我无法从我们的 WSUS 服务器(或 Windows Update)安装更新,并且系统事件日志中出现错误 7024:
The Delivery Optimization service terminated with the following service-specific error:
General access denied error
Windows 更新日志中会出现类似以下的错误消息:
2020/03/12 15:55:10.2967680 11116 8720 DownloadManager *FAILED* [80010108] Method failed [CAgentDownloadManager::DownloadUpdate:8538]
2020/03/12 15:55:10.2967780 11116 8720 DownloadManager *FAILED* [80010108] Got error starting update 0 in call 8. Notifying call.
2020/03/12 15:55:10.2992536 11116 7112 Handler *FAILED* [80004004] CAppxRangeRequestJobNoBlockValidation::Run {9EA297F8-07ED-4D73-B705-7C68F2CACF7B} [d:98DED0BF]: Job shutdown
2020/03/12 15:55:10.2997565 11116 7112 Handler *FAILED* [80004004] Method failed [CAppxStreamingDataSource::CreateRangeRequestJob:1301]
2020/03/12 15:55:10.3006678 11116 7112 Handler *FAILED* [80240007] FindDeploymentOperationForUpdate
2020/03/12 15:55:10.4196302 11116 7112 Handler *FAILED* [80070057] IA call to resume download for app category BBC38914-FE0A-41D6-B45F-24A64071962D [UpdateId: 9EA297F8-07ED-4D73-B705-7C68F2CACF7B]
2020/03/12 15:55:10.4196336 11116 7112 Handler *FAILED* [80070057] CreateDataSource failed for uri 'x-windowsupdate://9EA297F8-07ED-4D73-B705-7C68F2CACF7B/BBC38914-FE0A-41D6-B45F-24A64071962D/98ded0bf9f36e0649f79c0a30c087fe2dc1f9981'
2020/03/12 15:55:10.4554179 12552 12264 ComApi ClientId = Acquisition;explorer: Exit code = 0x00000000; Call error code = 0x80240022
2020/03/12 15:55:29.6739766 11116 15248 Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN.
类似这样的错误消息会出现在传递优化日志中:
2020-03-04T04:43:32.4368707Z 1B78 EF8 {ServiceMain} *** Starting service ***
2020-03-04T04:43:32.4371455Z 1B78 EF8 {} (null) [onecore\enduser\deliveryoptimization\statepersistence\persistencelocation.cpp] (hr:80070005)
2020-03-04T04:43:32.4409756Z 1B78 EF8 {ServiceMain} ** Service was started due to trigger event **
2020-03-04T04:43:32.4409779Z 1B78 EF8 {CService::Run} Service starts running, with idle timeout of 300 s...
2020-03-04T04:43:32.4420184Z 1B78 EF8 {} (null) [onecore\enduser\deliveryoptimization\configmanagement\globalconfigmanager.cpp] (hr:80070005)
2020-03-04T04:43:32.4423674Z 1B78 EF8 {} onecore\enduser\deliveryoptimization\configmanagement\globalconfigmanager.cpp(57)\dosvc.dll!00007FFFA2EC07E7: (caller: 00007FFFA2E7D7D8) Exception(1) tid(ef8) 80070005 Access is denied.
[onecore\enduser\deliveryoptimization\deliveryoptimization\globalobjects.cpp] (hr:80070005)
2020-03-04T04:43:32.4423806Z 1B78 EF8 {CDeliveryOptimizationManager::Init} Failed in initialization, hr = 80070005
2020-03-04T04:43:32.4423876Z 1B78 EF8 {CDeliveryOptimizationManager::Init} Assert (!L"DO manager failed in initialization"): Failed
2020-03-04T04:43:32.4423961Z 1B78 EF8 {CService::Run} DO manager init failed with hr = 80070005
2020-03-04T04:43:32.4423976Z 1B78 EF8 {CService::_OnStop} Received service stop notification; system shutdown: 0
2020-03-04T04:43:32.4424369Z 1B78 EF8 {CDeliveryOptimizationManager::Shutdown} DoManager shutting down, final? 0
2020-03-04T04:43:32.4428958Z 1B78 EF8 {CDeliveryOptimizationManager::Shutdown} DoManager shutting down, final? 1
2020-03-04T04:43:32.4431130Z 1B78 EF8 {CService::Run} Service shutdown complete, hr = 80070005
2020-03-04T04:43:32.4431148Z 1B78 EF8 {ServiceMain} *** Service out of Run loop. Exiting... ***
2020-03-04T04:43:32.4433721Z 1B78 EF8 {} (null) [onecore\enduser\deliveryoptimization\statepersistence\persistencelocation.cpp] (hr:80070005)
2020-03-04T04:43:32.4433792Z 1B78 EF8 {ServiceMain} Assert (0): SUCCEEDED(hr)
可能是什么原因造成这种情况以及如何纠正?
答案1
一个可能的原因是 C 盘根目录的权限已被更改,从而阻止了 Delivery Optimization 服务成功初始化。(但是,只有在第一次尝试下载之前更改权限时才会出现此问题;一旦 Delivery Optimization 服务成功初始化,即使权限后来被更改,它仍将继续运行。)
C 盘根目录的默认权限如下(Windows 10 版本 1809):
C:\ BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
在我们的案例中,权限被通过 SCCM 部署的包无意中更改了,因此它们看起来像这样:
C:\ BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
OWNER RIGHTS:
OWNER RIGHTS:(OI)(CI)(IO)
NT AUTHORITY\INTERACTIVE:(RX)
NT AUTHORITY\INTERACTIVE:(OI)(CI)(IO)(GR,GE)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
特别值得注意的是,修改后的 ACL 中既没有出现Users也没有出现,只有。这意味着任何没有管理员级权限运行的系统服务都没有对根目录的读取权限。在 Delivery Optimization 服务的情况下,这导致初始化期间出现访问被拒绝错误。Authenticated UsersINTERACTIVE
解决该问题所需的破坏性最小的变更如下:
icacls C:\ /grant Users:(RX)
这只会影响 C:\ 本身的权限,而不会影响它可能包含的任何文件或文件夹。根据您的情况,您可能希望恢复默认权限,或设置自定义权限;只要 Delivery Optimization 服务具有读取权限,它就能够初始化。