[German]A brief information for users who install the August 2019 security updates KB4512506 or KB4512486 for Windows 7 SP1 and Windows Server 2008 R2 in an installation error 0x80092004. It is highly likely that updates to retrofit SHA-2 support will then be missing.
Users report error 0x80092004
It didn’t take long after the release of the security updates KB4512506 (Monthly Rollup) or KB4512486 (Security Only) for Windows 7 SP1 and Windows Server 2008 R2 until the first users reported issues within my German blog. German blog reader Heidemann wrote in this comment:
The attempt to install the update to W2K8R2 fails here with Installation Failure: Windows failed to install the following update with error 0x80092004: Security Update for Windows (KB4512486).
No Symantec or Norton (but McAfee) on the systems.
And a short time later M. Gruber posted this comment with the same tenor, but to another German blog post.
I repeatedly fail to install KB4512506 (Monthly Security Quality Rollup) with code 80092004 under a naked Win7 x64 without AV software.
Am I the only one or is there a workaround?
The user then pointed out similar feedback from users in the English DSL forum.
I can’t install KB4512506 on two different Windows 7 64 bit systems. Each one fails with the error code: 80092004. Multiple restarts and retries result in same error. Anyone else seeing this?
I found also a japanese post mentions this error code without giving further hints.
The error has already occurred with .NET
I mentioned the error code 0x80092004 in some blog posts (see links at the end of the article) and Microsoft also published a KB article about the error. However, this KB article refers to a bug in the .NET framework that prevents updates from being installed. However, I don’t consider this to be a valid cause, as these are currently Windows updates.
What does error code 0x80092004 stands for?
Before you start any wild experiments, it’s good to know what the cause of the error is. The error code 0x80092004 stands for CRYPT_E_NOT_FOUND. Windows Update could not find any cryptographic value and rejects the update.
There was something SHA-2 signing?
I had it mentioned in the blog post Symantec/Norton blocks Windows Updates (SHA-2). Microsoft changed the signing of update packages for Windows 7 SP1 and Windows Server 2008/R2 for the first time in August 2019. Instead of signing the packages with both SHA-1 and SHA-2, only a SHA-2 hash value is stored in the package. The above error code indicates that Windows Update is looking for the SHA-1 signature in the package and does not find it.
What should be checked
One possibility is that an external virus scanner recognizes and modifies the update packets incorrectly. The blog post Symantec/Norton blocks Windows Updates (SHA-2) mentions that Symantec and Norton security solutions cause trouble. In this scenario, however, Microsoft blocks the delivery of security updates.
Weighting the above information, there is a lot of evidence that the support for the new updates and Windows signed exclusively by SHA-2 is simply missing. As of March 12, 2019, Microsoft had extended support article 4472027 (2019 SHA-2 Code Signing Support requirement for Windows and WSUS) to include the SHA-2 updates required for Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, and Windows Server 2008 Service Pack 2.
- Update KB4474419 (SHA-2 code signing support update for Windows Server 2008 R2 and Windows 7: March 12, 2019) adds support for SHA-2 signature checks for the above operating systems.
- In addition, the Servicing Stack Update KB4490628 was published in March 2019. This fixes a problem in the Servicing Stack, which occurs as soon as packages are signed with SHA-2 only.
I had mentioned within my blog post Windows 7: Updates for SHA-2 support, that it’s required both updates are installed. Within my German comment here I had recommended checking to see if the relevant updates were available. In fact, blog reader M. Gruber reported here that the SSU KB4490628 was missing on his machine. After installing the Servicing Stack Update (SSUs) from March 2019, the August 2019 security update for Windows 7 SP1 and Windows Server 2008 R2 was successfully installed. And I got a 2nd feedback, that this was the root cause for the update install error. Perhaps it will help one or the other affected person.
Fix for .Net Framework Update KB4340558 error 0x80092004
.Net Framework: Update KB4340558 drops error 0x80092004?
Patchday: Updates for Windows 7/8.1/Server (August 13, 2019)
Symantec/Norton blocks Windows Updates (SHA-2)
Windows 7: Updates for SHA-2 support