20 November, 2021

Install-WindowsFeature fails with ERROR_SXS_ASSEMBLY_MISSING

I was helping a client deploy Microsoft Defender for Endpoint, which on Server 2016 means installing the Windows Defender feature.

It was all going well, except on a handful of servers, I got an error trying to install the windows feature:

PS C:\windows\system32> Install-WindowsFeature -Name Windows-Defender
Install-WindowsFeature : The request to add or remove features on the specified server failed.
Installation of one or more roles, role services, or features failed.
The referenced assembly could not be found. Error: 0x80073701
At line:1 char:1
+ Install-WindowsFeature -Name Windows-Defender
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (@{Vhd=; Credent...Name=localhost}:PSObject) [Install-WindowsFeature],
    + FullyQualifiedErrorId : DISMAPI_Error__Failed_To_Enable_Updates,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
False   No             Failed         {}

From CBS.log:

Info                  CBS    Exec: Resolving Package: Package_7514_for_KB4571694~31bf3856ad364e35~amd64~~, Update: 4571694-14851_neutral, PinDeployment: amd64_64c67151d23f10652627ea697836de04_31bf3856ad364e35_10.0.14393.2608_none_88836d82ce01d273
Info                  CBS    Exec: Resolving Package: Package_7520_for_KB4577015~31bf3856ad364e35~amd64~~, Update: 4577015-15021_neutral
Info                  CBS    Exec: Resolving component from existing package; passing NULL manifest path to PinDeployment and hoping things haven't been scavenged.
Info                  CBS    Exec: Resolving Package: Package_7520_for_KB4577015~31bf3856ad364e35~amd64~~, Update: 4577015-15021_neutral, PinDeployment: amd64_64c67151d23f10652627ea697836de04_31bf3856ad364e35_10.0.14393.2608_none_88836d82ce01d273
Info                  CBS    Exec: 2 deployments need bulk staging
Error                 CSI    000000e6@2021/11/19:19:40:23.162 (F) onecore\base\wcp\componentstore\csd_locking.cpp(200): Error STATUS_SXS_ASSEMBLY_MISSING originated in function CCSDirectTransaction::LockComponent expression: (null)

Error                 CSI    000000e7 (F) STATUS_SXS_ASSEMBLY_MISSING #387975# from CCSDirectTransaction::OperateEnding at index 0 of 1 operations, disposition 2[gle=0xd015000c]
Error                 CSI    000000e8 (F) HRESULT_FROM_WIN32(ERROR_SXS_ASSEMBLY_MISSING) #387823# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_PinDeployment(Flags = 0, a = 64c67151d23f10652627ea697836de04, version 10.0.14393.2608, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}, cb = (null), s = (null), rid = 'Package_7514_for_KB4571694~31bf3856ad364e35~amd64~~', rah = '2', manpath = (null), catpath = (null), ed = 0, disp = 0)[gle=0x80073701]
Info                  CBS    Failed to pin deployment while resolving Update: Package_7514_for_KB4571694~31bf3856ad364e35~amd64~~ from file: (null) [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]
Info                  CBS    Failed to bulk stage deployment manifest and pin deployment for package:Package_2070_for_KB5006669~31bf3856ad364e35~amd64~~ [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]
Info                  CBS    CommitPackagesState: Started persisting state of packages
Info                  CBS    CommitPackagesState: Completed persisting state of packages

Long story short, in this environment they were using a 3rd party patch management system, which seemed to have had an issue about a year prior to the MDfE deployment, resulting in an earlier Windows Defender KB not being installed correctly on a handful of their servers. Because the KB wasn't successfully installed, it also wasn't successfully cleaned up either.

I'd always recommend a rebuild of the servers whenever you have Windows Installer issues; it usually isn't worth the risk of trying to fix it. Unfortunately, this wasn't available to the client at the time.

Plan B was to stay on their existing AV technology and forget about MDfE for a while, but that wasn't an option either.

So plan C is to very carefully remove references to the failed KB from the PackageDetect registry, so that Install-WindowsFeature doesn't look for it as part of installing Windows Defender.

  1. Confirm the latest backup was successful.
  2. Login to each server with Admin account, open regedit, and take a backup of the registry - both the full hive, as well as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect
  3. Modify the permissions of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect so that your admin account has full admin
  4. Repeat until Windows Defender has been installed successfully:
    • Select-String -Path "c:\windows\logs\cbs\cbs.log" -Pattern "Failed to pin", and note the package ID (e.g. Package_7373_for_KB4556813)
    • Try to remove the package properly via DISM.exe /Online /Remove-Package /PackageName:Package_7373_for_KB4556813... it'll fail, but you've gotta at least try to do things properly!
    • In HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect, search for the above package, and delete the result. There should be 1-2 results for each package name.
    • Try again to install: Install-WindowsFeature -Name Windows-Defender