Steps to resolve error 0xc1800118


(Alternative title: "Help, I followed the steps provided earlier and I'm still seeing failures!"

This applies to anyone who missed KB 3159706 when it was offered as a hotfix to Windows Server 2012/R2, and who subsequently enabled synching of Upgrades in their environment before patching WSUS.  The Upgrades that were likely downloaded most recently happen to be for the Windows 10 1607 feature update, but the steps referenced could be modified to suit a different set of content.)

In this scenario, WSUS has downloaded content that it cannot use.  Because parsing only happens once, and WSUS does not know what “Upgrades” are without having installed KB 3159706, it incorrectly identifies the upgrade as a quality update and saves it to the SUSDB (and managed clients) as such.  This will cause any future deployment of this content to fail until the patch is applied, unusable content is purged, and WSUS properly syncs the information.

If the symptom seems familiar, it is because the guidance for KB3095113 addresses a similar class of issue.  The steps detailed in that post are sufficient for repairing a WSUS that has downloaded unencrypted feature updates, but encrypted content involves a few more steps in order to fully clean your WSUS and its affected clients.  For information on why Upgrades are now being encrypted, please refer to our earlier blog post.

Full coverage of error 0xc1800118 (and how to clean your environment after downloading unsupported encrypted Upgrades to WSUS) can be found in KB 3194588, which was created to help address these failures in the wild.  Feel free to share questions and feedback for that KB by using the comments section for this post.  Finally, several folks shared some PowerShell advice in the comments section for the post regarding KB3095113: you may find it worthwhile to review that if the steps published do not quite fit your needs.

 

Comments (79)

  1. Poison Dwarf says:

    Hi,

    Based on Article KB 3159706, there is some weird stuff about the SubDB SQL commands

    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);
    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like ‘%14393%.esd’ except select FileDigest from tbFileForRevision);
    deletefrom tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)
    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)

    That deletefrom is obvious but I mean query part

    (select FileDigest from tbFile where FileName like ‘%14393%.esd’ except select FileDigest from tbFileForRevision);

    The whole query result 0 rows affected If there is that “except select FileDigest from tbFileForRevision” part included

    What I am missing or doing wrong?

    1. Poison Dwarf says:

      Nevermind.

      I have to use also

      $s = Get-WsusServer
      $1607Updates = $s.SearchUpdates(“versio 1607”)
      $1607Updates | foreach { $_.Decline() }
      $1607Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

      Because finnish 🙂

      1. Great point, Poison Dwarf: the search query that we specify is in English, so you’ll need to translate to whatever language your WSUS is configured to use. Thanks for sharing!

      2. Oliver Prade says:

        In my Case, i had to use:

        $s = Get-WsusServer
        $1607Updates = $s.SearchUpdates(“version [Release]”)
        $1607Updates | foreach { $_.Decline() }
        $1607Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

        There were 372 Updates with this Name inside.

        In my Case, the German Version does not show the name correctly

        The Updates were named like this, when i opened the SCCM Mangement Console (German):
        Funktionsupdate für Windows 10 Enterprise, Version [Release], [Sprachencode]

        After enable Upgrades classification, I deleted the files in the Database with:

        declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);
        insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like ‘%14393%.esd’ except select FileDigest from tbFileForRevision);
        delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)
        delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)

        I checked the Database with step 1 -> Total Result is 0

        The Upgrade to 1607 is now working 🙂

        1. Great news, Oliver. We’re also updating the KB with a note that the guidance is for English OS installations, to help prevent confusion from this.

      3. sccmteam says:

        We are running this powershell in one our secondary server. However it continuously gives time out error as below

        Exception calling “DeleteUpdate” with “1” argument(s): “Timeout expired. The timeout period elapsed prior to
        completion of the operation or the server is not responding.”
        At line:1 char:26
        + $1607Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : SqlException
        __________________________________________________________
        $s = Get-WsusServer
        $1607Updates = $s.SearchUpdates(“versio 1607”)
        $1607Updates | foreach { $_.Decline() }
        $1607Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

        1. You have a typo in your SearchUpdates query: “versio” should be “version”. Did you enter it this way into PowerShell, as well?

    2. Lukas Rozsypalek says:

      I have the same problem as Poison Dwarf.
      This query (select FileDigest from tbFile where FileName like ‘%14393%.esd’ except select FileDigest from tbFileForRevision) result is 0 rows affected.

      But if i run query:
      select TotalResults = Count(*)
      from tbFile
      where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like ‘%14393%.esd’ and IsEncrypted = 0)
      Result is: TotalResults 48.

      What is wrong?

      1. JvanRensburg says:

        Have you managed to resolve the issue.
        Our environment has the exact same issue and the SQL Query does not delete the entries.

        But if i run query:
        select TotalResults = Count(*)
        from tbFile
        where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like ‘%14393%.esd’ and IsEncrypted = 0)
        Result is: TotalResults 32

        Then after following KB3194588 the entries are still present.

        1. The query does not delete the entries. It only detects whether you have feature updates (Upgrades) that have been synched without the needed decryption keys. Once identified, those rows must be manually deleted from the SQL or WID database. Simply deleting them via PowerShell will not remove the decryption key information, and thus will not resolve the issue.

  2. Daniele Montagnoli says:

    The sql codes in https://support.microsoft.com/en-us/kb/3194588 is not correct, it’s possible have it ?

    1. We did have a typo in the first draft (changes should go live later today): “deletefrom” should be “delete from”. Did you notice any other errors?

      Also, some formatting oddities showed up on some browsers after the initial publish; we’re working those out, as well.

      1. Henry says:

        declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);

        + declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);
        + ~~~~~~~~~~
        + CategoryInfo : ObjectNotFound: (FileDigest:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

        1. Henry says:

          Okay, i figured it out, its not powershell, its sql. 🙂

  3. Jon Larson says:

    YES, finally. This has solved my issues with WSUS and SCCM 2012 1606 deploying the anniversary update.

  4. BradG87 says:

    Just for fun, I ran the query in KB3194588. The results are below:

    Changed database context to ‘SUSDB’.
    TotalResults
    ————
    0

    Next, I did this –> del %windir%\SoftwareDistribution\DataStore\*

    on the client PC, after stopping the service.

    The PC’s download other updates like defender updates and cumulative updates to 1511. When trying to download the feature update to 1607, it just sets at 0% downloading.

    Any help with this issue would be appreciated.

    Thanks.

    1. Please post this in our TechNet forum to get assistance from the community as well as our support staff. Without seeing your client logs, I couldn’t tell you exactly what’s going on here.

  5. Sven J says:

    How do I run this script on 2012R2 if I don’t have SQL management studio..?

    1. There is a free version of SQL Management Studio (Express) that you can use. With that said, we acknowledge this is a painful workaround; better solutions are coming, but we wanted to get this guidance out there for the DIY crowd.

  6. Ole R says:

    Out of curiosity: Why do we need to delete the datastore to get this working?

    1. The client will not update the metadata for any files it has already downloaded. Both it and WSUS have long assumed that metadata never changed, so this was no issue. What’s different now is that an unpatched WSUS will essentially save different metadata (and so will the client). After patching, the metadata will remain the same, so the problem persists. You have to purge the incomplete files after enabling the scenario in order to repair it.

      1. sialaser says:

        Hello,
        I make a big error, I deleted from tbFile all FileName like ‘%14393%.esd’ without exclude FileDigest from tbFileForRevision.
        Now all clients do not see Windows 10 1607 update anymore.
        I try a wsusutil /reset, I also reapprove 1607 update… WSUS redownload the file but select * from tbFile where FileName like ‘%14393%.esd’ return 0 records.
        How can I solve this?
        Thanks

      2. sialaser says:

        Finally I solved the problem.
        Using the powershell command (change “version” with my localization) now WSUS redownload 1607 update:
        $s = Get-WsusServer
        $1607Updates = $s.SearchUpdates(“versione 1607”)
        $1607Updates | foreach { $_.Decline() }
        $1607Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

        Thanks for this best post!

  7. CSAD Florenc says:

    Thank you, Support guys, for updating https://support.microsoft.com/en-us/kb/3194588
    Do you think, is this workaround ready for worldwide deployment, or should we wait some more time?
    Thank You, Amarok

    1. This is a heavy workaround; we’re working on cutting out the step to “modify database tables directly”, which will lead to our final solution. If you can wait until this is released, then we recommend doing so.

      1. CSAD Florenc says:

        Any news about upcoming hotfix? We realy don`t want to install SSMS on our WSUS (also DC) server. Thank you.

  8. John David says:

    I’m having trouble being able to connect to the database to run the commands. I’ve tried using SQL Management Studio and the sqlcmd line as well. Any ideas? The KB article gives no indication on how to connect to the DB, which I’ve never had to do before.

    Doing research I found information saying to install SQL Mgt Studio and connect to \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query which fails. I also tried this command line: sqlcmd -s np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

    and I get the following:
    Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Named Pipes Provider: C
    ould not open a connection to SQL Server [2]. .
    Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Login timeout expired.
    Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : A network-related or in
    stance-specific error has occurred while establishing a connection to SQL Server
    . Server is not found or not accessible. Check if instance name is correct and i
    f SQL Server is configured to allow remote connections. For more information see
    SQL Server Books Online..

    Any help would be greatly appreciated.

    1. Sorry for the confusion, John. This isn’t our ideal workaround, and we’re looking to ship something that fixes this issue without having to open SQL Management Studio. If you can hang on until Thanksgiving, then we recommend waiting for that (which we’re hoping to ship before the US holiday); otherwise, you’ll need to debug your connection issue. From the error, it looks like you might have the named pipe incorrect.

      1. Denise Pellegrini says:

        Steve – I have no clue how to access the local database to find out if it is in a bad state or not… Are we still looking at the global fix coming out around Thanksgiving?

        1. Denise Pellegrini says:

          So if we did this correctly, my TotalResults show 496. So is this considered “bad” and I need to move on to other steps?

        2. Sadly, we ran into shipping complications that I’ll detail in a separate blog post, and we were unable to get this convenience fix out last year. Most of the administrators were able to self-repair by downloading SQL Management Studio (free software) and connecting to the SUSDB that way. For those that are still in pain, we’re looking at ways to repair this without requiring you to get your hands in the database.

      2. FB says:

        I think you are using an internal database with your WSUS. I have the exact same problem.
        Where can we found the workaround for an internal WSUS Datatbase?

      3. Corey says:

        Has a cleaner solution been produced yet. I tried running the database part using sqlcmd but i get an error about Invalid object name ‘tbFile’

      4. AR says:

        Was there ever a less painful, post-Thanksgiving solution / workaround offered?

  9. Chris says:

    The query to detect if WSUS is in a bad state on KB3194588 returns 0 for me so it is in a good state yet still seeing 0xc1800118 on clients in UpdateHandler.log. I have tried to delete %windir%\SoftwareDistribution\DataStore\* incase a previous bad download or something might have been the cause I also cleared %windir%\ccmcache and it seemed to work however I am not getting 0xc190012f in the WUAHandler.log after rebooting. No idea what this error is, not much info on the web about it other than people experiencing it.

    1. Please post this in the TechNet forum so that it can be properly discussed. If your WSUS is not in a bad state, then all that remains is to make sure your client is healthy. Sounds like there might be one more step to getting that particular result.

  10. Rodrigo says:

    There is the possibility to launch the latest cumulative update for Windows 10 v1607 as GDR-DU on WSUS?
    So it would install with the upgrade and solve the problem of not updating by WSUS.

    1. The issue is that you’ve synched content to WSUS before installing KB3159706 (and following the manual steps). Patching the client is fine, and your suggestion is a good one, but it alone cannot prevent this error.

  11. Luke says:

    Hi,
    We have encountered this issue and can verify that deleting the datastore contents on a client machine fixes the issue (and the upgrade proceeds without error). But can you verify what other action is recommended on the server? The WSUS database is not in a bad state.
    We don’t want to have to delete the datastore contents on every machine. Thanks

    1. If your WSUS is not in a bad state, then you need delete nothing. Getting upgrades to proceed without error is the goal: if you’re there, then you’re done.

      1. Luke says:

        Thanks Steve, so the answer is “we need to delete the %windir%\SoftwareDistribution\DataStore\*” on every machine before proceeding? Manual intervention is required for every upgrade?

        1. BradG87 says:

          Luke,
          I hope your results are different but deleting the data store on the PC make no difference for me.

          1. Doug says:

            Same here. I have verified my WSUS database is in a good state. I can successfully update my workstations to 1607 ONLY IF I REIMAGE THEM! I have 200 or so workstations that have Win10 on them already and I still keep getting the error. I even deleted the DataStore as outlined in the KB article. Still nothing. Only way I can get it to work is by reimaging them to our Win10 RTM image.

  12. zaww says:

    Hello,
    id like to report sth not directly connected to blog entry, however its a bit annoying:
    WSUS keeps reporting my AU systems with version .187, even tho tehy are already quite higher (in this case, .321).
    any hints on whats going on? is it common problem or i can solve it somehow?
    http://i.imgur.com/t2DwhUq.png

    1. This is actually a bug in the WSUS console that does not update the revision number when a new update is installed. Major, Minor, and Build versions will always be correct, but Revision might not be.

  13. JCCU1tech says:

    Any timeline/updates on the availability of an easier fix for this, rather than having to connect to the Windows Internal DB?

  14. MiteshSudan says:

    Hi,

    I ran a query as below and total result = 0.
    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like ‘%14393%.esd’ and IsEncrypted = 0)

    I have already performed the manual steps as described on article KB 3159706 but no luck.

    Windows 10 machines fail to upgrade. WSUS errror report:
    – (Unable to Find Resource:) ReportingEvent.Client.181; Parameters: Feature update to Windows 10 Pro, version 1607, en-us, Retail
    – Installation Failure: Windows failed to install the following update with error 0x8024200d: Feature update to Windows 10 Pro, version 1607, en-us, Retail
    – Installation Failure: Windows failed to install the following update with error 0xc1800118: Feature update to Windows 10 Pro, version 1607, en-us, Retail

    I have also deleted del %windir%\SoftwareDistribution\DataStore\* and resync udpates from WSUS but no luck.

    Is there something that I am missing?

    1. A result = 0 suggests that you do not have the problem described in this post, but your symptoms suggest otherwise. Did you end up figuring this out?

  15. Vilius Šumskas says:

    Since this is the last update in WSUS blog and since then Microsoft rolled out new update model for Windows 7/8.1 and nobody on other related blogs cannot answer my question I’m writing it here. Hopefully Steve will be able to answer them.

    The new update model for Windows 7 says, that every update from now on will be cumulative. So, if every update is cumulate and I approve them in WSUS every month, does this mean that from now on WSUS server needs a lot more disk space?

    1. The WSUS server storage requirements will certainly increase as a result of the cumulative packaging across all platforms. However, it also means that you can safely decline previous cumulative updates (and then clean them up) after approving newer ones, and you won’t be missing any needed content.

  16. Todd James says:

    @Steve Henry [MSFT]

    Are there any updates to this process? I noticed you mentioned a better method without using SQL Management Studio would have been out around Thanksgiving, but it’s January and I’m having a hard time finding it.

    1. Sorry, Todd: this easier way has not been released yet, for reasons that I’ll share in a separate blog post. Are you still having trouble getting this to work?

  17. Steve Gear says:

    So, there are numerous individual threads about patching WSUS to fix this or that. And this thread just “ends” in October with a promise of a new patch by Thanksgiving 2016 but I don’t see a new post about that ever being published?

    What we need as administrators is a start to finish guide on setting up WSUS on Server 2012 R2 and which patches in which order to load to get it to work successfully with Windows 10 and Server 2016. A similar guide for setting up a 2016 WSUS server would also be nice. I know there are guides out there for setting up WSUS but I can’t find one that references the patches needed.

    Aside from that, why is it so hard to patch a server that is designed to patch our client devices? WSUS should be easier to patch, Period.

    Sorry for the Rant and Thanks!

    1. Thanks for the suggestion, Steve. Agreed that it would be nice if WSUS were easier to patch; the reason it used to be so simple is that we’d package a new version as a full release, and the product was rarely serviced through Windows updates. Given our new reality and the lessons learned from 2016, we’re being extra careful about making additional changes to WSUS.

      The next update that we ship to WSUS will be cumulative, and will therefore include all the fixes you need. Going forward, it will be much easier to ensure that you’re properly patched.

  18. DCourtel says:

    Since I have apply this KB, my Wsus Version is 6.3.9600.18324 but my Wsus Console on my computer (via RSAT) is still 6.3.9600.17477. So I can’t do local publishing with Wsus Package Publisher. How can I upgrade my Wsus Console on my computer ?
    Thanks.

    1. The fix is on the server itself, not in RSAT. As long as you’ve patched your actual WSUS server, your RSAT operations against it should work fine. Can you describe the local publishing issue in more detail?

  19. sccmteam says:

    Can someone please suggestion on this timeout expired related error.

  20. dominique says:

    Hello,

    Here we go again, after fighting with the 1607 update, same error comes back with the 1703 update in WSUS :

    2017-04-13 09:53:04, Error MOUPG RecoverCrypto: File is encrypted, but no key was provided.
    2017-04-13 09:53:04, Error MOUPG CDlpActionRecoverCrypto::DoCrypto(1713): Result = 0xC1800118

    What to do now ?
    Thanks.

    1. Is this still happening, or did it sort itself out? Sometimes the decryption key is not published at the exact time the ESD becomes available, in which case you can be on the problematic end of this race condition. If that’s the case, then the steps outlined in this article may be needed to help you try again with a fresh sync attempt, since the decryption key is most certainly available now.

  21. GT-Seattle says:

    Wondering if the update promised by the author in November was ever released? If so, what is the KB #? Thanks.

    1. The update has not been released yet, but we’ll be sure to post the information when it has.

  22. Matt says:

    Hi,

    our clients are already on version 1607 and we set up a new WSUS. Now I have the same problem as described in KB3194588 except that it’s about the version 1703.
    So I followed the KB3194588 with the following changes:
    DB query:
    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like ‘%15063%.esd’ and IsEncrypted = 0)

    PS:
    $s = Get-WsusServer

    $1703Updates = $s.SearchUpdates(“version 1703”)

    $1703Updates | foreach { $_.Decline() }

    $1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

    The last line ($1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }) has been running for about 15 hours and still hasn’t finished. Any idea why and how to proceed? Can I just abort the command?

    Thanks
    Matt

    1. You can abort the command, but there’s no guarantee as to how much processing was completed or not. It shouldn’t take 15 hours to complete unless you have a large number of languages (and therefore Upgrades) synched to your WSUS. If you began by setting up a new WSUS for these clients, then we recommend setting up the WSUS server again (flatten and rebuild the server, if you can), installing the necessary updates (for Windows Server 2012/R2, that is KB3159706) and performing necessary manual steps to complete the installation, and only then checking the Upgrades classification. You can go through the painful process of deleting updates and database rows, but it’s less error prone to simply start over if your installation is already relatively new.

      1. Matt says:

        Thanks for your reply.
        I’ve already gone through the painfull process of declining several thousand language packages. Is there a good tutorial on how to properly deploy a new WSUS without declining thousands of language packages? I only need German, English and French. Our infrastructure is pretty heterogeneous so we get updates for a lot of products.
        Thanks
        Matt

        1. Matt says:

          Quick update:
          I aborted the command and executed the following in management studio:
          declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);
          insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like ‘%15063%.esd’ except select FileDigest from tbFileForRevision);
          delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)
          delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)
          after that I ran the first the first query again:
          select TotalResults = Count(*)
          from tbFile
          where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like ‘%15063%.esd’ and IsEncrypted = 0)
          I got the surprising reply that it worked! The result was 0!

  23. earlofglen says:

    My WSUS reports it is version 6.39600.18228 running on Windows Server 2012 R2. I believe I have I have gone through all the recommended steps to make the decryption piece work including the manual steps. I’ve queried the database and come up with a “0” when checking for Upgrades that might be downloaded but not registered properly. That includes 1607 and 1703 releases. What I have experienced is that clients with the 1511 build are properly recognizing the 1607 feature upgrade as “needed” (which is approved) and the 1703 feature upgrade as “needed” (which is not approved). As soon as 1607 is installed the clients don’t appear to get their updates including cumulative updates from WSUS and 1703 isn’t “needed” any longer. They are showing up as being 100% patched. Cumulative updates do install but appear to come from another source (Windows Update?). I changed Group Policy last night to allow CB (was CBB) distribution yesterday and this morning I installed on my workstation. What am I missing preventing WSUS from recognizing the clients need the cumulative updates and 1703? Distribution Optimization is set for BYPASS which I’ve seen recommended.

    Is this behavior a result of the WSUS server patch problems over the last year or so or Group Policy?

    1. You might want to read this blog post on Dual Scan to get a better understanding of why your client might be ignoring search results from WSUS after upgrading to 1607. If you follow the workaround mentioned in that post, then you should see your applicability detection return to normal.

  24. Eidechse says:

    Getting:

    Msg 207, Level 16, State 1, Line 3
    Invalid column name ‘IsEncrypted’.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name ‘DecryptionKey’.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name ‘IsEncrypted’.

    Is it because we have WSUS 3.0?

    1. Yes, WSUS 3.0 (including SP1 and SP2) cannot manage encrypted content. Please deselect the Upgrades classification, and do not expect to successfully sync or deploy this content using that version of WSUS.

      1. Eidechse says:

        What is the best way to update to WSUS 4.0?

  25. Leunis says:

    Hope someone can help me, I am also getting:

    Msg 207, Level 16, State 1, Line 3
    Invalid column name ‘IsEncrypted’.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name ‘DecryptionKey’.
    Msg 207, Level 16, State 1, Line 3
    Invalid column name ‘IsEncrypted’.

    This WSUS was installed on Server 2012 R2 so it cant be the previously mentioned WSUS upgrade that is needed can it?

    1. Your WSUS server does not understand these new columns, which suggests a mismatch between your schema and your database. Please review the post on KB3159706 and follow the manual steps to which it links.

  26. DaddyPig says:

    Hi Steve, could you clear something up for me please? in the kb3194588 blog a ‘bad state’ is indicated by a “TotalResult = 0” is that true? after running the SQL query what should a good result be.. (greater than 0)?? even running through this blog some seem to be taking a “0” result as good.. – many thanks

    1. The logic is a bit confusing. Might be helpful to restate it as “TotalResult = 0” means that you have not successfully identified the updates that are causing issues in your environment. If you’re hitting 0xc1800118, then it is surely because of feature updates, and if the SQL query is unable to locate the offending updates, then that is a “bad” result. It might mean that you need to tweak the query–different languages describe the updates differently, for example–to ensure that you successfully locate the update to be deleted from the SUSDB.

  27. A. Buttigieg says:

    I have had this issue also. I have followed the procedure in kb 3194588 to correct it, first with the top WSUS and then with the downstream WSUS. The downstream WSUS is not receiving the DecryptionKey (still NULL). I’ve repeated the procedure several times on the downstream server.

    1. A. Buttigieg says:

      I have manage to resolve the issue but I saw an ugly side effect. The issue is from the below:
      $s = Get-WsusServer
      $1703Updates = $s.SearchUpdates(“version 1703”)
      $1703Updates | foreach { $_.Decline() }
      $1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

      The above will also expire the most recent cumulative update! And the KB article does not seem to be available anymore…

  28. Hi there,
    Noob question here.

    I’m trying to paste this as request in wsus db
    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL and filename like ‘.esd’)
    but i have this issue :
    Msg 102, Level 15, State 1, Line 3
    Error ‘‘’.
    I execute request directly on the pipe : \\.\pipe\MICROSOFT##WID\tsql\query

    What is the problem ? Thanks !

Skip to main content