Friday, February 6, 2015

Automatic Deployment Rule Fails to Download content

I currently use an Automatic Deployment Rule (ADR) to deploy System Center Endpoint Protection definition updates. Setting up an ADR is pretty straightforward; however, I was seeing the following error in the ruleengine.log file (located in <ConfigMgr Installation Directory>\Logs):

Downloading content with ID <Unique Content ID> in the package
Failed to download the update from internet. Error = 1326
Failed to download ContentID <Unique Content ID> for UpdateID <Unique Update ID>. Error code = 1326


There are a few things you need to be aware of when setting up an ADR:
  • The ADR runs in the SYSTEM context.
  • If a proxy server is in use for internet access, ensure that the rules are set up appropriately for your site server.
  • Ensure that the permissions on the file share (Full) and the source directory (Modify) are set up appropriately. If your source directory is located on a different server, the computer account of your site server needs Modify access to the package source directory.
  • The ADR uses the UNC path to access the share even when the directory is local to that site server.
For my setup everything checked out. The site server and the package source were on the same server, so permissions weren't the issue. Proxy server rules were already set up to allow the site server to download the required content from the specific sites. I double-checked and verified that the site server was indeed able to connect to the required URL, yet the problem persisted. This server had recently been upgraded to Server 2012 R2, and I was connecting to it using a CNAME. What I found was that when I logged onto the server and browsed to the share using the UNC path (with the CNAME in place of the server name), I was prompted for credentials. So when the ADR ran, it failed at the point where it tried to access the share for the package source path. With Server 2008 R2, disabling strict name checking would resolve this problem; with Server 2012 R2, however, you need to disable loopback checking:
  • Open Regedit.exe
  • Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  • Create a new DWORD value named "DisableLoopbackCheck"
  • Set the value to "1"
  • Test by connecting to the UNC path using your CNAME (if you are still prompted, reboot the server)
Once loopback checking was disabled the ADR ran without issue.
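The same diagnosis and fix, scripted in PowerShell as an added example (not code from the original post): it looks for the 1326 failures in ruleengine.log, checks whether DisableLoopbackCheck is already set, applies the DWORD from the steps above if not, and then tests the CNAME-based UNC path. The CNAME, share name and ConfigMgr install directory are assumed placeholders; run it elevated on the site server.

```powershell
# Added example, not from the original post. Replace the three assumed values below.
$Cname       = 'sccm-alias'                                  # assumed CNAME for the site server
$SourceUnc   = "\\$Cname\Sources\EndpointProtection"         # assumed package source share
$RuleLog     = 'C:\Program Files\Microsoft Configuration Manager\Logs\ruleengine.log'  # assumed install dir
$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName   = 'DisableLoopbackCheck'

function Get-AdrDownloadFailures {
    # Win32 error 1326 is ERROR_LOGON_FAILURE: the share rejected the site server's credentials.
    param([string]$LogPath)
    if (-not (Test-Path $LogPath)) { return @() }
    return (Select-String -Path $LogPath -Pattern 'Error(?: code)? = 1326' | ForEach-Object { $_.Line })
}

function Get-LoopbackCheckState {
    # 1 means loopback checking is disabled; 0 means the default check is still active.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Disable-LoopbackCheck {
    # Creates/sets the DWORD exactly as the manual Regedit steps do.
    # Note: this relaxes the check for every name that resolves back to this server, not just the CNAME.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-PackageSourcePath {
    # Mirrors the final manual step: can the share be reached via the CNAME without a credential prompt?
    # Test-Path returns $false (no prompt) when the connection is refused.
    param([string]$Path)
    return [bool](Test-Path -Path $Path -ErrorAction SilentlyContinue)
}

$failures = Get-AdrDownloadFailures -LogPath $RuleLog
Write-Host "ruleengine.log lines reporting error 1326: $($failures.Count)"

if ((Get-LoopbackCheckState) -ne 1) {
    Write-Host "$ValueName is not set to 1; applying the registry change."
    Disable-LoopbackCheck
}

if (Test-PackageSourcePath -Path $SourceUnc) {
    Write-Host "UNC access via CNAME succeeded: $SourceUnc"
} else {
    Write-Host "UNC access via CNAME still failing; a reboot may be required."
}
```

Re-run the ADR afterwards and confirm that no new "Error = 1326" lines appear in ruleengine.log.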