Windows-itpro-docs: Update documentation for 2004

Created on 12 Jun 2020  ·  32 Comments  ·  Source: MicrosoftDocs/windows-itpro-docs

Hi,
Is the Feature update troubleshooting document also valid for version 2004 (or are there any plans to update)? I see some things in the logs of version 2004 which were not present in earlier logs.


All 32 comments

No, the document isn't kept up to date for every release. The push is to use SetupDiag for all upgrade failure troubleshooting and not rely on these procedures so much.

But if you tell me what you're seeing I can try to add it.

@Sumitdhiman thank you for reaching out. Please confirm if this issue has been resolved or are you needing any more assistance?

Hi lindspea,
I have some specific 2004 failure files but cannot figure out what the exact cause is; the error code is 1900101-40017. I have tried the steps given in the documentation but have not succeeded in finding what exactly the issue is.

Panther logs are here:

https://1drv.ms/u/s!AjF425jZa3VggxhPKi1AqGrdbqPr?e=kVkmiW

From \UnattendGC

https://1drv.ms/u/s!AjF425jZa3Vggx14K8_fXOB1Cs-C?e=tQT45v

I have seen around ~10 threads in the last month where OP was trying to update from 03/1909 to 2004 with the same error code. Unusually high.

Can you please try using the SetupDiag tool? I will try to use it to analyze these logs myself also.

I ran setupdiag on your logs and it wasn't able to match a rule. However, we have a solution for this error code in the article which says it is a driver issue. Have you tried disabling encryption and antivirus, and performing a clean boot?

Sorry for the delay. In most of the cases I remember working with, none of those applied. Clean boot is my first recommendation to people and it did not help. The bigger picture is that none of the logs give a trace of where the update fails. Happy to share other logs with you as well, if you need them.

Thanks Greg for looking into this matter and sticking with me on this 👍

You're welcome! I contacted an expert here and he says that the rollback setupact.log (from %systemdrive%\$Windows.~bt\Sources\Panther\Rollback) is needed to diagnose this, but the first thing to try is to find any unsigned drivers and remove or update them. He provided the following link, but said we don't recommend 3rd party tools, so watch out for these: https://www.blogsdna.com/27914/how-to-find-unsigned-drivers-installed-on-windows.htm#:~:text=How%20to%20Find%20Unsigned%20Drivers%20on%20Windows%2010.,scanned%20and%20verified%20as%20digitally%20signed%E2%80%9D.%20More%20items

I'm going to follow up by adding information to the resolution procedures on how to locate unsigned drivers. At this point, I don't think I can do much more than that, so I'm closing the issue. I appreciate bringing the issue up so that I can add more depth to the resolution procedures.

I'm in the middle of writing this now. The tools you should check out, if you haven't already tried them, are sigverif, sigcheck and driverquery.

Many thanks, I look forward to it. A set of Rollback Logs from a customer I am working on this morning is here:

https://1drv.ms/u/s!AmzJ4dYDN4IW2TdCLguM7rs1hXSR?e=aM4FPn

I see error 1900101-40017 on line 15668. I ran setupdiag again but it didn't find a match. However, the 1900101-40017 error is almost always associated with a driver problem. Can you run sigverif to see if there are any unsigned drivers on the system?

If unsigned drivers are present, there could be a corrupt or missing catalog file. I do see some problems with cab files in Windows\System32\spool\drivers\W32X86\PCC.

Sure. I am working with the user and will continue to report on the outcomes. Setupdiag from his machine indicates an unnamed service issue. I can ask for the additional logs if required. Right now working with sigverif.

<?xml version="1.0" encoding="utf-16"?>
<SetupDiag xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag">
  <Version>1.6.0.0</Version>
  <ProfileName>FindRollbackFailure</ProfileName>
  <ProfileGuid>3A43C9B5-05B3-4F7C-A955-88F991BB5A48</ProfileGuid>
  <FailureData>Error: SetupDiag reports rollback failure found.
Last Phase = Post First Boot
Last Operation = Ensure suspended services are stopped
Error = 0xC1900101-0x40017</FailureData>
  <FailureData>LogEntry: </FailureData>
  <FailureData>Refer to "https://docs.microsoft.com/en-us/windows/desktop/Debug/system-error-codes" for error information.</FailureData>
  <FailureDetails>RollbackErrorCode = 0xC1900101, ExtendedCode = 0x40017, LastOperation = Ensure suspended services are stopped, LastPhase = Post First Boot</FailureDetails>
  <SetupPhaseInfo>
    <PhaseName>Post First Boot</PhaseName>
    <PhaseStartTime>10/8/2020 4:29:09 PM</PhaseStartTime>
    <PhaseEndTime>10/8/2020 4:29:34 PM</PhaseEndTime>
    <PhaseTimeDelta>0:00:00:25.0000000</PhaseTimeDelta>
    <CompletedSuccessfully>true</CompletedSuccessfully>
  </SetupPhaseInfo>
  <SetupOperationInfo>
    <OperationName>Ensure suspended services are stopped</OperationName>
    <OperationStartTime>10/8/2020 4:29:34 PM</OperationStartTime>
    <OperationEndTime>1/1/0001 12:00:00 AM</OperationEndTime>
    <OperationTimeDelta>0:00:00:00.0000000</OperationTimeDelta>
    <CompletedSuccessfully>false</CompletedSuccessfully>
  </SetupOperationInfo>
</SetupDiag>
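An added example, not part of the original thread and not SetupDiag's own code: a Python sketch that reads a SetupDiag result like the one posted above and reports the rollback codes plus the phase or operation that did not complete. The function names and the trimmed sample are constructed here, and treating an end time of 1/1/0001 as "no end recorded" is an assumption based on the posted result.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the result posted above, encoded as
# UTF-16 to match the encoding its XML declaration names.
SAMPLE = """<?xml version="1.0" encoding="utf-16"?>
<SetupDiag xmlns="https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag">
  <ProfileName>FindRollbackFailure</ProfileName>
  <FailureDetails>RollbackErrorCode = 0xC1900101, ExtendedCode = 0x40017, LastOperation = Ensure suspended services are stopped, LastPhase = Post First Boot</FailureDetails>
  <SetupPhaseInfo>
    <PhaseName>Post First Boot</PhaseName>
    <PhaseEndTime>10/8/2020 4:29:34 PM</PhaseEndTime>
    <CompletedSuccessfully>true</CompletedSuccessfully>
  </SetupPhaseInfo>
  <SetupOperationInfo>
    <OperationName>Ensure suspended services are stopped</OperationName>
    <OperationEndTime>1/1/0001 12:00:00 AM</OperationEndTime>
    <CompletedSuccessfully>false</CompletedSuccessfully>
  </SetupOperationInfo>
</SetupDiag>""".encode("utf-16")


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on every tag."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_bytes):
    """Return the profile, the key/value failure details and unfinished steps."""
    root = ET.fromstring(xml_bytes)
    out = {"profile": None, "details": {}, "unfinished": []}
    for el in root:
        name, text = local(el.tag), (el.text or "").strip()
        if name == "ProfileName":
            out["profile"] = text
        elif name == "FailureDetails":
            # Flat "Key = value, Key = value" string.
            out["details"] = dict(re.findall(r"(\w+) = ([^,]+)", text))
        elif name in ("SetupPhaseInfo", "SetupOperationInfo"):
            f = {local(c.tag): (c.text or "").strip() for c in el}
            if f.get("CompletedSuccessfully") != "true":
                end = f.get("OperationEndTime") or f.get("PhaseEndTime") or ""
                # Assumption: the zero date 1/1/0001 means no end was recorded.
                out["unfinished"].append({
                    "kind": name,
                    "name": f.get("OperationName") or f.get("PhaseName"),
                    "ended": bool(end) and not end.startswith("1/1/0001"),
                })
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In the posted result the phase is marked complete while the operation is not, so the unfinished operation is the last thing setup started before the rollback.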

Re-opening issue until we can get the root cause figured out and documented.

You need to check the status of

C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~~10.0.19041.508.cat

See below. This driver should be signed.

C:\Sigcheck> .\sigcheck -i c:\windows\system32\drivers\umdf\rdpidd.dll

Sigcheck v2.80 - File version and signature viewer
Copyright (C) 2004-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\drivers\umdf\RdpIdd.dll:
Verified: Signed
Signing date: 1:16 PM 9/6/2020
Signing date: 1:16 PM 9/6/2020
Catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~~10.0.19041.508.cat
Signers:
Microsoft Windows
Cert Status: Valid
Valid Usage: NT5 Crypto, Code Signing
Cert Issuer: Microsoft Windows Production PCA 2011
Serial Number: 33 00 00 02 66 BD 15 80 EF A7 5C D6 D3 00 00 00 00 02 66
Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
Algorithm: sha256RSA
Valid from: 11:30 AM 3/4/2020
Valid to: 11:30 AM 3/3/2021
Microsoft Windows Production PCA 2011
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 61 07 76 56 00 00 00 00 00 08
Thumbprint: 580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D
Algorithm: sha256RSA
Valid from: 11:41 AM 10/19/2011
Valid to: 11:51 AM 10/19/2026
Microsoft Root Certificate Authority 2010
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
Thumbprint: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Algorithm: sha256RSA
Valid from: 2:57 PM 6/23/2010
Valid to: 3:04 PM 6/23/2035
Counter Signers:
Microsoft Time-Stamp Service
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: Microsoft Time-Stamp PCA 2010
Serial Number: 33 00 00 01 2D 2E 4D 41 CA 63 65 33 A0 00 00 00 00 01 2D
Thumbprint: 9FCE5FC77E877BB174BE09B2525CF6C3CDA5D0B1
Algorithm: sha256RSA
Valid from: 6:15 PM 12/18/2019
Valid to: 6:15 PM 3/16/2021
Microsoft Time-Stamp PCA 2010
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 61 09 81 2A 00 00 00 00 00 02
Thumbprint: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Algorithm: sha256RSA
Valid from: 2:36 PM 7/1/2010
Valid to: 2:46 PM 7/1/2025
Microsoft Root Certificate Authority 2010
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
Thumbprint: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Algorithm: sha256RSA
Valid from: 2:57 PM 6/23/2010
Valid to: 3:04 PM 6/23/2035
Company: Microsoft Corporation
Description: Rdp Indirect Display
Product: Microsoft« Windows« Operating System
Prod version: 10.0.19041.423
File version: 10.0.19041.423 (WinBuild.160101.0800)
MachineType: 64-bit
C:\Sigcheck>

Looks like your catalog might have a slightly different version number than mine. The lines below are from the first setupact.log file you provided.

2020-09-23 18:58:54, Info MIG Excluding OS catalog based on name match: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~it-IT~10.0.18362.1016.cat
2020-09-23 18:58:54, Info MIG Excluding OS catalog based on name match: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~~10.0.18362.997.cat
2020-09-23 18:58:54, Info MIG Excluding OS catalog based on name match: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package02~31bf3856ad364e35~amd64~~10.0.18362.997.cat
2020-09-23 18:58:54, Info MIG Excluding OS catalog based on name match: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package03~31bf3856ad364e35~amd64~~10.0.18362.1016.cat

If possible, examine a system that is running the same version of Windows 10 and see what the name of that catalog is. Use the .\sigcheck -i c:\windows\system32\drivers\umdf\rdpidd.dll command shown above.

Maybe C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~~10.0.18362.693 just based on the version reported in your sigverif output.

If possible, copy the catalog file over from another device and reboot, assuming you find the correct catalog file. Otherwise you can try uninstalling the driver before upgrading. I am not positive, but I think this might be a display driver for a Generic Non-PnP Monitor. You can run dxdiag and it might show up there, and look in device manager at the properties of the Generic Non-PnP Monitor device if you have one.

Another option is to run dxdiag and confirm that the system is using this driver. Then simply replace the Generic Non-PnP monitor driver with a driver that is specific to the monitor that is attached. This way the unsigned driver will not be loaded - although I'm not entirely positive that this driver isn't needed during the update process for temporary use.
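An added example, not part of the original thread: a Python sketch of the catalog-name comparison discussed in the comments above. It splits each catalog file name into package, architecture, language and version, then lists the setupact.log catalogs that match the one sigcheck reported except for the version. The function names are constructed here, and the inputs are the paths quoted in the thread.

```python
import re

# Catalog file names carry a component identity:
#   <package>~<publicKeyToken>~<arch>~<language, empty if neutral>~<version>.cat
CAT_RE = re.compile(
    r"\\CatRoot\\\{[0-9A-F-]+\}\\(?P<package>[^~\\]+)~(?P<token>[0-9a-f]+)"
    r"~(?P<arch>[^~]+)~(?P<lang>[^~]*)~(?P<version>\d+(?:\.\d+){3})\.cat",
    re.IGNORECASE)

# Constructed inputs: the catalog path from the sigcheck output and the four
# setupact.log lines quoted in the thread.
REFERENCE = r"C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~~10.0.19041.508.cat"
LOG = r"""
2020-09-23 18:58:54, Info MIG Excluding OS catalog based on name match: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~it-IT~10.0.18362.1016.cat
2020-09-23 18:58:54, Info MIG Excluding OS catalog based on name match: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~~10.0.18362.997.cat
2020-09-23 18:58:54, Info MIG Excluding OS catalog based on name match: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package02~31bf3856ad364e35~amd64~~10.0.18362.997.cat
2020-09-23 18:58:54, Info MIG Excluding OS catalog based on name match: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package03~31bf3856ad364e35~amd64~~10.0.18362.1016.cat
"""


def catalogs(text):
    """Yield (package, arch, lang, version-tuple) for each catalog path found."""
    for m in CAT_RE.finditer(text):
        version = tuple(int(p) for p in m["version"].split("."))
        yield m["package"], m["arch"].lower(), m["lang"] or "neutral", version


def mismatches(reference_path, log_text):
    """Log catalogs with the reference's package/arch/lang but another version."""
    ref = next(catalogs(reference_path))
    return [
        # same_release: major.minor.build agree, only the revision differs.
        {"version": c[3], "same_release": c[3][:3] == ref[3][:3]}
        for c in catalogs(log_text)
        if c[:3] == ref[:3] and c[3] != ref[3]
    ]


if __name__ == "__main__":
    for hit in mismatches(REFERENCE, LOG):
        print(hit)
```

A result with `same_release` set to False means the two catalogs come from different Windows builds (here 18362 in the log and 19041 in the sigcheck output), so the difference by itself does not indicate a damaged catalog; the comparison is meaningful against a system on the same Windows 10 version, as the thread advises.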

The catalog name is as follows from my 1909 VM, essentially what OP is using:

C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~x86~~10.0.18362.900.cat

It is possible that some program may have replaced it with an unsigned version, right?

The problem is I can't supply my file as mine is an X86 architecture OS. I would go by the uninstallation method with the steps as suggested and would let you know. Thanks.

Thanks, please let me know how it turns out. FYI, I edited your comment above slightly. It turns out that some special characters in the file name don't display quite right on this page unless you use 'code' quotes.

I was hopeful that this would be our issue, but after looking at this DLL on one of my own VMs the results are confusing. Sigverif says that the DLL is unsigned, but sigcheck says it is signed. I think that it is really signed, and sigverif is reporting incorrect results. If I look at DXDIAG, I see "WHQL Logo'd: Yes" which means it is signed.

I think we are going to have to look somewhere else for the issue here, but let me know what you find out.


Display Devices

       Card name: Microsoft Remote Display Adapter
    Manufacturer: Microsoft
       Chip type: Unknown
        DAC type: Unknown
     Device Type: Display-Only Device
      Device Key: Enum\SWD\REMOTEDISPLAYENUM
   Device Status: 0180600A [DN_DRIVER_LOADED|DN_STARTED|DN_DISABLEABLE|DN_REMOVABLE|DN_NT_ENUMERATOR|DN_NT_DRIVER]

Device Problem Code: No Problem
Driver Problem Code: Unknown
Display Memory: 2047 MB
Dedicated Memory: 0 MB
Shared Memory: 2047 MB
Current Mode: 1366 x 768 (32 bit) (32Hz)
HDR Support: Not Supported
Display Topology: Internal
Display Color Space: DXGI_COLOR_SPACE_RGB_FULL_G22_NONE_P709
Color Primaries: Red(0.000000,0.000000), Green(0.000000,0.000000), Blue(0.000000,0.000000), White Point(0.000000,0.000000)
Display Luminance: Min Luminance = 0.000000, Max Luminance = 0.000000, MaxFullFrameLuminance = 0.000000
Monitor Name: Generic Non-PnP Monitor
Monitor Model: unknown
Monitor Id:
Native Mode: unknown
Output Type: Other
Monitor Capabilities: HDR Not Supported
Display Pixel Format: DISPLAYCONFIG_PIXELFORMAT_32BPP
Advanced Color: Not Supported
Driver Name: c:\windows\system32\drivers\umdf\rdpidd.dll,c:\windows\system32\drivers\wudfrd.sys
Driver File Version: 10.00.19041.0423 (English)
Driver Version: 10.0.19041.423
DDI Version: 12
Feature Levels: 12_1,12_0,11_1,11_0,10_1,10_0,9_3,9_2,9_1
Driver Model: WDDM 1.3
Hardware Scheduling: Supported:False Enabled:False
Graphics Preemption: DMA
Compute Preemption: DMA
Miracast: Not Supported
Detachable GPU: No
Hybrid Graphics GPU: Not Supported
Power P-states: Not Supported
Virtualization: Not Supported
Block List: No Blocks
Catalog Attributes: N/A
Driver Attributes: Final Retail
Driver Date/Size: 6/20/2006 5:00:00 PM, 243200 bytes
WHQL Logo'd: Yes
WHQL Date Stamp: Unknown
Device Identifier: {D7B71AF4-43CC-11CF-E463-616AAFC2C735}
Vendor ID: 0x1414
Device ID: 0x008C
SubSys ID: 0x00000000
Revision ID: 0x0000
Driver Strong Name: rdpidd.inf:c14ce88470d6efe0:RdpIdd_Install.NT:10.0.19041.423:RdpIdd_IndirectDisplay
Rank Of Driver: 00FF0000
Video Accel: Unknown
DXVA2 Modes: Unknown
Deinterlace Caps: n/a
D3D9 Overlay: Not Supported
DXVA-HD: Not Supported
DDraw Status: Not Available
D3D Status: Enabled
AGP Status: Not Available
MPO MaxPlanes: 0
MPO Caps: Not Supported
MPO Stretch: Not Supported
MPO Media Hints: Not Supported
MPO Formats: Not Supported
PanelFitter Caps: Not Supported
PanelFitter Stretch: Not Supported

Unfortunately, disabling the generic PNP monitor did not help, so we are back to square one. After disabling it, there are no unsigned drivers listed. The same error code 1900101-40017 is reported. I wouldn't have bothered with the case but as there are many users hitting the same error, it would be a great help if we can identify the root cause.

New logs:

https://drive.google.com/file/d/1rO4f3QRc3oW4ulZhXDq7YKmC7Izajk7J/view?usp=sharing

https://drive.google.com/file/d/1rO4f3QRc3oW4ulZhXDq7YKmC7Izajk7J/view?usp=sharing

The links above seem to be bad. They don't match the text. I'll try copying the text instead of using the link.

Can you upload setupact.log from both panther and rollback? Both the links above are the same.

Ping

@Sumitdhiman are you there?

Sorry for the delayed response Greg. The OP replied yesterday that he ended up doing a reinstall. While I was closing this, I have another case of 40017.

https://www.dropbox.com/s/sjx1dcjh6qayukt/logs_1.zip?dl=0

Interesting in this case: OP attached a KernelAct.log which indicates some read errors of the Windows folder. I haven't seen that before, though. Setupdiag as usual, reports service suspended issue.

Error: SetupDiag reports rollback failure found. Last Phase = Post First Boot Last Operation = Ensure suspended services are stopped Error = 0xC1900101-0x40017

I also noticed that the PC is certified with version 2004 as well. Have asked for a Feedback Hub link if that helps.

FBH link below:

https://aka.ms/AA9ykt5

The first step to fix this error code is to perform a clean boot. Have they tried that? Also remove 3rd party antivirus or encryption if it is being used. This is also a common code when Citrix VDA is used - is that the case here?

I'm told that kernelact.log warnings are not fatal and won't cause a rollback. However, you should check the System event logs. 40017 can occur due to a number of reasons so it's not extremely easy to troubleshoot.

Thanks. Yes, definitely not easy to troubleshoot 👍
I have asked for unsigned drivers report and System Event logs. Clean boot didn't help and Citrix VDA isn't applicable.

I've been told that any failure in a low level component up to completion of the Windows sign-in process can cause a 0x40017 failure. This often requires a kernel debugger to figure out what is going on. But maybe the system logs will help.

The issue has gotten a bit stale.

I think that what we have learned is that if we see a 1900101 error it can be a few known causes for which there are fixes (corrupt drivers or Citrix VDA issues), but if these aren't the cause then a full debug analysis might be necessary.

Please let me know if you want to continue troubleshooting this.
