Cybersecurity Blog

What’s going on with Windows patching?

Investigating systemic patching failures on Windows 11 24H2.

At endpointX we operate patching services for a variety of organisations, from small businesses to large global enterprises. Recently we’ve noticed a consistent and systemic reduction in patch success rates. Our normal 98%+ patching rates were down, with some environments dropping to ~80% or lower on our normal automated patching cycles.

Naturally this became a high priority concern for both ourselves and the businesses we support. Upon investigation, what we uncovered was both technically interesting and perplexing. The issue appeared to be specific to Windows 11 24H2 devices, which were unable to apply any of the latest cumulative updates from Microsoft regardless of whether the deployment mechanism was Windows Update or other endpoint management (EM) tooling.

This article outlines our investigation, findings and solutions to the issue.

Our Investigation

endpointX conducted an in-depth investigation of affected machines to attempt to find the root cause and correlate which machines were diagnosed with this issue.

When our engineers analysed the update logs from affected machines, it was discovered that affected endpoints had been unable to apply multiple successive cumulative updates.

Potential indicators of the issue were identified as:

  • Endpoint management tooling reporting error code 0x800F0991 (decimal 2148469137) from the Windows Update agent.
  • Successive monthly cumulative updates failing to be applied. We saw a significant number of endpoints fail to apply patches from the May 2025 cumulative update (but this may be build specific).
  • Ad-hoc deployment of updates failed (both current cumulative updates and previous patches).

Affected machines were specifically running Windows 11 24H2. These systems appeared to believe the September 2024 cumulative update KB5043080 (a checkpoint patch) was not installed. However, they would not allow this patch, or any subsequent cumulative updates, to be installed.
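The indicators above can be checked programmatically. The following triage script is an added example, not tooling from the original post: it runs elevated on a single endpoint and reports whether the device is 24H2, whether the servicing stack believes KB5043080 is present, and how many Windows Update history entries failed with 0x800F0991. The output object layout and the "LikelyAffected" heuristic are our own assumptions.

```powershell
# Added example (not from the original post). Run elevated on the endpoint being triaged.
# Only the KB number, the 24H2 version name and the HRESULT come from the post.
$CheckpointKb = 'KB5043080'   # September 2024 checkpoint cumulative update
$FailureHex   = '800F0991'    # 0x800F0991 / 2148469137 as reported by the Windows Update agent

# 1. Is this a Windows 11 24H2 device? DisplayVersion carries the marketing version name.
$cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$is24H2 = ($cv.DisplayVersion -eq '24H2')

# 2. Does the machine think the checkpoint CU is installed? Get-HotFix reflects the
#    same CBS state the update agent consults, so "missing" here matches the symptom above.
$checkpointPresent = [bool](Get-HotFix -Id $CheckpointKb -ErrorAction SilentlyContinue)

# 3. Walk Windows Update history for failed installs carrying the 0x800F0991 HRESULT.
#    QueryHistory returns HResult as a signed Int32; formatting with X8 gives the familiar hex form.
#    ResultCode 4 is orcFailed in the OperationResultCode enumeration.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$failed   = @()
if ($count -gt 0) {
    $failed = @($searcher.QueryHistory(0, $count) |
        Where-Object { $_.ResultCode -eq 4 -and ('{0:X8}' -f $_.HResult) -eq $FailureHex } |
        Select-Object Date, Title)
}
$lastFailure = ($failed | Sort-Object Date -Descending | Select-Object -First 1).Date

# Heuristic (assumption): 24H2 + checkpoint reported missing + at least one 0x800F0991 failure.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Build             = "$($cv.CurrentBuild).$($cv.UBR)"
    Is24H2            = $is24H2
    CheckpointPresent = $checkpointPresent
    Failed0x800F0991  = $failed.Count
    LastFailure       = $lastFailure
    LikelyAffected    = ($is24H2 -and -not $checkpointPresent -and $failed.Count -ge 1)
}
```

Run it through your EM tooling as a sensor or scheduled script and collect the objects centrally; devices returning LikelyAffected = True are candidates for the repair described in the next section.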

Numerous forums across the web corroborated our own findings. The following suggested fixes were all attempted but proved unsuccessful in our environments:

  • Resetting the Windows Update agent and clearing the SoftwareDistribution cache.
  • Using DISM to repair the installed operating system (using either Windows Update or an offline ISO as the source).
  • Applying the cumulative update by downloading the .msu and installing it via DISM /Add-Package or wusa.exe (also executing these steps with the September 2024 checkpoint patch in the same directory).

The Fix

Our investigation had exhausted most approaches we would normally take to resolve similar patching issues. We then undertook a comprehensive operating system repair using the setup.exe utility normally used for in-place upgrades (Microsoft documentation).

endpointX engineers created a bootable Windows 11 24H2 ISO with the latest cumulative update packaged into the Windows image.

This ISO was then distributed via our EM tooling to affected endpoints and the setup.exe repair process automatically executed. This was done silently with no impact to end-users. Combining this with a scheduled reboot returned the endpoint to a fully patched state. This fix was validated at the next automated patching cycle when repaired machines patched successfully and overall patching rates returned to their pre-issue levels.
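The two steps above (servicing the image, then running the silent repair) can be scripted end to end. The script below is an added example, not endpointX's own packaging; it assumes an elevated session, the extracted contents of a 24H2 ISO in a staging folder, and the latest cumulative update .msu placed beside the KB5043080 checkpoint .msu. All paths and the image index are placeholders.

```powershell
# Added example (not the post's own tooling). Assumes an elevated session and the
# Windows ADK / inbox DISM cmdlets. All paths below are placeholders.
$Media   = 'C:\Staging\Win11_24H2'   # extracted contents of the 24H2 ISO
$Updates = 'C:\Staging\Updates'      # latest CU .msu next to the KB5043080 checkpoint .msu
$Mount   = 'C:\Staging\Mount'        # empty directory used as the offline mount point
$Logs    = 'C:\Staging\SetupLogs'
$Wim     = Join-Path $Media 'sources\install.wim'

# Pick the newest non-checkpoint .msu as the target package (assumption: one CU per folder).
$LatestCu = Get-ChildItem $Updates -Filter '*.msu' |
            Where-Object Name -notmatch 'KB5043080' |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1

# Consumer media ships install.esd; offline servicing needs a .wim, so stop early if it is absent.
if (-not (Test-Path $Wim)) { throw "install.wim not found under $Media (export install.esd to .wim first)" }
if (-not $LatestCu)        { throw "no cumulative update .msu found in $Updates" }
New-Item $Mount, $Logs -ItemType Directory -Force | Out-Null

# 1. Service the image offline. Index 1 is an assumption; use Get-WindowsImage to choose your edition.
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null
try {
    # DISM locates the checkpoint .msu automatically because it sits beside the target CU.
    Add-WindowsPackage -Path $Mount -PackagePath $LatestCu.FullName | Out-Null
    Dismount-WindowsImage -Path $Mount -Save | Out-Null
} catch {
    Dismount-WindowsImage -Path $Mount -Discard | Out-Null   # never leave a half-serviced image
    throw
}

# 2. Run the in-place repair silently. /noreboot defers the restart to the scheduled window;
#    /dynamicupdate disable keeps Setup from fetching additional content during the repair.
$setupArgs = @('/auto', 'upgrade', '/quiet', '/noreboot', '/eula', 'accept',
               '/dynamicupdate', 'disable', '/compat', 'ignorewarning',
               '/migratedrivers', 'all', '/copylogs', $Logs)
$proc = Start-Process -FilePath (Join-Path $Media 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru
"setup.exe exit code: $($proc.ExitCode) (logs copied to $Logs)"
```

Record the exit code and the copied logs in your EM tooling so that the scheduled reboot and the next patching cycle can be correlated against the repair run.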

During this investigation, Windows 25H2 was released. We applied a similar approach at some organisations by packaging setup.exe with the newly released 25H2 ISO to simultaneously repair and in-place upgrade affected machines. This has also been validated as successful in an automated patching cycle. It’s important to note that 25H2 allows an “enablement package” upgrade from 24H2 machines; we believe this would not be sufficient to fix affected endpoints and that a full in-place upgrade from the ISO is required.

Root Cause

At present we’ve been unable to identify a definitive root cause for this issue. Some recent reporting has suggested that it may be related to an issue introduced in a Windows 11 preview patch released in January. However, during our investigation we found affected endpoints that had recently been in-place upgraded from Windows 10. These endpoints would not have received, or been eligible for, a January preview patch, so it’s unlikely this is the definitive root cause for all endpoints.

What next?

We continue to monitor our automated patching cycles for any recurrence of this issue.

Microsoft continues to have market share dominance across enterprise workstations. Companies are reliant on the mechanisms that are exposed in the Windows operating system to apply patches, and when this fails there are often very few alternative avenues for remediation. Unfortunately this current industry norm leaves enterprises beholden to Microsoft being proactive in identifying and resolving these types of issues. Having autonomy and vendor diversity allows organisations to mitigate some of this risk, and Tanium’s independence from the Microsoft stack is one of the reasons Tanium is the preferred endpoint management tool at endpointX.

Tanium’s real-time visibility was instrumental in allowing us to deploy fixes and monitor results, allowing our engineering teams to iterate solutions rapidly. Tanium’s native patching functionality allows you to quickly identify machines which are non-compliant. Investigations into these endpoints via patch applicability and install history sensors can rapidly provide feedback on failed patching attempts and determine how long given machines have been out of compliance.

Patching is a core pillar of robust IT hygiene. As a patching service provider we understand the importance of maintaining high compliance rates to minimise the threat surface exposed by the organisations we support. Any extended downward trend needs investigating and remediating rapidly to minimise potential threats. Our patching service and Tanium’s excellent visibility enabled us to swiftly mitigate the risk posed by this complex issue.