity are damaged. A German blog reader pointed out, that the error code has been documented in the newest Win 10 SDK as:

0x8024500C = WU_E_REDIRECTOR_CONNECT_POLICY = Connections to the redirector server are disallowed by managed policy.

Error code 0x8024000d has been documented within Microsoft’s error code list as

WU_E_XML_MISSINGDATA – Windows Update Agent could not find required information in the update’s XML data.

There are meta data missing, the client needs meta data, that hasn’t been found locally.

Finding the broken updates

The users investigated this case over 6 weeks and finally found a solution and a reason for this behavior. He managed it to analyze the log file and found an entry :

[agent]Failed to parse extended metadata for 6D629889-8D3F-4F26-929A-E08B8F363F49.100, hr=8024000d

He then intend to use PowerShell to find the broken update with the ID outlined above in bold. Open an administrative PowerShell command window, allows to retrieve the state of an update using the following command:

Get-WsusUpdate -UpdateId <ID>

Here are the command for the ID given above and the results:

PS H:\> Get-WsusUpdate -UpdateId 6D629889-8D3F-4F26-929A-E08B8F363F49

Title                  Classification    Installed/Not Applicable  Approved Percentage
-----                  --------------    --------------------------- --------
Microsoft Office File  Wichtige Updates  Nicht genehmigt
Validation Add-in 

PS H:\>

The ‘Microsoft Office File Validation Add-in’ hasn’t been available on Windows 10 clients, because it has been blocked on WSUS. As a consequence, the required Office 2007 metadata are missing.

What is Microsoft Office File Validation Add-in?

Microsoft writes for Microsoft Office File Validation Add-in (KB2501584):

Office File Validation is a security add-in for Office 2003 and 2007. Office File Validation is used to validate that Binary File Format files conform to the Microsoft Office File Format. The user will be notified of possible security risks if files fail to conform to the format.

Many administrators are blocking this update on their corporate networks.  This Technet forum post from 2011 warns to install this update. I found also this blog post warning to install the update.

The Office File Validation Add-In blocks files created with 3rd party software (LibreOffice or OpenOffice) in Microsoft Office. Also documents created with 3rd party Office add-ons may be affected.

So there is a dilemma. The Add-in blocks some documents, but a missing Add-in is causing error 0x8024000d in Windows 10 Creators Update (Version 1703).

A solution for error 0x8024000d

The fix for error 0x8024000d is a kind of obscure. The user wrote at Technet forum, that he unblocked this update (in WSUS on Windows 2012 R2) for  Windows 10 V1703 clients. Then his Windows 10 V1703 clients started to search for Windows updates again, the error was gone.

But there is a note: The user wrote, that the update for the missing Add-in isn’t required itself – it hasn’t been installed at all. And he mentioned:

If I change the client’s configuration to obtain updates from Microsoft’s Update Servers, Windows Update works. After updating one client, I switched back to WSUS, and error 0x8024000d came back. Then I disabled „Update for other Microsoft products“ on a client, but error 0x8024000d was still present.

It seems that there is a WSUS issue with Windows 10 Clients. But the log file entry 0x8024500C stands for E_REDIRECTOR_CONNECT_POLICY = Connections to the redirector server are disallowed by managed policy.

User Damon B reported at Technet, that updating the admx files helped. User McLion mentioned registry fixes, he made for Windows Update to fix the issue. Also wrong SSL settings has been reported. At Technet there is a blog post, addressing issues with Windows 10 V1511 und V1607. User Matthias Miks reported, deactivating real time protection in Windows Defender solved the issue. And user Chris Michetti had to update his Realtek PCIe GBE Family driver and fixes the registry solved his issue. Voodoo at it’s best …


Advertising
This entry was posted in issue, Update, Windows and tagged , , , . Bookmark the permalink.

1 Response to Windows 10 V1703: Update error 0x8024000d (on WSUS)

  1. Pingback: Windows 10-Clients, Windows Update und Fehler 0x8024000d bei WSUS-Nutzung – Weblog vom Boettjer

Leave a Reply

Your email address will not be published. Required fields are marked *