Failed to decrypt state encryption key (0x80070057) – Can't get StateEncryptDecryptKey property error in SCCM/ConfigMgr User State Migration Console

I found this issue today and hope to get some help from the ConfigMgr team on it but figured it was worth writing up the workaround for now.

The Issue

While attempting to perform a user state backup on a machine using an SCCM task sequence, we received this error in SMSTS.LOG:

Failed to decrypt state encryption key (0x80070057) Failed to run the action: Request User State Storage. The parameter is incorrect. (Error: 00000057; Source: Windows)

Looking at the User State Migration node in the SCCM console, I couldn’t find any computer associations for this computer (it should have an In-place relationship created). I checked the StateMigration table in the DB and found 3 entries for this device, and none of them had an encryption key in the DB. When I ran the SQL below, I found about 30 more records with no key (along with about 90 valid records).

SELECT *
FROM [dbo].[StateMigration] sm
where StateEncryptDecryptKey is null

I then checked WMI on the SCCM Primary using WMIExplorer to run the query below and was unable to find a record for the device in question. I spot checked several more of the machines that I found with SQL and they were all missing from WMI.

SELECT * FROM SMS_StateMigration WHERE SourceClientResourceID = 12345678

At this point, I’ve got an incomplete/invalid record in the DB that I can’t access through WMI to delete using the DeleteAssociation method on the SMS_StateMigration object, and I don’t want to make direct changes to the DB. Next, I tried creating a new Computer Association in the ConfigMgr console. When I used the machine in question as either the source or destination machine, then opened the Recovery Information pane for the device, I received this error:

ConfigMgr Error Object:
instance of SMS_ExtendedStatus
{
    CauseInfo = "";
    Description = "Can't get StateEncryptDecryptKey property.";
    ErrorCode = 3242528002;
    File = "..\\sspstatemigration.cpp";
    Line = 1049;
    Operation = "ExecMethod";
    ParameterInfo = "SMS_StateMigration.RestoreClientResourceID=11223344,SourceClientResourceID=12345678";
    ProviderName = "WinMgmt";
    StatusCode = 2147749889;
};

-------------------------------
Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException
The SMS Provider reported an error.

Stack Trace:
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.ExecuteMethod(String methodName, Dictionary`2 methodParameters, Boolean traceParameters)
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.ExecuteMethod(String methodName, Dictionary`2 methodParameters)
   at Microsoft.ConfigurationManagement.AdminConsole.MachineAssociation.RecoverUserStateDialog.Initialize(Assembly assembly, SmsFormData propertySheet, SmsPageData pageData)
   at Microsoft.ConfigurationManagement.AdminConsole.SmsCustomDialog.Initialize()
   at Microsoft.ConfigurationManagement.AdminConsole.ShowDialogTaskHandler.DoTask(NavigationModelNodeBase node, SccmTaskConfiguration sccmTask, PropertyDataUpdated dataUpdatedDelegate, Boolean readOnly)
   at Microsoft.ConfigurationManagement.AdminConsole.SccmTaskHandlerBase.DoTask(IList`1 navigationNodes, NavigationModelNodeTask task)
   at Microsoft.EnterpriseManagement.ConsoleFramework.WindowTaskHandler.WindowTaskOperation.ExecuteTaskJob(Object sender, ConsoleJobEventArgs jobArguments)
   at Microsoft.ConfigurationManagement.AdminConsole.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)

-------------------------------

System.Management.ManagementException
Generic failure 


Stack Trace:
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.ExecuteMethod(String methodName, Dictionary`2 methodParameters, Boolean traceParameters)
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.ExecuteMethod(String methodName, Dictionary`2 methodParameters)
   at Microsoft.ConfigurationManagement.AdminConsole.MachineAssociation.RecoverUserStateDialog.Initialize(Assembly assembly, SmsFormData propertySheet, SmsPageData pageData)
   at Microsoft.ConfigurationManagement.AdminConsole.SmsCustomDialog.Initialize()
   at Microsoft.ConfigurationManagement.AdminConsole.ShowDialogTaskHandler.DoTask(NavigationModelNodeBase node, SccmTaskConfiguration sccmTask, PropertyDataUpdated dataUpdatedDelegate, Boolean readOnly)
   at Microsoft.ConfigurationManagement.AdminConsole.SccmTaskHandlerBase.DoTask(IList`1 navigationNodes, NavigationModelNodeTask task)
   at Microsoft.EnterpriseManagement.ConsoleFramework.WindowTaskHandler.WindowTaskOperation.ExecuteTaskJob(Object sender, ConsoleJobEventArgs jobArguments)
   at Microsoft.ConfigurationManagement.AdminConsole.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)

-------------------------------

Workaround

Removing the invalid entries from the DB without directly editing the DB turned out to be pretty simple.

  1. Create a new Computer Association in the console using an invalid computer from the DB as the source and a random computer as the destination.
  2. Delete the newly created Computer Association.

That’s it. Check the DB and you should see the offending records disappear. I haven’t tracked down the root cause yet, so this will have to work for now.

If you have a large number of machines with this issue, you can consider scripting this in PowerShell using the WMI AddAssociation method on the SMS_StateMigration WMI object. If I make a script, I’ll post here.
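
The two-step workaround above, scripted against the SMS Provider with the AddAssociation and DeleteAssociation methods of SMS_StateMigration. This is an added example, not the author's script: the provider host, site code and resource IDs are placeholders, and the method parameter names are assumed to match the SourceClientResourceID and RestoreClientResourceID names shown in the error's ParameterInfo. It skips any device that already has an association visible in WMI, so only records matching the symptom described above are touched.

```powershell
# Added example, not the author's script. Save as a .ps1 and run with rights on the SMS Provider.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $ProviderServer = 'cm01.example.test',  # placeholder SMS Provider host
    [string]   $SiteCode       = 'XYZ',                # placeholder site code
    [uint32[]] $SourceId       = @(12345678),          # ResourceIDs found with the SQL check
    [uint32]   $RestoreId      = 11223344              # any other valid device's ResourceID
)

$cim = @{
    CimSession  = New-CimSession -ComputerName $ProviderServer
    Namespace   = "root\sms\site_$SiteCode"
    ErrorAction = 'Stop'
}

foreach ($id in $SourceId) {
    # Only touch devices that match the symptom: rows in SQL but nothing in WMI.
    $visible = Get-CimInstance @cim -Query "SELECT * FROM SMS_StateMigration WHERE SourceClientResourceID = $id"
    if ($visible) {
        Write-Warning "$id has an association visible in WMI; skipping."
        continue
    }
    if (-not $PSCmdlet.ShouldProcess("ResourceID $id", 'Create and delete temporary association')) { continue }

    $pair = @{ SourceClientResourceID = $id; RestoreClientResourceID = $RestoreId }
    try {
        # Step 1: create the association; step 2: delete it again.
        foreach ($method in 'AddAssociation', 'DeleteAssociation') {
            $r = Invoke-CimMethod @cim -ClassName SMS_StateMigration -MethodName $method -Arguments $pair
            if ($r.ReturnValue -ne 0) { throw "$method returned $($r.ReturnValue)" }
        }
        Write-Output "Cleaned up ResourceID $id"
    }
    catch {
        Write-Warning "ResourceID ${id}: $($_.Exception.Message)"
    }
}

Remove-CimSession $cim.CimSession
```

Run it with -WhatIf first to see which resource IDs would be processed, then re-run the SQL query to confirm the rows with a null StateEncryptDecryptKey are gone.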