Failed to decrypt state encryption key (0x80070057) – Can't get StateEncryptDecryptKey property error in SCCM/ConfigMgr User State Migration Console
August 10, 2018
I found this issue today and hope to get some help from the ConfigMgr team on it but figured it was worth writing up the workaround for now.
The Issue
While attempting to perform a user state backup on a machine using an SCCM task sequence, we received the error in SMSTS.LOG:
Failed to decrypt state encryption key (0x80070057)
Failed to run the action: Request User State Storage. The parameter is incorrect. (Error: 00000057; Source: Windows)
Looking at the User State Migration node in the SCCM console, I couldn’t find any computer associations for this computer (it should have an In-place relationship created). I checked the StateMigration table in the DB and found 3 entries for this device, and none of them had an encryption key in the DB. When I ran the SQL below, I found about 30 more records with no key (along with about 90 valid records).
I then checked WMI on the SCCM Primary using WMIExplorer to run the query below and was unable to find a record for the device in question. I spot-checked several more of the machines that I found with SQL and they were all missing from WMI.
At this point, I’ve got an incomplete/invalid record in the DB that I can’t access through WMI to delete using the DeleteAssociation method on the SMS_StateMigration object, and I don’t want to make direct changes to the DB. Next I tried creating a new Computer Association in the ConfigMgr console. When I used the machine in question as either the source or destination machine, then opened the Recovery Information pane for the device, I received this error:
Removing the invalid entries from the DB without directly editing the DB turned out to be pretty simple.
1. Create a new Computer Association in the console using an invalid computer from the DB as the source and a random computer as the destination.
2. Delete the newly created Computer Association.
That’s it. Check the DB and you should see the offending records disappear. I haven’t tracked down the root cause yet, so this will have to work for now.
If you have a large number of machines with this issue, you can consider scripting this in PowerShell using the WMI AddAssociation method on the SMS_StateMigration WMI object. If I make a script, I’ll post it here.
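One way to script the create-then-delete workaround above, as an added example that is not the author's script: it calls the static AddAssociation and DeleteAssociation methods of SMS_StateMigration through CIM. The site server name, site code and ResourceIDs are parameters you supply (the affected ResourceIDs come from your own check of the StateMigration records), and it assumes the account running it may manage computer associations and that WinRM to the SMS Provider is available.

```powershell
# Added example: for each affected source machine, create a throwaway computer
# association and delete it again, mirroring the two manual console steps.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $SiteServer,        # SMS Provider host (you supply)
    [Parameter(Mandatory)] [string]   $SiteCode,          # three-character site code (you supply)
    [Parameter(Mandatory)] [uint32[]] $SourceResourceId,  # ResourceIDs of machines with key-less records
    [Parameter(Mandatory)] [uint32]   $DestinationResourceId  # ResourceID of any other machine
)

$namespace = "root\sms\site_$SiteCode"
$session   = New-CimSession -ComputerName $SiteServer
$common    = @{ CimSession = $session; Namespace = $namespace; ClassName = 'SMS_StateMigration' }

try {
    foreach ($id in $SourceResourceId) {
        if ($id -eq $DestinationResourceId) {
            Write-Warning "Skipping $id: source and destination are the same machine."
            continue
        }
        if (-not $PSCmdlet.ShouldProcess("ResourceID $id", 'Create and delete association')) {
            continue
        }

        # Both methods take the same pair of UInt32 resource IDs.
        $pair = @{ SourceClientResourceID = $id; RestoreClientResourceID = $DestinationResourceId }

        $add = Invoke-CimMethod @common -MethodName AddAssociation -Arguments $pair
        if ($add.ReturnValue -ne 0) {
            Write-Warning "AddAssociation failed for $id (return value $($add.ReturnValue))."
            continue
        }

        $del = Invoke-CimMethod @common -MethodName DeleteAssociation -Arguments $pair
        if ($del.ReturnValue -ne 0) {
            # The temporary association is still present; remove it in the console.
            Write-Warning "DeleteAssociation failed for $id (return value $($del.ReturnValue))."
            continue
        }
        Write-Output "ResourceID $id: temporary association created and removed."
    }
}
finally {
    Remove-CimSession $session
}
```

Run it with `-WhatIf` first to list the machines it would touch, then re-check the StateMigration records afterwards as described above.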