rgl / packer-plugin-windows-update

Packer plugin for installing Windows updates
Mozilla Public License 2.0
299 stars 71 forks

Windows 2022 Updates Installed... But Server Doesn't Think They Are #115

Open gregorywmoore opened 1 year ago

gregorywmoore commented 1 year ago

I am seeing a strange issue with the 'windows-update' plugin 0.14.1 and Packer 1.8.0. The issue occurs with the Azure Marketplace Windows 2022 DataCenter ... 2016 and 2019 DataCenter do not exhibit the issue.

  image_offer                         = "WindowsServer"
  image_publisher                     = "MicrosoftWindowsServer"
  image_sku                           = "2022-Datacenter"

I am calling the 'windows-update' provisioner and just taking the defaults:

  provisioner "windows-update" {
  }

The plug-in identifies patches, installs them, handles any needed reboots, and everything appears to be good. But when a VM is provisioned from the image created during the Packer build, on first boot I am immediately prompted that Updates Are Available. Performing a "Check for Updates" shows that the same updates that were installed during the Packer image build are Pending Install. If I click 'Install Updates', it is like the system realizes at that point that they are already installed, and they immediately transition to Installed.

I had opened a call with Microsoft and didn't get very far with them. They had me check numerous log files and perform checks for updates using different methods, and ultimately stated that the updates were being installed correctly and there were no outstanding updates.

I just want to avoid releasing an image for production that is falsely calling for updates that are already installed.

Anyone encounter this, or know of any commands that I can integrate into the Packer build process that can make the server realize that the patches it says are pending install are already there and installed?

I have tried executing the windows-update provisioner twice, and even put a windows-restart provisioner in between them to no avail.

Any recommendations appreciated.

2022-09-30T18:31:37.6900434Z ==> azure-arm.win2022: Uploading the Windows update elevated script...
2022-09-30T18:31:40.4213988Z ==> azure-arm.win2022: Uploading the Windows update check for reboot required elevated script...
2022-09-30T18:31:44.8633682Z ==> azure-arm.win2022: Uploading the Windows update script...
2022-09-30T18:31:56.9296191Z ==> azure-arm.win2022: Running Windows update...
2022-09-30T18:32:05.3688164Z     azure-arm.win2022: Waiting for the Windows Modules Installer to exit...
2022-09-30T18:32:19.9018714Z ==> azure-arm.win2022: Restarting the machine...
2022-09-30T18:32:20.8129785Z ==> azure-arm.win2022: Waiting for machine to become available...
2022-09-30T18:32:21.5441796Z ==> azure-arm.win2022: A system shutdown is in progress.(1115)
2022-09-30T18:33:02.0551283Z ==> azure-arm.win2022: Checking for pending restart...
2022-09-30T18:33:08.3460914Z     azure-arm.win2022: w2022d-vm13529 restarted.
2022-09-30T18:33:08.3466818Z ==> azure-arm.win2022: Restart complete
2022-09-30T18:33:08.3472108Z ==> azure-arm.win2022: Running Windows update...
2022-09-30T18:33:14.5571985Z     azure-arm.win2022: Searching for Windows updates...
2022-09-30T18:33:24.6010604Z     azure-arm.win2022: Found Windows update (2022-08-09; 0.07 MB): 2022-08 Security Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5012170)
2022-09-30T18:33:24.6016044Z     azure-arm.win2022: Found Windows update (2022-09-13; 36.67 MB): Windows Malicious Software Removal Tool x64 - v5.105 (KB890830)
2022-09-30T18:33:24.6022302Z     azure-arm.win2022: Found Windows update (2022-09-22; 57.2 MB): 2022-09 Cumulative Update Preview for .NET Framework 3.5, 4.8 and 4.8.1 for Microsoft server operating system version 21H2 for x64 (KB5017860)
2022-09-30T18:33:24.6024914Z     azure-arm.win2022: Downloading Windows updates (3 updates; 93.95 MB)...
2022-09-30T18:33:29.5999796Z     azure-arm.win2022: Installing Windows updates...
2022-09-30T18:34:10.8076978Z     azure-arm.win2022: Waiting for operation to complete (system performance: 39% cpu; 24% memory)...
2022-09-30T18:35:12.0766902Z     azure-arm.win2022: Waiting for operation to complete (system performance: 42% cpu; 25% memory)...

ac-miller commented 11 months ago

@gregorywmoore I'm having this issue now, but with Windows Server 2019. The Packer logs show the Windows updates as being found and installed. But when I create a VM from this template, the updates still show pending.

Did you figure anything out with your problem?

gregorywmoore commented 11 months ago

I have not seen this issue using the Windows update provisioner on 2019.

The thing that I discovered on my Win 2022 issue is that the updates were in fact installed, but the OS just didn't realize they were installed. They showed pending. If you clicked Install, they wouldn't actually install, they would just immediately transition to installed.

If I didn't do anything and just let a deployed system sit for a couple or few hours, it would eventually figure out on its own that the updates were installed and would no longer say that there were pending updates.

Sorry, I know that probably isn't much help. I racked my brain on it, never got any further, and have just been living with it on 2022.

provisioner "windows-update" { }

raptorrico commented 11 months ago

Yes, I have the same experience on Windows 11 multi-session. Updates are installed correctly during the build and Windows Update just needs a new sync to realise.

svetecs commented 10 months ago

I thought this was just me. I originally used PSWindowsUpdate in my template but noticed that while the updates get detected and installed during the build, the VM created from the image still reports things like dotNET and a Server CU. So I changed the Windows Updates task to use the packer plugin, but the same thing happens.

In Azure, I use the latest SKU, so I know that image has the most recent monthly CU. My Server 2022 build won't show me the latest CU, but Server 2019 will after the image is built. I also notice that in winver, the OS build number matches what the latest CU is... so it's strange. Packer says it's installed, Windows says no.

On-Prem, since I'm using an untouched ISO, I see that it will download the latest CUs during the updates phase, install them and continue on. But just like Azure, when I spin up a VM, I'm told there are updates available.

I might have a look at adding a step in my packer sequence to call up wuauclt /detectnow /updatenow and see how that does/does not impact Windows acknowledging the updates are installed.
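
An added example, not part of the thread or the plugin: a PowerShell check, run elevated on a VM deployed from the image, that lists what the Windows Update Agent reports as pending and flags each entry that is already recorded as installed, which is the symptom described in the comments above. Variable names are illustrative, and the check only diagnoses the mismatch; it does not change update state.

```powershell
# Added example: compare what the Windows Update Agent (WUA) reports as pending
# with what its own install history and Get-HotFix record as installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Fresh scan for updates WUA considers applicable but not installed.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0")

# KB numbers that WUA's history records as successfully installed
# (Operation 1 = installation, ResultCode 2 = succeeded).
$historyKbs = @()
$count = $searcher.GetTotalHistoryCount()
if ($count -gt 0) {
    $historyKbs = @($searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
        ForEach-Object { if ($_.Title -match 'KB\d+') { $Matches[0] } } |
        Sort-Object -Unique)
}

# KB numbers reported by Get-HotFix. It does not list every update type
# (tool and definition updates are typically absent), so a miss is not proof.
$hotfixKbs = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

$report = foreach ($u in $result.Updates) {
    $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" })
    [pscustomobject]@{
        Title        = $u.Title
        KB           = $kbs -join ','
        InWuaHistory = [bool]($kbs | Where-Object { $historyKbs -contains $_ })
        InGetHotFix  = [bool]($kbs | Where-Object { $hotfixKbs -contains $_ })
    }
}

# Rows with either flag True are "pending" updates that an install record
# already exists for; rows with both False should be treated as missing.
# A KB number that is reissued monthly (such as KB890830) can match an older
# history entry, so confirm those rows by title and version.
$report | Format-Table -AutoSize -Wrap
```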

BorysMariusz commented 5 months ago

Any update on that? I have the same issue:

azure-arm.windows2022: Searching for Windows updates...
azure-arm.windows2022: Found Windows update (2024-01-09; 22.02 MB): 2024-01 Security Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5034439)
azure-arm.windows2022: Found Windows update (2024-02-13; 65.98 MB): 2024-02 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Microsoft server operating system version 21H2 for x64 (KB5034682)
azure-arm.windows2022: Found Windows update (2024-03-12; 64.77 MB): Windows Malicious Software Removal Tool x64 - v5.122 (KB890830)
azure-arm.windows2022: Downloading Windows updates (3 updates; 152.77 MB)...
azure-arm.windows2022: Installing Windows updates...
azure-arm.windows2022: Waiting for operation to complete (system performance: 7% cpu; 11% memory)...
azure-arm.windows2022: Waiting for operation to complete (system performance: 2% cpu; 13% memory)...
