I'm unable to install updates from our WSUS server (or from Windows Update) and error 7024 appears in the System Event Log:
The Delivery Optimization service terminated with the following service-specific error:
General access denied error
Error messages like these appear in the Windows Update log:
2020/03/12 15:55:10.2967680 11116 8720 DownloadManager *FAILED* [80010108] Method failed [CAgentDownloadManager::DownloadUpdate:8538]
2020/03/12 15:55:10.2967780 11116 8720 DownloadManager *FAILED* [80010108] Got error starting update 0 in call 8. Notifying call.
2020/03/12 15:55:10.2992536 11116 7112 Handler *FAILED* [80004004] CAppxRangeRequestJobNoBlockValidation::Run {9EA297F8-07ED-4D73-B705-7C68F2CACF7B} [d:98DED0BF]: Job shutdown
2020/03/12 15:55:10.2997565 11116 7112 Handler *FAILED* [80004004] Method failed [CAppxStreamingDataSource::CreateRangeRequestJob:1301]
2020/03/12 15:55:10.3006678 11116 7112 Handler *FAILED* [80240007] FindDeploymentOperationForUpdate
2020/03/12 15:55:10.4196302 11116 7112 Handler *FAILED* [80070057] IA call to resume download for app category BBC38914-FE0A-41D6-B45F-24A64071962D [UpdateId: 9EA297F8-07ED-4D73-B705-7C68F2CACF7B]
2020/03/12 15:55:10.4196336 11116 7112 Handler *FAILED* [80070057] CreateDataSource failed for uri 'x-windowsupdate://9EA297F8-07ED-4D73-B705-7C68F2CACF7B/BBC38914-FE0A-41D6-B45F-24A64071962D/98ded0bf9f36e0649f79c0a30c087fe2dc1f9981'
2020/03/12 15:55:10.4554179 12552 12264 ComApi ClientId = Acquisition;explorer: Exit code = 0x00000000; Call error code = 0x80240022
2020/03/12 15:55:29.6739766 11116 15248 Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN.
Error messages like these appear in the Delivery Optimization log:
2020-03-04T04:43:32.4368707Z 1B78 EF8 {ServiceMain} *** Starting service ***
2020-03-04T04:43:32.4371455Z 1B78 EF8 {} (null) [onecore\enduser\deliveryoptimization\statepersistence\persistencelocation.cpp] (hr:80070005)
2020-03-04T04:43:32.4409756Z 1B78 EF8 {ServiceMain} ** Service was started due to trigger event **
2020-03-04T04:43:32.4409779Z 1B78 EF8 {CService::Run} Service starts running, with idle timeout of 300 s...
2020-03-04T04:43:32.4420184Z 1B78 EF8 {} (null) [onecore\enduser\deliveryoptimization\configmanagement\globalconfigmanager.cpp] (hr:80070005)
2020-03-04T04:43:32.4423674Z 1B78 EF8 {} onecore\enduser\deliveryoptimization\configmanagement\globalconfigmanager.cpp(57)\dosvc.dll!00007FFFA2EC07E7: (caller: 00007FFFA2E7D7D8) Exception(1) tid(ef8) 80070005 Access is denied.
[onecore\enduser\deliveryoptimization\deliveryoptimization\globalobjects.cpp] (hr:80070005)
2020-03-04T04:43:32.4423806Z 1B78 EF8 {CDeliveryOptimizationManager::Init} Failed in initialization, hr = 80070005
2020-03-04T04:43:32.4423876Z 1B78 EF8 {CDeliveryOptimizationManager::Init} Assert (!L"DO manager failed in initialization"): Failed
2020-03-04T04:43:32.4423961Z 1B78 EF8 {CService::Run} DO manager init failed with hr = 80070005
2020-03-04T04:43:32.4423976Z 1B78 EF8 {CService::_OnStop} Received service stop notification; system shutdown: 0
2020-03-04T04:43:32.4424369Z 1B78 EF8 {CDeliveryOptimizationManager::Shutdown} DoManager shutting down, final? 0
2020-03-04T04:43:32.4428958Z 1B78 EF8 {CDeliveryOptimizationManager::Shutdown} DoManager shutting down, final? 1
2020-03-04T04:43:32.4431130Z 1B78 EF8 {CService::Run} Service shutdown complete, hr = 80070005
2020-03-04T04:43:32.4431148Z 1B78 EF8 {ServiceMain} *** Service out of Run loop. Exiting... ***
2020-03-04T04:43:32.4433721Z 1B78 EF8 {} (null) [onecore\enduser\deliveryoptimization\statepersistence\persistencelocation.cpp] (hr:80070005)
2020-03-04T04:43:32.4433792Z 1B78 EF8 {ServiceMain} Assert (0): SUCCEEDED(hr)
What might be causing this and how can it be corrected?
One possible cause is that the permissions on the root of C drive have been changed in a way that prevents the Delivery Optimization service from initializing successfully. (However, this problem only occurs if the permissions were changed before the first time a download was attempted; once the Delivery Optimization service has successfully initialized itself, it will continue to function even if the permissions are later changed.)
The default permissions on the root of the C drive look like this (Windows 10 version 1809):
C:\ BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
In our case the permissions had been inadvertently changed by a package deployed via SCCM, so that they looked like this:
C:\ BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
OWNER RIGHTS:
OWNER RIGHTS:(OI)(CI)(IO)
NT AUTHORITY\INTERACTIVE:(RX)
NT AUTHORITY\INTERACTIVE:(OI)(CI)(IO)(GR,GE)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
Of particular note is that neither Users
nor Authenticated Users
appear in the modified ACL, only INTERACTIVE
. That meant that any system services running without administrator-level permissions did not have read access to the root directory. In the case of the Delivery Optimization service, this was causing an access denied error during initialization.
The least disruptive change necessary to resolve the problem is as follows:
icacls C:\ /grant Users:(RX)
This affects only the permissions on C:\ itself and not on any of the files or folders it may contain. Depending on your circumstances, you might prefer to restore the default permissions, or to set custom permissions; so long as the Delivery Optimization service has read access, it will be able to initialize.
User contributions licensed under CC BY-SA 3.0