© 2021 www.richardwalz.com
Richard Walz
All rights reserved.

Windows 10 Feature Upgrades Not Downloading or Check for ESD Decryption Issue

  1. Depending upon when you find out that you have an ESD decryption error the issue could apply to any Windows 10 Feature Upgrade.  Somewhere on the internet there is a list that states what Windows 10 feature upgrades are effected this is true except it applies to only the Windows 10 Versions that were released up to then so its not a definitive list. In this segment I will go over how to check if you have an ESD decryption issue and how to correct.  Keep in mind that I am only checking this on two builds that we have in our environment but depending upon your environment you may need to look at additional builds.
    # Windows 10 Builds in our environment
    Windows 10 Build 1607 = 14393
    Windows 10 Build 1703 = 15063
  2. Check if you have an ESD Issue for Build 1703 on your SQL Server by running the commands below.  If the results show 1 or more you have a problem for any build you have an issue.  If you receive a “0” for all the queries you are good.
    # Run for 1703 Build.  If total Results in Greater than 0 you have a problem
    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%15063%.esd' and IsEncrypted = 0) 
    # Run for 1607 Build.  If total Results in Greater than 0 you have a problem
    select TotalResults = Count(*)
    from tbFile
    where (IsEncrypted = 1 and DecryptionKey is NULL) or (FileName like '%14393%.esd' and IsEncrypted = 0)
  3. To Fix this issue: Within the WSUS or Software Management Point Disable the Upgrades Classification from WSUS and/or SCCM or by running the powershell command below.  The example is set to 1607 and 1703 but if you have other builds in your environment you will need to modify the below to fit your needs.
    #1 #PowerShell WSUS SERVER
    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable
    $s = Get-WsusServer
    $1703Updates = $s.SearchUpdates("version 1703")
    $1703Updates | foreach { $_.Decline() }
    $1703Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }
    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification
    Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable
    $s= Get-WsusServer
    $1607Updates = $s.SearchUpdates("version 1607")
    $1607Updates | foreach { $_.Decline() }
    $1607Updates | foreach { $s.DeleteUpdate($_.Id.UpdateId) }

    4.  Run this SQL query below on your SQL Server with the builds associated in your environment to delete the bad digests/hashes.

    #RUN on SQL Server - deletes the bad digests.
    declare @NotNeededFiles table (FileDigest binary(20) UNIQUE);
    insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%15063%.esd'  except select FileDigest from tbFileForRevision);
    delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)
    delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)

    5. For this step follow this guide to install the hotfix and make the necessary adjustments  from Microsoft https://support.microsoft.com/en-us/help/3159706/update-enables-esd-decryption-provision-in-wsus-in-windows-server-2012

6. Make sure the server is fully up to date with the latest updates.  Avoid .net 4.7.   Make sure your WSUS Server has the following .esd MIME type added to your IIS Management Server for WSUS

7. Reboot your server – re-nable in SCCM/WSUS the Upgrades Classification and force a synchronization

8. After Synchronization is complete run the checks for #2 (remember to modify the code for each Windows 10 build you have in your environment to be safe it may be a good idea to get the entire list of builds to check against as newer builds will come out and will not be listed in this article) on the SQL Server you should receive “0” as your result.  This means the issue is gone.

If you still have anything higher than “0” you still have the issue.  You will need to go through the entire process again or see this article called “SCCM Reinstall SUSDB” to reinstall your SUSDB to start fresh.  The only parts you should do prior to reading this article is perform step #5 & #6.