Windows Server 2019 .NET Cumulative Update Installation Fails: Bypassing WUA Using DISM

When installing a .NET Framework cumulative update on Windows Server 2019, if double-clicking the .msu or using the wusa.exe path consistently fails and WindowsUpdate.log shows 0xC8000402 PopulateDataStore failed, the problem may not be a CBS installation failure but rather a broken WUA scan layer.

Background

Some .NET cumulative updates are container packages that contain multiple individually applicable .msu files. For example, a parent KB might embed:

• An MSU for .NET 3.5 + 4.7.2.
• An MSU for .NET 3.5 + 4.8.

If the system is already running .NET 4.8, only the one corresponding to 4.8 needs to be installed.

Key Logs

WindowsUpdate.log repeatedly shows:

ProtocolTalker  *FAILED* [C8000402] PopulateDataStore failed
ProtocolTalker  *FAILED* [C8000402] Sync of Updates
Agent           * END * Finding updates ... Exit code = 0xC8000402

Meanwhile, CBS.log has no trace of the target KB.

This indicates the patch hasn't even entered the CBS installation engine — the failure occurs at the earlier WUA scan stage.

Root Cause Determination

The flow of wusa.exe installing an .msu is roughly:

Double-click .msu -> wusa.exe -> WUA applicability scan -> CBS installation

If WUA's DataStore is corrupted, or if repeated registration of offline scan sources causes metadata pollution, WUA may fail at the PopulateDataStore stage, ultimately returning "0 updates found" or an installation failure.

At this point, continuing to double-click .msu is pointless, since execution never reaches CBS.

Solution: Extract and Inject CAB Using DISM

The core idea is to bypass WUA and let CBS handle the CAB package directly.

1. Extract the MSU

$msu = "C:\Patches\windows10.0-kbxxxxx-x64-ndp48.msu"
$dst = "C:\Patches\Extract"
New-Item -ItemType Directory -Force -Path $dst | Out-Null
expand.exe -F:* $msu $dst

2. Install the CAB Using DISM

$cab = Get-ChildItem $dst -Filter "Windows10.0-KB*.cab" | Select-Object -First 1
DISM.exe /Online /Add-Package /PackagePath:"$($cab.FullName)" /NoRestart /LogPath:C:\Patches\dism.log

3. Reboot

shutdown /r /t 30

4. Verify

Get-HotFix -Id KBxxxxx
DISM.exe /Online /Get-Packages | findstr /I "DotNetRollup"

For .NET updates, you can also check whether key .NET file versions have been updated.

Optional: Repair the WUA Scan Channel

If you need Windows Update scanning to work normally going forward, you can reset the WUA database:

Stop-Service -Name wuauserv, BITS, cryptSvc -Force
Rename-Item C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old
Rename-Item C:\Windows\System32\catroot2 C:\Windows\System32\catroot2.old

$svc = New-Object -ComObject Microsoft.Update.ServiceManager
$svc.Services | Where-Object { $_.IsScanPackageService } |
  ForEach-Object { $svc.RemoveService($_.ServiceID) }

Start-Service -Name wuauserv, BITS, cryptSvc

This is not a required step for installing the patch — it only restores WUA scanning capability.

Summary

If the target KB has no trace at all in CBS.log and WindowsUpdate.log points to 0xC8000402 PopulateDataStore failed, the issue should be located in the WUA scan layer.

The approach is:

1. Confirm the applicable embedded MSU.
2. Extract the MSU to obtain the CAB.
3. Inject it directly using DISM /Add-Package.
4. Reboot and verify.

This method is suitable for scenarios where WUA is corrupted but CBS is still functioning normally.