After performing a Windows update on Windows Server 2012 R2 it failed to install with error 0x8004FF04.
A note to Windows 8, 8.1 or 10 users receiving this error for a Microsoft Security Essentials update: The built-in Windows Defender replaces Microsoft Security Essentials, if you have previously installed Microsoft Security Essentials but updated your operating system version it may no longer be supported and it should be safe to uninstall as Defender has taken over. This post is aimed toward those that have knowingly installed Microsoft Security Essentials on an unsupported operating system such as Windows Server 2012 R2 and want to update it.
Updating Microsoft Security Essentials
After running Windows update it found KB3205972 which came out 29. November 2016 and was an update for Microsoft Security Essentials, version 220.127.116.11 to be exact as shown below.
Take note that this particular update is 9.2MB in size, this will be important later on.
The problem begins when trying to install this update, as shown the update fails and results in error code 8004FF04, simply meaning that the update does not support this version of the operating system.
This makes sense as technically Microsoft Security Essentials does not support Windows Server 2012 R2, we installed it with some slight customizations which we need to do again during the update.
I looked through this Microsoft Security Essentials installation guide, and i have noticed that error 8004FF04 came up there as well. Essentially the update is failing to install because it is not being run in compatibility mode for Windows 7, or with the /disableoslimit flag via Windows update causing it to fail.
In order to install the update, i had to run it manually with these customizations in place.
Windows update stores its downloaded update files in the C:\Windows\SoftwareDistribution\Download folder with different hashes for the file names. As the particular update that is failing to install in this case is 9.2MB in size, we simply look for a file within this folder that is also 9.2MB in size – in this case the file that is selected shown below.
For this example, I copied this file over to my desktop to perform the required changes rather than modifying the original, I then renamed it to ‘update.exe’.
Next right click the file and select properties. From the properties window select the Compatibility tab. Under Compatibility mode, tick the “Run this program in compatibility mode for:” box and then select Windows 7 from the drop down menu, then click OK.
Now open command prompt as administrator and execute the file with the /disableoslimit flag on the end as shown below.
Assuming you selected the correct file from the Windows update folder, you should be greeted with the Microsoft Security Essentials upgrade wizard as shown below, simply click the Upgrade button to proceed.
Once the upgrade has completed, click the finish button to complete the process.
From here you can now open up Microsoft Security Essentials, select the Help drop down and then click About and you should see that the Client Version has been successfully updated to the version noted through Windows Update.
This confirms that Microsoft Security Essentials has successfully been updated to the version that Windows update was failing to install. At this point we can go back to Windows update and run a check for updates, which should now no longer list the update as available, as it is now installed.
As Microsoft Security Essentials is not officially supported in Windows Server 2012 R2, we should expect strange and unexpected behaviour such as Windows updates failing to update it.
By applying similar changes that were done when we installed it, including setting the compatibility mode to Windows 7 and running the executable with the /disableoslimit flag, we can successfully update Microsoft Security Essentials when newer updates become available through Windows update that are not yet available for download through the Windows website.