Access denied on client when downloading software updates

Question

Hello all,
I have run into an issue that I've been unable to find a solution and I am hoping someone can point me in the right direction.

First my environment. I am running MEM 2107 with the latest hotfix installed with SQL 2014. The clients have the latest version of the MEM client installed. MEM is attached to Azure and I have a CMG. Clients are running Win10 1909, 20H2, or 21H2. I know this issue is happening with some 1909 machines and I haven't found other versions with the same issue (yet.)

I have a number of PCs that are failing to download some software updates from DPs. As of now, most clients that I have checked are having issues downloading these

• Windows Malicious Software Removal Tool x64 - v5.99 (KB890830)
• 2022-03 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB5011485)
• Microsoft 365 Apps Update - Current Channel Quality Update for x64 based Edition Version 2202 (Build 14931.20132)

What I have observed:

• Updatestore.log reports the client is missing these updates so this isn't a detection issue
  
• DataTransferService.log reports the client is trying to download the updates from the DP
  
• After a second or two the download stops and the MEM agent cancels the download job
  
• UpdatesHandler.log shows the content failed to download due to 0x80070005 which translates to access denied
  
• CAS.log doesn't show any problems but I cleared the ccmcache folder on a few clients anyway to rule it out as a cause
• I am using Patch My PC for 3rd party software updates and the same affected clients have downloaded and installed those updates with no issue
• I have a large number of PCs that were able to download and install the aforementioned MS updates from the same DP(s) with no problem. Also newly imaged PCs have no issues either.

To rule out the DPs as a cause, I recently modified the Software Deployment Group and Boundary Groups to have clients prefer cloud based sources. After allowing the clients to update policy and try to download the updates again, the client logs show they are attempting to download from Microsoft Update but the same issue remains as I had already mentioned. My next step is to try reinstalling the MEM agent but I haven't tried it yet as I have a fairly large number of clients to fix. In addition, I have some content cached for a Win10 feature update that I am planning soon and I would like to not reinstall the agents as I will be forced to cache the content again.

Has anyone come across this problem or can suggest any additional troubleshooting?

Thanks.

Answer 1

Reinstalling the ConfigMgr agent here has no value as this isn't the result of the agent breaking or not doing its job. "Something" is interfering with the agent's attempt to create or write to a file and thus the OS is returning the access denied. What that something is those is unknown. In many cases, access denied is caused by file system permissions but that's not the only possibility. Anti-virus and other security software can also cause this. This may be deliberate, i.e., the software actively blocking the file access, or a byproduct of the alternate software opening and locking the file to perform an operation like scanning. You should review the logs of your AV software on the system to see if it is scanning the files in question or if it is blocking the activity. You can also use a tool like ProcMon to monitor all file system activity for this set of files which will give you a deeper and hopefully clearer picture of why the error code is being returned by the OS to the ConfigMgr agent.