In Part 4 we discussed how to track an update using the Windows Setup Log and the CBS Logs.

In Part 5 we’ll look through the CBS Logs in more detail, using specific examples where the Windows Defender feature fails to install on Windows Server 2016.

I’ve seen a number of people report the below errors in forums so I will address them here.

References:
https://docs.microsoft.com/en-us/answers/questions/503797/unable-to-uninstall-windows-defender-on-server-201.html
https://superuser.com/questions/1519058/error-sxs-assembly-missing-on-server-2016

Disclaimer:
If you choose to use these steps, you do so at your own risk. The blog is designed to give you an insight into the problem and is not an official support document.

Common errors I see when Windows Defender feature fails to install:

0x80073701 (ERROR_SXS_ASSEMBLY_MISSING)
0x800f081f (CBS_E_SOURCE_MISSING)

What are these errors?

In both cases these errors represent some type of servicing corruption in the Windows Component Store or Registry, and they will reference specific Windows Updates.

0x800f081f (CBS_E_SOURCE_MISSING)

These errors reference an issue with missing .cat or .mum files. The detection occurs when the server is trying to install a feature or another update, and you will see the error referenced in Server Manager or the Command-Line when trying the operation.

CBS Logs

You can check the CBS logs to track down the error, and there is also a section that will highlight the corruptions present. In C:\Windows\Logs\CBS you are likely to have more than one CBS log. You should see CBS.log and also a number of logs called CbsPersist_<Date and Time> that are archived to .CAB files.

I would extract all the archived .CAB files using a tool like 7-Zip as you may need to review these for information and errors.

Once all the files are extracted, use Notepad++ and open all CBS files for review.

  1. Ctrl + F
  2. Add the search criteria, using some or all of the following: [HRESULT = 0x800f0831 – CBS_E_STORE_CORRUPTION]
  3. Use “Find All in All Opened Documents” in Notepad++

From the output we see two things:

  1. The error, 0x800f0831
  2. The Windows Update and the specific package(s) that are corrupt or missing and causing Defender to fail installation.

Log 1

Next we will search the CBS Logs to identify the summary of the corruptions.

  1. Ctrl + F
  2. Add the search criteria, using some or all of the following: “Readiness”
  3. Use “Find All in All Opened Documents” in Notepad++

We see 5 missing catalog files:

Log 2

Note:
If you do not see any results for “Readiness” do the following:

  1. Open an elevated Command-Line
  2. Run the following command:

DISM /Online /Cleanup-Image /RestoreHealth /LimitAccess

Check the CBS.log when this completes; the “Readiness” results should now be present.

How to resolve?

To resolve these corruptions we need to source the missing catalog files from update KB4577015.

  1. Download the update that references the corruptions that were found above to a path like C:\Temp
  2. Extract the .CAB files from the .MSU

Extracting the .CAB from the .MSU can be done with a tool like 7-Zip or the Command-Line

  3. Extract .CAB from the .MSU
  4. Open an elevated command-line
  5. Type the following:

CD C:\Temp
REM Or the path where you have downloaded the .MSU
expand -F:* .\Windows10.0-KB4577015-x64.msu .\
mkdir KB4577015
expand -F:* .\Windows10.0-KB4577015-x64.cab .\KB4577015
cd .\KB4577015
mkdir extracted
REM This will take some time
expand -F:* .\Cab_* .\extracted

Note:
The above commands will extract all of the files from the .CAB files.
You now have the source files to fix the corruptions, and you have 2 options:

  • Search for the 5 missing catalog files and add them to a folder
  • Use the “Extracted” folder as the repository that contains the source files

Selecting only the files you need will mean that the fix will be quicker.

Repair using DISM

  1. From the elevated command-line

DISM /Online /Cleanup-Image /RestoreHealth /Source:C:\Temp\KB4577015\Extracted /LimitAccess

Note:
By using DISM we will attempt to fix the corruptions by pointing the /Source switch at the extracted files.

  2. Once this completes, check the CBS Log file located at C:\Windows\Logs\CBS
  3. Search the log for “Readiness”
  4. Look for the entry “Total Repaired Corruption:”

This should indicate the number of corruptions that were fixed. You may also see (Fixed) next to each catalog, indicating that this has also been fixed.
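The same check of the “Readiness” summary can be scripted. This is an added PowerShell example, not part of the original post: Get-CbsReadinessSummary is a hypothetical name, the sample lines are constructed, and the entry layout and the “Total Detected Corruption:” counter are assumed from typical CBS.log output.

```powershell
# Added example. Reports only the most recent readiness scan in the log, so an
# earlier failed /RestoreHealth run does not mask (or fake) a later successful one.
function Get-CbsReadinessSummary {
    param([string[]]$Line)
    $run = $null
    foreach ($l in $Line) {
        if ($l -match 'Checking System Update Readiness') {
            # A new scan starts here: forget the previous one
            $run = [pscustomobject]@{ Detected = $null; Repaired = $null; Unfixed = @(); InEntries = $true }
        }
        elseif (-not $run) { continue }
        elseif ($l -match '^\s*Summary:') { $run.InEntries = $false }
        elseif ($l -match 'Total Detected Corruption:\s*(\d+)') { $run.Detected = [int]$Matches[1] }
        elseif ($l -match 'Total Repaired Corruption:\s*(\d+)') { $run.Repaired = [int]$Matches[1] }
        elseif ($run.InEntries -and
                $l -cmatch '\b(CBS|CSI) [A-Za-z ]*(Missing|Corrupt)\b' -and
                $l -notmatch '\(Fixed\)') {
            # Assumed entry layout: "<kind> Missing|Corrupt ... [(Fixed)] <item>"
            $run.Unfixed += $l.Trim()
        }
    }
    if (-not $run) { return $null }   # no "Readiness" section: run DISM /RestoreHealth first
    [pscustomobject]@{
        Detected     = $run.Detected
        Repaired     = $run.Repaired
        Unfixed      = $run.Unfixed
        ReadyToRetry = ($null -ne $run.Detected) -and ($run.Detected -eq $run.Repaired) -and
                       ($run.Unfixed.Count -eq 0)
    }
}

# Constructed sample: a first scan that repaired nothing, then a second scan after
# /Source was supplied. Real use:
#   Get-CbsReadinessSummary -Line (Get-Content C:\Windows\Logs\CBS\CBS.log)
$sample = @(
    'Checking System Update Readiness.'
    '(p) CBS Catalog Missing   Package_7512_for_KB4577015~31bf3856ad364e35~amd64~~10.0.1.5'
    'Summary:'
    'Total Detected Corruption: 1'
    'Total Repaired Corruption: 0'
    'Checking System Update Readiness.'
    '(p) CBS Catalog Missing (Fixed) Package_7512_for_KB4577015~31bf3856ad364e35~amd64~~10.0.1.5'
    'Summary:'
    'Total Detected Corruption: 1'
    'Total Repaired Corruption: 1'
)
Get-CbsReadinessSummary -Line $sample | Format-List
```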

You can try and install the Defender Feature.

Now to tackle the missing assembly error.

0x80073701 (ERROR_SXS_ASSEMBLY_MISSING)

The assembly missing error indicates that some component relevant to 2 updates in Windows has some level of corruption and needs to be repaired before the Defender Feature can be installed.

CBS Logs

You can check the CBS logs to track down the error, and there is also a section that will highlight the corruptions present. In C:\Windows\Logs\CBS you are likely to have more than one CBS log. You should see CBS.log and also a number of logs called CbsPersist_<Date and Time> that are archived to .CAB files.

I would extract all the archived .CAB files using a tool like 7-Zip as you may need to review these for information and errors.

Once all the files are extracted, use Notepad++ and open all CBS files for review.

  1. Ctrl + F
  2. Add the search criteria, using some or all of the following: (ERROR_SXS_ASSEMBLY_MISSING)
  3. Use “Find All in All Opened Documents” in Notepad++

See the bold sections in the log:

CSI 00000009 (F) STATUS_SXS_ASSEMBLY_MISSING #15607# from CCSDirectTransaction::OperateEnding at index 0 of 1 operations, disposition 2[gle=0xd015000c]
Error CSI 0000000a (F) HRESULT_FROM_WIN32(ERROR_SXS_ASSEMBLY_MISSING) #15455# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_PinDeployment(Flags = 0, a = a3d874599429ecb6a05e964bc86e8ace, version 10.0.14393.2999, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}, cb = (null), s = (null), rid = ‘Package_7512_for_KB4577015~31bf3856ad364e35~amd64~~10.0.1.5.4577015-15013_neutral’, rah = ‘2’, manpath = (null), catpath = (null), ed = 0, disp = 0)[gle=0x80073701]

CBS Failed to pin deployment while resolving Update: Package_7512_for_KB4577015~31bf3856ad364e35~amd64~~10.0.1.5.4577015-15013_neutral from file: (null) [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]

CBS Failed to bulk stage deployment manifest and pin deployment for package:Package_1594_for_KB5005043~31bf3856ad364e35~amd64~~10.0.1.3 [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]
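The Notepad++ search above, and the earlier 0x800f0831 search, can also be scripted so that the failing packages and their updates are listed directly. This is an added PowerShell example, not part of the original post: Get-CbsFailure is a hypothetical helper name, and the sample lines are the CBS entries quoted above with the dash written as a plain hyphen, plus one constructed non-matching line.

```powershell
# Added example. Pulls the HRESULT, symbolic name, package identity and KB number
# out of CBS log lines that failed with one of the errors discussed on this page.
function Get-CbsFailure {
    param(
        [Parameter(ValueFromPipeline)][string]$Line,
        [string[]]$HResult = @('0x80073701', '0x800f081f', '0x800f0831')
    )
    process {
        # CBS writes failures as "[HRESULT = 0x........ - SYMBOLIC_NAME]"
        if ($Line -match '\[HRESULT = (?<code>0x[0-9a-f]{8}) \S+ (?<name>\w+)\]') {
            $code = $Matches['code']; $name = $Matches['name']
            if ($HResult -contains $code) {
                # Package identity: name~publicKeyToken~arch~language~version
                $pkg = $null; $kb = $null
                if ($Line -match '(?<pkg>[\w.\-]+~[0-9a-f]{16}~\S+)') {
                    $pkg = $Matches['pkg']
                    if ($pkg -match 'KB\d+') { $kb = $Matches[0].ToUpper() }
                }
                [pscustomobject]@{ HResult = $code; Symbol = $name; KB = $kb; Package = $pkg }
            }
        }
    }
}

# Sample input (see lead-in). Real use, including any extracted CbsPersist logs
# copied into the same folder:
#   Get-Content C:\Windows\Logs\CBS\*.log | Get-CbsFailure
$sample = @(
    'CBS Failed to pin deployment while resolving Update: Package_7512_for_KB4577015~31bf3856ad364e35~amd64~~10.0.1.5.4577015-15013_neutral from file: (null) [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]'
    'CBS Failed to bulk stage deployment manifest and pin deployment for package:Package_1594_for_KB5005043~31bf3856ad364e35~amd64~~10.0.1.3 [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]'
    'CBS Constructed line with no HRESULT, ignored by the parser'
)

$failures = $sample | Get-CbsFailure
$failures | Format-Table HResult, Symbol, KB -AutoSize

# Updates that must be downloaded before attempting the repair
$failures.KB | Sort-Object -Unique
```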

How to resolve?

In this scenario we need to take a note of the updates that appear in the log entry, in this case KB4577015 and KB5005043. We will need both updates available to resolve the issue.

  1. Download the updates to a path like C:\Temp\<Update Folder>
  2. Extract each update from the .MSU

Example:
Open an elevated Command-Line
CD C:\Temp\KB4577015
expand -F:* .\Windows10.0-KB4577015-x64.msu .\

  3. Run the following command for each update

DISM /Online /Add-Package /PackagePath:C:\Temp\KB4577015\Windows10.0-KB4577015-x64.cab
DISM /Online /Add-Package /PackagePath:C:\Temp\KB5005043\Windows10.0-KB5005043-x64.cab

Note:
This will inject the update seamlessly back into the OS without any impact.
Restart the server between updates being injected.
If the corruptions are more serious this may not work.

You should now be able to install the Defender feature.

Note:
You may see either one of the servicing errors described in the CBS logs or you could be unlucky enough to have both.

More Information

Errors usually present themselves as 0x800 type errors. This free public tool from Microsoft can help interpret these, but you may still need additional support to assist.