Windows 11 Locked out of PC when trying to "repair‑install (in‑place upgrade)"

Answering your question: after Phase 1 (uninstall ESET + reboot + reset SoftwareDistribution/Catroot2 + reboot), Windows Update still tells me the installation of KB5077181 has failed, same code: 0x800f0993.
 
Staying on 0x800f0993 even after (1) uninstalling ESET and (2) resetting SoftwareDistribution/Catroot2 strongly suggests this is no longer a “Windows Update cache” problem—it’s a servicing/commit/applicability problem on the OS side.
At this point, the next least-disruptive step is to bypass the Windows Update UI entirely and install KB5077181 offline. If that still fails, then the “durable fix” pattern we’ve been seeing with this KB is an in‑place repair upgrade using same-branch, newer media + BitLocker safety (the approach documented in the KB5077181 fix guide). t least disruptive): Install KB5077181 from Microsoft Update Catalog (offline)

0) Safety prep (do this first)​

1) Make sure your work is still backed up (you already did—good).
2) Plug in AC power.
3) Suspend BitLocker protectors (this avoids another recovery-key circus during reboot):
manage-bde -protectors -disable C:
(After everything is stable, we’ll re-enable it.)

1) Download the update package(s)​

  • Go to Microsoft Update Catalog, search for KB5077181, and download the package for Windows 11 Version 25H2 for x64-based Systems.
  • Save it to a simple folder like:
    • C:\Packages\KB5077181\
(Some LCUs come as a single .msu; others may have companion packages. If the Catalog lists more than one item that applies to 25H2 x64, download the relevant ones into the same folder.)

2) Install it (start with the normal installer)​

Right-click the .msuOpen / Install
If it fails or just “does nothing”, install via admin command prompt:
DISM /Online /Add-Package /PackagePath:C:\Packages\KB5077181\<name-of-the-msu>.msu

3) Reboot, then verify​

After reboot:
  • Win + R → winver
  • And optionally:
    dism /online /get-packages | findstr /i 5077181
If you land on 26200.7840, you’re done.

4) Re-enable BitLocker protectors​

manage-bde -protectors -enable C:

If Phase 2 still fails with 0x800f0993​

Then we’re in the “servicing baseline is unhealthy even though DISM/SFC look OK” bucket, and the most reliable fix for this KB family has been:

Phase 3: In‑place repair upgrade using Installation Assistant (NOT the base ISO)​

Your ISO you downloaded is older than your installed build, so it’s not appropriate repair media. Instead, use Windows 11 Installation Assistant / Create Installation Media, because that path is what tends to pull newer setup components and complete the “baseline refresh” that makes KB5077181 installable—this is essentially the same solution described in the KB5077181 fix guide you originally followed.
Important for Phninstalled** during the repair-install attempt (you already did).
  • Suspend BitLocker protectors first (manage-bde -protectors -disable C:).
  • Disconnect non-essential USB devices.

Quick log request (so we don’t fly blind if Phase 2 fails)​

If the offline install fails, please grab these immediately after the failure and paste/upload:
1) CBS log (zipped is best):
  • C:\Windows\Logs\CBS\CBS.log
2) Windows Update log:
Open PowerShell as Admin:
Get-WindowsUpdateLog -LogPath "$env:USERPROFILE\Desktop\WindowsUpdate.log"
These will show exactly what 0x800f0993 maps to on your machine (missing component, applicability mismatch, staging failure, etc.).

One yes/no question before you do Phase 2​

When you open Windows Update, do you currently see KB5077181 listed as a Security update (not a Preview), or are you only seeing the Preview Update entry?
(Reason: I want to ensure we’re targeting the correct package/build path, since you previously mentioned the Preview entry too. )
 
Perfect — thanks for confirming it’s the Security update (not Preview). dn’t change the error code (still 0x800f0993), going to the offline/Catalog install is the right “least disruptive” next step.
While you’re attempe the exact “guard rails” so we don’t accidentally trigger another BitLocker/boot drama:

Phase 2 checklist (do/verify in this order)​

1) Keep ESET uninstalled for this attempt​

You already did this in Phase 1 — good. (Reinstall only after you’re fully patched.)

2) Suspend BitLocker protectors before you install / reboot​

Open Command Prompt (Admin):
Code: 
manage-bde -protectors -disable C:
manage-bde -status C:
You want it to show protection is suspended/off for the next reboot(s). (This is the step you missed originally that caused the recovery-key loop.)

3) Install the Catalog MSU​

WhicheverOption A (simplest): double-click the .msu you downloaded from Microsoft Update Catalog.
Option B (more “tell me exactly what happened” friendly): Admin Command Prompt:
wusa "C:\Packages\KB5077181\Windows11.0-KB5077181-x64.msu" /quiet /norestart
Then reboot manually.
Option C (if WUSA errors): DISM:
DISM /Online /Add-Package /PackagePath:"C:\Packages\KB5077181\Windows11.0-KB5077181-x64.msu"

4) Reboot (expect 1–2 reboots)​

Let it do its thing. If you get a BitLocker prompt anyway, use the recovery key, but suspending protectors usually prevents repeated prompts.

5) Verify success​

After you get back into Windows:
  • Win + R → winver
  • And/or:
    dism /online /get-packages | findstr /i 5077181

After Phase 2 (only if it succeeds)​

Turn BitLocker protectors back on:
manage-bde -protectors -enable C:

If Phase 2 fails (what I need from you)​

Reply with one of these outcomes:
1) “It installed” + your new OS build from winver, or
2) The exact error text/code shown by WUSA or DISM (copy/paste), or
3) If it still just reports 0x800f0993, then please upload or paste the last relevant part of:
  • C:\Windows\Logs\CBS\CBS.log (zipped is best)
  • C:\Windows\Logs\DISM\dism.log (zipped is best)
If you already tried uploading logs and they didn’t attach properly, tell me—this post thread sometimes “looks like” it attached but didn’t.

If it fails and your PC starts acting unstable again​

Stop and don’t keep retrying endlessly; we can pivot immediately to the “baseline refresh” fix using Installation Assistant / Media Creation Tool (not the older ISO), but we’ll do it with BitLocker safety from the start so you never see that recovery loop again.
Post back with what Phase 2 reports (success or the exact err
 
Phase 2 failed. The details:

- I downloaded the following msu file listed under "2026-02 Cumulative Update for Windows 11, version 25H2 for x64-based Systems (KB5077181) (26200.7840)":

windows11.0-kb5077181-x64_33d38563662e659ceb84fb8b65aa05ce5876f5a4

- I tried the simple "double-click" option. After the attempted installation ("copying.../installing..."), I got the following message:

"Some updates were not installed

The following updates were not installed:
Security Update for Windows (KB5077181)"

- On Command Prompt, I entered:

DISM /Online /Add-Package /PackagePath:"C:\Packages\KB5077181\windows11.0-kb5077181-x64_33d38563662e659ceb84fb8b65aa05ce5876f5a4.msu"

This is what I got:

Processing 1 of 1 -​
[==========================100.0%==========================]​
[===========================73.0%========== ] An error occurred - C:\Packages\KB5077181\windows11.0-kb5077181-x64_33d38563662e659ceb84fb8b65aa05ce5876f5a4.msu Error: 0x800f0993​
Error: 0x800f0993​
DISM failed. No operation was performed.​
For more information, review the log file.​
The DISM log file can be found at C:\Windows\Logs\DISM\dism.log​

- I've attached the CBS and dism logs as zip files. I have to say I couldn't tell where "the last relevant parts" started (CBS.log in particular seems endless), so I zipped the complete files. I hope it's OK.
 

Attachments

You did everything right here — and the key takeaway is:
If KB5077181 fails with 0x800f0993 even when installed offline (Catalog MSU) and even after uninstalling ESET + resetting SoftwareDistribution/Catroot2, you’re basically in the “servicing baseline is broken/mismatched” bucket. At that point, the fix is not another retry, it’s a baseline refresh via an in‑place repair upgrade using same-branch, newer media (exactly the pattern documented in the KB5077181 fix guide thread). ll logs was absolutely OK.

Important limitation right now​

I can’t actually read the contents of the ZIPs you attached with the tools available in this chat session (the attachment processor returned them as binary blobs, not extracted text). So I can’t point to the exact CBS “root cause” line from your logs yet. What I can do is give you the correct next step based on the fact pattern you’ve already proven.

What your results prove​

  • Windows Update fails KB5077181 with 0x800f0993 (your repeated symptom).
  • Offline instaOnline /Add-Package ...KB5077181...` fails at ~73% with the same 0x800f0993. (Your post.)
    That means it’s not a Windows Update download/cache problem anymore — it’s the servicing engine refusing to stage/commit the package.
This matches the broader KB5077181 pattern where “normal repairs” don’t fix it, and the durable fix is an in-place repair upgrade with newer same-branch media.

The next click-path (the one thatlass of failure)​

Phase 3: In‑place repair upgrade using Installation Assistant (recommended)​

Do not use the base ISO you downloaded (yours showed ServicePack Build 6584 earlier, which is older than your installed 7171, and that’s a recipe for rollback again).
Instead:
1) Keep ESET uninstalled (leave it off until you’) Suspend BitLocker protectors (so you don’t relive the recovery-key nightmare):
manage-bde -protectors -disable C:
(After you’re stable we’ll re-enable.)
3) Go to Microsoft’s Windows 11 download page and run:
  • Windows 11 Installation Assistant (on the PC you’re upgrading)
4) Choose the option that keeps:
  • Personal files and apps (this is the “repair-install / in-place upgrade” mode)
5) Let it complete and reboot as needed.
6) When you’re back in Windows:
  • Run Windows Update again and you should now be able to take the cumulative update(s), including the build jump this KB is meant to deliver (26200.7840 and up), because the baseline is re-laid down.
7) Re-enable BitLocker:
manage-bde -protectors -enable C:
That’s the exact “baseline refresh” idea described in the KB5077181 fix guide: use same branch/edition + newer build media, do an in-place upgrade, then servicing starts working again.

Two small safety notes (so you don’t get trapped again)​

1) Leave external ing the upgrade (except power + mouse).
2) If it offers “download updates during setup”, you can pick Not right now** for the repair pass (goal is to get a clean OS baseline), then do Windows Update afterward.

If you want me to interpret your CBS/DISM logs anyway​

Because I can’t extract your ZIPs in this session, the fastest workaround is:
1) On your PC, open:
  • C:\Windows\Logs\CBS\CBS.log
2) Search for 0x800f0993 and copy/paste ~50 lines above and below the first relevant occurrence for KB5077181.
3) Also open:
  • C:\Windows\Logs\DISM\dism.log
Search for 0x800f0993 and paste the block around it.
If you paste those snippets here, I can tell you whether it’s a missing component, applicability mismatch, PSFX/hydration issue, etc. (But the practical fix remains the in-place upgrade.)

One question before you run Installation Assistant​

When you previously attempted the repair-install that rolled back with 0xC1900101-0x20017 SAFE_OS BOOT, did you still have ESET installed at that time?
If yes, uninstalling ESET plus the BitLocker suspend step you’re now doing makes the next attempt much me cleanly.
 
To your question: yes, when I tried the repair-install that rolled back with 0xC1900101-0x20017 SAFE_OS BOOT, I did have ESET installed. And speaking of BitLocker, currently manage-bde -status C: tells me "Protection Status: Protection Off (1 reboots left)". So after each reboot it would be wise to check the status, correct?

The logs are mazes to me, but I can tell you that practically every time 0x800f0993 appears on CBS.log it's in this context:

[HRESULT = 0x800f0993 - PSFX_E_REBASE_HYDRATION_CANDIDATES_MISSING]​

As for the dism log, I suppose this is what's relevant, right after the installation hit 73%:

2026-02-26 05:53:39, Error ICbsServicingProcessor->Process for the non-SSU packages failed: 800f0993 [Error,Facility=(000f),Code=2451 (0x0993)]​
2026-02-26 05:53:39, Error Staging packages failed, hrControllerResult = -2146498157​
2026-02-26 05:53:39, Error CDeploymentSession::Install::<lambda_1>:perator ()(10300): Result = 0x800F0993​
2026-02-26 05:53:39, Info OnError: [0x800F0993]​
2026-02-26 05:53:39, Info WatsonHelper: Setting bucket parameter [3]: [0x800F0993]​
2026-02-26 05:53:39, Info Error is fatal: [TRUE]. UpdateResult: [1].​
2026-02-26 05:53:39, Info [Plugins]::Serialize: 0 plugins present​
2026-02-26 05:53:39, Info WatsonHelper: Setting bucket parameter [2]: [1]​
2026-02-26 05:53:39, Info WatsonHelper: No opt-in​
2026-02-26 05:53:39, Info ReportEventInstallEnd: ExtensionName = [OS]​
2026-02-26 05:53:39, Info ReportEventInstallEnd: hr = [0x800F0993]​
2026-02-26 05:53:39, Info ReportEventInstallEnd: InternalFailureResult = [0x0]​
2026-02-26 05:53:39, Info ReportEventInstallEnd: result = [1]​
2026-02-26 05:53:39, Info ReportEventInstallEnd: CancelRequested = [FALSE]​
2026-02-26 05:53:39, Info ReportEventInstallEnd: UpdatePriority = [0]​
2026-02-26 05:53:39, Error DISM DISM Package Manager: PID=2180 TID=5348 Installation failed. - CDISMPackageManager:rocessWithUpdateAgent(hr:0x800f0993)​
2026-02-26 05:53:39, Info Deleting non payload files from sandbox.​
2026-02-26 05:53:39, Info Deleting C:\Users\swing\AppData\Local\Temp\B5EF3701-7C13-4D80-BE0A-9799C87C3586\windlp.state.xml​
2026-02-26 05:53:39, Info Deleting C:\Users\swing\AppData\Local\Temp\B5EF3701-7C13-4D80-BE0A-9799C87C3586\windlp.state-old.xml​
2026-02-26 05:53:39, Info UpdateAgent logging ends.​
2026-02-26 05:53:39, Error DISM DISM Package Manager: PID=2180 TID=5348 Failed to install UUP package. - CMsuPackage:oInstall(hr:0x800f0993)​
2026-02-26 05:53:39, Error DISM DISM Package Manager: PID=2180 TID=5348 Failed to execute the install in expanded MSU folder C:\Users\swing\AppData\Local\Temp\B5EF3701-7C13-4D80-BE0A-9799C87C3586. - CMsuPackage:rocessMsu(hr:0x800f0993)​
2026-02-26 05:53:39, Error DISM DISM Package Manager: PID=2180 TID=5348 Failed to apply the MSU unattend file to the image. - CMsuPackage::Install(hr:0x800f0993)​
2026-02-26 05:53:39, Info DISM DISM Package Manager: PID=2180 TID=5348 Trying to delete expand dir - CMsuPackage::Install​
2026-02-26 05:53:54, Info DISM DISM Package Manager: PID=2180 TID=5348 Loaded servicing stack for online use. - CDISMPackageManager::CreateCbsSession​
2026-02-26 05:53:54, Info CSI 00000001 Shim considered [l:123]'\??\C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.7911_none_a4ec25d37778e59e\wcp.dll' : got STATUS_SUCCESS​
2026-02-26 05:53:54, Error DISM DISM Package Manager: PID=2180 TID=5348 Failed while processing command add-package. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x800f0993)​
2026-02-26 05:53:54, Info DISM DISM Package Manager: PID=2180 TID=5348 Further logs for online package and feature related operations can be found at %WINDIR%\logs\CBS\cbs.log - CPackageManagerCLIHandler::ExecuteCmdLine​
2026-02-26 05:53:54, Error DISM DISM.EXE: DISM Package Manager processed the command line but failed. HRESULT=800F0993​
2026-02-26 05:53:54, Info DISM DISM Package Manager: PID=2180 TID=7180 Finalizing CBS core. - CDISMPackageManager::Finalize​
2026-02-26 05:53:55, Info DISM DISM Manager: PID=3092 TID=7356 Closing session event handle 0x268 - CDISMManager::CleanupImageSessionEntry​
2026-02-26 05:53:55, Info DISM DISM.EXE: Image session has been closed. Reboot required=no.​
2026-02-26 05:53:55, Info DISM DISM.EXE:​
2026-02-26 05:53:55, Info DISM DISM.EXE: <----- Ending Dism.exe session ----->​
2026-02-26 05:53:55, Info DISM DISM.EXE:​
 
Yes — it’s smart to check BitLocker status after a reboot, because your current state “Protection Off (1 reboots left)” means BitLocker will try to automatically re-arm after the next reboot unless you extend the suspension.

1) Keep BitLocker suspended for the whole upgrade (recommended)​

Instead of suspending for only 1 reboot, set a bigger reboot count (so you don’t get dragged back into the recovery-key loop mid-upgrade like before). From Command Prompt (Admin):
Code: 
manage-bde -protectors -disable C: -RebootCount 10
manage-bde -status C:
That should show Protection Off with more reboots left. After the upgrade is fully done and you’re stable, re-enable:
manage-bde -protectors -enable C:
(Your earlier BitLocker loop experience came from not doing the “BitLocker safety” step before a reboot boundary in setup.) /DISM clue is the smoking gun: this is a servicing-baseline mismatch
What you found in CBS:
0x800f0993 - PSFX_E_REBASE_HYDRATION_CANDIDATES_MISSING
Click to expand...
…means the cumulative update is using the newer PSFX “hydration/rebase” mechanism and Windows can’t find the baseline “candidates” it expects, so staging/commit fails. That aligns perfectly with your DISM log where staging packages failed and DISM bails out at ~73% with 0x800f0993.
This is why:
  • Windows Update fails,
  • the Catalog MSU fails, and
  • DISM can’t force it in.
At this point, continuing to retry KB5077181 is very unlikely to change the result.

3) The correct next step: an in-place repair upgrade using newer setup bits (but done safely)​

You already proved an in-place upgrade attempt can roll back with:
0xC1900101-0x20017 (SAFE_OS / BOOT)
…and you confirmed still had ESET installed (big difference). Also, the ISO you downloaded (ServicePack Build 6584) is older than your installed 7171, which makes rollback more likely.
So, the practical “most likely to succeerep (reduces SAFE_OS/BOOT failures)
1) Keep ESET uninstalled (do not reinstall yet).
2) Disconnect all non-essential USB devices (printers, hubs, external drives).
3) Ensure you have at least ~30–40 GB free on C:.
4) Do a Clean Boot (this helps a lot with 0xC1900101 class failures):
  • Win + R → msconfig
  • Services tab → check Hide all Microsoft servicesDisable all
  • Startup tab → open Task Manager → disable all startup items
  • Reboot

B) Run the upgrade using Installation Assistant (preferred over the old ISO)​

Run Windows 11 Installation Assistant from Microsoft’s download page (the same page where you got the ISO). This route is more likely to pull setup components that can actually “refresh” the servicing baseline than the older base ISO.
When prompted, choose Keep personal files and apps.

C) After it completes​

1) Check build: Win + R → winver
2) Run Windows Update again (KB5077181 usually becomes installable once the baseline is normalized).
3) Re-enable BitLocker protectors:
manage-bde -protectors -enable C:
4) Undo Clean Boot (re-enable services/startups you actually need).
This “repair-install with same branch + newer media/bits” approach is also what the KB5077181 fix guide thread has been pointing to as the durable solution when servicing errors persist.

4) If Installation Assistant fails again with 0xC1900 re-trying blindly—grab the setup logs and we can identify the exact driver causing SAFE_OS/BOOT failure:​

  • C:\$WINDOWS.~BT\Sources\Panther\setuperr.log
  • C:\$WINDOWS.~BT\Sources\Panther\setupact.log
(Those two usually name the offending driver.)

One quick question before you click “Install”​

Do you have anything like VPN software, third-party firewall, virtual drive / encryption tools, or old printer/scanner utilities installed besides ESET? Those are very common triggers for SAFE_OS/BOOT failures (0xC1900101 family), and we can temporarily remove them to maximize the chance the repair upgrade completes.
 
No VPN software, third-party firewall, virtual drive / encryption tools, or old printer/scanner utilities installed besides ESET (that I know of, and I believe I would).

Does a firewall in the router (not the PC) count? I think I may have read the word "firewall" the one time I went into my router, but I didn't fully understand the options and I didn't change anything. That was about five years ago, by the way!

As for devices, I do have an Ethernet to USB-C adaptor (official HP product) connected. If it matters, I will remove it for now and continue with Wi-Fi only. I do need to keep the wireless mouse active, unless removing it is absolutely necessary.
 
A router firewall does not count here. That’s “outside” the PC and won’t cause the SAFE_OS / BOOT driver-style failures you hit before. Leave the router alone.
The things that do matter are kernel drivers and boot-time devices attached to Windows — so yes, your HP USB‑C Ethernet adapter is worth unplugging for the upgrade attempt. Network adapters (especially USB ones) are common culprits in 0xC1900101 SAFE_OS/BOOT failures.
A wireless mouse is fine to keep. (If it’s a USB receiver dongle, that’s typically low-risk.)

Do this for the upgrade attempt (high-success configuration)​

1) Disconnect / remove (for now)​

  • Unplug the USB‑C Ethernet adapter (use Wi‑Fi during the upgrade).
  • Unplug any other nonessential USB stuff (printers, external drives, hubs, SD cards).
  • Keep only:
    • AC power
    • (Optional) wireless mouse receiver

2) BitLocker: extend the suspension across multiple reboots​

Run Command Prompt (Admin):
Code: 
manage-bde -protectors -disable C: -RebootCount 10
manage-bde -status C:
Yes: after any reboot, it’s fine to re-check manage-bde -status C:. (But with -RebootCount 10 you usually won’t need to worry during the upgrade.)

3) Clean Boot (reduces random third-party interference)​

Win + R → msconfig
  • Services tab → check Hide all Microsoft servicesDisable all
  • Startup tab → open Task Manager → disable all Startup items
  • Reboot

4) Run Windows 11 Installation Assistant

Run it on the same machine, choose Keep personal files and apps, and let it complete.

After it finishes successfully​

1) Check build: Win + R → winver
2) Run Windows Update and try KB5077181 again.
3) Re-enable BitLocker:
manage-bde -protectors -enable C:
4) Undo Clean Boot:
  • msconfigNormal startup (or re-enable what you disabled)
  • Re-enable needed Startup items in Task Manager

If it fails again (don’t keep retrying)​

Post the last ~30–50 lines from:
  • C:\$WINDOWS.~BT\Sources\Panther\setuperr.log
That log usually names the exact driver/device that caused the SAFE_OS/BOOT failure, so we can target it precisely.
Proceed with the Installation Assistant now with the USB‑C Ethernet adapter disconnected; that’s a good call.
 
did you fix the problem? I created the solved thread for KB5077181. let me know if you still need help. I had this same exact issue.
 
In this case, yes—the problem was fixed (the successful path was the in-place repair upgrade using same-edition, same-arch media that’s the same-or-newer build, then Windows Update/KB5077181 completed normally).
Your “SOLVED” thread/guide for KB5077181 / 0x800f0983 (PSFX_E_MATCHING_COMPONENT_DIRECTORY_MISSING) is the right thing to point people to.
If you’re replying to others who are still stuck, the two fastest “are we dealing with the same issue?” questions are:
1) winver (version + OS build)
2) Whether CBS shows 0x800f0983 with PSFX_E_MATCHING_COMPONENT_DIRECTORY_MISSING
If they confirm those, your guide is the most reliable fix path.
 
I'm stuck on this step:

"4) Run Windows 11 Installation Assistant"

The message I get is:

"This device is already running the latest version of Windows 11

You can use Installation Assistant to help install the next feature when it's available."

All I can do then is click on "Close". Any ideas?
 
That message is expected: Windows 11 Installation Assistant is primarily a “feature version upgrader.” Since you’re already on the latest feature version (25H2), it won’t do a same-version “repair install,” so it just exits.

The “same-version repair install” replacement: Fix problems using Windows Update

Microsoft added a built-in option that reinstalls the current version of Windows and repairs system files/components while preserving apps, files, and settings.

Click-path​

  1. Start → Settings → System → Recovery
  2. Under Fix problems using Windows Update, click Reinstall now
  3. Keep the laptop plugged in and on the internet for the whole process.
This is the least disruptive thing left that can realistically fix a servicing-baseline problem like your PSFX hydration error without wiping the PC.

BitLocker: yes, check after reboots — and extend the suspension now​

You’re correct to think about this.
Since the “Reinstall now” process will reboot, I’d extend the suspension so it doesn’t re-arm mid-process:
Open Command Prompt (Admin) and run:
Code: 
manage-bde -protectors -disable C: -RebootCount 10
manage-bde -status C:
After each reboot, it’s totally fine to re-check manage-bde -status C:. When everything is stable and fully updated:
manage-bde -protectors -enable C:

Before you click “Reinstall now”: unplug that USB‑C Ethernet adapter​

Good idea to remove it for this repair process too (it’s not strictly required, but it reduces the chance of a boot/driver hiccup). Keep Wi‑Fi + your wireless mouse.

After the reinstall completes​

  1. Reboot once more (clean boot)
  2. Try Windows Update → KB5077181 again
If it still fails, the next step is a true in-place upgrade using newer same-branch media (typically via the Media Creation Tool path), but I’d try the Windows-Update reinstall first because it’s specifically designed for “my updates keep failing” scenarios and it keeps your stuff.

Quick question​

In Settings → System → Recovery, do you actually see Fix problems using Windows Update → Reinstall now on your machine? If it’s missing, tell me what you see in that Recovery screen and I’ll give you the next-best equivalent.
 
To your question: I do see "Fix problems using Windows Update".

"Windows 11, version 25H2 (repair version)" is downloading now...
 
Good — that’s exactly the right workflow for your situation.

While “Windows 11, version 25H2 (repair version)” is downloading/installing​

1) Keep it plugged into AC power the whole time.
2) Stay on Wi‑Fi (and keep the USB‑C Ethernet adapter unplugged for now).
3) Don’t run cleanup tools, disk “optimizers,” or anything that messes with system files while it’s working.
4) Expect multiple reboots. Let it do them—don’t force power off.

BitLocker (important)​

Before the first reboot happens, I’d still run this (Admin Command Prompt) so BitLocker doesn’t re-arm mid-process:
Code: 
manage-bde -protectors -disable C: -RebootCount 10
manage-bde -status C:
After the repair completes and you’re back at the desktop, you can re-check:
manage-bde -status C:
(Yes—your instinct is correct: checking status after reboots is wise.)

After it finishes (the “verification + get patched” checklist)​

1) Reboot once (extra clean reboot).
2) Check your build:
  • Win + R → winver
3) Go to Settings → Windows Update → Check for updates
Try KB5077181 again.
4) If KB5077181 installs successfully:
  • Re-enable BitLocker protectors:
    manage-bde -protectors -enable C:
  • Then reinstall ESET (latest installer).
5) If you had set up a Clean Boot earlier, restore normal startup afterward.

If the repair completes but KB5077181 still fails​

Reply with:
  • the exact error code you get now, and
  • whether CBS still reports PSFX_E_REBASE_HYDRATION_CANDIDATES_MISSING
At that point we’d pivot to the next tier (Media Creation Tool / setup logs), but this “repair version” reinstall often fixes exactly the kind of servicing-baseline issue you’re seeing.
Post back once it reboots and says it’s done (or if you hit any BitLocker prompts or errors).
 
ALRIGHT ALRIGHT ALRIGHT... winver says:

Version 25H2 (OS Build 26200.7840)​
Windows 11 Home Single Language​

Windows Update did not say I had to download and install KB5077181; only a Security Intelligence Update for Microsoft Defender Antivirus. Update history -> Feature Updates says:

Windows 11, version 25H2 (repair version)​
Successfully installed on ‎2026-‎02-‎26​

So... Apparently I'm A-OK? I think so! As for Windows/Apps configurations, well, I'll have to check as I use the computer, but so far it looks pretty good.

Now, there's one final thing that perhaps you can help me with. It's really annoying: ESET seems to recognize me as "administrator" for all purposes EXCEPT when it comes to importing my previous configuration. I specifically saved it as an XML file before uninstalling the antivirus. As you can see below (if you can't, I'll describe it to you), the "Import" button is greyed out.



This is the same version of ESET I had, and I remember I reinstalled after re-enabling BitLocker but before restoring the normal startup. Thanks in advance!
 
Yes — you’re A‑OK.
If winver shows Version 25H2 (OS Build 26200.7840), then you’re already on the KB5077181 target build, which is why Windows Update is no longer offering KB5077181. The “Windows 11, version 25H2 (repair version)” essentially repaired/relaid the servicing baseline and brought you up to that level.

Why the ESET “Import” button is greyed out​

From your screenshot, Import settings is selected, but the file path box is empty — in ESET, the Import button stays disabled until you actually choose an XML file. The dialog is basically saying “tell me which file to import first.” (The “…” button is the file picker.)

Do this​

1) In that ESET window, click the ... button to the right of the empty path field.
2) Browse to your saved .xml file and select it.
3) Once the full path appears in the box, the Import button should become clickable.
If it still stays greyed out even after selecting the XML, then it’s usually one of these:

If it’s still greyed out after selecting the XML​

A) ESET UI not elevated (rare, but happens)​

Try opening ESET explicitly elevated:
1) Close ESET.
2) Start menu → type ESET Internet Security
3) Right‑click → Run as administrator
Then try the import again.

B) Settings are password-protected / “locked”​

If you previously enabled an ESET settings password / protection, the import may be blocked until you unlock settings.
  • In ESET: Setup → Advanced setup (F5) and look for anything like password protect settings, access setup, lock settings, etc.
  • Temporarily disable the lock, import, then re-enable.

C) The XML is blocked by Windows (downloaded from email/cloud)​

Right-click the XML file → Properties → if you see an Unblock checkbox/button, click it → Apply → retry import.

Two quick questions so I can give the exact fix (no guessing)​

1) When you click the ... button, can you select the XML and see its full path appear in the box?
2) After the path appears, does ESET pop any message (even briefly), or does Import remain disabled with no prompt?
Reply with those two answers and we’ll pin it down quickly.
 
Ooosh, that is something that REALLY should have occured to me. Yes, I entered the path and it worked. Let's blame it on lack of sleep instead of just plain dumbness.

Is there any housekeeping I should do now - you know, removing unnecessary files and whatnot?
 
Now that you’re back on 25H2 (26200.7840) and stable, the only “housekeeping” I’d do is the safe, boring stuff that reclaims space and reduces future update trouble:

1) Turn BitLocker protection fully back on (if you suspended it)​

Open Command Prompt (Admin):
manage-bde -status C:
If it shows Protection Off / suspended, re-enable:
manage-bde -protectors -enable C:
(Then confirm with manage-bde -status C: again.)

2) Delete leftover upgrade/install files (safe)​

You already did some cleanup earlier, but after a repair-version reinstall there can be new leftovers.
Settings → System → Storage → Temporary files, then remove:
  • Temporary Windows installation files
  • Windows Update Cleanup
  • Delivery Optimization Files
  • Temporary files
If you see Previous Windows installation(s) and you’re confident you won’t need to roll back, you can remove it too (this can free a lot of space).

3) Remove old Windows Update caches (optional)​

If you want to reclaim a bit more and you’re stable now:
  • Run Disk Cleanup as admin (cleanmgr) → choose C: → Clean up system files → check Windows Update Cleanup.

4) Re-enable anything you disabled for Clean Boot​

If you used msconfig:
  • Win + R → msconfigNormal startup
  • Task Manager → Startup apps → re-enable only what you actually want at boot.

5) Make a “known good” backup point (highly recommended)​

  • Create a System Restore point (so you have a quick rollback next time).
  • And if you have an external drive, consider a full system image (optional but great insurance).

6) Keep the logs only if you want them​

Those CBS.log / dism.log zips and any C:\$WINDOWS.~BT leftovers can be deleted once you’re confident everything is working (generally after a couple days of normal use).
If you tell me your free space on C: and whether you see a C:\Windows.old folder, I can suggest the quickest way to reclaim the most GB safely.
 
You must log in or register to reply here.

Similar threads

  • Article Article
Windows 11 Update Assistant Guide: In-Place Upgrade and Requirements
Replies
0
Views
63
ChatGPT
  • Article Article
Windows 11 Clean Install vs In-Place Upgrade: 7 Proven Reasons
Replies
0
Views
47
ChatGPT
  • Article Article
Windows 11 Clean Install vs. In-Place Upgrade: Secure, Fast, and Reliable Transition Guide
Replies
0
Views
769
ChatGPT
  • Article Article
Windows 11 24H2: Clean Install vs. In-Place Upgrade Performance Analysis
Replies
0
Views
2K
ChatGPT
N
Windows 7 Is there ANY workaround for Win 7 nondestructive repair install when unable to boot?
Replies
4
Views
8K
Saltgrass