Patch Manager Security cumulative Update in error on some Windows 11 or Windows 2025 servers
search cancel

Patch Manager Security cumulative Update in error on some Windows 11 or Windows 2025 servers

book

Article ID: 423418

calendar_today

Updated On:

Products

CA Client Automation - IT Client Manager CA Client Automation

Issue/Introduction

Installation of a Patch Manager Security cumulative Update is in error on some Windows 11 or Windows 2025 machines.

Some error seen in Job output file

Continuing execution....
[Executing...] cmd /C wusa.exe Win11-Server2025-kb5066835-x64-24H2.msu /quiet /norestart /log:C:\WINDOWS\TEMP\ipEvent.evtx
[Executing...] cmd /C WEVTUtil query-events C:\WINDOWS\TEMP\ipEvent.evtx /lf:true /format:text /q:"*" > C:\WINDOWS\TEMP\ipEventOutput.log
Patch installation failed with error code -2146498504.

WusaGetErrorMessage.00296: Failed to get message for error 0x800f0838

"Security Update for Windows (KB5066835)" could not be installed because of error 2148468792 "" (Command line: "wusa.exe  Win11-Server2025-kb5066835-x64-24H2.msu /quiet /norestart /log:C:\WINDOWS\TEMP\ipEvent.evtx")

"Security Update for Windows (KB5066835)"; Error: 0X800f0838. Command line: wusa.exe  Win11-Server2025-kb5066835-x64-24H2.msu /quiet /norestart /log:C:\WINDOWS\TEMP\ipEvent.evtx

 

Environment

Client Automation - All Versions

Cause

On some environment the installation of checkpoint Update patch windows11.0-kb5043080-x64 is needed to install the latest Security cumulative Update

See for example :

August 12, 2025—KB5063878 (OS Build 26100.4946)

The solution is to install the security patch using the powershell command Add-WindowsPackage with patch kb5043080 in same directory.

Example for patch kb5068861

  • Put these 2 files in same directory :

Win11-Server2025-kb5043080-x64-24H2.msu
Win11-Server2025-kb5068861-x64-24H2.msu

  • Execute following powershell command :
    powershell.exe -command Add-WindowsPackage -Online -NoRestart -PackagePath ".\Win11-Server2025-kb5068861-x64-24H2.msu"

Resolution

  • Patch "2025-11 Cumulative Update - Win11-Server2025-kb5068861-x64-24H2-v2" has been published and include an enhancement in installation script.

  • Patch CA - Patch Me - Security IntelliRollup v2512.01 has also be published and includes the enhanced script for the patch "2025-12 Cumulative Update - Win11-Server2025-kb5072033-x64-24H2-v2.

Additional Information

Patch "2025-11 Cumulative Update - Win11-Server2025-kb5068861-x64-24H2-v2" contains the patches :

Win11-Server2025-kb5043080-x64-24H2.msu
Win11-Server2025-kb5068861-x64-24H2.msu

 

The script first tries to the patch using wusa.exe :

command="cmd /C wusa.exe Win11-Server2025-kb5068861-x64-24H2.msu /quiet /norestart /log:" + eventFile
TextUpdater(LogFileName,"[Executing...] " + command)
ErrorCodeReturn=exec(command,true,0)

 

And if it fails it tries with powershell command Add-WindowsPackage

if (errorcodereturn = -2146498504 or errorcodereturn = -2148468792 or errorcodereturn = -2147942487 or errorcodereturn = -2149842967 or errorcodereturn = -2147942413) then
   Textupdater(LogFileName, "Patch installation returned with exit code " + str(errorcodereturn) + ".")
   Textupdater(LogFileName, "Installation attempt with Add-WindowsPackage command from Powershell.")
   command="cmd /C powershell.exe -command " + """Add-WindowsPackage -Online -NoRestart -PackagePath .\Win11-Server2025-kb5068861-x64-24H2.msu -LogPath " + eventFileOutput + """
   TextUpdater(LogFileName,"[Executing...] " + command)
   ErrorCodeReturn=exec(command,true,0)
Powered by Wolken Software