Skip to content

Blog

Windows Upgrade Woes — 0x8024000d when searching for updates after 1703 upgrade

Windows as a Service.

It sounds like an eminently sensible idea in world where failing to keep software up-to-date, in particular with security fixes, has a tangible negative impact on people. Treating software as a service also provides a healthy ongoing income stream, as well. 😉

At work, we had many issues with our first attempt at running an in-place upgrade from Windows 10 1511 to 1607 using ConfigMgr. They were resolved, in the end, but required a lot of effort.

So, naively, I am assuming that we couldn’t possibly quite as unlucky a second time, when testing using the same Windows 10 Servicing method for upgrading 1607 to 1703.

Alas, the upgrade to the new build itself worked without issue, but once booted into the new OS, Configuration Manager-mediated Windows Update scanning now fails.

This, from the WUAHandler.log:

OnSearchComplete - Failed to end search job. Error = 0x8024000d.
Scan failed with error = 0x8024000d.

Digging a little deeper, I’m seeing errors relating to the metadata for the updates.

[metadataintegrity] failed: hr = 0x80245004
[metadataintegrity]GetFragmentSigningConfig failed with 0x80245004. Using default enforcement mode: Audit.

We’re seeing an error relating to missing XML content, which I guess adds up with the suggestion that the metadata integrity is not validating.

0x8024000D WU_E_XML_MISSINGDATA Windows Update Agent could not find required information in the update's XML data.

My searching so far indicates that folks have fixed this with rather significant rebuilds of their WSUS infrastructure. I’d like to avoid that, of course!

It seems that perhaps third-party products being added to WSUS (such as Adobe Flash Player, before it was shipped as part of MS updates from Windows 8 onwards) may be related to the issue.

It is odd, and frustrating, that whatever issue it is only manifests in 1703, and that, once again, the nuclear option of a rebuild of a significant infrastructure piece is the dominant suggested solution.

I will update this post with any success I have resolving the issue without starting afresh with WSUS.

Light

Filesystem? What New Filesystem?

A quite legitimate criticism of iOS for some time has been the fact that you seem to end up with multiple gigabytes of unexplained “other” disk space usage after using the device for some time. It’s frustrating, especially on smaller devices.

Reinstalling iOS and restoring from your most recent backup would clear the mythical “other”, at least for a while.

It seems that the latest update to iOS, version 10.3, introduces a whole new filesystem technology, APFS. This wasn’t mentioned in the release notes, and is only really detectable by the end user in the form of a much longer upgrade process than would be needed for a typical iOS release.

Since upgrading a few devices, I have noticed a big jump in the available free space on those devices. The pesky “other” is still there, but appears to have shrunk significantly.

Hats of to Apple for fixing what was a criticism going a long way back, and for managing a quite potentially disruptive filesystem migration in such a transparent way for the end user.

May the “other” space usage forever remain small.

Let’s Encrypt on Windows with ACMESharp and letsencrypt-win-simple

The march of freely available TLS certificates for domain validation continues in the form of the Let’s Encrypt project and I’m very pleased that it does.

I’m very happy with the Certbot client on most systems where I need to deploy Let’s Encrypt, but on hosts facing the big wide world that are Windows-based, Certbot obviously is not an option!

Fortunately, I’ve had success with the ACMESharp library for PowerShell. What’s cool about the library is that it does break down the process into individual commands, meaning you can automate, script and report on your certificate status with a great deal of flexibility.

For simpler scenarios, though, the letsencrypt-win-simple client offers a nice friendly command line interface to the ACMESharp library and is a nice easy way to quickly retrieve and install a Let’s Encrypt certificate on a public-facing IIS instance. Automating the renewal process is easy too — just create a Task Scheduler task.

Yes, it’s a command line client, and there are Windows folks who may not be comfortable with that, but it walks you through every part of the process. No memorising of switches and flags are needed!

There really is no excuse — now is the perfect time to get everything on HTTPS!

Appeasement is not Acceptable

I have avoided overt political statements on this blog, unless they fell within the sphere of technology and I felt very strongly. 

But this is beyond political. 

I am appalled at my government’s appeasement of Mr Trump. I am appalled at their willingness to do deals with this new US administration.

Through the factually verifiable acts of this new administration (for example, the dismissal of the Attorney General after opposing the president), there is a clear attempt to dismantle checks and balances that are an integral and essential part of a democratic state. There is an obvious contempt for the rule of law. 

Functioning democracies do not behave in this way.

We must not wait for this US administration to start ‘disappearing’ people who lawfully oppose the administration before we act to say, loudly and clearly, that enough is enough

Safeguarding British values (as those values are defined by my government) demands that we condemn and oppose this behaviour.

I demand that my government condemn the Trump administration’s rejection of democratic norms and utilise any and all diplomatic pressure to make this clear.

History will judge us very poorly if we sit around waiting for it to get ‘bad enough’ before we take a stand.

Hopes for 2017

I hope for a world where we are able to actually keep calm and carry on in the face of significant challenges, rather than just displaying the aforementioned in poster form.

I hope for a world where those with all different political persuasions will have the courage to stand up for what is right, even when it is hard.

I hope for a world where we always remember to treat each other like human beings.

Happy New Year everyone.

The Investigatory Powers Act

I sincerely hope the UK Government plans to actually debate the “Repeal the new Surveillance laws (Investigatory Powers Act)” petition in Parliament now that it has reached 100,000 signatories, including myself.

Of course, the commitment they made is carefully worded such that attracting that number of signatures merely means it will be “considered” for debate.

Recent events in the United States and elsewhere demonstrate that maintaining the right balance of power between the state and the individual is more important than ever. I would not normally get political here, but the circumstances are anything but normal — the frightening jolt the western world seems to be making towards extreme right-wing authoritarianism means that maintaining that balance is nothing short of absolutely critical.

The list of organisations who can access internet connection records is enormously wide and includes bodies as mundane as the Food Standards Agency! This is way beyond something that could be argued as essential to maintaining the UK’s operational intelligence capabilities for preventing domestic acts of mass violence.

This law would be deeply, deeply troubling at any time, but is even more so as the US election shows us the threat of home-grown extremism that rises through established political bodies and gains the powers of high office.

Personally, I urge everyone to support efforts to mount legal challenges to this legislation.

Please consider supporting organisations like Open Rights Group.

Running SpinRite 6.0 on a Mac

SpinRite logo

SpinRite is a fantastic tool for repairing and maintaining hard drives, and I am proud to say that its purchase price has been more than recouped on drives that it has brought back into service that would otherwise have needed replacing!

Running it on an Intel Mac hasn’t been possible with version 6.0. It actually boots fine, but there is no way to give keyboard input, and thus there is no way to kick off a scan.

Reports that people had succeeded at getting SpinRite to work on various weird and wonderful platforms indirectly, using VirtualBox and its raw disk access mode, led me to experiment with this to run SpinRite on a Mac. This is particularly useful on iMacs where pulling the hard drive out of the case is… undesirable(!)

This is an advanced, technical process.

Performing the wrong operations when you have raw access to the disk, a technique this process uses, can cause you to lose data. You must have a backup.

Obviously, I do not accept any responsibility and cannot help if you break things by using these notes. Hard hats must be worn beyond this point. All contractors must report to the site office.

Boot from another disk

You’ll need a working MacOS install on another disk that you can boot from, as we need to unmount all the volumes on the disk to be scanned in order to gain raw access to the disk. I use SuperDuper to make bootable backups, and these work great for this purpose too.

Prepare the Environment

Make sure you have VirtualBox installed, with the optional Command Line Tools.

Turn off screen savers, sleep timers and screen lock, just in case the VM has taken keyboard input away from you and you are unable to unlock the Mac to check on SpinRite’s progress. It’s certainly not an ideal situation to have to pull the plug on the computer while that VM has raw access to your target disk!

Identify the Target Disk

It is critical that you identify the BSD device name for the whole disk that you want to operate on. In my case, I’d booted from disk1 and the SpinRite target disk was disk0.

Determine the correct disk identifiers with:

diskutil list

diskutil list

» Read the rest of this post…

Morning

QuickArchiver on Thunderbird — Archiving Messages to the Right Folder with One Click

QuickArchiver icon

Even despite the dominance of webmail, I have long used a traditional desktop email client. I like having a local mail archive should “the cloud” have trouble, as well as the ability to exert control over the user interface and user experience. (That might be partly a euphemism for not having to see ads!)

Apple’s Mail.app built into macOS (going to have to get used to not calling it OS X!) has served me pretty well for quite some time now, alongside Thunderbird when I’m on Linux, and while Mail.app offered the most smooth interface for the platform, it didn’t always have all the features I wanted.

For example, being able to run mail rules is more limited than I wanted in Mail.app. I could have rules run automatically as messages arrived in my inbox, or disable them entirely. But actually how I wanted to use rules was to be able to cast my eye over my inbox, and then bulk archive (to a specific folder) all emails of a certain type if I’d decided none needed my fuller attention.

Recently, I moved to Thunderbird on my Mac for managing email and discovered QuickArchiver.

As well as letting you writing rules yourself, QuickArchiver offers the clever feature of learning which emails go where, and then suggesting the right folder to which that message can be archived with a single click.

It’s still early days, but I am enjoying this. Without spending time writing rules, I’m managing email as before, and QuickArchiver is learning in the background what rules should be offered. The extra column I’ve added to my Inbox is now starting to populate with that one-click link to archive the message to the correct folder!

It’s just a nice little add-on if, like me, you (still??) like to operate in this way with your email.