Microsoft Confirms Windows Update Failures: What You Need to Know
Keeping your systems updated is a cornerstone of cybersecurity and stability. However, a recently acknowledged issue by Microsoft is causing some Windows updates to fail silently, potentially leaving systems vulnerable without any warning. This problem specifically involves the Windows Update Standalone Installer (WUSA.exe), a tool many administrators and users rely on for manual patch installation.
If you manually install updates using .msu files, this is critical information for ensuring your devices are truly protected.
Understanding the WUSA Installation Bug
The Windows Update Standalone Installer, or WUSA.exe, is the built-in utility that runs when you double-click an .msu update file. It is designed to simplify the process of applying individual patches outside of the automatic Windows Update service.
The core of the problem is a deceptive “silent failure.” When an affected update is installed using WUSA, the process may incorrectly report that the installation was successful. The confirmation dialog appears, and everything seems normal. However, behind the scenes, the update has not been fully applied and is rolled back, leaving the system in its pre-patch state.
This creates a dangerous situation where administrators and users believe a critical security patch has been installed when, in fact, the system remains unpatched and vulnerable.
Which Systems Are Affected?
Microsoft has confirmed this issue can occur on several widely-used Windows versions, including both client and server operating systems. The affected platforms include:
- Windows 11
- Windows 10
- Windows Server 2022
- And potentially other recent versions receiving cumulative updates.
The issue is not tied to a specific update but rather to the installation method. Any .msu package installed via WUSA on these systems could be susceptible to this silent failure.
The Official Solution: Use DISM for Manual Updates
To bypass this bug and ensure your updates are installed correctly, Microsoft’s official recommendation is to stop using WUSA for manual installations. Instead, you should use the Deployment Image Servicing and Management (DISM) command-line tool.
DISM is a more robust and reliable tool for servicing Windows images and applying packages. Unlike WUSA, DISM will correctly apply the update or provide a clear error message if the installation fails for any reason.
Actionable Steps for Securely Installing MSU Updates:
Open an elevated command prompt. You can do this by searching for “cmd” in the Start Menu, right-clicking “Command Prompt,” and selecting “Run as administrator.”
Use the following DISM command to install the update package, replacing the placeholder path with the actual location of your
.msufile:DISM.exe /Online /Add-Package /PackagePath:C:\path\to\update.msu- /Online: This targets the currently running operating system.
- /Add-Package: This is the command to add a package (like an update) to the OS.
- /PackagePath: This specifies the full location of the
.msufile you want to install.
Verify the installation. After running the command, it’s always a best practice to confirm the update was applied. You can do this by checking the installed update history in Settings > Windows Update > Update history or by using the following PowerShell command:
Get-HotFix -Id KB#######(Replace KB####### with the specific KB number of the update.)
Why This Matters for Your Security
This bug highlights a critical gap in system administration: the difference between perceived security and actual security. A silent failure provides a false sense of security, which can be more dangerous than a known vulnerability.
For IT professionals and managed service providers, the key takeaway is to adjust standard operating procedures immediately. Relying on double-clicking .msu files is no longer a reliable method. Scripting and manual installations should be updated to use the DISM command to guarantee that critical security patches are properly applied. By adopting this more robust method, you can close this potential security gap and ensure your Windows environments remain secure and compliant.
Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-11-windows-server-2025-updates-may-fail-from-network-shares/
