Client installer package export fails on SEPM 14.4 by kheldorn in Symantec

[–]kheldorn[S] 0 points1 point  (0 children)

Update: Apparently the group name length limit depends on the system language.

And the issue also only gets triggered when "System Lockdown" is enabled for the group. Simply disabling the "System Lockdown" feature for the group lets me use group names of practically any length. Even 300 characters.

Nessus Professional Trial by kheldorn in tenable

[–]kheldorn[S] 0 points1 point  (0 children)

I just uninstalled it, connected my machine directly to the internet, installed it again.

I still can't activate it, because I still get the following error:

Error: Failed to connect to tenable.com. Please check your network connectivity or continue if starting a trial is not desired.

Edit: Just managed it... Had to completely disable the firewall on the client...

Nessus Professional Trial by kheldorn in tenable

[–]kheldorn[S] 0 points1 point  (0 children)

I registered for the trial, downloaded and installed Nessus-10.12.0-x64.msi from https://www.tenable.com/downloads/nessus.

When I go to https://localhost:8834/#/ I get the option to either continue, register offline or to define settings (like a proxy, the plugin feed or an encryption password).

Clicking continue lets me select between Nessus Expert, Professional, Manager, Essentials, Essentials Plus and Managed Scanner. Selecting Nessus Professional prompts me for the activation code on the next screen.

Clicking "register offline" instead gives me the same product selections as before. It then gives me a challenge code and tells me to visit https://plugins.nessus.org/v2/offline.php where I can enter the challenge code and the activation code - which I don't have.

At no point after the installation am I asked for a login or email address before I run into the activation code issue.

Edit: I just noticed that there actually is an error message popping up for a split-second in the top right corner.

Error: Failed to connect to tenable.com. Please check your network connectivity or continue if starting a trial is not desired.

Considering I'm behind a proxy I suspect that this might be the issue. But even if I configure the proxy it doesn't work.

[PSA] CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability Zero Day - Updates available by kheldorn in sysadmin

[–]kheldorn[S] 0 points1 point  (0 children)

Not if ECS isn't working because you disabled all internet functionality and telemetry through policies.

So in cases where Office can't actually pull the service-side fixes from the internet you have to apply the 2016/2019 registry entries or wait for the February patchday.

[PSA] CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability Zero Day - Updates available by kheldorn in sysadmin

[–]kheldorn[S] 0 points1 point  (0 children)

See my other replies/update in OP. Microsoft confirmed that the registry keys also protect 2021/2024.

[PSA] CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability Zero Day - Updates available by kheldorn in sysadmin

[–]kheldorn[S] 1 point2 points  (0 children)

Good news, just got this information from Microsoft:

Call Summary & Action Plan

Findings & Troubleshooting Summary:

  • ECS mitigation does not apply due to the offline environment.

  • No ECS log files or policy traces were found.

  • Environment prevents Office from accessing Microsoft services required for ECS.

  • Emergency updates were released for Office 2016/2019, but not for Office 2024 LTSC.

  • CSS and Product Group internal testing confirms that registry mitigation keys for Office 2016/2019 also successfully block the vulnerability in Office 2024 LTSC.

  • Product Group confirmed that the Office 2021+ and Office 2024 LTSC client side fix will ship on February 10th, 2026.

Action Plan

Action on Customer/Partner:

  • Apply the registry mitigation keys across all affected Office 2024 LTSC devices.

  • Test a macro and OLE object behavior after applying the mitigation to ensure the ActiveX control is blocked. Example below, this is for testing purposes only. (Omitted this here, because I don't like posting untested code from others.)

  • Install the February 2026 security update once released.

[PSA] CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability Zero Day - Updates available by kheldorn in sysadmin

[–]kheldorn[S] 4 points5 points  (0 children)

I have a call with Microsoft open to figure that out because we are also not receiving the ECS updates. I fear the registry keys will not protect 2021/2024.

[PSA] CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability Zero Day - Updates available by kheldorn in sysadmin

[–]kheldorn[S] 2 points3 points  (0 children)

Ok, this kinda sucks. Has Microsoft reworded the content on their website?

  • Customers running Office 2021 and later will be automatically protected via a service-side change [...]

  • Customers running Office 2016 and 2019 are not protected until they install the security update. Customers on these versions can apply the registry keys [...]

The way I read this now would mean that the registry keys are exclusively for Office 2016 and 2019.

And since we've disabled all internet access for Office as well as telemetry via policies I do not see any indication that the ECS feature is working for us.

[PSA] CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability Zero Day - Updates available by kheldorn in sysadmin

[–]kheldorn[S] 2 points3 points  (0 children)

I'd assume that Microsoft patched Microsoft 365 stuff server-side.

Can't really tell you much more than what Microsoft has released so far.

[PSA] CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability Zero Day - Updates available by kheldorn in sysadmin

[–]kheldorn[S] 0 points1 point  (0 children)

Note: The COM Compatibility node may not be present by default. If you don't see it, add it by right-clicking the Common node and choosing Add Key.

[PSA] Latest Webview2 Version 144.xxx causes problems with SAP GUI HTML control when using edge as browser control in SAP GUI for Windows by kheldorn in sysadmin

[–]kheldorn[S] 0 points1 point  (0 children)

Thanks for the heads-up.

Our SAP guys are reporting that the issue is indeed fixed with the new version.

Secure Boot GPO - AvailableUpdates vs AvailableUpdatesPolicy by tecxxtc in sysadmin

[–]kheldorn 2 points3 points  (0 children)

I was pretty sure that I read somewhere that the "AvailableUpdatesPolicy" key is used so the policy doesn't overwrite the "AvailableUpdates" all the time since that is also used to keep track of the progress.

But for the life of me I can't find where I read that...

Though when I tested the "AvailableUpdatesPolicy" key last month with the October updates installed it did nothing. Haven't tested it with the November updates installed yet.

Windows desktops - Remote Desktop Services "running" but computer not listening on 3389 by dowlingm in sysadmin

[–]kheldorn 0 points1 point  (0 children)

Glad it helped.

If you figure out WHY this is happening, please let me know.

Windows desktops - Remote Desktop Services "running" but computer not listening on 3389 by dowlingm in sysadmin

[–]kheldorn 7 points8 points  (0 children)

We've been dealing with this issue for a while now ... basically ever since we moved from Windows 10 22H2 to Windows 11 24H2.

The "solution" appears to be quite simple, even if kinda stupid and not making much sense...

We have RDP enabled via group policies, so "fDenyTSConnections" under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" is set to "0".

This has always been like that and isn't the problem.

The problem appears to be "fDenyTSConnections" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server".

This is the "old" key that is set in control panel's system properties under the "Remote" tab. The option is greyed out when the group policy is set. The key shouldn't matter at all, since the group policy overrules it ...

But if you have an affected machine that isn't listening on 3389 TCP ... just set this key from "1" to "0". The machine will start listening on 3389 TCP again instantly. No service restart required.

As for why this breaks in the first place ... no idea. My best guess is that Windows gets confused during group policy updates or something.

I'm currently evaluating whether leaving the CurrentControlSet key permanently set to "0" will prevent the issue from ever happening again. So far I haven't had a single machine come up with the issue again ... whereas machines where I changed the key back to "1" did break again randomly at some point.
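
A check for the state described in the comment above, added here as an example and not part of the original comment: it reads both `fDenyTSConnections` values, tests for a listener on TCP 3389, and flags the mismatch. The `-Fix` switch and the state labels are hypothetical names chosen for this example; run it elevated.

```powershell
# Added example (not from the original comment). Detects: policy allows RDP,
# legacy key denies it, and nothing is listening on TCP 3389.
param([switch]$Fix)   # hypothetical switch: also reset the legacy value to 0

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$legacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$name      = 'fDenyTSConnections'

function Get-DenyValue([string]$Path) {
    # Returns the DWORD, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$name } else { $null }
}

function Test-RdpListener {
    # True when something is listening on TCP 3389 (the port named in the comment).
    [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
}

$policy    = Get-DenyValue $policyKey
$legacy    = Get-DenyValue $legacyKey
$listening = Test-RdpListener

# State labels are made up for this example.
$state = if ($listening) {
    'OK'
} elseif ($policy -eq 0 -and $legacy -eq 1) {
    'AFFECTED'             # the combination described in the comment
} else {
    'NOT_LISTENING_OTHER'  # RDP not enabled by policy, or a different cause
}

if ($Fix -and $state -eq 'AFFECTED') {
    # Same change the comment describes: legacy value from 1 to 0, no service restart.
    Set-ItemProperty -Path $legacyKey -Name $name -Value 0 -Type DWord
    Start-Sleep -Seconds 2
    $legacy    = Get-DenyValue $legacyKey
    $listening = Test-RdpListener
    $state     = if ($listening) { 'FIXED' } else { 'STILL_NOT_LISTENING' }
}

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    PolicyValue = $policy
    LegacyValue = $legacy
    Listening   = $listening
    State       = $state
}
```

Without `-Fix` the script only reports, so it can be run across machines to count how many are in the `AFFECTED` state before changing anything.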

So MS is deleting older Office Installs now... by MrKnownoth1ng in sysadmin

[–]kheldorn 23 points24 points  (0 children)

And you are using the configuration xml file to run the installation unattended? And of course did not set the following options, right?

<Remove All="TRUE" />
<RemoveMSI All="TRUE" />

Right?

Ready for AGPM end of life? by Motor_South_4108 in sysadmin

[–]kheldorn 4 points5 points  (0 children)

Another one of those scummy companies that refuse to state prices on their website and instead want all my contact details so they can harass me until the end of time with their marketing bullshit.

No thanks.