# Patch Download Failure

Patch downloads in Endpoint Central depend on your network access model.

In an open network, the Endpoint Central server can directly reach Microsoft and third-party CDNs, and patch downloads usually succeed without additional configuration.

In a closed or restricted network, outbound internet access is blocked by default. Patch downloads will fail unless required vendor domains, CDN URLs, IP ranges, and ports are explicitly allowlisted on the firewall or proxy. This is a mandatory requirement.

Network restrictions commonly trigger errors such as Patch Download Failed, 10008, 10009, SSLHandshakeException, SocketException, or timeout errors. These typically indicate blocked HTTPS traffic, proxy authentication issues, or SSL inspection interfering with secure connections. Ensure proxy settings are correctly configured and exclude patch-related traffic from SSL inspection to prevent repeated download failures.

This document outlines the common causes, log traces, and resolution steps for various patch download failures encountered in Endpoint Central. Included are known issues and workarounds for related errors.

## Table of Contents

- [Windows Feature Patch Issue](#feature)
- [Windows Enterprise Patch Issue](#enterprise)
- [Windows Security Patch Issue](#security)
- [Third-Party Patch Issues](#third)
- [Office Patch Issues](#office)
  - [Office Patch Download Failure](#download)
  - [Proxy Issues](#proxy)
  - [Extraction Issues](#extraction)
- [Common Errors & Workarounds](#errors)
  - [10008 — Patch download failed](#err-10008)
  - [10009 — Checksum mismatch](#err-10009)
  - [CHECKSUM MISMATCH / DLOAD_FAILED_CHECKSUMFAILED](#err-checksum)
  - [HTTP 403 — Forbidden](#err-403)
  - [HTTP 404 — Not Found](#err-404)
  - [HTTP 503 / 504 — Gateway Timeout](#err-503)
  - [- — Office Deployment Tool (ODT) error](#err-odt)
  - [Error code 5930](#error-code-5930)
  - [Error code 12030](#error-code-12030)
  - [Error code 703](#error-code-703)
  - [HTTP Error 12002](#http-error-12002)
  - [Error code 12029](#error-code-12029)
  - [HTTP Error 12007](#http-error-12007)
  - [Connection Errors (ConnectException, SocketException, Timeout, Reset)](#err-connection)
- [Java exceptions (log-based troubleshooting)](#java-exceptions)
  - [MalformedURLException](#ex-malformedurl)
  - [Exception Type: UnknownHostException](#ex-unknownhost)
  - [ConnectException](#ex-connect)
  - [SocketTimeoutException](#ex-timeout)
  - [SocketException: Connection reset](#err_socket)
  - [EOFException](#ex-eof)
  - [ProtocolException: Bug in authorization handling](#ex-protocol)
  - [SSLHandshakeException / PKIX path building failed](#ex-ssl)
  - [NullPointerException](#ex-null)
- [Manual troubleshooting with commands (Office / ODT)](#manual-commands)
- [Log locations](#log-locations)
- [Steps to find the vendor patch download link](#vendor-url-steps)
- [Quick contact references](#contacts)

## Windows Feature Patch Issue

### Problem

- Patch download or deployment fails
- Patch not available in the store

### Causes

- Proxy/firewall restrictions
- Latency issues
- Unstable internet connection

### Troubleshooting Steps

1. Check `patchdownload.log` for the patch ID. Search across all logs (0, 1, 2...) for the relevant trace.

   Example trace:

   ```plaintext
   [16:56:53:146]|[]|[PatchDownloadLogger]|[INFO]| Patch -Win10_21H1_enx64.iso DLOAD_FAILED
   ```

   If download failed, check `patchdownloadtool.log` for exceptions like:

   ```plaintext
   org.openqa.selenium.TimeoutException: Expected condition failed...
   ```

### Resolution

- Whitelist `www.microsoft.com`

**Note:** For builds above 2228.5, ISO must be uploaded via server.

## Windows Enterprise Patch Issue

### Problem

- Deployment failure
- Patch not available

### Causes

- Incorrect ISO naming or path
- Checksum mismatch
- Incorrect language ISO used

### Troubleshooting Steps

1. Check `patchmgmt.log` using the patch ID. Locate the server thread and validate the language list:

   ```plaintext
   List of languages present in the network is [1, 16, 21]
   ```

   Look for checksum mismatch or deletion errors in the logs.

### Resolution

- Ensure ISO for each language is placed correctly.
- Re-download ISO and redeploy if checksum mismatch is found.

**Note:** For builds above 2228.5, ISO upload must be done via the server UI.

## Windows Security Patch Issue

### Problem

- Patch download/deployment fails
- Patch not found in store

### Causes

- Proxy/firewall issues
- Checksum mismatch

### Troubleshooting Steps

1. Check `patchdownload.log` for patch ID status.
2. Use the download URL in `downloadmanager.log` to find related exceptions:

   ```plaintext
   java.net.ConnectException: Connection refused
   ```

   ```plaintext
   java.net.SocketTimeoutException: Read timed out
   ```

Check for **Checksum Failed** or **Mismatch** errors.

### Resolution

- Whitelist the domains used for patch download. Refer to the [vendor page](https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) for whitelisting.
- Download the file via browser to verify checksum.

## Third-Party Patch Issues

### Problem

- Patch download or deployment fails
- Patch not available

### Causes

- Proxy/firewall restrictions
- Checksum mismatch

### Troubleshooting Steps

1. Check `patchdownload.log` for download status.
2. In `downloadmanager.log`, search the patch URL and look for:

   ```plaintext
   java.net.ConnectException
   ```

   ```plaintext
   javax.net.ssl.SSLHandshakeException
   ```

Check for **Checksum Failed** or **DLOAD_FAILED_LESSSIZE** errors.

### Resolution

- Whitelist necessary domains
- Try downloading the file manually to test availability

## Office Patch Issues

### Office Patch Download Failure

Office patch download failure occurs when Microsoft Office patches (such as Microsoft 365 Apps, Office 2021, Office 2019, and related versions) cannot be successfully downloaded by ManageEngine Endpoint Central / Patch Manager Plus. In such cases, the server fails to fetch the required patch binaries from Microsoft sources and store them in the Patch Store, causing the patch to remain unavailable for deployment. This failure is commonly indicated by errors such as Command execution failure, Unable to execute command, or unknown error codes. To know more about this, refer to [this page](https://www.manageengine.com/products/desktop-central/help/patch_management/kb/office-patch-download-failure.html).

### Proxy Issues

Occurs when firewall or proxy restrictions block access to Microsoft CDN endpoints or required domains, IPs, and ports. When Endpoint Central cannot connect to the Microsoft Content Delivery Network, Office patch downloads and dependent updates fail. To know more about this, refer to [this page](https://www.manageengine.com/products/desktop-central/help/patch_management/kb/office-patch-download-whitelisting.html).

### Extraction Issues

Occurs when the Office Deployment Tool (ODT) fails to extract patch files into the Patch Store. Even if the download starts successfully, extraction failures prevent the patch from being staged for deployment.
To know more about this, refer to [this page](https://www.manageengine.com/products/desktop-central/help/patch_management/kb/office-patch-extraction-issue.html).

## Common Errors & Workarounds

### 10008 — Patch download failed

#### Cause

The patch binaries could not be downloaded by the **Distribution Server / DC Server** due to network, proxy, or firewall restrictions.

#### Resolution

- Verify internet connectivity from the DC Server.
- Check proxy and firewall rules for outbound access.
- Re-initiate the patch download from the Endpoint Central / Patch Manager Plus console.

### 10009 — Checksum mismatch

#### Cause

The downloaded patch failed integrity validation, indicating corruption or an incomplete download.

#### Resolution

- Clear the patch store cache and retry the download.
- Ensure **Patch DB Sync** completes successfully.
- Whitelist patch download locations in antivirus and firewall.

### CHECKSUM MISMATCH / DLOAD_FAILED_CHECKSUMFAILED

#### Cause

The patch file was altered or partially downloaded during transfer, typically due to antivirus or firewall inspection.

#### Resolution

- Ensure antivirus or firewall is not modifying downloaded files.
- Exclude the Endpoint Central installation directory and patch store path from antivirus scanning.
- Retry the download after completing Patch DB Sync.

### HTTP 403 / 403 Forbidden

#### Cause

Access to the vendor patch repository is blocked by the proxy or firewall.

#### Resolution

- Whitelist required vendor URLs in proxy and firewall settings.
- Verify proxy authentication is configured for the **SYSTEM account** used by the DC Server.

### HTTP 404 — Not Found

#### Cause

The patch binary is unavailable from the vendor repository, or the Patch DB is not updated.

#### Resolution

- Run **Patch DB Sync** manually and retry the patch download.
- Verify that the patch is still available from the vendor.

### HTTP 503 / HTTP 504 — Gateway Timeout

#### Cause

The vendor repository is temporarily unavailable, or the request timed out due to network latency.

#### Resolution

- Retry the download after some time.
- Verify proxy timeout values and firewall rules.

### - — Office Deployment Tool (ODT) error

#### Cause

The Microsoft Office Deployment Tool was executed without the required **SYSTEM account** context.

#### Resolution

- Execute the ODT using the SYSTEM account.
- Ensure proxy settings are configured at the system level on the DC Server.

### Error code 5930

#### Cause

Patch download or patch staging failed at the product-processing layer after the deployment job was triggered. This is not a raw HTTP code. In practical patch workflows, this usually means the patch could not be obtained or prepared locally even though the task had already entered execution. The most likely underlying conditions are:

- Patch binary missing from repository
- Repository path mismatch
- Local cache or staging write failure
- Corrupted or incomplete downloaded patch
- Extraction or verification failure before install

#### Resolution

- Verify that the required patch file is present in the configured patch repository.
- Confirm that the repository path currently configured in the server matches the actual storage location.
- Clear the agent-side patch cache or temporary download folder and retry the deployment.
- Check whether the target machine has enough free disk space for download and extraction.
- Verify that antivirus or EDR has not blocked or quarantined the downloaded patch payload.
- If the repository was recently moved, ensure the old content was copied completely to the new location.
- Re-download the patch content from the server side and redeploy.

### Error code 12030

#### Cause

The connection to the download source was established but got aborted before completion.

#### Resolution

- Check for unstable connectivity between the agent and the server or distribution server.
- Inspect firewall, proxy, SSL inspection, or content-filtering devices for session termination.
- Check whether the server service restarted or closed the session during download.
- Retry the download and confirm whether the failure occurs mid-transfer rather than at connection start.
- If large patch files are affected more often, check network interruption or proxy session timeout.

### Error code 703

#### Cause

In patch operations, this error occurs when the downloaded content could not be processed successfully. That usually points to:

- Corrupted patch file
- Checksum mismatch
- Extraction failure
- Invalid or incomplete cached payload
- Access denied while writing or moving patch content

#### Resolution

- Delete the existing cached copy of the patch and force a fresh download.
- Validate that the file was fully downloaded and is not zero-byte or truncated.
- Check whether the patch fails during extraction instead of during initial download.
- Verify read or write permission on the patch cache, temp folder, and install staging path.
- Check security software for quarantine or block events on CAB, MSU, MSP, EXE, or DLL files.
- If only specific patches fail, suspect payload corruption rather than network reachability.

### HTTP Error 12002

#### Cause

The request timed out.

#### Resolution

- Check latency, packet loss, and link stability between agent and server.
- Verify whether the proxy is delaying or holding the request too long.
- Check for overloaded server conditions causing slow response.
- Retry from the same machine to confirm whether the delay is repeatable.
- Use a closer distribution point if available.
- Review timeout-related settings if they are configurable in the environment.

### Error code 12029

#### Cause

The client could not establish a connection to the target server.

#### Resolution

- Verify that the target hostname and port are correct.
- Check whether the server or distribution server service is actually listening.
- Confirm that firewall rules allow the connection.
- Validate proxy settings on the affected machine.
- Test TCP reachability to the target endpoint.
- Check whether the agent is still trying an old or invalid server address.

### HTTP Error 12007

#### Cause

The target server name could not be resolved.

#### Resolution

- Verify that the configured server or distribution server hostname is correct.
- Test DNS resolution from the affected machine.
- Flush DNS cache and retry.
- Check whether the machine is using the correct DNS server.
- Prefer FQDN over short hostname if resolution is inconsistent.
- If the endpoint is internal, confirm VPN or corporate network connectivity.

### Connection Errors (ConnectException, SocketException, Timeout, Reset)

#### Cause

Network instability or proxy/firewall interference during patch download.

#### Resolution

- Validate internet access from the DC Server.
- Ensure the SYSTEM account has the required network permissions.
- Review proxy and firewall rules and avoid unstable network conditions.

## Java exceptions (log-based troubleshooting)

If patch download/synchronization fails, review the server-side patch download logs and correlate the error to the exception type.

### Exception Type: MalformedURLException

#### Cause

- Patch metadata or vendor link contains an invalid/incomplete URL (missing protocol, invalid characters, etc.).
- Patch DB is outdated/corrupted, or vendor has changed the download path.

#### Resolution

1. In the console, go to **Patches** and locate the failed patch (Patch ID / Bulletin ID).
2. Open patch details and copy the **Vendor URL**.
3. Test the URL from the server (browser test). If it fails, the vendor may have moved/removed the file.
4. Run **Admin → Patch Database → Sync Now** to refresh metadata and retry download.
5. If it still fails, collect PatchDownloader.log and escalate to support.

### Exception Type: UnknownHostException

#### Cause

- Java cannot resolve the hostname of the CDN or vendor repository to an IP address.
- DNS servers may be unreachable, external DNS resolution may be blocked, or the hostname may be incorrect/outdated. This is common in restricted enterprise DNS environments.

#### Troubleshooting Steps

- Run `nslookup` or `dig` for the affected hostname.
- Verify DNS server configuration on the Endpoint Central server.
- Test name resolution using an alternate DNS server (if permitted).
- Check for typos or outdated hostnames in the configuration.

#### Resolution

- Configure valid DNS resolvers on the system.
- Allow DNS resolution for required external domains.
- Correct repository/CDN hostnames.

### Exception Type: ConnectException

#### Cause

- **Connection timed out:** The agent attempts to establish a TCP connection but does not receive any response within the connection timeout period.
- **Connection refused:** The target host actively rejected the connection request.

#### Troubleshooting Steps

- Test connectivity using `telnet` or `curl` to the target host and port.
- Verify outbound firewall and network ACL rules.
- Check routing table and default gateway configuration.
- Validate the URL and port used in the download configuration.
- If an internal mirror/repository is used, confirm the service is running.
- Review proxy/firewall logs for blocks, deny rules, or explicit rejects.

#### Resolution

- Allow outbound access to ManageEngine CDN and vendor URLs (and required ports such as 80/443).
- Correct proxy or gateway configuration.
- Correct the repository or CDN URL/port configuration.
- Ensure the destination service is running (if internal mirror/repository).
- Update firewall or proxy rules to allow the connection.

### Exception Type: SocketTimeoutException

#### Cause

- A TCP connection to the CDN or vendor repository is established, but no data is received within the configured read timeout.
- Proxy, firewall, or security appliance delays responses due to deep packet inspection.
- Network latency, packet loss, slow CDN response, or bandwidth throttling during large file downloads.

#### Troubleshooting Steps

- Verify whether the same URL can be downloaded manually using `curl` or `wget`.
- Check proxy logs for delayed or stalled responses.
- Test network latency and packet loss using `ping` or `traceroute`.
- Validate whether the issue occurs only for large downloads.

#### Resolution

- Whitelist ManageEngine CDN and vendor domains from SSL inspection.
- Increase proxy or firewall timeout values if configurable.
- Stabilize network connectivity or ensure sufficient bandwidth.
- Retry the download during off-peak hours if CDN throttling is suspected.

### Exception Type: SocketException: Connection reset

#### Cause

- An already established TCP connection was abruptly terminated by the remote server or an intermediate network device.
- Common causes include proxy/firewall forcibly closing the connection, IDS/IPS interference, SSL inspection issues, TLS renegotiation failures, or unstable network links causing TCP reset packets.

#### Troubleshooting Steps

- Check firewall and proxy logs for TCP reset events.
- Attempt download from a different network or bypass proxy if possible.
- Verify TLS versions and cipher compatibility.
- Monitor network stability during the download attempt.

#### Resolution

- Exclude ManageEngine and vendor URLs from SSL inspection.
- Ensure the endpoint supports required TLS protocols.
- Adjust proxy connection handling policies.
- Resolve network instability issues.

### Exception Type: EOFException

#### Cause

- Unstable internet/proxy connection.
- Firewall/antivirus interrupted the file stream.
- Vendor server closed the session early.

#### Resolution

1. Retry the download from the console.
2. Whitelist ManageEngine directories and Patch Store in antivirus.
3. Delete incomplete files from Patch Store and retry.
4. Test vendor URL availability in a browser.

### Exception Type: ProtocolException: Bug in authorization handling

#### Cause

- Failure in HTTP authorization or header processing, commonly encountered when proxy authentication is involved.
- Improper proxy authentication configuration, unsupported authentication methods, malformed authorization headers, or conflicts between proxy authentication and the Java HTTP client can trigger this error.

#### Troubleshooting Steps

- Check whether the proxy requires authentication.
- Test proxy access manually using `curl` with credentials.
- Review proxy logs for authentication errors.
- Identify the authentication method enforced by the proxy.

#### Resolution

- Configure correct proxy authentication details in the ManageEngine server/agent settings.
- Use supported authentication methods such as Basic or Digest where applicable.
- Exclude ManageEngine CDN and vendor URLs from proxy authentication where possible.

### Exception Type: SSLHandshakeException / PKIX path building failed

#### Cause

- TLS/SSL handshake fails, preventing secure communication between the agent and the remote server.
- Common causes include SSL inspection re-signing certificates, missing root/intermediate CA certificates in the Java truststore, unsupported TLS versions/ciphers, expired certificates, or incorrect system time.

#### Troubleshooting Steps

- Inspect the certificate chain using `openssl s_client`.
- Verify Java version and supported TLS protocols.
- Check whether required CA certificates are present in the Java `cacerts` truststore.
- Confirm system date and time synchronization.

#### Resolution

- Import the required CA or proxy certificate into the Java truststore.
- Upgrade Java to a supported version.
- Disable SSL inspection for ManageEngine and vendor domains.
- Correct system time and certificate trust configuration.
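
The DNS, TCP and TLS checks from the UnknownHostException, ConnectException and SSLHandshakeException sections above can be run in one pass. The following Python probe is an added example, not ManageEngine code; the stage names and the `PAGE_ERRORS` pairing are this example's own, and target hosts are supplied by the operator.

```python
import socket
import ssl
import sys

# Stage name (this example's own) -> the error this page associates with it.
PAGE_ERRORS = {
    "dns": "UnknownHostException / HTTP Error 12007",
    "tcp-refused": "ConnectException: Connection refused / Error code 12029",
    "tcp-timeout": "ConnectException: Connection timed out / Error code 12029",
    "tcp-error": "ConnectException or SocketException",
    "tls-trust": "SSLHandshakeException / PKIX path building failed",
    "tls-handshake": "SSLHandshakeException or SocketException: Connection reset",
    "ok": "no failure at this layer",
}


def probe(host, port=443, timeout=5.0, use_tls=True):
    """Return (stage, detail) for the first layer that fails, or ('ok', detail)."""
    # 1. DNS: the check the page performs with nslookup/dig.
    #    UnicodeError covers hostnames that cannot be encoded (e.g. a label
    #    longer than 63 characters), which never reach the resolver.
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError) as exc:
        return "dns", str(exc)

    # 2. TCP: the check the page performs with telnet/curl.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return "tcp-refused", str(exc)
    except socket.timeout as exc:
        return "tcp-timeout", str(exc) or "timed out"
    except OSError as exc:
        return "tcp-error", str(exc)

    with sock:
        if not use_tls:
            return "ok", "TCP connect succeeded"
        # 3. TLS: verify the chain and report who issued the leaf certificate.
        context = ssl.create_default_context()
        try:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                name = issuer.get("organizationName") or issuer.get("commonName")
                return "ok", f"{tls.version()}, certificate issued by {name}"
        except ssl.SSLCertVerificationError as exc:
            return "tls-trust", exc.verify_message
        except OSError as exc:  # includes ssl.SSLError, resets and timeouts
            return "tls-handshake", str(exc)


if __name__ == "__main__":
    # Hosts come from the command line, e.g. the host part of a patch's Vendor URL.
    for target in sys.argv[1:]:
        stage, detail = probe(target)
        print(f"{target}: {stage} ({PAGE_ERRORS[stage]}) - {detail}")
```

The probe validates against the trust store Python uses, not the Java `cacerts` truststore. An `ok` result whose issuer is your own proxy or inspection CA therefore still points to the SSL inspection cause described above.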

### Exception Type: NullPointerException

#### Cause

- Missing/invalid patch metadata, corrupt Patch DB, or interrupted download stream.
- Product-side defect/unhandled scenario.

#### Resolution

1. Run **Admin → Patch Database → Sync Now**.
2. Restart Patch Manager/Endpoint Central services.
3. Retry download; delete and re-download the affected patch if corruption is suspected.
4. Collect logs (PatchDownloader.log / wrapper logs) and escalate to support if required.

## Manual troubleshooting with commands (Office / ODT)

### Test extraction with Office Deployment Tool (ODT)

```
setup.exe /extract:C:\o365\ /quiet
```

- Verify the extraction creates `setup.exe` and supporting files in the target folder.

## Log locations

### Office setup logs (Temp folder)

- `%temp%\OfficeSetup[(timestamp).log`

### System Temp (if running as service)

- `C:\Windows\Temp\OfficeSetup[.log`

## Next steps

If the issue persists after applying the above fixes:

- Collect Server Logs and `%temp%\OfficeSetup.log`.
- Verify folder/file permissions.
- Escalate to ManageEngine support with logs.

## Steps to find the vendor patch download link

1. Log in to the Patch Manager Plus / Endpoint Central console with admin credentials.
2. Go to the **Patches** tab.
3. Search for the problematic patch by KB number, Patch ID, or Bulletin ID.
4. Open patch details to view **Vendor URL** and Patch Store path.
5. Copy the Vendor URL and test it in a browser on the server.
   - If it fails → indicates DNS/firewall issue → escalate to **Network Team**.
   - If it works but download fails in product → indicates proxy/SSL configuration issue → escalate to **System Administrator** or **ManageEngine Support**.
6. Update proxy settings in **Admin → Proxy Settings** if necessary.

## Quick contact references

- **Network Team:** DNS issues, proxy/firewall blocks, timeouts, routing issues.
- **System Administrator:** Service permissions, Patch Store cleanup, proxy configuration, JVM setup.
- **ManageEngine Support:** Patch metadata errors, product bugs, SSL/TLS fixes, product upgrade assistance.
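
The log-based correlation described in this document can be scripted. The following Python triage is an added example, not ManageEngine code: the rule table pairs each exception or status token named on this page with a cause and a first contact as this example reads the sections above, and every sample line except the first is constructed.

```python
import re
from collections import Counter

NETWORK = "Network Team"
SYSADMIN = "System Administrator"
SUPPORT = "ManageEngine Support"

# (pattern, likely cause, first contact). The first matching rule wins per line.
# The cause/contact pairing is this example's reading of the page, not product logic.
RULES = [(re.compile(p), cause, owner) for p, cause, owner in [
    (r"MalformedURLException", "invalid or outdated vendor URL in patch metadata", SUPPORT),
    (r"UnknownHostException", "DNS cannot resolve the CDN or vendor host", NETWORK),
    (r"ConnectException", "TCP connect refused or timed out", NETWORK),
    (r"SocketTimeoutException", "connected, but no data within the read timeout", NETWORK),
    (r"SocketException: Connection reset", "session reset by proxy, firewall or IDS/IPS", NETWORK),
    (r"EOFException", "stream cut short; incomplete file in Patch Store", SYSADMIN),
    (r"ProtocolException", "proxy authentication handling", SYSADMIN),
    (r"SSLHandshakeException|PKIX path building failed", "TLS trust failure, often SSL inspection", SUPPORT),
    (r"NullPointerException", "missing patch metadata or product defect", SUPPORT),
    (r"DLOAD_FAILED_CHECKSUMFAILED|CHECKSUM MISMATCH", "file altered or truncated in transit", SYSADMIN),
    (r"DLOAD_FAILED_LESSSIZE", "download smaller than expected", SYSADMIN),
    (r"DLOAD_FAILED\b", "download failed; find the exception for this patch URL", "Triage further"),
]]

TIMESTAMP = re.compile(r"^\[(\d{2}:\d{2}:\d{2}:\d{3})\]")

# First line is the trace shown on this page; the rest are constructed samples.
SAMPLE_LOG = """\
[16:56:53:146]|[]|[PatchDownloadLogger]|[INFO]| Patch -Win10_21H1_enx64.iso DLOAD_FAILED
[16:57:02:011]|[]|[SampleLogger]|[WARNING]| java.net.UnknownHostException: cdn.vendor.example
[16:57:09:530]|[]|[SampleLogger]|[WARNING]| java.net.SocketTimeoutException: Read timed out
[16:57:15:204]|[]|[SampleLogger]|[WARNING]| javax.net.ssl.SSLHandshakeException: PKIX path building failed
[16:57:21:877]|[]|[PatchDownloadLogger]|[INFO]| Patch -sample_patch.exe DLOAD_FAILED_CHECKSUMFAILED
[16:57:30:002]|[]|[PatchDownloadLogger]|[INFO]| Patch -other_patch.msu download completed
"""


def triage(log_text):
    """Return one finding per log line that matches a rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for pattern, cause, owner in RULES:
            match = pattern.search(line)
            if match:
                stamp = TIMESTAMP.match(line)
                findings.append({
                    "line": lineno,
                    "time": stamp.group(1) if stamp else None,
                    "signal": match.group(0),
                    "cause": cause,
                    "owner": owner,
                })
                break
    return findings


def by_owner(findings):
    """Count findings per first contact, to show where most failures point."""
    return Counter(f["owner"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']} [{f['time']}] {f['signal']}: {f['cause']} -> {f['owner']}")
    print(dict(by_owner(results)))
```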