Environment
- App Control Console: All Supported Versions
- App Control Windows Agent: All Supported Versions
Symptoms
- Windows Updates taking an extended time to install.
- Windows Update failing to install due to timeout.
Cause
Large volumes of files are introduced to the endpoint at once.
Resolution
- Verify the endpoint is using the latest Agent version.
- Verify the steps for Trusted Directory approval of WIM files have been enabled and configured.
- Verify the Agent Exclusions are added to any other antivirus or security product (including Windows Defender).
- Verify existing Updaters (such as Windows Defender) are enabled in the Console > Rules > Software Rules > Updaters.
- Log in to the Console and navigate to https://ServerAddress/agent_config.php
- Add an Agent Config to ignore file operations on inst*.tmp files used during the Windows Update process:
Property Name: Windows Update Performance
Host ID: 0
Value: kernelFileOpExclusions=*\Windows\SoftwareDistribution\Download\*\inst*.tmp:4192127
Platform: Windows
Status: Enabled
- Save
- Add an Agent Config to limit the type of activity done during the USN Journal Check:
Property Name: USN Journal Flag
Host ID: 0
Value: usn_journal_flags=5634
Platform: Windows
Status: Enabled
- Save
- Add an Agent Config to increase the default threshold of new files required before Cache Analysis:
Property Name: USN Journal Max CC
Host ID: 0
Value: usn_journal_max_analysis_messages_before_cc=10000
Platform: Windows
Status: Enabled
- Save
If excessive upgrade times are still observed after applying these changes, please collect the following information and open a case with Support:
- How are the patches being deployed (Windows Update Server, SCCM, 3rd party, etc)?
- How can the test be reproduced (snapshotted virtual machine, anecdotal, etc)?
- What is the time difference with the Agent installed/uninstalled to complete patching?
Additional Notes
- Values for Agent Configs are case sensitive and should not begin or end with a space.
- Each configuration can be set for either one host, or limited to specific Policies.
- The default usn_journal_flags value will resubmit both new and existing files (i.e. files the Agent already knows about) appearing in the journal for re-analysis.
- The new usn_journal_flags value above will instruct the Agent to:
  - Initiate a CC2 if the current USN Change Journal is new.
  - Generate an Event if a file was discovered, modified, or removed via USN Scan.
  - Verify known files that were modified still match the known hash.
  - Stop processing if the file's timestamp is after the Agent running time.
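
A pre-check for the three Agent Config values above before they are pasted into the Console, enforcing the case-sensitivity and no-leading/trailing-space notes. This is an added example, not part of the product or the original article; the function name lint_agent_config is hypothetical, and the '<path pattern>:<decimal number>' shape and the no-spaces-around-'=' rule are assumptions inferred from the values shown in this article.

```python
import re

# The three Agent Config values given in this article (copied verbatim).
ARTICLE_VALUES = [
    r"kernelFileOpExclusions=*\Windows\SoftwareDistribution\Download\*\inst*.tmp:4192127",
    "usn_journal_flags=5634",
    "usn_journal_max_analysis_messages_before_cc=10000",
]
# Property names this lint knows about: only the ones used in the article.
KNOWN_NAMES = {v.split("=", 1)[0] for v in ARTICLE_VALUES}


def lint_agent_config(value):
    """Return a list of problems found in one Agent Config 'Value' string."""
    problems = []
    if value != value.strip():
        problems.append("begins or ends with whitespace")
    name, sep, setting = value.strip().partition("=")
    if not sep:
        return problems + ["missing '=' between name and setting"]
    # Assumption: no spaces inside the value either, matching the article's examples.
    if name != name.strip() or setting != setting.strip():
        problems.append("whitespace around '='")
    name, setting = name.strip(), setting.strip()
    if name not in KNOWN_NAMES:
        # Values are case sensitive, so a case-only mismatch is reported as such.
        match = [k for k in KNOWN_NAMES if k.lower() == name.lower()]
        problems.append(f"name case differs from '{match[0]}'" if match
                        else f"name '{name}' is not one covered by this article")
        return problems
    if name.startswith("usn_journal_"):
        if not re.fullmatch(r"\d+", setting):
            problems.append("setting must be a decimal integer")
    else:
        # Assumption from the article's example: '<path pattern>:<decimal number>'.
        pattern, colon, number = setting.rpartition(":")
        if not colon or not pattern or not re.fullmatch(r"\d+", number):
            problems.append("expected '<path pattern>:<decimal number>'")
    return problems


if __name__ == "__main__":
    # Constructed bad inputs: a trailing space and a wrong-case property name.
    for candidate in ARTICLE_VALUES + ["usn_journal_flags=5634 ", "USN_Journal_Flags=5634"]:
        print(repr(candidate), "->", lint_agent_config(candidate) or "ok")
```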