During a recent Windows Defender deployment we ran into an issue with the onboarding script where the Windows Defender feature would fail to install with Enable-WindowsOptionalFeature : The referenced assembly could not be found.
When checking the CBS log under C:\Windows\Logs\CBS\CBS.log we found that the issue was related to a missing package for a previously installed update.
CBS Failed to pin deployment while resolving Update: Package_8092_for_KB5005043~31bf3856ad364e35~amd64~~10.0.1.3.5005043-16635_neutral from file: (null) [HRESULT = 0x80073701 – ERROR_SXS_ASSEMBLY_MISSING]
After a bit of troubleshooting there were two fixes to this issue. If the update that is missing is still available, we can download the update MSU / CAB file from the Microsoft Update Catalog using the KB ID. I have covered this in a previous blog post so won't go over that fix in this post; use the link below to view that post.
In some of our cases the update file was no longer available to download. In this case we need to modify the registry so that the package entries that are corrupted are ignored.
Doing any modification of the registry comes with risk and this should only be done when all other solutions have been attempted. Make sure there is a valid backup before attempting this fix.
First we need to get the list of packages that are showing in the CBS log as corrupted. The script below goes through the CBS log, extracts the package names and formats the results.
$cbsLog = "C:\Windows\Logs\CBS\CBS.log"
$results = @()
Write-Host "Checking CBS logs for SXS Assembly Errors" -ForegroundColor Green
# Confirm the log actually contains the missing-assembly error before parsing package names
$checkingfailure = Get-Content $cbsLog | Select-String "ERROR_SXS_ASSEMBLY_MISSING"
if (-not $checkingfailure) {
    Write-Host "No ERROR_SXS_ASSEMBLY_MISSING entries found in $cbsLog" -ForegroundColor Yellow
}
# Each "Resolving Package:" line names a package CBS tried to resolve
$cbsresults = Get-Content $cbsLog | Select-String "Resolving Package:"
if ($cbsresults) {
    foreach ($cbsresult in $cbsresults) {
        # Split on ":" (timestamp and label), trim, then split on "," and keep the field that holds the package name
        $packageresult = ($cbsresult | Out-String).Split(":").Trim().Split(',') | Select-String "Package_"
        # Store plain strings rather than MatchInfo objects so Select-Object -Unique can de-duplicate them
        $results += ($packageresult | ForEach-Object { $_.Line.Trim() })
    }
}
# One entry per package name
$results | Select-Object -Unique
Now that we have the list, we need to set the local Administrators group as the owner of the Component Based Servicing registry key in order to be able to update the affected packages' current state so they won't be checked.
Open regedit and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Select Administrators as the owner and replace the owner on subcontainers and objects.
The last step is to give the local Administrators group full control of the registry key.
Now that we have the permissions set we can modify the registry values. This can be done either by script or manually.
The CurrentState value of each corrupted package key needs to be changed to 0.
Set the CurrentState of each corrupted package to 0.
Then revert the permissions so that Administrators have read access and TrustedInstaller (NT Service\TrustedInstaller) is again the owner of the Component Based Servicing registry key and its subkeys.
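The scripted version of this step, as an added example that is not the original post's script: it assumes an elevated shell in which the ownership and permission changes described above have already been made, takes the package names found in the CBS log, exports each package key with reg.exe before touching it (so a change can be rolled back with reg import), and then sets CurrentState to 0. The first package name is the one quoted from the CBS log in this post; the second is a constructed placeholder.

```powershell
# Added example: set CurrentState to 0 for packages reported as missing in the CBS log,
# exporting each package key first so the change can be reverted with "reg import".
# Assumes an elevated shell and that Administrators already own the Component Based Servicing key.
$cbsKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
$cbsKeyNative = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'

# Package names taken from the CBS log output of the previous script.
# The first is the package quoted in this post; the second is a constructed placeholder.
$corruptedPackages = @(
    'Package_8092_for_KB5005043~31bf3856ad364e35~amd64~~10.0.1.3.5005043-16635_neutral',
    'Package_XXXX_for_KBNNNNNNN~31bf3856ad364e35~amd64~~10.0.1.0_neutral'
)

# Backup folder for the exported keys, one .reg file per package
$backupDir = Join-Path $env:TEMP ("CBS-Packages-Backup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
New-Item -Path $backupDir -ItemType Directory -Force | Out-Null

$index = 0
foreach ($package in $corruptedPackages) {
    $index++
    $packageKey = Join-Path $cbsKey $package
    if (-not (Test-Path $packageKey)) {
        Write-Host "Skipping $package : key not found" -ForegroundColor Yellow
        continue
    }

    # Export the package key before modifying it; "reg import <file>" restores it
    $backupFile = Join-Path $backupDir ("package-{0}.reg" -f $index)
    reg.exe export "$cbsKeyNative\$package" $backupFile /y | Out-Null
    Write-Host "Exported $package to $backupFile" -ForegroundColor Green

    # Record the current value, then set CurrentState to 0 so CBS stops checking this package
    $state = (Get-ItemProperty -Path $packageKey -Name CurrentState -ErrorAction SilentlyContinue).CurrentState
    Write-Host ("{0}: CurrentState {1} -> 0" -f $package, $state)
    Set-ItemProperty -Path $packageKey -Name CurrentState -Value 0 -Type DWord
}

Write-Host "Backups are in $backupDir; run 'reg import <file>' to roll back a package" -ForegroundColor Green
```

Keep the backup folder until the feature has been confirmed working, and run the permission revert described below once the values have been changed, since the exported .reg files only restore the values, not the key ownership.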
Now when we run the onboarding script again, the Windows Defender feature enables without issue.