Server 2019 update error - running in XCP-NG

Greg_E · January 15, 2021, 4:56pm

I have a couple of plain vanilla Server 2019 eval running in XCP-NG and just ran into a problem with the January updates. One specific security update keeps failing:

From what I’ve read this is sometimes a .NET issue so I made sure this feature was installed, and also installed the older .NET 3.5 while I was there. Still an error. The other thing I read was that this requires a 500mb System partition, so I open up command line and Diskpart to check it:

As you can see, there is only 99mb for the system partition. I haven’t tried the GUI to resize things yet, but I have a feeling it won’t let me do anything to the system partition. Just wondering if anyone has any good idea on how to proceed to fix this?

These VM’s were built with the default 2019 template (in XCP-NG), and vanilla “Install Now” click in the Windows installer. I used the publicly available 2019 eval ISO for this install, I don’t think they update this from the base first release like they do some of the other server images.

I have a feeling that I’m going to become more fluent in Diskpart before I finish this task. I do have free space in the “primary” partition so I can size this down a gig or two.

Also, there are no services configured yet, just my test lab, so wiping this out and starting over is always a possible choice. And I should note that this didn’t bother my physical 2019 server which I updated Wednesday, I think it may only have 100mb for the system, I don’t look at things like that very often.

SpookyJosh · January 15, 2021, 5:16pm

Have you possibly tried manually downloading the update through the Microsoft Update Catalog? I’ve had success manually installing failed patches in the past. You can also try stopping the bits,wuauserv, and cryptsvc services, renaming the folders c:\windows\softwaredisitrbution to .old and c:\windows\system32\catroot2 to .old then restarting the services. That will trigger windows to redownload the update files freshly and try to install them again.

Greg_E · January 15, 2021, 9:40pm

Yup, tried all of that and still nothing. Even tried one of the update repair tools which does pretty much all of the same things. Gave up on it for a little while to think about options.

fredrikv · January 25, 2021, 7:40pm

I ran into the exact same issue this weekend. Vanilla Server 2019 Datacenter.
First I thought I messed it up because of an accidental reboot during the update phase, but after setting up a new server in the same way, same thing happended. Another Server 2019 DC I configured a couple of months ago seems to have the same problem as well…

After some research, there seem to be lots of problems with the 2021-01 updates from MS, not only on servers but also laptops and workstations running W10. Don’t know I you have found a solution, but maybe the update package itself needs to be fixed by MS.

I run XCP-ng 8.1 by the way.

Greg_E · January 25, 2021, 7:52pm

Since it was only affecting my eval versions in my lab, I haven’t gotten back to this yet. I did check my production server and it also only has 100mb of space for the system reserved partition. No issues on it as of last week when I checked it again. I’m keeping an eye on it, and thinking that MS needs to fix something or provide instructions on how we can fix this issue. I have not reported this to Microsoft.

I’m on XCP-NG 8.2 which is the latest version, but these VM’s were built on 8.1 with all the patches from early December when they were made.

Greg_E · March 5, 2021, 4:15pm

Coming back around to this as I’ve found more info… This is a secure boot issue, this update it trying to update the secure boot database and XCP-NG doesn’t seem to support this yet.

https://support.microsoft.com/en-us/topic/security-update-for-secure-boot-dbx-january-12-2021-f08c6b00-a850-e595-6147-d0c32ead81e2

I decided to delete the previous VM’s and start again, and chose Secure Boot to see how well it would work, still having the same issue. So for the time being, it seems like we need to run these in legacy BIOS mode. Going to delete the one VM I have running and build in BIOS mode to verify this, but I expect it to work since this update specifically deals with secure boot.

I tried to post this over on the XCP-NG forums, but the forum no longer finds my account and I haven’t taken the time to sort it out.