Link to home
Start Free TrialLog in
Avatar of Rick Goodman
Rick Goodman

asked on

System Center Deployment Packsge Issues

I configured a stand alone primary site with SCCM 2012 R2 SP1. I also installed the distribution point and software update point site system roles. I have done a sync with MS and have created a device collection and a software update group for windows updates to a test group of Win 7 computers. However, when I try to deploy I get the following error. I have the feeling it's an issue with my folder structure or permissions? I've been putting the path to the share created for WSUSContent during the WSUS role install, \\sccm\source\WSUSContent. Any idea what I might be missing?
User generated image
Avatar of shauncroucher
shauncroucher
Flag of United Kingdom of Great Britain and Northern Ireland image

Take a look in the PatchDownloader.log for more information (client directory on site server).

It's almost certainly a problem with the permissions on your package for updates.
Check the package that you specified for holding the downloaded updates.

You can try to setup a new package, and\or confirm that the account you are using within SCCM has the right permissions for the package folder you are using.

Shaun
Also, It is probably better practice to have a separate folder assigned as the package for updates and not point to your wsuscontent share. It is just a holding place for the updates, they will be delivered to your distribution point for the clients to access.

Shaun
Avatar of Rick Goodman
Rick Goodman

ASKER

Thanks Shaun. I checked the log and below is what I got from the last attempt. The thing I'm really confused about is that I was selecting a different share than that the Deployment Package I'm using has a different share listed. It's using \\sccm01\DeploymentPackages. Although both shares do exist and have identical security settings. It's just I created the new one to try and "start over". The share permissions I have are Everyone - Read, and Administrators and Domain Admins with Full. I even tried outing the SCCM server account in as Full. Still seems to fail. Are there other permissions I need?
Sorry, forgot to paste the output.

Trying to connect to the \\SCCM01.domain.local\root\sms\site_ABC namespace on the SCCM01.domain.local machine.      Software Updates Patch Downloader      6/30/2016 7:46:36 AM      3780 (0x0EC4)
Connected to \\SCCM01.domain.local\root\sms\site_ABC      Software Updates Patch Downloader      6/30/2016 7:46:36 AM      3780 (0x0EC4)
Download destination = \\sccm01\MS Update Pilot Group\d39a3fb1-8469-423d-a3db-dd3f4de3233c.1\Windows10.0-KB3163018-x64.cab .      Software Updates Patch Downloader      6/30/2016 7:46:36 AM      3780 (0x0EC4)
Contentsource = http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/secu/2016/06/windows10.0-kb3163018-x64_d6fc6184a2bd63272f0289d465a7ca6a05a91702.cab .      Software Updates Patch Downloader      6/30/2016 7:46:36 AM      3780 (0x0EC4)
Downloading content for ContentID = 16780654,  FileName = Windows10.0-KB3163018-x64.cab.      Software Updates Patch Downloader      6/30/2016 7:46:36 AM      3780 (0x0EC4)
Failed to create directory \\sccm01\MS Update Pilot Group\d39a3fb1-8469-423d-a3db-dd3f4de3233c.1\, error 5      Software Updates Patch Downloader      6/30/2016 7:46:36 AM      3356 (0x0D1C)
ERROR: DownloadContentFiles() failed with hr=0x80070005      Software Updates Patch Downloader      6/30/2016 7:46:36 AM      3780 (0x0EC4)
ASKER CERTIFIED SOLUTION
Avatar of shauncroucher
shauncroucher
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Also, as a side note, sometimes I've seen this error occur, not due to permissions on folder but when the server is not able to grab the content upstream.

Do you use a proxy? The server that does the work to download the updates from Microsoft needs to have access to the Microsoft site, and if a proxy is used, it needs the proxy in the SCCM console.

Check in a browser that you can access Microsoft. *microsoft.com* and *windowsupdate.com* covers it pretty much.

Shaun
Also worth checking in WSUS that the sync with Microsoft is working.
But don't change anything at all in WSUS, it's a read only place if you're using SCCM ;)

Shaun
Actually, I'm ashamed I didn't think of trying the Run as Administrator. But that appears to be working. Is that the normal process or might I have something configured wrong to require me to have to do that?
You shouldnt need to do that in all honesty, but it does tell us it's a permissions issue.

It may be that when you don't run as administrator. The process runs under your account. Can you manually add a file to the folder with the account you log in with.

I suspect this is a known behaviour in certain scenarios, I'll have a look around when I'm next at a PC

Shaun
Avatar of Mike Taylor
Hi,

You need to give the path \\sccm01\MS Update Pilot Group\ Read/write permissions. As Shaun mentioned don't touch the WSUS folder either. These are two separate things.

The WSUS content is the source that CM will use, but the \\sccm01\MS Update Pilot Group\ path is where  CM copies that content to from WSUS and then uses to distribute from the DP. Hence CM *must* have full permissions to that, rather the than WSUS content.

Error 5 access denied is all through the log.

The folder itself doesn't need sharing - it is just a directory for the package content. I tend to think of that, and driver packages are just wrappers that hold content.
I normally use a path like

\\CM01\Sources$\Updates\2016
.........\2017
etc.

The share point is lower down and the lower folders are just directories so have no explicit permissions to set. Everything is MS default, read & write.

Mike
Thanks Shaun and Mike. I'll close this as it does work at least with the work around. But I'll play around with permissions and see if I can figure out a way to not have to run as administrator. If I do I'll update this so you all know as well. Mike, I do have full permissions on the\\sccm01\MS Update Pilot Group\ , that's why I don't get the access denied errors. And I'm logged to the server in as a domain admin. The whole UAC thing just seems kind of flakey to me at times. Thanks for all the input, much appreciated.
Thanks for the assistance Shaun and Mike. It was very helpful, glad to see it working now.
Glad to be of assistance,

Shaun
It worked like a charm! I added SYSTEM account to both "Security" tab and also "PERMISSION" on "sharing" tab.