Windows 10 [Fall] Creator Upgrade 1703 or 1709 provisioned by WSUS (Win Srv 2012 R2) [SOLVED / Walkthrough]

  • Question

  • I write this because somebody might appreciate it. It took me some time.

    This walkthrough describes how to provision 1703 or 1709 directly from 1706 by WSUS running on Win 2012 R2.

    A prerequisite is that KB 3159706 is installed; it should be installed (if you go by the book) before any Win 10 upgrades to 1703 are classified in WSUS.

    If KB is installed, WSUS should have patch level 6.3.9600.18694

    If so, no problems should happen. But if upgrades are set to go and Win 10 clients are already connected, you had better check this.

    My symptoms were: Windows 10 clients failed while trying to install 1703/1709 with 0x8000FFF.

    This description is one explanation, because 0x8000FFF may have dozens or hundreds of reasons.

    We are going to check whether the WSUS db is actually in good condition by using this select query. I made it with SQL Management Studio.
    1. Connect to the WSUS db (\\.\pipe\Microsoft##WID\tsql\query).
    2. Check if esd-files are already available. esd-files are used for 1703.
    select TotalResults = Count(*) from tbFile where FileName like '%.esd%'

    If return value >0, esd-files have been downloaded.
    3. Check whether the tables have the important rows!
    select TotalResults = Count(*) from tbFile where IsEncrypted = 1 and FileName like '%.esd%' and DecryptionKey is NULL

    If return value >0, you have esd-files available but no chance to decipher them! No wonder about 0x8000FFF!

    All you need to do is: remove all Win 10 clients, remove all Win 10 1703 upgrades, prepare the DB, reconnect the clients, re-classify the 1703 updates.

    I go along with the article https://support.microsoft.com/en-us/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus, but consider some extra jobs!

    1. PowerShell cmdlet for declining "Upgrades".
    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable
    2. In PowerShell ISE (admin), reject Windows 10 upgrades:
    # Load the WSUS administration assembly before using AdminProxy
    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
    $wsus.GetUpdates() | Where {$_.UpdateClassificationTitle -eq 'Upgrades' -and $_.ProductTitles -contains 'Windows 10'} | ForEach-Object {$_.Decline(); Write-Host $_.Title declined}

    3. Remove all Win 10 upgrades in WSUS-DB:
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
    $wsus.GetUpdates() | Where {$_.UpdateClassificationTitle -eq 'Upgrades' -and $_.ProductTitles -contains 'Windows 10'} | ForEach-Object {$wsus.DeleteUpdate($_.Id.UpdateId.ToString()); Write-Host $_.Title removed}
    4. In SQL (!) via Management Studio, remove all esd-files in table dbo.tbFile:
    -- Collect the digests of .esd files that no revision references, then delete them
    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE)
    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%.esd%' except select FileDigest from tbFileForRevision)
    delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)
    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)

    5. Now check whether all necessary steps for KB3159706 are done; not all of them are done by the KB update, according to this https://support.microsoft.com/en-us/help/3159706/update-enables-esd-decryption-provision-in-wsus-in-windows-server-2012.
    "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
    7. Check whether the feature "HTTP Activation" in .Net Framework 4.5 => WCF Services is installed.

    8. Check that WSUS's web.config has these entries marked bold
                    <!-- These 4 endpoint bindings are required for supporting both http and https -->
                    <endpoint address=""
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                    <endpoint address="secured"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                    <endpoint address=""
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                    <endpoint address="secured"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />

    9. Also check that the last line has multipleSiteBindingsEnabled="true"; if not:
    </bindings> <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" /> </system.serviceModel>

    10. Quite important is to add the MIME type .esd as application/octet-stream in WSUS's IIS.
    11. Restart the IIS service.
    12. Back to the article we started with, step 5: re-classify all upgrades.
    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification

    13. Restart the WSUS service - a reboot of the server (VM / physical) is not needed.
    14. Restart the clients' Windows Update service => net stop wuauserv
    15. Delete this folder => del %windir%\SoftwareDistribution\DataStore\*
    16. Either reboot the clients or restart wuauserv.

    17. Accept 1703 in WSUS plus all dependent upgrades, or choose upgrade 1709 without dependent upgrades.

    You can accept those after successful installation of 1709 (pls consider new GPO files for 1709 regarding 1709).

    The 1709 upgrade should be downloaded once again by WSUS. After that the clients will grab it and hopefully install it successfully.

    Friday, October 27, 2017 11:27 PM
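
A read-only preflight for the checks in the walkthrough above, useful before any of the delete steps are run; this is an added example, not part of the original post or of Microsoft's KB scripts. It assumes WSUS uses the Windows Internal Database at the pipe path given in the post, that the IIS site is named 'WSUS Administration', and that it runs elevated on the WSUS server; Invoke-SusDbScalar is a hypothetical helper. It tests for the IsEncrypted and DecryptionKey columns before querying them, since a reply in this thread reports that they can be absent from tbFile.

```powershell
# Added example: read-only checks, nothing in SUSDB or IIS is modified.
# Assumptions: WID pipe path from the post, IIS site name 'WSUS Administration'.
$connStr  = 'Server=np:\\.\pipe\Microsoft##WID\tsql\query;Database=SUSDB;Integrated Security=True'
$siteName = 'WSUS Administration'

function Invoke-SusDbScalar {          # hypothetical helper, not a WSUS cmdlet
    param([Parameter(Mandatory)][string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection $connStr
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        return $cmd.ExecuteScalar()
    } finally { $conn.Dispose() }
}

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Step 2 of the post: have any .esd files been downloaded?
$esdFiles = Invoke-SusDbScalar "select count(*) from tbFile where FileName like '%.esd%'"

# IsEncrypted / DecryptionKey may not exist in tbFile; test before querying them.
$keyCols = Invoke-SusDbScalar @"
select count(*) from sys.columns
where object_id = object_id('dbo.tbFile') and name in ('IsEncrypted','DecryptionKey')
"@
$esdWithoutKey = if ($keyCols -eq 2) {
    Invoke-SusDbScalar "select count(*) from tbFile where IsEncrypted = 1 and FileName like '%.esd%' and DecryptionKey is NULL"
} else { 'n/a (columns missing)' }

# Step 10 of the post: is a MIME type for .esd visible to the WSUS site?
Import-Module WebAdministration
$mime = Get-WebConfiguration -PSPath "IIS:\Sites\$siteName" -Filter "system.webServer/staticContent/mimeMap[@fileExtension='.esd']"

[pscustomobject]@{
    WsusVersion      = $wsus.Version
    VersionAtLeastKb = $wsus.Version -ge [version]'6.3.9600.18694'
    EsdFiles         = $esdFiles
    EsdWithoutKey    = $esdWithoutKey
    HttpActivation   = (Get-WindowsFeature NET-WCF-HTTP-Activation45).Installed
    EsdMimeType      = if ($mime) { $mime.mimeType } else { 'not configured' }
} | Format-List
```

An EsdWithoutKey value above 0 is the condition the post ties to the failed upgrades; the other fields correspond to its patch-level, HTTP Activation and MIME-type checks.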

All replies

  • Any comments appreciated.
    Saturday, October 28, 2017 12:07 AM
  • Great sharing, thanks DenLei. 

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 31, 2017 2:42 AM
  • THX!

    Pls mark my notes as answer ;-)

    Wednesday, November 1, 2017 10:36 AM
  • You can mark yourself. 

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 2, 2017 4:28 AM
  • In tsql command:

    "select TotalResults = Count(*) from tbFile where IsEncrypted = 1 and FileName like '%.esd%' and DecryptionKey is NULL"

    ... fields "IsEncrypted" and "DecryptionKey" don't exist in susdb.dbo.tbFile table.  Assuming all good since >0 value for previous count() command.

    Also wondering if the sequence of above is correct; when I install the KB first WSUS stops working entirely; auth failure against SUSDB for NT AUTHORITY\NETWORK SERVICE.


    • Edited by SteveBottoms Thursday, December 14, 2017 1:35 AM typo
    Thursday, December 14, 2017 1:35 AM