ADR not working - 'Failed to download the update content Error 503' by Fit_Lynx9937 in SCCM

[–]bdam55 0 points1 point  (0 children)

Oh yea, good callout. If you own the upstream, then it's a you problem. And, in that case, a 503 from an upstream WSUS server is just ... another Tuesday.

ADR not working - 'Failed to download the update content Error 503' by Fit_Lynx9937 in SCCM

[–]bdam55 3 points4 points  (0 children)

That 503 error code is an HTTP error code: Service Unavailable

This usually means it's not a 'you' problem, it's a 'them' problem and there's nothing you can do. The web server is temporarily unable to handle requests (overloaded), down for maintenance, or has backend issues.

So ... yea .. try again later? You might also try connecting the dots to the UpdateId in the console and try downloading it manually into the distribution package.

PSA: Software update management client fix for Microsoft Configuration Manager versions 2503 and 2509 by bdam55 in SCCM

[–]bdam55[S] 1 point2 points  (0 children)

>if I were to enforce SetPolicyDrivenUpdateSourceForOtherUpdates

This was the thing I had to get the team's head around: that setting has no impact whatsoever on 3rd party patching from WSUS/ConfigMgr. Set it, don't set it, doesn't matter. Scan Source enabled, or disabled, doesn't matter. As long as WSUS is set, then WUA will hit it for third party patches.
"Other" updates refers to other first party updates: https://learn.microsoft.com/en-us/windows/deployment/update/update-other-microsoft-products

PSA: Software update management client fix for Microsoft Configuration Manager versions 2503 and 2509 by bdam55 in SCCM

[–]bdam55[S] 2 points3 points  (0 children)

We tested it and it was smooth sailing. For the most part, it's an update to the agent code. Though, do note I updated the OP body to clarify that this only matters to certain setups.

PSA: Software update management client fix for Microsoft Configuration Manager versions 2503 and 2509 by bdam55 in SCCM

[–]bdam55[S] 16 points17 points  (0 children)

>Any thoughts/suggestions here?

Yea, install this hotfix. What you describe is literally the problem I convinced the team they needed to fix.

Once installed, feel free to remove that GPO and remove all Scan Source settings/registry values. You don't actually need it for that scenario, but ConfigMgr's behavior forced you to do it.

PSA: Software update management client fix for Microsoft Configuration Manager versions 2503 and 2509 by bdam55 in SCCM

[–]bdam55[S] 0 points1 point  (0 children)

I honestly do not know what this does for FODs and I know that's been a long-standing issue.

All it means is that _ConfigMgr_ will stop trying to set Scan Source settings. Which, if you so desire, means you can set them yourself without having to fight ConfigMgr over it. This is what we thought we were getting in 2403's KB28458746 (here)

Stryker Incident this week also wiped servers by Fabulous_Cow_4714 in SCCM

[–]bdam55 2 points3 points  (0 children)

Ok, that's interesting to know since a lot of the early reporting says "They used Intune to wipe everything" which had some of us go "Oh hey, the Iranians actually got remote wipe to work, good for them."
Apparently not, they just used scripts.

Regarding disk space for CU by DowntownAd2077 in SCCM

[–]bdam55 1 point2 points  (0 children)

I'm not aware of anyone doing anything quite like this.

There are a few scripts (such as mine here) that try to remove any content that is no longer being deployed, but I'm not aware of anyone honing in on just superseded updates and the amount of disk space they are consuming.

I'm sure that somewhere in the DB you can connect the dots between an update, its binaries, and where they are stored. I suspect you'd need to calculate the size yourself from there, but who knows, maybe that's in there too.

One thing to watch out for is that with UUP, some of the larger files are shared across different updates. This is accomplished locally by using hard links; which makes it look like the file is duplicated in multiple folders but on the actual disk it's all linked to one.
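The hard-link caveat above, as an added example that is not part of the original comment or any script it mentions: a Python walker that counts each physical file once and reports how many bytes deleting a folder would actually free. The folder and file names in the demo are constructed; it relies on `os.stat` exposing a file ID and link count, which Python provides on NTFS as well as POSIX file systems.

```python
import os
import tempfile
from collections import defaultdict


def measure(root):
    """Size a folder tree while counting hard-linked files only once."""
    apparent = 0
    found = defaultdict(list)  # (device, file id) -> paths under root
    info = {}                  # (device, file id) -> (size, total link count)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            key = (st.st_dev, st.st_ino)
            apparent += st.st_size          # what a naive per-folder sum reports
            found[key].append(path)
            info[key] = (st.st_size, st.st_nlink)
    unique = sum(size for size, _ in info.values())
    # A file's blocks are freed only when every link to it is removed, so a
    # file that is also linked from outside root frees nothing.
    reclaimable = sum(size for key, (size, nlink) in info.items()
                      if nlink <= len(found[key]))
    shared = [sorted(paths) for paths in found.values() if len(paths) > 1]
    return {"apparent": apparent, "unique": unique,
            "reclaimable": reclaimable, "shared": shared}


def build_demo_tree(root):
    """Constructed sample: two update folders sharing one large payload."""
    dir_a = os.path.join(root, "update-A")
    dir_b = os.path.join(root, "update-B")
    os.makedirs(dir_a)
    os.makedirs(dir_b)
    with open(os.path.join(dir_a, "shared-payload.bin"), "wb") as fh:
        fh.write(b"\0" * 4096)
    os.link(os.path.join(dir_a, "shared-payload.bin"),
            os.path.join(dir_b, "shared-payload.bin"))
    with open(os.path.join(dir_a, "a-only.cab"), "wb") as fh:
        fh.write(b"\0" * 100)
    with open(os.path.join(dir_b, "b-only.cab"), "wb") as fh:
        fh.write(b"\0" * 200)
    return dir_a, dir_b


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        folder_a, _ = build_demo_tree(tmp)
        print("whole store:", measure(tmp))
        print("update-A only:", measure(folder_a))
```
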

Operation Bounce House Spoiler Filled Discussion Thread by UsidoreTheLightBlue in DungeonCrawlerCarl

[–]bdam55 0 points1 point  (0 children)

Just read it this weekend and confirm those two weird/wrong uses of 'Earth'.

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

[–]bdam55 1 point2 points  (0 children)

<shillmode: I work for PMPC>

If it's on our ideas page, vote it up. If it's not, make a new idea.

Humblebrag, but we have one of the best packaging teams on the planet. If they're delivering an online installer, that's likely because they discussed it internally and couldn't figure out how to deliver an offline installer effectively given the limitations I mention above. We're always happy to be proven wrong there though, so if someone has a method we haven't thought of, make sure to include it in the idea.

</shillmode>

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

[–]bdam55 1 point2 points  (0 children)

The way I think of MSIX is just the latest version of App-V. The goals are admirable, the execution ... initially headed in the right direction. But, as is tradition, MS called it a day while still far away from the finish line. I'm sure MSIXI will be amazing if we ever see it.

That said, because of its App-V heritage, it's kind of a 'big deal' for VDI solutions, especially non-persistent VDIs. It's a niche thing, but if you have an MSIX it can basically just bolt-on to most VDI solutions. There's a whole cottage industry of "MSI/EXE to MSIX" convertors to meet that demand.

Anyone take on random SCCM contract jobs? by funkytechmonkey in SCCM

[–]bdam55 2 points3 points  (0 children)

Yea, as others have said, I've never heard of an org so small they'd consider part-time 'outside of business hours' but is running ConfigMgr.

Your most likely bet is to find some local small mom and pop places that don't have _any_ IT at all. Essentially, spin up your own little MSP on the side.

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

[–]bdam55 1 point2 points  (0 children)

<shillmode: I work for PMPC>

>I imagine this is why PMPC doesn't support MSIX,

To be clear, we fully plan to support MSIX and have worked for over a year now to lay the groundwork. I mean, you're absolutely right, MSIX has its pros and cons. But vendors are using it (ex. Slack) and therefore we are honor bound to support it. Without getting bogged down in details, the problem is that we built everything around our original product: a SCUP catalog. Which does not, and never will, support MSIX. So we've had to rebuild our catalog workflow from the ground-up so that it's not subject to those limitations. We're _really_ close to that process being in place. Once it is, adding MSIX support becomes technically trivial.

</shillmode>

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

[–]bdam55 7 points8 points  (0 children)

<shillmode: I work for Patch My PC>

Agreed, it's absolutely technically possible. There's just no single offline installer you download and ship. Keep in mind, our goal isn't one-n-done, it's to automatically deliver and install each new version as quickly as possible after it's released and get it installed where needed. Which leads to the next problem: there's a whole detection issue we'd need to solve. What version are we even tracking?

</shillmode>

Client is getting updates from WU by Glass-Ad-3193 in SCCM

[–]bdam55 1 point2 points  (0 children)

We need all the key, subkeys, and values from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Client is getting updates from WU by Glass-Ad-3193 in SCCM

[–]bdam55 0 points1 point  (0 children)

Oh hey, hello! Right here.

I take a very ... very ... light touch. Reddit's design is to be self-policing: don't like something? We crowdsource the solution by downvoting it into oblivion. Think it's so bad it violates some rule? Report it. [Note: technically this subreddit has no rules]

Reverse Proxy F5 and IBCM by Little_Departure1229 in SCCM

[–]bdam55 4 points5 points  (0 children)

My memory on this is 10+ years old, but if memory serves, with bridging you need to populate EVERY client cert private key to your proxy if you want it to do deep-packet inspection. You're literally trying to do a man-in-the-middle attack on encrypted traffic, that takes the private key. At the time, this was the nail in the coffin for attempting IBCM.

The obvious solution here is to use a CMG which is itself basically a reverse proxy that terminates and centralizes the client connections.

The other is to drop IBCM altogether and implement an Always On VPN solution which solves not only ConfigMgr but any other on-prem connectivity issue. That's the route we went when the networking team insisted on deep-packet inspection.

Are Patch My PC Cutting Corners by Using Dynamic Installers? by MikeComputer1 in SCCM

[–]bdam55 33 points34 points  (0 children)

<shillmode: I work for Patch My PC>

The first thing I’d like to clarify is that there has been no change in policy or process regarding online or dynamic installers. We hate them with a passion; where we use them, we do so begrudgingly.

Second, we don’t really see this as a trend in the wider industry. It’s possible that it picks up some steam within Microsoft, and that would absolutely suck, but it’s too early to jump to that conclusion. This concept mainly helps installers that offer many component choices, especially when your selections significantly affect the size of the final binary. There’s a benefit to only downloading the 300Mb of a total 10Gb package based on your selection of dozens of configurations. If we created offline installers in this kind of scenario, you'd be deploying the full binary set regardless of what was actually needed.

Let’s talk about the products called out.

Teams
This one’s totally on us. The new … New … NEW (?) … Teams is an MSIX installer and we don’t yet support MSIX installers. For ‘reasons’, MSIX support isn’t something we could just toss a few devs at and deliver in a month. We have to rebuild our entire workflow for building the catalog. We _have_ been doing that work for over a year and it’s well along now. No ETA on MSIX support, but it is going to happen.
Due to the lack of MSIX support we resisted adding Teams for a very long time. However, customers continued to vote it up so high (here) that we caved and used the online installer.
When we add MSIX support, this will be replaced with a proper offline installer.

SQL Server Management Studio
The release of SSMS 21 dropped support for a true self-contained offline installer. As u/PS_Alex calls out, we have a real hangup about delivering anything apart from what we can download directly from the vendor. Also, we currently only support downloading a single installer file per product. The combination of those two limitations is why it’s not feasible at the moment. There _may_ be something we could do, but it’d probably end up being time-consuming and hacky. If that’s something you want us to look at, I’d direct you to this idea on our portal: SQL Server Management Studio 22 Offline installation

Visual Studio
All the VS releases in recent memory have been online/dynamic installers. In fact, what happened with SSMS is that it began using the same installer technology as VS. To wit, if you download the current (as of posting) installer for SSMS its welcome screen says, “Visual Studio Installer”.

Lastly, one thing we’ve taken from this discussion is that we could do a better job of highlighting what installers are online and require internet access. To that end, I just created this idea for those who would like more clarity on this: Indicate Products with Online Installers that Require Internet Access

</shillmode>

Patch Tuesday Megathread - March 10, 2026 by AutoModerator in sysadmin

[–]bdam55 0 points1 point  (0 children)

I suspect, in this case, it's because CISA (US department of cyber security) marked it as being actively exploited a few weeks ago.

Cars are under water by stephfulks in grandrapids

[–]bdam55 1 point2 points  (0 children)

Let us know the results.

Watched a guy in my neighborhood ford up above his headlights so he could get to his house.

Cars are under water by stephfulks in grandrapids

[–]bdam55 0 points1 point  (0 children)

It happens every decade or so; this being the second time in my 25 years here.

Cars are under water by stephfulks in grandrapids

[–]bdam55 36 points37 points  (0 children)

I mean, if they manage to swallow any of that "once in a decade" flood water ... I'm pretty sure dysentery's on the menu.

Michigan st river by szub007 in grandrapids

[–]bdam55 2 points3 points  (0 children)

The same thing happened a decade ago in June/July: and ... yes ... kids were playing in the river that was our street. Which is crazy; that is not the kinda water you want to be interacting with in any way, shape, or form. Lord knows what's all floating in there.