Windows Updates Take Long Time to Install

Article ID: 286693

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Windows patches take a long time to apply
  • Windows Updates fail to install due to timeout

Environment

  • App Control Console: All Supported Versions
  • App Control Windows Agent: All Supported Versions

Cause

A large number of files is being introduced to the system at the same time.

Resolution

  1. Verify the endpoint is using the latest Agent version
  2. Verify the Agent Antivirus Exclusions are added to any other antivirus or security product (including Windows Defender)
  3. Verify existing Updaters (such as Windows Defender) are enabled in the Console > Rules > Software Rules > Updaters.
  4. Log in to the Console and navigate to https://ServerAddress/Agent_config.php
  5. Add an Agent Config to ignore file operations on .tmp files used during the Windows Update process:
    Property Name: Windows Update Performance
    Host ID: 0
    Value: kernelFileOpExclusions=*\Windows\SoftwareDistribution\Download\*\inst*.tmp:8386431
    Platform: Windows
    Status: Enabled
  6. Save
  7. Add an Agent Config to limit the type of activity done during the USN Journal Check:
    Property Name: USN Journal Flag
    Host ID: 0
    Value: usn_journal_flags=5634
    Platform: Windows
    Status: Enabled
  8. Save
  9. Add an Agent Config to increase the default threshold of new files required before Cache Analysis:
    Property Name: USN Journal Max CC
    Host ID: 0
    Value: usn_journal_max_analysis_messages_before_cc=10000
    Platform: Windows
    Status: Enabled
  10. Save


If excessive upgrade times are still observed after applying these changes, collect logs using the following steps:

  1. Collect the following information:
    • How are the patches being deployed (Windows Update Server, SCCM, 3rd party, etc)?
    • Is the issue reproducible (snapshotted virtual machine, anecdotal, etc)?
    • What is the time difference with the agent enabled versus when it is disabled to complete patching?
  2. Collect the following logs:
    1. Verify all configs in this article are in place.
    2. If possible, snapshot a sample virtual machine encountering this issue before applying the Windows patches.
    3. Use a command prompt to issue the following commands:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli password GlobalCLIPassword
      dascli flushlogs
      dascli resetcounters
    4. Do not increase any Debug Levels; this will add overhead and skew the results.
    5. Apply the Windows patches and then capture logs:
      dascli capture "%userprofile%\Desktop\%computername%-Patching.zip"

Additional Information

  • Values for agent configs are case sensitive and should not begin or end with a space.
  • Each configuration can be set for one agent, for a specific set of Policies, or for all agents.
  • The default usn_journal_flags submits both new and existing files (i.e. files the agent already knows about) appearing in the USN journal for analysis.
  • The usn_journal_flags value above instructs the agent to:
    • Initiate a CC2 (rescan of known files) if the USN journal change is new (0x0002)
    • Analyze known files that were modified if they still match the known hash (0x0200)
    • Stop processing USN file changes with a timestamp after the agent start time (0x0400)
    • Generate an Event if a file was discovered, modified, or removed via USN scan (0x1000)
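
The log-collection steps ask you to verify that all configs in this article are in place, and the notes above say values are case sensitive and must not begin or end with a space. The Python sketch below is an added example, not Broadcom's or the agent's own tooling: it checks a list of Value strings against the three values given here and decodes usn_journal_flags into the four documented bits. The names `EXPECTED`, `USN_FLAGS`, `decode_usn_flags` and `lint` are hypothetical, and it assumes the Value fields were copied by hand from the Agent Config page.

```python
# Added example (not Broadcom tooling): lint Agent Config values against this article.
# Assumption: each entry is the raw text of a "Value" field, copied by hand.
EXPECTED = {  # the three values exactly as the article gives them
    "kernelFileOpExclusions": r"*\Windows\SoftwareDistribution\Download\*\inst*.tmp:8386431",
    "usn_journal_flags": "5634",
    "usn_journal_max_analysis_messages_before_cc": "10000",
}
USN_FLAGS = {  # bits as described under Additional Information
    0x0002: "CC2 rescan of known files if the USN journal change is new",
    0x0200: "analyze modified known files that still match the known hash",
    0x0400: "stop processing USN changes timestamped after agent start",
    0x1000: "generate an event for files discovered/modified/removed via USN scan",
}

def decode_usn_flags(value):
    """Split a usn_journal_flags integer into documented bits and leftover bits."""
    known = [desc for bit, desc in sorted(USN_FLAGS.items()) if value & bit]
    unknown = value & ~sum(USN_FLAGS)
    return known, unknown

def lint(entries):
    """Return a list of problems found in raw 'name=value' strings."""
    problems, seen = [], {}
    for raw in entries:
        if raw != raw.strip():
            problems.append(f"leading/trailing space: {raw!r}")
        name, sep, value = raw.strip().partition("=")
        if not sep:
            problems.append(f"not name=value: {raw!r}")
            continue
        match = next((k for k in EXPECTED if k.lower() == name.lower()), None)
        if match is None:
            continue  # not one of this article's settings
        seen[match] = value
        if name != match:
            problems.append(f"case mismatch: {name} (expected {match})")
        elif value != EXPECTED[match]:
            problems.append(f"{name}: value {value!r} differs from the article")
        if match == "usn_journal_flags" and value.isdigit():
            _, unknown = decode_usn_flags(int(value))
            if unknown:
                problems.append(f"usn_journal_flags: bits not in the article: {unknown:#06x}")
    problems += [f"missing: {k}" for k in EXPECTED if k not in seen]
    return problems

if __name__ == "__main__":
    # Constructed sample: one trailing space, one wrong-case name, one setting absent.
    sample = ["usn_journal_flags=5634 ", "USN_Journal_Max_Analysis_Messages_Before_CC=10000"]
    print("\n".join(lint(sample)))
```

A clean result for the kernelFileOpExclusions entry also confirms the exclusion path has not been widened beyond the inst*.tmp pattern given in step 5.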