none
PCs cannot install feature update 1607 or 1703, can't check if WSUS server is affected by problem in KB 3194588

    Question

  • Consider the following scenario:

    -My customer has a WSUS server running Server 2008 R2 (*NOT* 2012/2012R2). WSUS is v3.0 SP2 (build 3.2.7600.226)

    -We have a "fleet" of 60 Win10Pro Surface tablets having trouble installing the 1607 and 1703 feature updates.  In most cases, the Windows Update client reports error 0x8000FFFF when the installation fails.

    -It was suggested that I look at KB article 3194588, "'0xc1800118' error when you push Windows 10 Version 1607 by using WSUS".  It's not an exact match for the error, but it would explain why every single Surface is having trouble with the update.

    -However, when I try to run the WID query the KB article suggests:

    select Count(*)
    from tbFile as f, tbFileForRevision as fr, tbRevision as r, tbUpdate as u, tbProperty as p
    where f.FileDigest = fr.FileDigest and fr.RevisionID = r.RevisionID and r.LocalUpdateID = u.LocalUpdateID
    and p.RevisionID = r.RevisionID and 
    (f.FileName like '%15063%.esd' or f.FileName like '%14393%.esd' or f.IsEncrypted = 1) 
    and f.DecryptionKey is null
    and p.PublicationState = 0

    I get an error message:

    Msg 207, Level 16, State 1, Line 5
    Invalid column name 'IsEncrypted'.
    Msg 207, Level 16, State 1, Line 6
    Invalid column name 'DecryptionKey'.

    Another admin suggested running this instead:

    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%14393%.esd' and IsEncrypted = 0) 

    which returns the error:

    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'IsEncrypted'.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'DecryptionKey'.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'IsEncrypted'.

    So I can't tell if WSUS is in a bad state or not.

    With all of that established:

    1) How can I determine whether my WSUS instance is in a bad state or not?  

    2) Also, the patch the KB article refers to--that you're supposed to install before allowing Win10 upgrades--is for Server 2012, not 2008 R2. Does this mean I can't use WSUS on Server 2008 R2 to manage Win 10 upgrades?

    3) What else could be the cause of the 8000FFFF errors preventing the feature update from installing?
    Saturday, November 11, 2017 3:01 AM

All replies

  • It is my understanding that Win 10 feature updates, which appear in a category called "upgrades" in WSUS, are not supported on Server 2008 and there are no plans to do so either. The KB's you reference apply to Server 2012 only, and will not work/help on a WSUS server installed on Server 2008.

    I myself tried to "find" a way to make it work with WSUS 3.2 on a Server 2008/R2 setup and never succeeded. Best I could do, other than upgrading to server 2012, was to have the Win10 stations get the upgrade features directly from Windows update, instead of WSUS. Once updated, the Win10 stations continued getting their updates from WSUS with no issues I could find.

    However, since that time I have heard unconfirmed reports of something that will work if you have a large number of Windows 10 computers on a network. First, all of those computers need to be set up to get their updates from WSUS *and* any other Windows 10 computers on the local network. To set this in Windows 10, go to Settings >> Updates & Security. Then on the right scroll down and select Advance Options. Then scroll down and select Delivery Optimization. Then turn on the option to allow downloads from other PCs, and select PCs on My Local Network.

    Now on anywhere from 2 to 10 PCs run Windows Updates and manually elect to get updates directly from Microsoft. That will get your the desired upgrades. Let it install on those PCs (can take up to an hour) and you're done. Over the next few days the other PCs on your network that have been set up to get updates from WSUS and Local PCs on  your network, will eventually get the upgrade from the PCs you manually installed it on via Windows Updates.

    Note also that it's important you run through the KB article 3194588 to not only disable the upgrades classification in WSUS, but to also delete the upgrades classification content from the WSUS database. Otherwise, things will continue to fail as computers download the undecryptable upgrade from your WSUS.

    If you have a rather large network, these settings can be propagated via group policy. Sure beats going around to 100 or more computers manually, one at a time.

    Again, I do not know for a fact that this works. It's just something I heard about after I'd already upgraded my servers to 2016. Personally, I would not expect it to work since I don't see how a Window 10 computer would download the upgrade from other computers, if that upgrade is not first approved on the WSUS. Of course if you approve it on WSUS, then it will download it to WSUS, and that download will be useless since it will be encrypted.


    • Edited by Carl1959 Saturday, November 11, 2017 4:23 AM
    • Proposed as answer by Yan Li_Moderator Monday, November 13, 2017 7:48 AM
    Saturday, November 11, 2017 4:14 AM
  • Carl959 is correct. Windows Server 2008/2008R2 will NOT allow for Upgrades to Windows 10. Updates are fine, but Upgrades (feature upgrades like you're trying to do) it will not do due to the fact that the upgrades are encrypted and there are no keys on a 2008/2008R2 WSUS to decrypt the upgrade. They use a different schema, partially increased by KB3159706 on 2012 to enable the download from Microsoft of not only the update, but the decryption key of the ESD Files.

    I doubt Carl's workaround will work, but it does have merit. The GPO setting for turning on LAN Updates is located at

    Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization > Download Mode Enabled
    Download Mode: LAN (1)

    I would recommend doing this anyways, as it distributes the load of bandwidth used through your WSUS Server if other Windows 10 systems have the updates (*there's still a caveat to this - they have to have at LEAST 250GB free HDD Space in order to share*)

    You have 3 choices.

    1. Either upgrade to Server 2012+ (I'd just go to 2016 if possible) for your WSUS Server
    2. Use a 3rd party tool like PDQ Deploy to push out the update to the systems and execute the upgrade. Then WSUS will allow you to approve the new cumulative updates to the new Windows 10 version you just upgraded to.
    3. Upgrade each system manually, and then WSUS will allow you to approve the new cumulative updates to the new Windows 10 version you just upgraded to.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Sunday, November 12, 2017 1:48 AM
  • After you work that out, or even before

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Sunday, November 12, 2017 1:49 AM