Microsoft is preparing to rerelease a two-year old update for Windows 7 that's necessary to avoid 'error 0x8000FFFF' when installing its latest security updates.
If your organization's Windows 7 PCs failed to install Microsoft's two most recent monthly rollup updates or the September security-only update, it's because the affected systems were missing a servicing stack update (SSU) that Microsoft released in October 2016.
It seems this happened due to Microsoft's patching nomenclature. That 2016 update, KB 3177467, was a 'full servicing stack update' for Windows 7 Service Pack 1 (SP1).
Microsoft labeled it as 'critical' but didn't classify it as a 'security' fix, which apparently led those organizations that only install updates tagged with 'security' to skip it.
Two years later, that decision -- based on Microsoft's communications -- caused some Windows 7 systems to report 'error 0x8000FFFF', and prevented these devices from installing critical security updates.
This problem affected customers installing the Windows 7 SP1 August 30 Monthly Rollup Preview KB 4343894, the September 11 Monthly Rollup KB 4457144, and the September 11 Security-only update KB 4457145.
"Installing the October 2016 Windows 7 SP1 servicing stack update (KB 3177467) first, and then applying the August 30 or September 11, 2018 updates mitigates this issue," Microsoft's John Wilcox said.
While this move fixes the issue, admins managing Windows 7 devices affected by this issue should take note of Microsoft's definition of servicing stack updates (SSUs).
"Servicing stack updates, or SSUs, are periodic updates released to specifically service or update the software stack for Windows platforms," explains Wilcox.
"These are fixes to the code that process and manage updates that need separate servicing periodically to improve the reliability of the update process, or address issue(s) that prevent patching some other part of the OS with the monthly latest cumulative update (LCU)."
SEE: 20 pro tips to make Windows 10 work the way you want (free PDF)
In other words, SSUs for Windows 7 aren't security updates, but they're necessary to receive certain future security updates, and that's why Microsoft in the past labeled them as 'critical' even though it didn't previously class them as security updates.
However, it's going to change that now by labeling all SSUs as 'security' and 'critical', even though strictly speaking they're not security updates. And with good reason too, since customers will now know that future Windows 7 security patches can be contingent on SSUs.
"[W]hen a servicing stack update does not exist, there is a risk that a device cannot be patched and kept secure," notes Wilcox.
"This makes a servicing stack update a key part of the security patch payload. However, the Windows 7 update technology and patch installation chronology require the servicing stack update to be handled separately from the monthly Security-only updates."
To ensure that Windows 7 customers don't overlook this dependency on KB 3177467, Microsoft will also reissue that update alongside the October 2018 Patch Tuesday update, and as per Microsoft's new naming scheme, it will be tagged as a security update.
Microsoft didn't spot this issue until now because its pre-flight tests apparently don't include systems with missing SSUs.
"We test our monthly patches on fully patched, up-to-date systems, which is why this issue was not seen in our testing, or by any of our preview partners," noted Wilcox.
Previous and related coverage
Got a 32GB Windows 10 device? You probably shouldn't have bought it, but here's how to make sure it doesn't stumble during the next Windows 10 update.
Microsoft tidies up Windows 10 version 1809 ahead of its expected October release.
Ubuntu VMs can now be launched from Hyper-V Quick Create and use RDP for enhanced session mode.
Microsoft sets out its list of features that are being removed or deprecated in the next Windows 10 release.
Everything you need to know about the support changes at a glance.
Your forum support for these products is up to your fellow problem-solvers now.