License server is already assigned and everything seems fine in RD License Diagnose but still getting error 0x808 while taking remote desktop

If you are seeing below error while taking RDP even after you have already configured RDS license server license server details in client machine.

Remote desktop error 0x808 while taking remote console.

You may follow below steps to fix the RDP issue.

1. Verify you have not installed any RD roles other than session host.

2. Open services.msc using command mode -> Restart remote desktop service 

3. Try RDP if still not working

4. Open MMC ->  Certificate -> Computer account -> Remote desktop certificate -> export existing certificate and delete it.

5. Restart remote desktop service

6. Refresh Remote desktop certificate tab and check the issue date of new imported certificate if everything seems fine.

7. Try RDP, it should work now.

vTPM Assessment | vTPM enable using Native Key Provider

 

1. Moving from native to standard KMS? (question 8)

Yes. Define a new key provider, set it as the new default provider for the cluster, and then use the UI or PowerCLI to perform a shallow rekey/re-encrypt to the new provider (instructions for rekeying are below). This process will cause vSphere to re-encrypt the DEKs with a new KEK from the new key provider. A similar process is available for vSAN, too (also below).

https://core.vmware.com/native-key-provider-questions-answers#im-having-trouble-enabling-native-key-provider-what-should-i-look-at

2. VMware encrypt Horizon golden image? If new VMs are created from the golden image, will they be encrypted with the same or different key?

When you create new VMs from the encrypted golden image, each new VM will inherit the encryption status of the golden image. However, the encryption keys used for each new VM can differ.

3. Multiple KMS servers, will they be used if one of the KMS is down?

We can have multiple KMS servers, but only one can be set as the default.

4. Import native keys to a KMS server?

Native Key Provider is for use only within vSphere and does not support traditional KMS connectivity. It is designed specifically for encryption in vSphere and does not support KMIP or other protocols for key interchange.

5. Maximum number of native keys imported into vCenter during cross-vCenter vMotion?

vSphere 6.7 and Earlier: A maximum of 16 KMS servers per KMS Cluster is allowed. vSphere 7.0 and Later: In vSphere 7.0, Key Providers were introduced to replace KMS Clusters. There is no limit on the number of Key Providers. However, there is still a maximum of 16 KMS servers per Standard Key Provider. vSphere 7.0 Update 2 introduced Native Key Providers. There is no limit on the number of Native Key Providers that can be created.

6. Which native key is used for which encryption?

There is currently no method to tell which virtual machines are using a key provider except by examining the .vmx file for each virtual machine. To work around this, we suggest setting the default key provider as desired, then re-encrypting the virtual machines to ensure they’re using the key provider you want.

7. If ESXi is not in contact with the native key provider, will any alarms be triggered? What happens if vCenter is down?

There is no immediate impact on encrypted virtual machines while vCenter Server is offline. When using a properly configured Native Key Provider, each ESXi host in a cluster has a copy of the KDK stored and can operate independently.

8. Is an encrypted VM exportable with OVF? How to decrypt a VM?

Can I export an OVF/OVA of a VM with a vTPM? Virtual machines with a vTPM device do not support the OVF/OVA template format directly. You cannot export a VM with a vTPM device to an OVF/OVA file using the vSphere Client. The vTPM device must be removed before exporting the VM as an OVF/OVA template. The OVF Tool can automate this process by adding a vTPM placeholder attribute. See the section “TPM as a Virtual Device in OVF” in the OVF Tool User Guide for more details.

Can I import an OVF/OVA with a vTPM? When importing an OVF/OVA into vSphere using the vSphere Client, a vTPM device must be manually added to the VM after import. The OVF Tool can automate this process by parsing a vTPM placeholder attribute. See the section “TPM as a Virtual Device in OVF” in the OVF Tool User Guide for more details.

9. When moving an windows 11 encrypted VM to another vCenter?

Yes, you can remove encryption and it shouldn't affect the vm working but the vcenter where it is getting backed up should have old key added.

Please take time to test this configuration out.

 10. Backup of encrypted VM (flat and guest OS backup) using Veeam and restoring on a different vCenter?

The destination vCenter should have the key! Set up policies on backup and restore operations. Not all backup architectures are supported. See Virtual Machine Encryption Interoperability. Set up policies for restore operations. Because backup is always in cleartext, plan to encrypt virtual machines right after the restore is finished. You can specify that the virtual machine is encrypted as part of the restore operation. If possible, encrypt the virtual machine as part of the restore process to avoid exposing sensitive information. To change the encryption policy for any disks associated with the virtual machine, change the storage policy for the disk. Because the VM home files are encrypted, ensure that the encryption keys are available at the time of a restore.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-B3DA9865-A28F-4EFD-ACF4-CBC8813ED110.html#removing-encryption-keys-best-practices-6

11. When the ESXi goes down or needs to be reinstalled, what key needs to be stored to get the VMs back up and running?

The Native Key Provider KDK is stored in the encrypted configuration. If a TPM is present and configured, it will be used to help protect the encrypted configurations. Ensure that replicated copies of virtual machines encrypted with vSphere Virtual Machine Encryption have access to the encryption keys at the recovery site. For standard key providers, this is handled as part of the design of the Key Management System, outside of vSphere. For vSphere Native Key Provider, ensure that a backup copy of the Native Key Provider key exists and is protected against loss.

 

References taken :

https://core.vmware.com/native-key-provider-questions-answers#im-having-trouble-enabling-native-key-provider-what-should-i-look-at

How DFSR file conflict algorithm works | DFSR replicated file missing

How DFSR file conflict algorithm works:

Conflict resolution in DFSR (Distributed File System Replication) is crucial for maintaining data consistency across multiple servers. Here’s a more detailed look at how DFSR handles conflicts:

1. Initial Sync Conflict Algorithm

Scenario: When setting up a new replication group, if different versions of the same file exist on each server.

Resolution: The file from the primary server wins all conflicts. For example, if Server A is set as the primary server, its version of the file will be replicated to all other servers1.

2. Last Writer Wins Conflict Algorithm

Scenario: When existing files that have been replicated previously are modified on multiple servers before replication.

Resolution: The file with the latest UTC timestamp wins. For instance, if Server A modifies a file last, its version will be replicated to Server B1.

3. New Files Conflict Algorithm

Scenario: When new files are created on multiple servers before replication, but initial sync is not happening.

Resolution: The behavior depends on the Windows Server version and updates. In some cases, the older file is replicated, while in others, the newer file is replicated1.

Conflict and Deleted Folder

When conflicts occur, DFSR moves the losing file to a special folder called DfsrPrivate\ConflictAndDeleted. This ensures that no data is lost and administrators can review and restore files if necessary2.

Ongoing Replication Conflicts

During ongoing replication, DFSR uses a set of conflict-handling algorithms to ensure that the appropriate files replicate between servers. This includes detecting file collisions and appropriately handling a winning and losing file3. 

Remote desktop issue [Expanded Information] Error code: 0x808 Extended error code: 0x101

 

If you are seeing below error while taking machine to RDP, you need to check below configuration.

1. Please check your RDS CALs Terminal license server is reachable.

2. Please check whether all required ports are open between RDS license server and session client.

3. Please check whether you have assigned license server or not.

4. Open license diagnose from client machine and check whether your machine is connecting to correct license server or not and getting the license or not.   

License server cannot issue licenses to the remote desktop session host server because the "License server security group" group policy setting is enabled

If you are getting below error you need check below parameters.

License server cannot issue licenses to the remote desktop session host server because the "License server security group" group policy setting is enabled.

1. Whether RD Session host and License server is in same domain.
2. Incase of RD Session host and License server is in cross domain then you need to correct below things.

Make sure we have two-way trust enabled in both domain.
License server must be a member of the Terminal Server License Servers group in those domains.

Make sure TS License server is member of Terminal Server License Servers Properties in both the domain.

Get-Certificate: CertEnroll::CX509Enrollment::Enroll: Error Parsing Request The request subject name is invalid or too long. 0x80094001

 Get-Certificate: CertEnroll::CX509Enrollment::Enroll: Error Parsing Request  The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT) The request ID is 1109849. A certificate could not be issued by the certification authority.: The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT). This may be the result of user credentials being required on the remote machine. See Enable-WSManCredSSP Cmdlet help on how to enable and use CredSSP for delegation with PowerShell remoting.

When you are getting error The request subject name is invalid or too long. 0x80094001 make sure you are not using more than two characters for C= 

Get-Certificate -Template WebServerCustom -SubjectName "CN =DEMOVC002.ads.com,OU = DEMO,O = DEMO,L = Dubai,S = IND,C = DE" -DnsName DEMOVC002.ads.com, DEMOVC002 -CertStoreLocation cert:\LocalMachine\My

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

 If you are getting below error while adding node or connecting node in existing cluster .

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Solution -: Make sure you have installed all latest patches in node before adding to the cluster.

In-Place Upgrade failed with error 0x8007042B - 0x4000D

 

If you  see error code 0x8007042B - 0x4000D at 82-83% during In-Place upgrade from 2012 R2 to windows server 2016 or 2019.

Make sure, you have enough space in  C drive, always keep C drive space around 100GB free space before going for In-Place Upgrade.

Office 365 Admin Console

Steps need to follow for Creation modification and deletion of Accounts.

Click on Admin to open Dashboard.

Click on Active Users for check users list or R.C here and select New user for create

Click on Group to add any user to this Group.

For check License click on Billing>License

Change or provide full access to User for create, Delete and modification.

Script to create Multiple local Users and set Password never Expire

function create-account ([string]$accountName) {

 $hostname = hostname

 $comp = [adsi]"WinNT://$hostname"

 $user = $comp.Create("User", $accountName)

 $user.SetPassword("P@ssw0rd")

 #$user.SetInfo()

 $User.UserFlags[0] = $User.UserFlags[0] -bor 0x10000 #ADS_UF_DONT_EXPIRE_PASSWD flag is 0x10000

 $user.SetInfo()}

 # Create 30 administrator users named user1 ... user 30

for($i=20; $i -le 23; $i++){

  create-account("TRAIN-$i")

  }

DHCP Configuration, Single Scope Backup from windows server 2012r 2 to 2016

1. Export and Import DHCP Single Scope from one Server to another also overwrite the Scope

Open PowerShell with administrative privilege and run below command  

Export-DhcpServer -ComputerName "192.168.0.16" -File "C:\temp\dhcpexport1.xml" -ScopeId 192.168.1.0 –Leases

192.168.0.16 DHCP Server Name

192.168.1.0 Scope ID

Now move the dhcpexport1.xml file to destination machine

And run below command to import the Scope in another server.

Import-DhcpServer -ComputerName "192.168.0.16" -File "C:\temp\dhcpexport1.xml" -ScopeId 192.168.1.0 -Leases

Type 1 in BackupPath

To overwrite backup on existing scope run below command

Import-DhcpServer -ComputerName "192.168.0.16" -File "C:\temp\dhcpexport1.xml" -ScopeId 192.168.1.0 -Leases -ScopeOverwrite –Force

Failed to install roles in Windows Server 2019 with error 0x80073701

 ISSUE:

Failed to install IIS roles on one Windows Server 2019 with error 0x80073701. 

 

TROUBLESHOOTING:

1. We ran the scripts sfc /scannow and DISM.exe /Online /Cleanup-Image /Restorehealth to check the system file integrity, from the output of which we noticed the corruptions related to patch KB5014669 and KB5014022.

2023-05-09 09:26:34, Info                  CBS    =================================

2023-05-09 09:26:34, Info                  CBS    Checking System Update Readiness.

2023-05-09 09:26:34, Info                  CBS    

2023-05-09 09:26:34, Info                  CBS    (p)               CBS Catalog Missing            (n)                                           Package_5472_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10

2023-05-09 09:26:34, Info                  CBS    Repair failed: Missing replacement mum/cat pair.

2023-05-09 09:26:34, Info                  CBS    (p)               CBS Catalog Missing            (n)                                           Package_5477_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10

2023-05-09 09:26:34, Info                  CBS    Repair failed: Missing replacement mum/cat pair.

…

2023-05-09 09:26:34, Info                  CBS    (w)               CBS Package Index Package Missing               0x80070490                Package_2566_for_KB5014022~31bf3856ad364e35~amd64~~0.0.0.0                Package_2566_for_KB5014022~31bf3856ad364e35~amd64~~10.0.1.14              

2023-05-09 09:26:34, Info                  CBS    (w)               CBS Package Index Package Missing                0x80070490                Package_2567_for_KB5014022~31bf3856ad364e35~amd64~~0.0.0.0                Package_2567_for_KB5014022~31bf3856ad364e35~amd64~~10.0.1.14              

2. As I learned that we have deleted the reg keys for KB5014022 before, we suggested you restore the reg keys or reinstall the package to fix it.

2. From the CBS log, we noticed that the assembly missing issue is caused by package KB5014669, thus we suggested to remove all the related reg key with script remove-Item -path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*KB5014669*".

2023-05-09 09:34:05, Error                 CSI    000068ef (F) STATUS_SXS_ASSEMBLY_MISSING #56773556# from CCSDirectTransaction::OperateEnding at index 0 of 1 operations, disposition 2[gle=0xd015000c]

2023-05-09 09:34:05, Error                 CSI    000068f0 (F) HRESULT_FROM_WIN32(ERROR_SXS_ASSEMBLY_MISSING) #56773398# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_PinDeployment(Flags = 0, a = be61d6ca2ab4dcc4eede90c05a096ade, version 10.0.17763.1790, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}, cb = (null), s = (null), rid = 'Package_5931_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10.5014669-10806_neutral', rah = (null), manpath = (null), catpath = (null), ed = 0, disp = 0)[gle=0x80073701]

2023-05-09 09:34:05, Info                  CBS    Failed to pin deployment while resolving Update: Package_5931_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10.5014669-10806_neutral from file: (null) [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]

2023-05-09 09:34:05, Info                  CBS    Failed to bulk stage deployment manifest and pin deployment for package:Package_3995_for_KB5023702~31bf3856ad364e35~amd64~~10.0.1.10 [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]

RESOLUTION:

1. Restore the reg key related to KB5014022 or re-install the patch KB5014022 to fix the corruption.

2. Remove the package KB5014669 by running remove-Item -path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*KB5014669*" with powershell as admin.

 

RELATED KNOWLEDGE BASE ARTICLES:

Windows Update (microsoft.com)

Windows Update troubleshooting - Windows Deployment | Microsoft Docs 

Failed to install IIS, Failover Cluster roles on one Windows Server 2019 named with error 0x80073701

Issue Definition:

Failed to install IIS, Failover Cluster roles on one Windows Server 2019 named with error 0x80073701.

 

Scope Agreement: 

We consider the case as resolved when this issue has been fixed, or the root cause is identified to be product by-design issue, or a third-party issue, which is not supported by Microsoft, we will also let you know.

We are now working together to resolve your issue. If you do not agree with the scope defined above, or would like to amend it, please let me know as soon as possible.

 

Analysis:

Refer log below-:

C:\Windows\Logs\CBS CBS.log to analyze which KB is creating issue.

1. From the output of running restorehealth, we noticed that there’s some corruptions related to patch KB5014669 and KB5014022.

2023-05-09 09:26:34, Info                  CBS    =================================

2023-05-09 09:26:34, Info                  CBS    Checking System Update Readiness.

2023-05-09 09:26:34, Info                  CBS    

2023-05-09 09:26:34, Info                  CBS    (p)               CBS Catalog Missing            (n)                                           Package_5472_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10

2023-05-09 09:26:34, Info                  CBS    Repair failed: Missing replacement mum/cat pair.

2023-05-09 09:26:34, Info                  CBS    (p)               CBS Catalog Missing            (n)                                           Package_5477_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10

2023-05-09 09:26:34, Info                  CBS    Repair failed: Missing replacement mum/cat pair.

2023-05-09 09:26:34, Info                  CBS    (p)               CBS Catalog Missing            (n)                                           Package_5480_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10

2023-05-09 09:26:34, Info                  CBS    Repair failed: Missing replacement mum/cat pair.

2023-05-09 09:26:34, Info                  CBS    (p)               CBS Catalog Missing            (n)                                           Package_5483_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10

2023-05-09 09:26:34, Info                  CBS    Repair failed: Missing replacement mum/cat pair.

2023-05-09 09:26:34, Info                  CBS    (p)               CBS Catalog Missing            (n)                                           Package_5487_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10

2023-05-09 09:26:34, Info                  CBS    Repair failed: Missing replacement mum/cat pair.

…

2023-05-09 09:26:34, Info                  CBS    (w)               CBS Package Index Package Missing               0x80070490                Package_2566_for_KB5014022~31bf3856ad364e35~amd64~~0.0.0.0                Package_2566_for_KB5014022~31bf3856ad364e35~amd64~~10.0.1.14              

2023-05-09 09:26:34, Info                  CBS    (w)               CBS Package Index Package Missing                0x80070490                Package_2567_for_KB5014022~31bf3856ad364e35~amd64~~0.0.0.0                Package_2567_for_KB5014022~31bf3856ad364e35~amd64~~10.0.1.14              

2023-05-09 09:26:34, Info                  CBS    (w)               CBS Package Index Package Missing                0x80070490                Package_2572_for_KB5014022~31bf3856ad364e35~amd64~~0.0.0.0                Package_2572_for_KB5014022~31bf3856ad364e35~amd64~~10.0.1.14              

2023-05-09 09:26:34, Info                  CBS    (w)               CBS Package Index Package Missing                0x80070490                Package_2577_for_KB5014022~31bf3856ad364e35~amd64~~0.0.0.0                Package_2577_for_KB5014022~31bf3856ad364e35~amd64~~10.0.1.14              

2023-05-09 09:26:34, Info                  CBS    (w)               CBS Package Index Package Missing                0x80070490                Package_2578_for_KB5014022~31bf3856ad364e35~amd64~~0.0.0.0                Package_2578_for_KB5014022~31bf3856ad364e35~amd64~~10.0.1.14              

…

2023-05-09 09:32:04, Info                  CBS    Summary:

2023-05-09 09:32:04, Info                  CBS    Operation: Detect and Repair 

2023-05-09 09:32:04, Info                  CBS    Operation result: 0x800f0954

2023-05-09 09:32:04, Info                  CBS    Last Successful Step: Entire operation completes.

2023-05-09 09:32:04, Info                  CBS    Total Detected Corruption:   28026

2023-05-09 09:32:04, Info                  CBS        CBS Manifest Corruption: 19

2023-05-09 09:32:04, Info                  CBS        CBS Metadata Corruption:                28005

2023-05-09 09:32:04, Info                  CBS        CSI Manifest Corruption:   0

2023-05-09 09:32:04, Info                  CBS        CSI Metadata Corruption:  0

2023-05-09 09:32:04, Info                  CBS        CSI Payload Corruption:    2

2023-05-09 09:32:04, Info                  CBS    Total Repaired Corruption:    0

2023-05-09 09:32:05, Info                  CBS        CBS Manifest Repaired:     0

2023-05-09 09:32:05, Info                  CBS        CSI Manifest Repaired:       0

2023-05-09 09:32:05, Info                  CBS        CSI Payload Repaired:         0

2023-05-09 09:32:05, Info                  CBS        CSI Store Metadata refreshed:         True

2. From CBS log, we noticed that the IIS roles failed to be installed with error 0x80073701 due to KB5014669 corruption.

2023-05-09 09:34:05, Error                 CSI    000068ef (F) STATUS_SXS_ASSEMBLY_MISSING #56773556# from CCSDirectTransaction::OperateEnding at index 0 of 1 operations, disposition 2[gle=0xd015000c]

2023-05-09 09:34:05, Error                 CSI    000068f0 (F) HRESULT_FROM_WIN32(ERROR_SXS_ASSEMBLY_MISSING) #56773398# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_PinDeployment(Flags = 0, a = be61d6ca2ab4dcc4eede90c05a096ade, version 10.0.17763.1790, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}, cb = (null), s = (null), rid = 'Package_5931_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10.5014669-10806_neutral', rah = (null), manpath = (null), catpath = (null), ed = 0, disp = 0)[gle=0x80073701]

2023-05-09 09:34:05, Info                  CBS    Failed to pin deployment while resolving Update: Package_5931_for_KB5014669~31bf3856ad364e35~amd64~~10.0.1.10.5014669-10806_neutral from file: (null) [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]

2023-05-09 09:34:05, Info                  CBS    Failed to bulk stage deployment manifest and pin deployment for package:Package_3995_for_KB5023702~31bf3856ad364e35~amd64~~10.0.1.10 [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]

2023-05-09 09:34:05, Info                  CBS    CommitPackagesState: Started persisting state of packages

2023-05-09 09:34:05, Info                  CBS    CommitPackagesState: Completed persisting state of packages

2023-05-09 09:34:05, Info                  CSI    000068f1@2023/5/9:02:34:05.375 CSI Transaction @0x1bde6e79700 destroyed

2023-05-09 09:34:05, Info                  CBS    Perf: Resolve chain complete.

2023-05-09 09:34:05, Info                  CBS    Failed to resolve execution chain. [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]

2023-05-09 09:34:05, Error                 CBS    Failed to process single phase execution. [HRESULT = 0x80073701 - ERROR_SXS_ASSEMBLY_MISSING]

2023-05-09 09:34:05, Info                  CBS    WER: Generating failure report for package: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.17763.1, status: 0x80073701, failure source: Resolve, start state: Installed, target state: Installed, client id: DISM Package Manager Provider

Next Action:

I noticed that you told that have tried the workaround provided in case #2303240010000356, which I believe is running remove-Item -path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*KB5014022*" with PowerShell. (If I misunderstood, please let me know.) Please help confirm if you have backup for the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages key before you running the script? 

If so, 

1. Please restore the backup 

2. Run below script to remove the registry key for KB5014669 with PowerShell. 

remove-Item -path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*KB5014669*"

3. Please reinstall the IIS roles and check if it could be installed then.

If no backup prepared,

1. Please backup the reg key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages

2. Run below script to remove the registry key for KB5014669 with PowerShell. 

remove-Item -path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\*KB5014669*"

3. Reinstall the package KB5014022 with instructions below as well.

- Create folder C:\Temp\cab 

- Download patch from Microsoft Update Catalog by searching the KB number and save under C:\Temp.

- Run the following script with cmd as administrator to extract the installer

Expand -f:* <File Path> C:\Temp\cab

(For example: Expand -f:* C:\Temp\Windows10.0-KB5008212.msu C:\Temp\cab)

- You will see CAB file created under C:\Temp\cab, please run below script to remove the package,

Dism /online /remove-package /packagepath:<cab file path>

(For example: dism /online /remove-package /packagepath:C:\Temp\Windows10.0-KB5008212-x64.cab )

- Then run below script to reinstall it.

Dism /online /add-package /packagepath:<cab file path>

(For example: dism /online /add-package /packagepath:C:\Temp\Windows10.0-KB5008212-x64.cab )

4. Please reinstall the IIS roles and check if it could be installed then.