none
0xC1800118 with 15063.0.170317-1834.rs2_*.esd after KB3159706 (+manual steps) the DecryptionKey in SUSDB is again NULL RRS feed

  • Question

  • Hello, after spending very much time with this 0xC1800118 issue on many WSUS/SCCM Sites, i have successfully deployed the 1607 feature update, but now with the 1703 creators update, the decryption keys in SUSDB are again NULL. 

    What is the suggested way?
    Reapply the Workaround as described in https://support.microsoft.com/en-us/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus and expand it with...

    $1703Updates = $s.SearchUpdates("version 1703")
    $1703Updates | foreach { $_.Decline() }
    $1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

    ...or can Microsoft give us a new (working) Fix?

    Many thank's!


    four4four

    Wednesday, April 12, 2017 8:29 AM

Answers

  • Got it!

    As already suspected with the addition of $1703 the errors can be corrected.

    PS #1

    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable

    $s = Get-WsusServer

    $1703Updates = $s.SearchUpdates("version 1703")

    $1703Updates | foreach { $_.Decline() }

    $1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification


    WSUS / SUSDB

    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);

    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%15063%.esd'  except select FileDigest from tbFileForRevision);

    delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)

    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)

    PS #2

    $s = Get-WsusServer

    $sub = $s.GetSubscription()

    $sub.StartSynchronization()

    Check SUSDB:

    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%15063%.esd' and IsEncrypted = 0) 

    Result:

    select * from tbFile where FileName like '%15063%.esd'
    Result:





    Thursday, April 20, 2017 9:14 AM

All replies

  • Hi,

    Same problem here, WSUS downloaded the 1703 update but can't install it on W10-1607 PC because of the exact same error we had last year when upgrading from 1511 to 1607 :

    2017-04-13 09:53:04, Error                 MOUPG  RecoverCrypto: File is encrypted, but no key was provided.
    2017-04-13 09:53:04, Error                 MOUPG  CDlpActionRecoverCrypto::DoCrypto(1713): Result = 0xC1800118

    I reopened the previous thread here, so I guess we have to wait for a new KB. Hope it will be solved quickly :(

    Friday, April 14, 2017 7:21 AM
  • Got it!

    As already suspected with the addition of $1703 the errors can be corrected.

    PS #1

    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable

    $s = Get-WsusServer

    $1703Updates = $s.SearchUpdates("version 1703")

    $1703Updates | foreach { $_.Decline() }

    $1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification


    WSUS / SUSDB

    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);

    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%15063%.esd'  except select FileDigest from tbFileForRevision);

    delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)

    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)

    PS #2

    $s = Get-WsusServer

    $sub = $s.GetSubscription()

    $sub.StartSynchronization()

    Check SUSDB:

    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%15063%.esd' and IsEncrypted = 0) 

    Result:

    select * from tbFile where FileName like '%15063%.esd'
    Result:





    Thursday, April 20, 2017 9:14 AM
  • Many thanks for the confirmation!



    Thursday, April 20, 2017 9:22 AM
  • when i run first script in powershell  get the following Error

    You cannot call a method on a null-valued expression.
    At line:1 char:1
    + Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

    Thursday, April 27, 2017 1:55 PM
  • Maybe an typical copy & paste error with missing line breaks.

    Had now added the missing line breaks in the post.

    take a closer a look at the previsious, well formatted an documented fix:  "0xc1800118" error when you push Windows 10 Version 1607 by using WSUS


    Thursday, April 27, 2017 5:59 PM
  • Thanks
    Thursday, May 4, 2017 7:11 AM
  • Hello,

    I ran the power shell commands, but there is not any SQL on my WSUS server.

    I still receive the error message.

    Any recommendation?

    Friday, May 5, 2017 8:10 PM
  • Take a look at The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance and follow Step 3....

    If you installed SUSDB on Windows Internal Database (WID) you will need to install SQL Management Studio Express...

    ...HKLM\Software\Microsoft\Update Services\Server\Setup to verify. Look for the SQLServerName value. If you see just a server name or server\instance, you are using SQL server. If you see something that has the string ##SSEE or ##WID in it...


    Saturday, May 6, 2017 9:26 AM
  • Yep.  Here we go again!!   Luckily I stumbled on your post.  Will give it a try.   Just wish MS can start delivering proper updates.  The 1703 update have now been failing on 283 of my 475 workstations, putting such a load on the WSUS it is slowly dieing!!  
    Thursday, May 11, 2017 2:09 PM
  • Got it!

    As already suspected with the addition of $1703 the errors can be corrected.

    PS #1

    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable

    $s = Get-WsusServer

    $1703Updates = $s.SearchUpdates("version 1703")

    $1703Updates | foreach { $_.Decline() }

    $1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification


    WSUS / SUSDB

    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);

    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%15063%.esd'  except select FileDigest from tbFileForRevision);

    delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)

    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)

    PS #2

    $s = Get-WsusServer

    $sub = $s.GetSubscription()

    $sub.StartSynchronization()

    Check SUSDB:

    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%15063%.esd' and IsEncrypted = 0) 

    Result:

    select * from tbFile where FileName like '%15063%.esd'
    Result:


    four4four


    I ran these steps but now the 1703 update isn't showing up in my wsus server at all even after synchronizing.

    Friday, May 12, 2017 5:20 PM
  • Friday, May 12, 2017 10:56 PM
  • Good to know that you can fix your Error, but a Client Update reset and NW Driver Update doesn't fix missing Decryption Key's in SUSDB. It looks like more Client-side Errors than a failed Server Function...



    Tuesday, May 16, 2017 7:29 AM
  • Actually updating driver is required for me because even with Win Server 2016 they were not able to get the update but as soon as I update the driver the updates start to download on the computers.
    Monday, May 22, 2017 1:23 AM
  • Yes well if it fixes your download error, but in my case the download did not fail, but at the decryption of the * .esd package because the key was not deposited. This results in a different use case and should be edited in another thread. Thx and best regards.
    Monday, May 22, 2017 9:24 AM
  • Got it!

    As already suspected with the addition of $1703 the errors can be corrected.

    PS #1

    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable

    $s = Get-WsusServer

    $1703Updates = $s.SearchUpdates("version 1703")

    $1703Updates | foreach { $_.Decline() }

    $1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification


    WSUS / SUSDB

    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);

    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%15063%.esd'  except select FileDigest from tbFileForRevision);

    delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)

    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)

    PS #2

    $s = Get-WsusServer

    $sub = $s.GetSubscription()

    $sub.StartSynchronization()

    Check SUSDB:

    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%15063%.esd' and IsEncrypted = 0) 

    Result:

    select * from tbFile where FileName like '%15063%.esd'
    Result:


    four4four


    Hi, 

    I'm following these steps, but when I run:

    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%15063%.esd' and IsEncrypted = 0) 

    this is what I got:

    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'IsEncrypted'.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'DecryptionKey'.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'IsEncrypted'.

    What does it mean?


    • Edited by Valerio Monday, June 26, 2017 2:05 PM
    Monday, June 26, 2017 9:58 AM
  • That depends on many things, but...
    • Make sure that you have installed KB3095113, KB3159706 and select "Upgrade" in Classifications and "Windows 10" in Products
    • Make sure to run the Query on SUSDB (USE SUSDB)
    • Make sure to have results with the following Query and if not synchronize Updates

    select * from tbFile where FileName like '%%.esd'

    Monday, June 26, 2017 11:29 AM
  • <snip>

    Hi, 

    I'm following these steps, but when I run:

    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%15063%.esd' and IsEncrypted = 0) 

    this is what I got:

    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'IsEncrypted'.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'DecryptionKey'.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'IsEncrypted'.

    What does it mean?


    @Valerio - i'm guessing it means that the wsus database schema isn't update to date (I'm facing the same issue). Question is, will it require a reinstall of the server or is there any thing manually to do


    Regards Dennis

    Tuesday, July 4, 2017 7:04 AM
  • I'm a facing the same issue as Valerio, and i have both updates, and have run the query on the SUSDB, and yes items are returned from that query... 

    If only i knew what types those columns are ;) better not mess around with the schema of the wsus database... then for sure am i going to reinstall the server ...


    Regards Dennis

    Tuesday, July 4, 2017 7:17 AM
  • I had same issue on clients that had version 5.00.8355.1307 of the SCCM Agent. Once I upgraded them to my Pre-Production version (5.00.8498.1711) then the update succeeded. :-) Sometimes the simplest things are most frustrating!
    Wednesday, July 5, 2017 6:17 AM
  • When I run the SQL script to check the SUSDB, it returns 0 results. So, the fix obviously worked. Clients are able to successfully install the update if I clear out their SoftwareDistribution folder, but many of them still get the 0xC1800118 error if I do not do that first. Even when they re-download the update, they still continue to get the error unless I clear out the SoftwareDistribution folder. Considering we have to deploy this to over 9,000 Workstations, having to clear out that folder on all of them would be quite a pain. Any idea what might be going on here? FYI, we do use MS as the source for our update downloads. WSUS provides approvals, but updates are downloaded from MS. Maybe this has to do with it?
    • Edited by Evan T Sunday, July 16, 2017 12:54 AM Corrected wording
    Sunday, July 16, 2017 12:52 AM
  • With the number of clients I assume that a management suite is used. So you could distribute a batch script on the affected clients.

    net stop bits
    net stop wuauserv
    net stop appidsvc
    net stop cryptsvc
    Ren %systemroot%\SoftwareDistribution SoftwareDistribution.bak
    Ren %systemroot%\system32\catroot2 catroot2.bak
    net start bits
    net start wuauserv
    net start appidsvc
    net start cryptsvc 
    wuauclt /resetauthorization /detectnow /updatenow

    Monday, July 17, 2017 6:13 AM
  • Ah ha. I had done almost all of that without any improvement, but I had not been resetting the catroot2 folder. It looks like that did the trick. Thanks!

    FYI, I also included dosvc (Delivery Optimization) in the net stop and start commands.

    Tuesday, July 18, 2017 9:34 PM
  • While that did help with some of them, I continue to run into various Windows Update errors. Some of them cleaning up Windows Update via a script fixes, and others I have to download some updates from online before it will successfully install the Creators Update.

    I think a large portion of them might do better if I could install the Creators Update Privacy Settings Update (KB4013214) onto them first. Why isn't this update available via WSUS or even the Microsoft Update Catalog already?!?! It's been out for MONTHS!!

    Thursday, July 20, 2017 3:22 AM
  • While that did help with some of them, I continue to run into various Windows Update errors. Some of them cleaning up Windows Update via a script fixes, and others I have to download some updates from online before it will successfully install the Creators Update.

    I think a large portion of them might do better if I could install the Creators Update Privacy Settings Update (KB4013214) onto them first. Why isn't this update available via WSUS or even the Microsoft Update Catalog already?!?! It's been out for MONTHS!!

    It's not clear for me and i am wondering why each Client downloads Updates from the Online Repository?!
    I don't think that KB4013214 is necessary, but maybe Update and Location Settings as well as Concept and Rules, but this should be better discussed in a new Thread.

    Thursday, July 20, 2017 11:21 AM
  • These are Windows 10 1511 computers that we are upgrading. Dual scan didn't become a problem until 1607. We do not use any Windows Update for Business GP settings anyways though.

    Our WSUS server only handles the approvals. The update content is downloaded by the clients from MS. We do this because many of our locations have only 5-15 computers. We have 630+ locations though. Having a WSUS server at each location would be more trouble than it is worth. Instead, we just tell the clients to download the updates from MS, and use WUDO for the larger updates.

    MS claims "This update (KB4013214) is required before Windows Update will download and install the Windows 10 Creators Update." However, our systems appear to download it just fine. They just cannot install it successfully.

    I have opened a new thread: https://social.technet.microsoft.com/Forums/windowsserver/en-US/60342a99-34be-4b51-9d74-f3ab7210de95/issues-upgrading-1511-to-1703-via-wsus?forum=winserverwsus


    • Edited by Evan T Thursday, July 20, 2017 4:36 PM
    Thursday, July 20, 2017 4:35 PM
  • I got this too : 

    Msg 207, Level 16, State 1, Line 3

    Invalid column name 'IsEncrypted'.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'DecryptionKey'.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name 'IsEncrypted'.

    But after you apply patch KB3159706 you must run :

    "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing 

    Regards Jari

    Monday, July 31, 2017 11:48 AM
  • Hi you can run this command and it will update the database schema: 

    "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

    Regards Jari Rautio

    Monday, July 31, 2017 11:50 AM
  • I would suggest to try "Long Path Tool" program.
    Wednesday, August 23, 2017 10:23 AM
  • My new version of my WSUS Cleanup script has a new switch called -DirtyDatabaseCheck which will check to see if there are issues with the database (using a modified set of SQL queries from Microsoft mentioned in this thread) and if it is in fact a 'Dirty Database', my script will automatically fix it (using modified commands from Microsoft mentioned in this thread).

    All a user would have to do is run

    .\Clean-WSUS.ps1 -DirtyDatabaseCheck

    And my script will do everything else!

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Saturday, September 2, 2017 3:17 AM