Patching a passive cluster node using a Configuration Manager 2007 Software Update fails with exit code -2068578304


When patching a passive cluster node using a System Center Configuration Manager 2007 Software Update task sequence, the following error message is reported in the summary log file:

Final result: The patch installer has failed to update the shared features. To determine the reason for failure, review the log files.
Exit code (Decimal): -2068578304
Exit facility code: 1204
Exit error code: 0
Exit message: The SQL Server failover cluster instance <name> was not correctly detected. The instance was discovered on the local node but it was not found to be active. To continue, confirm the state of the instance installed on all applicable nodes of the cluster and the state of the failover cluster resources.


This can occur when a Software Update is used to patch a passive cluster node. When deploying a Software Update, Configuration Manager invokes the Windows Update Agent (WUA) under the Local System account. By default that account does not have permission to read the remote registry on the partner node, so the active node cannot be detected. Because the active node cannot be detected, the patch cannot be applied.


There are three possible workarounds for this issue:

Option 1: Use Configuration Manager to install the patch on the ACTIVE cluster node first.

Option 2: Use Configuration Manager and choose the Software Distribution method rather than the Software Update method. See for more information.

NOTE: Please make sure that the “Program can run:” setting is configured for “Only when a user is logged on” and the “Run mode” setting is configured as “Run with user’s rights”.

Option 3: Grant the appropriate computer account (e.g. NTADMIN\computername$) read permissions to the following registry key on every node of the cluster:

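Option 3 as an added PowerShell example (not from the original article): for every node, it grants each partner node's computer account read-only access to the key, which is the minimum the passive node needs to detect the active instance. The node names, the NTADMIN domain and the registry key path are placeholders because the article does not reproduce the key; the Remote Registry service must be reachable on each node and the caller must already hold ChangePermissions on the key.

```powershell
# Added example, not from the original article. Placeholders below must be
# replaced with the real node names, domain and the registry key named in the KB.
param(
    [string[]]$Nodes   = @('NODE1', 'NODE2'),                   # placeholder cluster node names
    [string]  $Domain  = 'NTADMIN',                              # domain from the article's example account
    [string]  $KeyPath = 'SOFTWARE\PLACEHOLDER\KeyFromArticle'  # placeholder, relative to HKLM
)

# Rights needed on the key: read it back plus change its DACL (WRITE_DAC).
$openRights = [System.Security.AccessControl.RegistryRights]::ReadKey -bor
              [System.Security.AccessControl.RegistryRights]::ChangePermissions

foreach ($target in $Nodes) {
    # Whichever node is passive probes its partner's registry as Local System,
    # which authenticates remotely as that node's computer account (NAME$).
    # So every node needs read access for every *other* node's computer account.
    $accounts = $Nodes | Where-Object { $_ -ne $target } |
                ForEach-Object { '{0}\{1}$' -f $Domain, $_ }

    # Open HKLM on the remote node through the Remote Registry service.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $target)
    $key  = $hive.OpenSubKey($KeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $openRights)
    if (-not $key) {
        Write-Warning "$target : HKLM\$KeyPath not found, skipping"
        $hive.Close()
        continue
    }

    $acl = $key.GetAccessControl()
    foreach ($acct in $accounts) {
        # ReadKey only: enough for instance detection, no write or DACL rights.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $acct,
            [System.Security.AccessControl.RegistryRights]::ReadKey,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Write-Host "$target : granted ReadKey on HKLM\$KeyPath to $acct"
    }
    $key.SetAccessControl($acl)
    $key.Close()
    $hive.Close()
}
```

Run it once from an account that is a local administrator on every node; re-running is harmless because an identical ACE is not duplicated.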

More Information

This behavior is by design: another account cannot be specified when performing a Software Update. Configuration Manager 2007 (ConfigMgr 2007) cannot guarantee that every machine has a particular user-defined account that can launch the update, so it is hard-coded to use the built-in account “NT AUTHORITY\SYSTEM”. Every machine has this account by default, and it has local administrator permissions.