One of the common issues that many of us face is SCCM application downloads getting stuck at 0% in Software Center. There can be a lot of reasons why an SCCM deployment doesn’t work, so let us look at some troubleshooting tips.
First of all there is no exact solution for this issue because the error code that you see is a generic one. Therefore a lot of research needs to be done in order to find the cause and fix the issue.
Sometimes you see "The software change returned error code 0x87D00607" in Software Center, or perhaps some other error code. You cannot always say it’s a boundary group related issue, even though that’s the first thing most people guess.
If you are the IT guy working on this issue, you might be looking for the easiest way to fix it. Your first task is to find out why the applications are stuck downloading in Software Center, or rather to understand how application model installations work on clients.
If the app downloads are not working on a single machine, you can assume that the issue is with that specific computer. However, if you see SCCM application downloads stuck at 0% in Software Center on all computers, that’s something to worry about.
What’s the point in deploying brand new apps to the client machines when users cannot install any applications?
SCCM Application Download Stuck at 0% in Software Center
So last week, I was working on switching the SCCM distribution points in some of the remote sites. We recently installed Configuration Manager current branch in our setup while we still have the old SCCM 2012 R2 running.
The goal was to shut down the old DP, test the new DP (test OSD and app installs) and perform a switchover from the old DP to the new one.
The strange thing I found after the DP switchover is that neither applications nor Windows updates were downloading in Software Center. The SCCM application downloads were stuck at 0% in Software Center.
This issue was observed in almost all the remote sites. Selecting any application and clicking the Install button showed Downloading..0% in Software Center and there was absolutely no progress.
I thought of creating a guide and covering all the reasons why this issue could occur. I know I cannot cover everything but I will try to cover most of the relevant solutions for this issue.
If you find any solution or workaround not covered in this post, you may share it in the comments section. I will add it to the post if it’s relevant.
Alright, so let’s see how to tackle this issue and find common solutions for it.
Step 1 – Check the Boundaries
Needless to say, applications install only after the client locates the distribution point and downloads the content. If the clients don’t know where the content has to be downloaded from, they sit in the downloading state for some time and eventually fail.
So it is important that you first check the boundaries and boundary groups. The Boundaries in Configuration Manager define network locations on your intranet. These locations include devices or clients that you want to manage.
Boundaries can be either an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range. I prefer to use IP range as my boundary for every site. In some cases I also create another boundary with type Active Directory site name for every site.
In my experience I have seen the IP range boundaries working fine in most of the environments. I don’t use IP subnets as they didn’t work well for me especially with SCCM 2012 R2.
Step 2 – Check the Boundary Groups
So let’s assume the boundary is defined correctly. The next thing that you need to check is the boundary group. Boundary groups are logical groups of boundaries that you configure.
For any site, you create the boundary first and then associate the boundary and a distribution point with a boundary group. The clients in your network use a boundary group for:
- Automatic site assignment.
- To find a site system server that can provide a service such as Distribution points for content location.
- Software update points and State migration points.
- Preferred management points.
- Cloud management gateway.
You can see why it is important to configure the boundary groups correctly.
When you create a new boundary group, you associate or add a boundary to it. This is done in the General tab of boundary group properties. Ensure you add the right boundary.
Next, under the References tab, you can use this boundary group for site assignment. Most importantly, under Site system servers, ensure you have associated a distribution point.
In most cases, I see people fail to define a DP for the boundary group. If you don’t specify a distribution point server here, the clients will not know from where the content needs to be downloaded.
Step 3 – Is the Application distributed to SCCM Distribution Point
If you have gone through steps 1 and 2, you may now focus on the content availability part. In some cases, we forget to check whether the application or the content is distributed to the distribution point.
If the content is not distributed to the SCCM distribution point, the clients would go to the DP and find no content to download. Hence you might notice that SCCM application downloads are stuck at 0% in Software Center.
I have seen this in a few environments that have a large number of distribution points. Typically you right click the content and distribute it to distribution points.
However, if you have a lot of DPs in your setup, I would recommend creating a distribution point group. Let’s say you add a new distribution point in your hierarchy. You simply add the distribution point to the already existing distribution point group.
All the content defined for the distribution point group will be automatically distributed to the newly added distribution point server. Finally the point that I want to make here is you must ensure the content is distributed to the distribution point before clients download it.
Step 4 – Has the Content reached the Distribution Point
Sometimes we distribute the content to distribution point(s) and assume the content would have reached the distribution point. You should always ensure the content distribution to DP is successful.
The tricky part here is how to monitor the SCCM content transfer. I will give you some options, and you can choose the ones that you find easy.
Use the Monitoring Workspace to find the content distribution status
When you distribute/re-distribute any content to distribution point, you can monitor the content transfer using the Monitoring workspace.
In the Monitoring workspace, go to Distribution Status > Content Status. Right click the content and click View Status.
Now you see the content status window, which shows several states. Here you should be able to find out the status of the content distribution.
If the content is successfully distributed to the DP, you will find that info under the Success tab. If the content is too large and is still being distributed to the DP, you will find that info under the In Progress tab.
And if the content appears under the Error tab, it means for some reason the content couldn’t reach the distribution point server. Here is where your actual troubleshooting begins.
Or perhaps you may find more than one reason for the distribution failure. So I wouldn’t rely much on those messages. The best thing that you can do from this console is redistribute the failed content.
Examine Distmgr.log and PkgXfermgr.log files
I always rely on log files for troubleshooting any SCCM issues. I have published several SCCM troubleshooting guides and in most guides, I have found the actual errors in the SCCM log files. Hence I always examine the log files.
When it comes to content distribution, you should examine distmgr.log and PkgXfermgr.log files.
When you distribute content to distribution points in a site, the Distribution Manager creates a content transfer job. It then notifies the Package Transfer Manager on primary and secondary site servers to transfer the content to the remote distribution points.
If you monitor the above log files and don’t see any errors during content distribution, you can say the content distribution is successful. If you find any errors in these files, some of my SCCM troubleshooting posts can help you.
Use the Distribution Point Job Queue Manager Tool
The Distribution Point (DP) Job Queue Manager is one of the Configuration Manager tools. You can use it to troubleshoot and manage ongoing content distribution jobs to Configuration Manager distribution points.
I have published a dedicated post on the DP job queue manager tool explaining its importance and usage.
Step 5 – Examine LocationServices.log
After you have ensured the content is available on the distribution point, examine the LocationServices.log. This is a very important log file and you can find the log file on the client computer here – C:\Windows\CCM\Logs.
This log file records the client activity for locating management points, software update points, and distribution points. Any errors in this log file should be considered important. If the clients don’t retrieve the management point info, there is no way they can download the policies.
Attempting to retrieve lookup MP(s) from AD LocationServices
Lookup Management Points from AD: Name: 'CORPSCCM.PRAJWAL.ORG' HTTPS: 'Y' ForestTrust: 'N' LocationServices
Retrieved lookup MP(s) from AD LocationServices
Now in rare cases you will find some errors. You will have to go through each line and figure out the actual reason.
For example, the LocationServices.log file can show the error "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set".
This occurs when you have deployed PKI certs, your MP and DPs are on HTTPS, and you haven’t set the correct certificate under IIS bindings > HTTPS. I have also covered the solution in this post.
With an invalid certificate assigned under IIS, if you attempt to image the machine, you will encounter error 80072f8f. However, you have to dig into the smsts.log file to find this error.
Step 6 – Check the SCCM IIS Web Server Certificate
I have published a detailed guide on implementing PKI for SCCM. One of the important sections within that guide is to request the web server certificate and assign it under IIS > HTTPS.
Furthermore you must always ensure that the web server certificate that you have assigned is not expired.
Let’s say your LocationServices.log file shows the below warnings. One can clearly make out that the client is unable to discover the management point.
Assigned MP error threshold reached, moving to next MP. LocationServices
Ignoring MP error during post-rotation flush period of 20 seconds. LocationServices
0 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices
1 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices
2 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices
3 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices
4 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices
Assigned MP error threshold reached, moving to next MP. LocationServices
- Failed to check if the client is a peer source
- Matching DP location found 0
- Matching DP location found 1
- Download request only, ignoring location update
If you are facing the same issue, you will also notice that nothing gets downloaded to the ccmcache folder. Even though the DP locations are correct, nothing gets downloaded and the SCCM application download is stuck at 0% in Software Center.
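To spot the LocationServices.log messages quoted in Steps 5 and 6 without reading the log line by line, here is an added example (not part of the original post). The function name, the hint texts and the sample entries are my own; the sample entries are constructed, and the script reads the real log only when it exists at the path given above.

```powershell
# Added example, not from the original post. Message texts are the ones quoted
# in this article; the hints paraphrase the article's explanation of each.
$Signatures = @(
    @{ Text = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID'
       Hint = 'Name mismatch: check the certificate under IIS bindings > HTTPS' }
    @{ Text = 'Assigned MP error threshold reached'
       Hint = 'Client is unable to discover the management point' }
)

function Find-LocationServicesIssue {
    param([string[]]$Line)
    # Raw CCM logs wrap each entry as <![LOG[text]LOG]!><time=".." date="..">.
    $rx = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    $hits = foreach ($raw in $Line) {
        $msg, $when = $raw, $null            # fallback: text copied out of CMTrace
        if ($raw -match $rx) { $msg = $Matches['msg']; $when = "$($Matches['date']) $($Matches['time'])" }
        foreach ($s in $Signatures) {
            if ($msg.IndexOf($s.Text, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Signature = $s.Text; Hint = $s.Hint; When = $when }
            }
        }
    }
    if (-not $hits) { return }
    # One summary row per signature: how often it fired and over what period.
    $hits | Group-Object Signature | ForEach-Object {
        [pscustomobject]@{
            Signature = $_.Name
            Count     = $_.Count
            FirstSeen = ($_.Group | Select-Object -First 1).When
            LastSeen  = ($_.Group | Select-Object -Last 1).When
            Hint      = $_.Group[0].Hint
        }
    }
}

# Constructed sample entries (not captured from a real client).
$fmt = '<![LOG[{1}]LOG]!><time="{0}.000+000" date="01-01-2024" component="LocationServices" context="" type="2" thread="1" file="constructed">'
$sample = @(
    $fmt -f '09:00:01', 'Retrieved lookup MP(s) from AD'
    $fmt -f '09:05:10', 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set'
    $fmt -f '09:05:40', '4 assigned MP errors in the last 10 minutes, threshold is 5.'
    $fmt -f '09:06:10', 'Assigned MP error threshold reached, moving to next MP.'
    $fmt -f '09:16:10', 'Assigned MP error threshold reached, moving to next MP.'
)

# On a client, read the real log; elsewhere fall back to the sample.
$log   = 'C:\Windows\CCM\Logs\LocationServices.log'
$lines = if (Test-Path $log) { Get-Content $log } else { $sample }
Find-LocationServicesIssue -Line $lines | Format-List
```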
As I mentioned before, you must first check if the certificate is valid. You can do that by selecting the SSL certificate under the HTTPS site binding. Click the View button and, in the certificate window, take a look at the validity dates.
Check the Subject Alternative Name of the Certificate
Another simple yet important thing that you need to check is the subject alternative name of the certificate. This should point to the right distribution point server.
For example, in my lab setup, I have changed the SAN to point to my domain controller which is incorrect. This was done to reproduce the above errors. If you have entered a wrong DP name in the cert, you must correct it.
You cannot edit the certificate and correct it here. Instead you must delete the web server certificate and request a new one. You can follow this guide to request and assign a web server certificate to the distribution point server.
When you enroll the new web server certificate, ensure you enter the right FQDN.
In the General tab, do not forget to provide a friendly name to the certificate.
This makes your task easier while assigning the cert under IIS > HTTPS site binding.
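The validity and Subject Alternative Name checks described in Step 6 can also be scripted on the MP/DP server. This is an added example, not part of the original post: the function name and the 30-day warning window are my own choices, and it assumes the IIS WebAdministration module and an English-language Windows installation.

```powershell
# Added example, not from the original post. Run elevated on the MP/DP server.
# Assumes the IIS WebAdministration module and an English-language Windows
# (the SAN text is matched on the "DNS Name=" label).
Import-Module WebAdministration

function Test-WebServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedFqdn,
        [int]$WarnDays = 30    # assumption: flag certificates expiring within a month
    )
    # Subject Alternative Name is X.509 extension OID 2.5.29.17.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        $dnsNames = @($san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }
    $now = Get-Date
    [pscustomobject]@{
        Thumbprint   = $Certificate.Thumbprint
        FriendlyName = $Certificate.FriendlyName
        NotAfter     = $Certificate.NotAfter
        ValidNow     = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        ExpiresSoon  = $Certificate.NotAfter -lt $now.AddDays($WarnDays)
        SanDnsNames  = $dnsNames -join ', '
        SanMatches   = $dnsNames -contains $ExpectedFqdn   # exact, case-insensitive
    }
}

# FQDN that clients use for this server; override if it differs.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
foreach ($b in Get-WebBinding -Protocol https) {
    if (-not $b.certificateHash) {
        Write-Warning "HTTPS binding $($b.bindingInformation) has no certificate assigned"
        continue
    }
    $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
    $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($cert) { Test-WebServerCertificate -Certificate $cert -ExpectedFqdn $fqdn }
    else       { Write-Warning "Certificate $($b.certificateHash) not found in $path" }
}
```

A binding where ValidNow or SanMatches is False points to the certificate problems described in this step. Wildcard SAN entries are not expanded, so a wildcard certificate reports SanMatches as False.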