WU_E_NO_USERTOKEN, Failed to generate security token with auth tickets; error 0x80070426

1

A Windows 10 machine fails to update with the unusual WU_E_NO_USERTOKEN error, despite reporting clean state (no third-party antivirus installed)

PS> systeminfo
OS Name:      Microsoft Windows 10 Pro N
OS Version:   10.0.15063 N/A Build 15063
Hotfix(s):    3 Hotfix(s) Installed.
              [01]: KB4022405     [thats the servicing stack 2017-06-13]
              [02]: KB4022730     [thats the flash player 2017-06-13]
              [03]: KB4022725     [thats windows 10 update 15063.413]

> sfc /scannow
Windows Resource Protection did not find any integrity violations.

> dism /online /cleanup-image /scanhealth
No component store corruption detected.
The operation completed successfully.

This is the message from the update screen:

There were some problems installing updates, but we’ll try again later.
If you keep seeing this and want to search the web or contact support for information,
this may help: (0x80070426)

I guess 0x80070426 is the same as ERROR_SERVICE_NOT_ACTIVE, though i can not see which service that would be referring to.

What could have gone wrong? What other Logs should i review in hopes of identifying the root cause? How can i isolate the fault from windows update internals? Any suggestions much appreciated.

Steps attempted:

  • Checked disk for defects. All good.
  • Checked Windows Activation Status. All good.
  • Disabled Windows Firewall. No Change.
  • Manually installed the latest servicing stack update from WU catalog. Works, but no change.
  • Unchecked Give me updates for other Microsoft products when I update Windows.
  • Ran the Windows update Troubleshooter. No change.
  • Reset windows update components manually (as suggested on support.microsoft.com)
  • used MediaCreationTool.exe to in-place-reinstall Windows: partial success, updates initially working: after installing software & configuring the problem reoccurred.
  • Removed 8b24b027-1dee-babb-9a95-3517dfb9c552 from AutoUpdate RequestedAppCategories as suggested by Microsoft to resolve a different update error message

using PS> Get-WindowsUpdateLog i obtained readable logs:

Agent           [agent]WU client version 10.0.15063.168
Agent           [agent]Base directory: C:\WINDOWS\SoftwareDistribution
Agent           [store]Datastore directory: C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
DataStore       [store]JetEnableMultiInstance succeeded - applicable param count: 5, applied param count: 5
Shared          [susenginelib]UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
Shared          [susenginelib]UpdateNetworkState Ipv4, cNetworkInterfaces = 1.
Shared          [agent]Network state: Connected
Misc            [regutil]LoadHistoryEventFromRegistry completed, hr = 8024000C
Shared          [susenginelib]UpdateNetworkState Ipv6, cNetworkInterfaces = 0.
Shared          [susenginelib]UpdateNetworkState Ipv4, cNetworkInterfaces = 1.
Shared          [agent]Power status changed
Agent           [agent]Initializing global settings cache
Agent           [agent]WSUS server: NULL
Agent           [agent]WSUS status server: NULL
Agent           [agent]Alternate Download Server: NULL
Agent           [agent]Fill Empty Content Urls: No
Agent           [agent]Target group: (Unassigned Computers)
Agent           [agent]Windows Update access disabled: No
Agent           [agent]Initializing Windows Update Agent
DownloadManager [agent]Download manager restoring 0 downloads
Agent           [agent]CPersistentTimeoutScheduler | GetTimer, returned hr = 0x00000000
DownloadManager [agent]PurgeExpiredFiles::Found 0 expired files to delete.
DownloadManager [agent]PurgeExpiredUpdates::Found 1 non expired updates.
DownloadManager [agent]PurgeExpiredUpdates::Found 0 expired updates.
DownloadManager [agent]Received power state change notification: Old: <unknown>; New: AC.
DownloadManager [agent]Power state changed from <unknown> to AC.
ComApi          [comapi]* START *   Federated Search ClientId = UpdateOrchestrator (cV: DzIeGSPtj0OdJrpi.0.1.0)
IdleTimer       [agent]WU operation (SR.UpdateOrchestrator ID 1) started; operation # 4; does<NULL> use network; is not at background priority<NULL>
Agent           [agent]Processing auto/pending service registrations and recovery.
IdleTimer       [agent]WU operation (SR.UpdateOrchestrator ID 1, operation # 4) stopped; does<NULL> use network; is not at background priority<NULL>
ComApi          [comapi]Federated Search: Starting search against 2 service(s) (cV = DzIeGSPtj0OdJrpi.0.1.0)
ComApi          [comapi]* START *   Search ClientId = UpdateOrchestrator, ServiceId = 9482F4B4-E343-43B6-B170-9A65BC822C77 (cV = DzIeGSPtj0OdJrpi.0.1.0.0)
IdleTimer       [agent]WU operation (CSearchCall::Init ID 2) started; operation # 7; does<NULL> use network; is not at background priority<NULL>
Agent           [agent]* START * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 2]
Agent           [agent]Service 9482F4B4-E343-43B6-B170-9A65BC822C77 is not in sequential scan list
Agent           [agent]Added service 9482F4B4-E343-43B6-B170-9A65BC822C77 to sequential scan list
ComApi          [comapi]* START *   Search ClientId = UpdateOrchestrator, ServiceId = 8B24B027-1DEE-BABB-9A95-3517DFB9C552 (cV = DzIeGSPtj0OdJrpi.0.1.0.0)
Agent           [agent]Service 9482F4B4-E343-43B6-B170-9A65BC822C77 is in sequential scan list
IdleTimer       [agent]WU operation (CSearchCall::Init ID 3) started; operation # 10; does<NULL> use network; is not at background priority<NULL>
Agent           [agent]* END * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 2]
Agent           [agent]* START * Finding updates CallerId = UpdateOrchestrator  Id = 2
Agent           [agent]Online = Yes; Interactive = Yes; AllowCachedResults = No; Ignore download priority = No
Agent           [agent]Criteria = IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1""
Agent           [agent]ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update
Agent           [agent]Search Scope = {Machine}
Agent           [agent]Caller SID for Applicability: S-1-5-21-3763057220-2112301883-1427527280-1001
Agent           [agent]ProcessDriverDeferrals is set
Agent           [agent]* START * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 3]
Agent           [agent]Service 8B24B027-1DEE-BABB-9A95-3517DFB9C552 is not in sequential scan list
Agent           [agent]Service 8B24B027-1DEE-BABB-9A95-3517DFB9C552 is not in sequential scan list
Agent           [agent]* END * Queueing Finding updates [CallerId = UpdateOrchestrator  Id = 3]
Agent           [agent]* START * Finding updates CallerId = UpdateOrchestrator  Id = 3
Agent           [agent]Online = Yes; Interactive = Yes; AllowCachedResults = No; Ignore download priority = No
Agent           [agent]Criteria = IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1""
Agent           [agent]ServiceID = {8B24B027-1DEE-BABB-9A95-3517DFB9C552} Third party service
Agent           [agent]Search Scope = {Machine}
Agent           [agent]Caller SID for Applicability: S-1-5-21-3763057220-2112301883-1427527280-1001
Agent           [agent]ProcessDriverDeferrals is set
Misc            [endpointproviders]Got 9482F4B4-E343-43B6-B170-9A65BC822C77 redir Client/Server URL: https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx""
Driver          [lib]Skipping printer driver 4 due to incomplete info or mismatched environment - HWID[microsoftmicrosoft_musd] Provider[Microsoft] MfgName[Microsoft] Name[Microsoft enhanced Point and Print compatibility driver] pEnvironment[Windows NT x86] LocalPrintServerEnv[Windows x64]
Misc            [endpointproviders]Got 8B24B027-1DEE-BABB-9A95-3517DFB9C552 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx""
Misc            [store]Token Requested with 0 category IDs.

This is where the strange error code appears:

Misc            [store]GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN.
Misc            [store]GetDeviceTickets failed with error 80070426
Misc            [store]GetDeviceTickets failed with error 80070426
Misc            [store]Unable to obtain device tickets as Local System, error 80070426
Misc            [store]AddTickets failed with error 80070426
Misc            [store]Failed to generate security token with auth tickets; error 0x80070426
Misc            [store]Failed to acquire Agent Token From Server, hr 0x80070426
Misc            [store]Failed to Retrieve Agent Token, hr 0x80070426
Misc            [endpointproviders]EP: error: 0x80070426: Call to GetEndpointToken failed
Misc            [endpointproviders]Failed to obtain service 8B24B027-1DEE-BABB-9A95-3517DFB9C552 plugin Client/Server auth token of type 0x00000001, error = 0x80070426
ProtocolTalker  [agent]CAgentProtocolTalkerContext::DetermineServiceEndpoint failed, hr=0x80070426
ProtocolTalker  [agent]Initialization failed for Protocol Talker Context 0x80070426
Agent           [agent]Exit code = 0x80070426
Agent           [agent]* END * Finding updates CallerId = UpdateOrchestrator  Id = 3
IdleTimer       [agent]WU operation (CSearchCall::Init ID 3, operation # 10) stopped; does<NULL> use network; is not at background priority<NULL>
ComApi          [comapi]*RESUMED*   Search ClientId = UpdateOrchestrator, ServiceId = 8B24B027-1DEE-BABB-9A95-3517DFB9C552 (cV = DzIeGSPtj0OdJrpi.0.1.0.0)
ComApi          [comapi]Exit code = 0x00000000, Result code = 0x80070426 (cV = DzIeGSPtj0OdJrpi.0.1.0.0)
ComApi          [comapi]* END *   Search ClientId = UpdateOrchestrator, Updates found = 0, ServiceId = 8B24B027-1DEE-BABB-9A95-3517DFB9C552 (cV = DzIeGSPtj0OdJrpi.0.1.0.0)
ComApi          [comapi]Failed to process completed federation member search, hr=0x80070426, code=6 (cV = DzIeGSPtj0OdJrpi.0.1.0)
ProtocolTalker  [agent]ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
ProtocolTalker  [agent]OK to reuse existing configuration
ProtocolTalker  [agent]OK to reuse existing configuration
ProtocolTalker  [agent]PTWarn: Anonymous plug-in skipped for WU
IdleTimer       [agent]WU operation (CAgentProtocolTalker::GetCookie_WithRecovery) started; operation # 11; does<NULL> use network; is<NULL> at background priority<NULL>
WebServices     [webserviceinfra]Auto proxy settings for this web service call.
IdleTimer       [agent]WU operation (CAgentProtocolTalker::GetCookie_WithRecovery, operation # 11) stopped; does<NULL> use network; is<NULL> at background priority<NULL>
Agent           [agent]Update excluded by policy: 6CD9712A-521C-4AF1-9511-61B59EFF147A.201
Agent           [agent]Update excluded by policy: B731D43D-5A03-4D80-B4F1-187B9EED6901.201
Agent           [agent]Update deferred by policy: 2316DA64-1300-4912-BA4B-729E60D0A3BE.204
Agent           [agent]Update deferred by policy: ADE56166-6D55-45A5-9E31-0FAC924E4BBE.200
Agent           [agent]Update excluded by policy: 6DA1A66F-8940-49F1-8F50-B57EB517C9B6.201
Agent           [agent]Update excluded by policy: EDE0C184-119B-442F-A6F7-6B014FD64727.200
Agent           [agent]Update deferred by policy: 200F429C-9BCF-4446-89AF-EB5FC0CDBC07.200
Agent           [agent]Update deferred by policy: 3D32769F-52F8-4C4C-B198-5ADD18772685.201
Agent           [agent]Update deferred by policy: 3A4111B7-7238-4B2D-B744-9537B1C6CDFC.200
Agent           [agent]Update excluded by policy: 78F23AEE-D5FF-4B13-9ED7-8964463592C6.201
IdleTimer       [agent]WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 12; does<NULL> use network; is<NULL> at background priority<NULL>
IdleTimer       [agent]WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 12) stopped; does<NULL> use network; is<NULL> at background priority<NULL>
Agent           [agent]Update excluded by policy: 6CD9712A-521C-4AF1-9511-61B59EFF147A.201
Agent           [agent]Update excluded by policy: B731D43D-5A03-4D80-B4F1-187B9EED6901.201
Agent           [agent]Update deferred by policy: 2316DA64-1300-4912-BA4B-729E60D0A3BE.204
Agent           [agent]Update deferred by policy: ADE56166-6D55-45A5-9E31-0FAC924E4BBE.200
Agent           [agent]Update excluded by policy: 6DA1A66F-8940-49F1-8F50-B57EB517C9B6.201
Agent           [agent]Update excluded by policy: EDE0C184-119B-442F-A6F7-6B014FD64727.200
Agent           [agent]Update deferred by policy: 200F429C-9BCF-4446-89AF-EB5FC0CDBC07.200
Agent           [agent]Update deferred by policy: 3D32769F-52F8-4C4C-B198-5ADD18772685.201
Agent           [agent]Update deferred by policy: 3A4111B7-7238-4B2D-B744-9537B1C6CDFC.200
Agent           [agent]Update excluded by policy: 78F23AEE-D5FF-4B13-9ED7-8964463592C6.201
ProtocolTalker  [agent]PTInfo: syncing with server using normal query
IdleTimer       [agent]WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 13; does<NULL> use network; is<NULL> at background priority<NULL>
IdleTimer       [agent]WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 13) stopped; does<NULL> use network; is<NULL> at background priority<NULL>
ProtocolTalker  [agent]SyncUpdates - 0 bad out of 0 metadata signatures checked using Unknown enforcement mode.
ProtocolTalker  [agent]SyncUpdates round trips: 2
Agent           [agent]Update excluded by policy: 6CD9712A-521C-4AF1-9511-61B59EFF147A.201
Agent           [agent]Update excluded by policy: B731D43D-5A03-4D80-B4F1-187B9EED6901.201
Agent           [agent]Update deferred by policy: 2316DA64-1300-4912-BA4B-729E60D0A3BE.204
Agent           [agent]Update deferred by policy: ADE56166-6D55-45A5-9E31-0FAC924E4BBE.200
Agent           [agent]Update excluded by policy: 6DA1A66F-8940-49F1-8F50-B57EB517C9B6.201
Agent           [agent]Update excluded by policy: EDE0C184-119B-442F-A6F7-6B014FD64727.200
Agent           [agent]Update deferred by policy: 200F429C-9BCF-4446-89AF-EB5FC0CDBC07.200
Agent           [agent]Update deferred by policy: 3D32769F-52F8-4C4C-B198-5ADD18772685.201
Agent           [agent]Update deferred by policy: 3A4111B7-7238-4B2D-B744-9537B1C6CDFC.200
Agent           [agent]Update excluded by policy: 78F23AEE-D5FF-4B13-9ED7-8964463592C6.201
Agent           [agent]Update excluded by policy: 6CD9712A-521C-4AF1-9511-61B59EFF147A.201
Agent           [agent]Update excluded by policy: B731D43D-5A03-4D80-B4F1-187B9EED6901.201
Agent           [agent]Update deferred by policy: 2316DA64-1300-4912-BA4B-729E60D0A3BE.204
Agent           [agent]Update deferred by policy: ADE56166-6D55-45A5-9E31-0FAC924E4BBE.200
Agent           [agent]Update excluded by policy: 6DA1A66F-8940-49F1-8F50-B57EB517C9B6.201
Agent           [agent]Update excluded by policy: EDE0C184-119B-442F-A6F7-6B014FD64727.200
Agent           [agent]Update deferred by policy: 200F429C-9BCF-4446-89AF-EB5FC0CDBC07.200
Agent           [agent]Update deferred by policy: 3D32769F-52F8-4C4C-B198-5ADD18772685.201
Agent           [agent]Update deferred by policy: 3A4111B7-7238-4B2D-B744-9537B1C6CDFC.200
Agent           [agent]Update excluded by policy: 78F23AEE-D5FF-4B13-9ED7-8964463592C6.201
Agent           [agent]Update D43ECD2D-0179-4CFD-943E-FAE7B66F4F89.200 is pruned out due to potential supersedence
Agent           [agent]Update 45CA72F6-AC0E-47DD-9D33-682766A8EC40.200 is pruned out due to potential supersedence
Agent           [agent]Added update 1AE333AC-9DBA-45F5-AD7A-304EB9771D75.200 to search result
Agent           [agent]Found 1 updates and 27 categories in search; evaluated appl. rules of 1367 out of 2067 deployed entities
Agent           [agent]* END * Finding updates CallerId = UpdateOrchestrator  Id = 2
IdleTimer       [agent]WU operation (CSearchCall::Init ID 2, operation # 7) stopped; does<NULL> use network; is not at background priority<NULL>
ComApi          [comapi]*RESUMED*   Search ClientId = UpdateOrchestrator, ServiceId = 9482F4B4-E343-43B6-B170-9A65BC822C77 (cV = DzIeGSPtj0OdJrpi.0.1.0.0)
ComApi          [comapi]* END *   Search ClientId = UpdateOrchestrator, Updates found = 1, ServiceId = 9482F4B4-E343-43B6-B170-9A65BC822C77 (cV = DzIeGSPtj0OdJrpi.0.1.0.0)
ComApi          [comapi]* END *   All federated searches have completed. Jobs = 2, Succeeded = 1, ClientId = UpdateOrchestrator (cV = DzIeGSPtj0OdJrpi.0.1.0)
ComApi          [comapi]ISusInternal:: DisconnectCall failed, hr=8024000C
ComApi          [comapi]ISusInternal:: DisconnectCall failed, hr=8024000C
ComApi          [comapi]ISusInternal:: DisconnectCall failed, hr=8024000C
Misc            [agent]CSusClientGlobal::DoServicePreShutdown
IdleTimer       [agent]Idle timer disabled in preparation for service shutdown
Misc            [agent]WUTaskManager uninit
Misc            [susenginelib]CreateSessionStateChangeTrigger, TYPE:2, Enable:No
Misc            [susenginelib]CreateSessionStateChangeTrigger, TYPE:4, Enable:No
Misc            [agent]Agent uninit
Handler         [lib]CUHCbsHandler::CancelDownloadRequest called
Misc            [agent]network cost manager uninit
Misc            [agent]Eventer uninit
Misc            [agent]ServiceManager uninit
Misc            [agent]PersistentTimeoutScheduler uninit
Misc            [agent]datastore uninit
Misc            [agent]setting cache uninit
Misc            [agent]security checker uninit
Misc            [agent]Test Hook uninit
Misc            [agent]IdleTimer uninit
Shared          [agent]* END * Service exit Exit code = 0x240001

WER Logs are not much more specific either

Fault bucket , type 0
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 10.0.15063.168
P2: 80070426
P3: 00000000-0000-0000-0000-000000000000
P4: Scan
P5: 0
P6: 0
P7: 0
P8: UpdateOrchestrator
P9: {8B24B027-1DEE-BABB-9A95-3517DFB9C552}
P10: 0
windows
windows-10
windows-update
asked on Super User Jun 28, 2017 by (unknown user) • edited Jul 17, 2017 by (unknown user)

1 Answer

0

Check that the Microsoft Account Sign-in Assistant service is set to automatic startup and is running. I had disabled this service since I did not require the ability to allow "...user sign-in through Microsoft account identity services".

Fun fact, kids: it transpires that Windows Update does in fact want to do this, and if it can't then it sulks with error 80070426. Amusing, eh?

answered on Super User Aug 21, 2017 by Eight-Bit Guru

User contributions licensed under CC BY-SA 3.0