(Alternative title: "Help, I followed the steps provided earlier and I'm still seeing failures!"
This applies to anyone who missed KB 3159706 when it was offered as a hotfix to Windows Server 2012/R2, and who subsequently enabled synching of Upgrades in their environment before patching WSUS. The Upgrades that were likely downloaded most recently happen to be for the Windows 10 1607 feature update, but the steps referenced could be modified to suit a different set of content.)
In this scenario, WSUS has downloaded content that it cannot use. Because parsing only happens once, and WSUS does not know what “Upgrades” are without having installed KB 3159706, it incorrectly identifies the upgrade as a quality update and saves it to the SUSDB (and managed clients) as such. This will cause any future deployment of this content to fail until the patch is applied, unusable content is purged, and WSUS properly syncs the information.
If the symptom seems familiar, it is because the guidance for KB3095113 addresses a similar class of issue. The steps detailed in that post are sufficient for repairing a WSUS that has downloaded unencrypted feature updates, but encrypted content involves a few more steps in order to fully clean your WSUS and its affected clients. For information on why Upgrades are now being encrypted, please refer to our earlier blog post.
Full coverage of error 0xc1800118 (and how to clean your environment after downloading unsupported encrypted Upgrades to WSUS) can be found in KB 3194588, which was created to help address these failures in the wild. Feel free to share questions and feedback for that KB by using the comments section for this post. Finally, several folks shared some PowerShell advice in the comments section for the post regarding KB3095113: you may find it worthwhile to review that if the steps published do not quite fit your needs.