SCCM Server OS Upgrade WSUS Error Failed to Decrypt Password

An SCCM server OS upgrade is a critical task for keeping pace with SCCM current branch (CB) updates in your SCCM environment. As you may be aware, the minimum server OS version needed to upgrade the SCCM CB infrastructure to 1702 is Windows Server 2012. This server OS upgrade is required for SCCM site servers and site system servers such as MP, SUP, etc. SCCM CB 1707 DPs are still supported on server OS 2008 and above. In this post, I cover the SCCM server OS upgrade WSUS error that I faced after an in-place OS upgrade of the SCCM CB primary/CAS server.

More details about the SCCM server OS upgrade checklist are in the post “SCCM CB 1702 Upgrade of CAS and Primary Sites A Real world Experience”.

I have blogged about the WSUS reinstallation steps for an SCCM server OS upgrade in the post “SCCM Server OS Upgrade WSUS SUP Notes from Real World“. In that post, I’ve covered all the tasks that we need to take care of before and after an SCCM server OS in-place upgrade. In one scenario, after completing the post OS in-place upgrade activities, I was not able to perform WSUS Sync on the SCCM CB site server. The error in the WSUSCtrl.log was “Failed to decrypt password of user (P). error = 0X8009200c“. The error code 0X8009200c translates to “Cannot find the certificate and private key to use for decryption”. The solution to this error is given at the end of this post.


WSUSCtrl.log file snippet

Failed to decrypt password of user (P). error = 0X8009200c
Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes

I have also seen the following errors in the WSUSSYNC.log file when the WSUS configuration has not been completed after WSUS installation. To complete the configuration, you DON’T need to go through the post-installation tasks of WSUS. Rather, we just need to connect to the same share location and DB server. This will help us complete all the previous configuration.

WSYNCMGR.log file snippet

System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it [::1]:8530~~   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)~~   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)~~   --- End of inner exception stack trace ---~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)
Remote configuration failed on WSUS Server.
Setting new configuration state to 3 (WSUS_CONFIG_FAILED)
Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=ServerName SITE=CAS PID=2852 TID=4608 GMTDATE=Sat Jun 17 16:19:06.908 2017 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0

If you start going through the post-installation steps of WSUS as suggested by the Server 2012 R2 “Add roles and features wizard”, you will get errors similar to the ones I have noted below. You don’t actually have to complete this task. Rather, just launch the WSUS console and click on the RUN button to complete the WSUS installation process.

Log file is located at C:\Users\anoop.nair\AppData\Local\Temp\tmp14EC.tmp
Post install is starting
Fatal Error: Failed to start and configure the WSUS service

Resolution for Failed to decrypt password of user ERROR

To resolve the error “Failed to decrypt password of user (P). error = 0X8009200c”, I just restarted the SCCM CB server. After the restart, WSUS Sync started working perfectly fine and the CAS server was able to send the notification to its child sites.
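
The log signatures quoted in this post can be collected into one triage script. This is an added example, not part of the original post: the function name `Get-WsusLogFinding` is hypothetical, the sample lines are abridged from the snippets above, and the notes repeat only what the post and the log text say.

```powershell
# Added example: classify the WSUS errors quoted in this post.
# $sample lines are abridged from the post's snippets (constructed input).
$sample = @(
    'Failed to decrypt password of user (P). error = 0X8009200c'
    'System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it [::1]:8530~~   at System.Net.Sockets.Socket.DoConnect(...)'
    'Setting new configuration state to 3 (WSUS_CONFIG_FAILED)'
    'STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=ServerName SITE=CAS ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." NUMATTRS=0'
)
# HRESULT text exactly as given in the post
$hresultText = @{ '0x8009200c' = 'Cannot find the certificate and private key to use for decryption' }
$signatures = @(
    @{ Name = 'PasswordDecryptFailed'; Regex = 'Failed to decrypt password of user .*error = (?<hr>0x[0-9a-f]{8})'
       Note = 'Post: cleared by restarting the site server' }
    @{ Name = 'WsusPortRefused'; Regex = 'actively refused it (?<ep>\[[^\]]+\]:\d+|[\d.]+:\d+)'
       Note = 'Post: WSUS setup not completed; launch the WSUS console and click Run' }
    @{ Name = 'WsusConfigFailed'; Regex = 'WSUS_CONFIG_FAILED|WSUS server not configured'
       Note = 'Log text: see WCM.log for the configuration error' }
)
# KEY=value pairs in a STATMSG line; values may be quoted or contain spaces
$statField = '(?<k>[A-Z0-9]+)=(?:"(?<v>[^"]*)"|(?<v>.*?))(?=\s+[A-Z0-9]+=|$)'

function Get-WsusLogFinding {
    param([Parameter(Mandatory)][string[]]$Line)
    foreach ($text in $Line) {
        foreach ($sig in $signatures) {
            if ($text -match $sig.Regex) {        # -match is case-insensitive
                $detail = ''
                if ($Matches['hr']) {
                    $code = $Matches['hr'].ToLower()
                    $detail = "$code $($hresultText[$code])"
                }
                elseif ($Matches['ep']) { $detail = "endpoint $($Matches['ep'])" }
                if ($text.StartsWith('STATMSG:')) {
                    $kv = @{}
                    foreach ($m in [regex]::Matches($text, $statField)) {
                        $kv[$m.Groups['k'].Value] = $m.Groups['v'].Value
                    }
                    $detail = "ID=$($kv['ID']) SEV=$($kv['SEV']) COMP=$($kv['COMP'])"
                }
                [pscustomobject]@{ Finding = $sig.Name; Detail = $detail; Note = $sig.Note }
                break                             # first matching signature wins
            }
        }
    }
}

Get-WsusLogFinding -Line $sample | Format-List
```

To run it against real logs, pass the output of `Get-Content` for the site server's WSUSCtrl.log and wsyncmgr.log as `-Line`.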
