Skip to main content

Windows Server 2016 Keeps Rolling Back After Patch Installation

Checo5/13/26About 2 minAWSWindowsAWSEC2Windows Server 2016Windows UpdateCBS

Windows Server 2016 Keeps Rolling Back After Patch Installation

After installing a cumulative update on Windows Server 2016, if the reboot phase displays "We couldn't complete the updates" and repeatedly rolls back, the root cause may not be disk space or component store corruption — it could be historical user profile corruption causing the per-user registry phase to fail.

Symptoms

The patch installation phase appears successful, but upon reboot:

We couldn't complete the updates
Undoing changes
Don't turn off your computer

After entering the system, the OS Build has not increased, and reinstalling still results in repeated rollbacks.

WindowsUpdate.log may show:

Post-reboot status ... 0x800f0922

CBS.log contains:

CBS_E_INSTALLERS_FAILED
Per-User Registry Installer ... 0x80070002

CSI logs may also show historical user NTUSER.DAT unload failures.

Troubleshooting Approach

First, rule out common causes:

sfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth

Also check:

  • Whether SSU is already installed.
  • Whether the C drive has sufficient space.
  • Whether failure persists after resetting SoftwareDistribution / catroot2.

If all of these are normal, examine the CBS/CSI logs to see if failures are concentrated in the Per-User Registry Installer phase.

Root Cause

In this case, the issue was concentrated in historical user profiles. The server had multiple legacy user directories, Unknown Profiles, and even abnormally large user profiles. During the reboot phase, updates need to load or unload user registry hives, and some NTUSER.DAT files cannot be properly unloaded, causing the patch transaction to fail and triggering a rollback.

Solution

1. Back Up First

Before performing operations in production, create an AMI or snapshot. User profile cleanup carries data risk and should not be done by blindly deleting in production.

2. Clean Up Unknown Profiles

Via the GUI:

  1. Run sysdm.cpl.
  2. Go to the "Advanced" tab.
  3. Click "Settings" in the "User Profiles" section.
  4. Delete profiles with Unknown status or those confirmed to be no longer in use.

3. Clean Up Registry ProfileList If Necessary

Carefully open the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Cross-reference the C:\Users directory with SIDs in ProfileList, and clean up invalid entries. Export a registry backup before proceeding.

4. Reinstall the Patch

After cleanup, reboot, then reinstall the target cumulative update.

5. Temporary Workaround

If profiles cannot be cleaned up immediately and a newer monthly patch has been released, you can test installing the updated cumulative patch directly. Windows cumulative updates typically include the previous month's security content, but this should only be used as a temporary workaround — the underlying issue should still be addressed through cleanup.

Summary

When Windows patches roll back during the reboot phase, don't focus solely on Windows Update. If CBS/CSI logs point to the Per-User Registry Installer and user hive unload failures, focus on examining historical user profiles.

Profile accumulation is common on servers that have been accessed by many users over a long period. It is recommended to regularly clean up obsolete profiles to avoid issues surfacing during patch windows.

Edit this page
Last Updated:
Contributors: sergioperezcheco
© 2026 Checo's Blog. All rights reserved.
Copyright © 2026 Checo