Problem with drivers for Microsoft Surface - State: not required. CB 1802

Joseph Perry · ‎Jul 11 2018

I have followed the steps to get the drivers into WSUS and SCCM.
The problem seems to reside on the clients, detecting that the update is not required (not installed or needed).

I tried joining the shipped image (the one that came with the device) to the domain, with mimimal GPO, and still have this problem.

I verified these settings that were NOT enabled on my workstations:

Prevent installation of devices not described by other policy settings
https://support.microsoft.com/en-ca/help/2500967/how-to-stop-windows-7-automatically-installing-driv...
https://www.howtogeek.com/302595/how-to-stop-windows-10-from-automatically-updating-hardware-drivers...
Do not include drivers with Windows Updates
SearchOrderConfig reg for drivers
• Go to Run –> regedit
• Go to: HKEY_LOCAL_MACHINE –> SOFTWARE –> Microsoft –> Windows –> CurrentVersion –> DriverSearching
• Change the value of “SearchOrderConfig” to 0.

Only thing of note I found was in the windows update logs [ps get-windowsupdatelogs]. Multiple entries of the first and one entry of the second. Attached log for review (changed from .log to .csv to allow upload). I haven't been able to find out much on these entries.
2018/07/03 14:54:17.6160407 6476 5560 ProtocolTalker Skipping driver sync because system spec is not available.
2018/07/06 10:37:46.1848548 6476 15316 ProtocolTalker Skipping driver sync because it's not supported.

Clients are running windows 10 Pro 1703 or 1802.
SCCM CB 1710, then upgraded to 1802 with hotfixes applied. Problem persisted.

Joseph Perry · ‎Jul 11 2018

I neglected to mention the model of surface is Surface_Pro_1796

I had another look through the windows update logs and found something else that might be of note. It looks like it's trying to download something from Microsoft, but the hash is wrong:

win 10 1803
2018/07/06 10:37:38.4900437 6476 4336 SLS             Retrieving SLS response from server using ETAG /UNCl3EoyjFp0TpI3FCEUlFp4oWw8fJjLveSUZA+cyw=_1440"..."
2018/07/06 10:37:38.4905020 6476 4336 SLS             Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.17134.81/0?CH=1...
2018/07/06 10:37:38.5049799 10572 5684 ComApi          *RESUMED* Discovery
2018/07/06 10:37:38.5051169 10572 5684 Api             * END *   Discovery ClientId
2018/07/06 10:37:38.5733926 10572 17556 ComApi          * START *   Federated Search ClientId = Update;ScanForUpdates (cV: oYT2+mfYp0CGcUWQ.0.3.1.1.0)
2018/07/06 10:37:38.5742742 6476 5820 IdleTimer       WU operation (SR.Update;ScanForUpdates ID 8) started; operation # 66; does use network; is not at background priority
2018/07/06 10:37:38.5742762 6476 5820 IdleTimer       Activate PDC state for Network
2018/07/06 10:37:38.5743033 6476 5820 IdleTimer       Incremented PDC RefCount for Network to 1
2018/07/06 10:37:38.5747349 6476 1032 Agent           *FAILED* [80240007] Method failed [CAgentServiceManager::GetTargetedServiceMapping:3010]
2018/07/06 10:37:38.5747394 6476 1032 Agent           Processing auto/pending service registrations and recovery.
2018/07/06 10:37:39.6881292 6476 4336 Misc            Validating signature for C:\WINDOWS\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\sls.cab with dwProvFlags 0x00000080:
2018/07/06 10:37:39.6954207 6476 4336 Misc             Infrastructure signed: Yes
2018/07/06 10:37:39.7041678 6476 4336 Misc            Validating signature for C:\WINDOWS\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMP183B.tmp with dwProvFlags 0x00000080:
2018/07/06 10:37:39.7088923 6476 4336 Misc             Infrastructure signed: Yes
2018/07/06 10:37:39.7093665 6476 4336 Misc            Hash check on memory file using algorithm SHA256 failed; hash values did not match.
2018/07/06 10:37:39.7093768 6476 4336 Misc            Actual Hash: ad37fdb651f8e6f62d55955bf6672d2ffd06ba3de36e6babbc04589cf65dfe67.
2018/07/06 10:37:39.7093846 6476 4336 Misc            Expected Hash: 104342d5707b884fb8e2922fa4a842cf8004338bcb7d9e3af4f64cd94b7fbb46.
2018/07/06 10:37:39.7473058 6476 4336 SLS             Retrieving SLS response from server using ETAG Dz4SzFCT5/mrQAg9OOFFN92uK5JooclKYZNRgCG8Af0=_1440"..."
2018/07/06 10:37:39.7477181 6476 4336 SLS             Making request with URL HTTPS://sls.update.microsoft.com/SLS/{855E8A7C-ECB4-4CA3-B045-1DFA50104289}/x64/10.0.17134.81/0?CH=1...
2018/07/06 10:37:40.9493412 6476 4336 Misc            Validating signature for C:\WINDOWS\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\sls.cab with dwProvFlags 0x00000080:
2018/07/06 10:37:40.9530134 6476 4336 Misc             Infrastructure signed: Yes
2018/07/06 10:37:40.9622983 6476 4336 Misc            Validating signature for C:\WINDOWS\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\TMP1D2D.tmp with dwProvFlags 0x00000080:
2018/07/06 10:37:40.9659451 6476 4336 Misc             Infrastructure signed: Yes
2018/07/06 10:37:40.9667295 6476 4336 Misc            Hash check on memory file using algorithm SHA256 failed; hash values did not match.
2018/07/06 10:37:40.9667357 6476 4336 Misc            Actual Hash: 3ab4e03c9ae92afca245a047514f269c3e232bc9b14e62e54cc7f9990b09ff3c.
2018/07/06 10:37:40.9667393 6476 4336 Misc            Expected Hash: 8f043ebcb8b3ffc45b268f98a1d04a74cfe5e2c14da67981756c4e924f8b87ab.
2018/07/06 10:37:41.0403639 6476 1032 IdleTimer       WU operation (SR.Update;ScanForUpdates ID 8, operation # 66) stopped; does use network; is not at background priority

win 10 1703
2018/07/11 13:31:51.2173924 5228 6680 SLS             [0]146C.1A18::07/11/2018-13:31:51.217 [sls]SLS DatastoreLookup: 0x80248007
2018/07/11 13:31:51.2173936 5228 6680 SLS             [0]146C.1A18::07/11/2018-13:31:51.217 [sls]Retrieving SLS response from server...
2018/07/11 13:31:51.2178629 5228 6680 SLS             [0]146C.1A18::07/11/2018-13:31:51.217 [sls]Making request with URL HTTPS://sls.update.microsoft.com/SLS/{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}/x64/10.0.15063.0/0?CH=14...
2018/07/11 13:31:51.6445072 5228 6680 SLS             [0]146C.1A18::07/11/2018-13:31:51.644 [sls]SLS Response is Error response type. Attempting to extract the HRESULT in the payload...
2018/07/11 13:31:51.6450036 5228 6680 SLS             [0]146C.1A18::07/11/2018-13:31:51.645 [sls]Succeeded in extracting the HRESULT from the payload => 0x80240042
2018/07/11 13:31:51.6450368 5228 6680 Metadata        [0]146C.1A18::07/11/2018-13:31:51.645 [metadataintegrity] failed: hr = 0x80245004
2018/07/11 13:31:51.6450389 5228 6680 Metadata        [0]146C.1A18::07/11/2018-13:31:51.645 [metadataintegrity]GetFragmentSigningConfig failed with 0x80245004. Using default enforcement mode: Audit.
2018/07/11 13:31:51.6450397 5228 6680 Metadata        [0]146C.1A18::07/11/2018-13:31:51.645 [metadataintegrity] failed: hr = 0x80245004
2018/07/11 13:31:51.6450475 5228 6680 Metadata        [0]146C.1A18::07/11/2018-13:31:51.645 [metadataintegrity]Policy-driven service enabled. Using Ignore Policy.
2018/07/11 13:31:51.6450635 5228 6680 ProtocolTalker [0]146C.1A18::07/11/2018-13:31:51.645 [agent]SyncExtendedUpdateInfo - 0 bad out of 0 metadata signatures checked using Audit enforcement mode.

Mark Szili · ‎Aug 05 2018

what version of Server is your WSUS service running? From what I understand, to use the surface pro driver servicing, the WSUS server must be minimum of Server 2016.

Joseph Perry · ‎Aug 07 2018

Windows Server 2016 Standard (64 bit)

Joseph Perry · ‎Aug 07 2018

We decided to exclude the surfaces from managed patching...
Particularly models 1796 and 1807.

https://blogs.technet.microsoft.com/surface/2018/07/28/updates-for-surface-pro-26-july-2018/

Installing these updates to Surface UEFI firmware requires that the device be already updated with a newer Surface System Aggregator firmware (v234.2110.1.0 or greater). Instructions to ensure this are stated below.

If you install these updates using Windows Update, Windows Update will automatically install components in the necessary order. You may need to check for updates, install updates, and restart several times to fully install all these updates.

If you install these updates using the MSI, the MSI will automatically detect if prerequisites have been met and install updates in the correct order. The MSI will first install an updated Surface System Aggregator Firmware and restart to apply that firmware. After restart, a scheduled task will run the MSI again to install an updated Surface UEFI Firmware and restart to apply that firmware. After restart, a scheduled task will run the MSI again to install all the remaining components and restart one more time.

If you use WSUS to install updates and you have turned on automatic approval for all driver updates, you must offline update all Surface Pro (Model 1796) and Surface Pro with LTE Advanced (Model 1807) devices using the July 2018 MSI files unless they already have the required Surface System Aggregator firmware (v234.2110.1.0 or greater). If they do not already have the required Surface System Aggregator firmware (v234.2110.1.0 or greater), do not update these devices using WSUS with automatic approval turned on for driver updates for your Surface devices, as the firmware may not be installed in the required order.

For deployments of new devices, you need to ensure firmware is applied in the correct order. If your new devices already have Surface System Aggregator v234.2110.1.0 or greater installed, you can extract the July 2018 MSI and use that for new deployments. You can check the version installed on a new device by booting into Surface UEFI (Volume Up button + Power button when the device is off) and checking the version for “SAM Controller”.

If your devices have Surface System Aggregator that is lower than v234.2110.1.0, you need to ensure that Surface System Aggregator firmware v234.2237.257.0 (the version in the July 2018 MSI) is installed first. Here are two methods to accomplish that:

1) Turn on the new devices, quickly go through all the steps to get into Windows (you do not need to install updates or connect to a network), then run the July 2018 MSI file and let it automatically update firmware in the correct order. Then you can reimage that device with your normal deployment process.

2) Extract the July 2018 MSI, install only Surface System Aggregator Firmware v234.2237.257.0, and restart before installing any other Surface firmware component updates (Surface UEFI Firmware, Surface Management Engine Firmware, Surface Integrated Sensor Hub Firmware).

Joseph Perry · ‎Aug 07 2018