SCCM Automatic Deployment Rule: Download failed

Once you create an Automatic Deployment Rule to update Windows, the SCCM error “Automatic Deployment Rule download failed” is possible. Some of the most common error codes in ADR are “0X87D20417“, “Enforcing Actions for Rule 5 failed” and “0x80070005“. Below, we’ll explain how to identify the error with logs and the solution.
Error Automatic Deployment Rules Download Failed in SCCM
First of all, youmust check that from our Site Server the requests to download.windowsupdate.com correctly are being sent and received and allow the connections in case of being blocked.
Once the communications have been checked, to determine if this is your problem, you can read the logs ruleengine.log and PatchDownloader.log. These logs will be in the Logs folder within the System Center Configuration Manager installation on your Site Server.
- ruleengine.log location: C:\Program Files\Microsoft Configuration Manager\Logs\ruleengine.log.
- PatchDownloader.log location: C:\Program Files\Microsoft Configuration Manager\Logs\PatchDownloader.log
Errors should look something like this:
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | List of update content(s) which match the contnt rule criteria = {16817629}	SMS_RULE_ENGINE Downloading content with ID 16817629 in the package	SMS_RULE_ENGINE Failed to download the update from internet. Error = 5	SMS_RULE_ENGINE Failed to download ContentID 16817629 for UpdateID 16826923. Error code = 5	SMS_RULE_ENGINE Failed to download any update	SMS_RULE_ENGINE Failed to download update contents.	SMS_RULE_ENGINE No new update was added to the package. Package "ABC00001" would not be updated.	SMS_RULE_ENGINE Failed to run the DownloadAction for the AutoDeployment.	SMS_RULE_ENGINE STATMSG: ID=8706 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_RULE_ENGINE" SYS=MyServer.Contoso.com SITE=ABC PID=5344 TID=8380 GMTDATE=ju. nov. 08 12:10:30.093 2018 ISTR0="SMS Rule Engine" ISTR1="Failed to download one or more content files" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0	SMS_RULE_ENGINE Creating Software Update Group for ADR	SMS_RULE_ENGINE     Parsing Deployment Action XML...	SMS_RULE_ENGINE     Parsing Rule XML...	SMS_RULE_ENGINE     SQL is: select cis.CI_ID from vCI_ConfigurationItems cis join vProvisionedCIs pci on cis.CI_ID = pci.CI_ID where cis.CI_ID in (16817929, 16819205, 16819885, 16819911, 16826875, 16826923) order by cis.CI_ID	SMS_RULE_ENGINE       1 of 6 updates are downloaded and will be added to the Deployment.	SMS_RULE_ENGINE     SQL is: select CI_UniqueID from vCI_ConfigurationItems where CI_ID in (16819885) order by CI_ID	SMS_RULE_ENGINE     SQL is: select distinct cira.ReferencedCI_ID from v_CIRelation_All cira ~join v_AuthListInfo ugi on cira.CI_ID = ugi.CI_ID~where ugi.CI_UniqueID = 'ScopeId_0B20F666-E6F4-4260-80C4-7EFF269FDD43/AuthList_b0664cd6-8629-4178-ad4e-948300f67d71'~and cira.RelationType = 1 and cira.Level = 1 order by cira.ReferencedCI_ID	SMS_RULE_ENGINE The rule found no new updates. Skipping update group creation or update	SMS_RULE_ENGINE Enforcing Create Deployment Action	SMS_RULE_ENGINE   Create Deployment Rule Action XML is: <DeploymentCreationActionXML xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DeploymentId>{712135a0-0be5-4b59-9f67-9039bd783aa0}</DeploymentId><DeploymentNumber>0</DeploymentNumber><CollectionId>ABC00001</CollectionId><IncludeSub>true</IncludeSub><Utc>false</Utc><Duration>7</Duration><DurationUnits>Days</DurationUnits><AvailableDeltaDuration>0</AvailableDeltaDuration><AvailableDeltaDurationUnits>Hours</AvailableDeltaDurationUnits><SoftDeadlineEnabled>false</SoftDeadlineEnabled><SuppressServers>Checked</SuppressServers><SuppressWorkstations>Unchecked</SuppressWorkstations><PersistOnWriteFilterDevices>Unchecked</PersistOnWriteFilterDevices><AllowRestart>true</AllowRestart><DisableMomAlert>false</DisableMomAlert><GenerateMomAlert>false</GenerateMomAlert><UseRemoteDP>false</UseRemoteDP><UseUnprotectedDP>true</UseUnprotectedDP><UseBranchCache>true</UseBranchCache><RequirePostRebootFullScan>Checked</RequirePostRebootFullScan><EnableDeployment>true</EnableDeployment><EnableWakeOnLan>false</EnableWakeOnLan><AllowDownloadOutSW>false</AllowDownloadOutSW><AllowInstallOutSW>true</AllowInstallOutSW><EnableAlert>false</EnableAlert><AlertThresholdPercentage>0</AlertThresholdPercentage><AlertDuration>2</AlertDuration><AlertDurationUnits>Weeks</AlertDurationUnits><EnableNAPEnforcement>false</EnableNAPEnforcement><UserNotificationOption>DisplayAll</UserNotificationOption><LimitStateMessageVerbosity>false</LimitStateMessageVerbosity><StateMessageVerbosity>10</StateMessageVerbosity><AllowWUMU>false</AllowWUMU><AllowUseMeteredNetwork>false</AllowUseMeteredNetwork></DeploymentCreationActionXML>	SMS_RULE_ENGINE   Rule XML is: <AutoDeploymentRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <DeploymentId></DeploymentId> <DeploymentName>ADR: Windows 10 1703</DeploymentName> <UpdateGroupId>ScopeId_0B20F666-E6F4-4260-80C4-7EFF269FDD43/AuthList_b0664cd6-8629-4178-ad4e-948300f67d71</UpdateGroupId> <UpdateGroupName></UpdateGroupName> <LocaleId>1033</LocaleId> <UseSameDeployment>false</UseSameDeployment> <AlignWithSyncSchedule>false</AlignWithSyncSchedule> <NoEULAUpdates>false</NoEULAUpdates> <EnableAfterCreate>true</EnableAfterCreate> <ScopeIDs><ScopeID>SMS00UNA</ScopeID> </ScopeIDs> <EnableFailureAlert>true</EnableFailureAlert> <IsServicingPlan>false</IsServicingPlan> <IsOldUpdateGroupCurrent>true</IsOldUpdateGroupCurrent> </AutoDeploymentRule>	SMS_RULE_ENGINE   Criteria Filter Result XML is: <AutoDeploymentRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <DeploymentId></DeploymentId> <DeploymentName>ADR: Windows 10 1703</DeploymentName> <UpdateGroupId>ScopeId_0B20F666-E6F4-4260-80C4-7EFF269FDD43/AuthList_b0664cd6-8629-4178-ad4e-948300f67d71</UpdateGroupId> <UpdateGroupName></UpdateGroupName> <LocaleId>1033</LocaleId> <UseSameDeployment>false</UseSameDeployment> <AlignWithSyncSchedule>false</AlignWithSyncSchedule> <NoEULAUpdates>false</NoEULAUpdates> <EnableAfterCreate>true</EnableAfterCreate> <ScopeIDs><ScopeID>SMS00UNA</ScopeID> </ScopeIDs> <EnableFailureAlert>true</EnableFailureAlert> <IsServicingPlan>false</IsServicingPlan> <IsOldUpdateGroupCurrent>true</IsOldUpdateGroupCurrent> </AutoDeploymentRule>	SMS_RULE_ENGINE     Parsing Deployment Action XML...	SMS_RULE_ENGINE     Parsing Rule XML...	SMS_RULE_ENGINE     SQL is: select cis.CI_ID from vCI_ConfigurationItems cis join vProvisionedCIs pci on cis.CI_ID = pci.CI_ID where cis.CI_ID in (16817929, 16819205, 16819885, 16819911, 16826875, 16826923) order by cis.CI_ID	SMS_RULE_ENGINE       1 of 6 updates are downloaded and will be added to the Deployment.	SMS_RULE_ENGINE     SQL is: select CI_UniqueID from vCI_ConfigurationItems where CI_ID in (16819885) order by CI_ID	SMS_RULE_ENGINE The rule found no new updates. Skipping deployment creation or update	SMS_RULE_ENGINE CRuleHandler: Enforcing Actions for Rule 5 failed!	SMS_RULE_ENGINE CRuleHandler: ResetRulesAndCleanUp()	SMS_RULE_ENGINE Rule result is: 0	SMS_RULE_ENGINE CRuleHandler::CreateFailureAlert - Alert ID = 16777258	SMS_RULE_ENGINE Updated Failure Information for Rule: 5	SMS_RULE_ENGINE | 
| 1 2 3 4 5 6 7 8 9 | Trying to connect to the \\MyServer.Contoso.com\root\sms\site_ABC namespace on the MyServer.Contoso.com machine. Connected to \\MyServer.Contoso.com\root\sms\site_ABC Download destination = \\MyServer.Contoso.com\SCCM\Updates\ADR\ADR Windows 10 1703\e2bdf884-bc71-4498-923b-b3c5dd89eeea.1\Windows10.0-KB4091663-v5-x64.cab . Contentsource = http://download.windowsupdate.com/d/msdownload/update/software/updt/2018/09/windows10.0-kb4091663-v5-x64_58e4580d5144211b9e9acb0d6037242a3aa3c8cb.cab . Failed to create directory \\MyServer.Contoso.com\SCCM\Updates\ADR\ADR Windows 10 1703\e2bdf884-bc71-4498-923b-b3c5dd89eeea.1\Windows10.0-KB4091663-v5-x64.cab, error 5 CreateLinkToExistingFile() failed for ContentID 1611846. hRes = 0x80070005 . Downloading content for ContentID = 16811846, FileName = Windows10.0-KB4091663-v5-x64.cab. Failed to create directory \\MyServer.Contoso.com\SCCM\Updates\ADR\ADR Windows 10 1703\e2bdf884-bc71-4498-923b-b3c5dd89eeea.1\, error 5 ERROR: DownloadContentFiles() failed with hr=0x80070005 | 
In the logs ruleengine.log and PatchDownloader.log you can see that they are indicating the error codes “Enforcing Actions for Rule 5 failed” and “ERROR: DownloadContentFiles() failed with hr=0x80070005” (0x80070005), which are access denied. You will have to check the permissions in the folder where we have indicated that the KBs are downloaded.
A fact to keep in mind: When you run the ADR manually from the console, you use your user account (your administrator user) . And when the ADR runs automatically, it uses the Primary Site Server machine account. Both accounts must have write and read permissions on the folder at both the NTFS and Share levels.
After the ADR permissions have been reviewed, when you run the Automatic Deployment Rule again, it should run successfully. You can open the ruleengine.log and PatchDownloader logs.log to follow the download process:
| 1 2 3 4 5 6 7 8 9 | Download http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/16.0.10730.20205/s641027.cab in progress: 12 percent complete	Software Updates Patch Downloader Download http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/16.0.10730.20205/s641027.cab in progress: 24 percent complete	Software Updates Patch Downloader Download http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/16.0.10730.20205/s641027.cab in progress: 36 percent complete	Software Updates Patch Downloader Download http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/16.0.10730.20205/s641027.cab in progress: 48 percent complete	Software Updates Patch Downloader Download http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/16.0.10730.20205/s641027.cab in progress: 60 percent complete	Software Updates Patch Downloader Download http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/16.0.10730.20205/s641027.cab in progress: 72 percent complete	Software Updates Patch Downloader Download http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/16.0.10730.20205/s641027.cab in progress: 84 percent complete	Software Updates Patch Downloader Download http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/16.0.10730.20205/s641027.cab in progress: 96 percent complete	Software Updates Patch Downloader Download http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/16.0.10730.20205/s641027.cab to C:\Windows\TEMP\CAB3AF9.tmp returns 0	Software Updates Patch Downloader | 
SCCM Automatic Deployment Rule failed with error code 0X87D20417
If after applying these solutions you get the SCCM Automatic Deployment Rule failed with error code 0X87D20417 error, try the following steps:
- Delete and recreate the ADR. Although it seems strange, it is the best method.
- You may be using an old version of SCCM such as System Center Configuration Manager 2012 R2. There is a hotfix for this version that fixes error 0X87D20417 and error 0x80070197
- Check the ruleengine.log and PatchDownloader.log logs and look for other error codes.
- Check again that the download locations are correct and that you have permissions with both your administrator user and the machine account.
If after all this you still have problems, leave a comment and I will help you in any way possible.







