Topics

[Important Update]

Important Update

All future feature request should be created on the following website: Ideas Website. This change is to use a platform that supports up-voting and better tracking of feature request.

Thanks
Justin

Request from customer

https://support.freedomscientific.com/Downloads/OfflineInstallers#zoomtext
Offline Download http://fusion2019.vfo.digital/2019.1904.22.400/3D9C4299-1C20-4CFD-9C6E-4713B845DA67/ZF2019.1904.22.400-Offline.exe
Online http://zoomtext2019.vfo.digital/2019.1904.80.400/9FEC84C4-BE3D-4AC0-A5A6-E0144384DFA5/ZT2019.1904.80.400.exe
Install Trigger D:\SETUP /NI /asn:{serial number w/o dashes} {optional parameters}
Patch Notes https://zoomtext.zendesk.com/hc/en-us/articles/202525463-Perform-a-silent-installation-of-ZoomText
Info https://support.freedomscientific.com/Downloads/ZoomText/ZoomText-System-Requirements

Request from customer having issues posting.


1. Product: WinEst | Vendor: Trimble
2. x64: https://drive.google.com/file/d/0B2Lt3y1AV_Z5akhuM25tcDJ2Tmc/view|
4. /S /norestart
5. https://drive.google.com/file/d/0B2Lt3y1AV_Z5SmZWLXBkZ3ViSTQ/view
6.  https://gc.trimble.com/product/winest

New product request via email:

1. Product: RingCentral Meetings | Vendor: RingCentral, Inc.
2. http://dn.ringcentral.com/data/web/download/RCMeetings/1210/RCMeetingsClientSetup.msi
3. http://dn.ringcentral.com/data/web/download/RCMeetings/1210/RCMeetingsClientSetup.msi
4. /i <msi> /qn
5. https://success.ringcentral.com/lc/cms/downloads?_ga=2.10431797.1472147521.1557930486-334561116.1557930486 (Admin Downloads section in middle of page for system based installs)
6. https://support.ringcentral.com/s/article/5541?language=en_US

It would be great if detection could be set up to also detect the exe version (installs in user appdata) and install this msi version in it's place.  I believe the system based install given here handles ripping out the user based installs, etc.

Publishing Fails - SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_NO_METADATA

In this knowledge base article, we will review an error you may receive when attempting to right-click a third-party software update and choosing Publish Third-Party Software Update Content.

In the SMS_ISVUPDATES_SYNCAGENT.log, you will see the following error lines in the log file.

STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_NO_METADATA).
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_FAIL).

Video Guide for SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_NO_METADATA Error

Please review the step-by-step video guide below for information about why the SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_NO_METADATA error occurs while publishing third-party software update content and the resolution.



This scenario is also documented on the Microsoft Docs - Third-Party Software Updates Known Issues page.

• The third-party software update synchronization service can't publish content to metadata-only updates that were added to WSUS by another application, tool, or script, such as SCUP. The Publish third-party software update content action fails on these updates. If you need to deploy third-party updates that this feature doesn't yet support, use your existing process in full for deploying those updates.

Error: The process is not in background processing mode. ERROR: DownloadContentFiles() failed with hr=0x80070193

When attempting to download third-party software updates into an SCCM deployment package, you receive the following error message in the console: Failed to download content id <IDNumber>. Error: The process is not in background processing mode.



If you review the PatchDownloader.log file, you will see errors similar to the errors listed below:

HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED

ERROR: DownloadContentFiles() failed with hr=0x80070193

Why Does ERROR: DownloadContentFiles() failed with hr=0x80070193?

This error occurs when the WSUS Content virtual directory is configured to require SSL. In Internet Information Services (IIS) Manager, click the WSUS Administration website, click the Content virtual directly, then click SSL Settings in the right pane.

If Require SSL is checked, uncheck that option and choose to apply the changes



The WSUS Content virtual directly in IIS should not be configured to Require SSL even if your WSUS server is configured in SSL. Please see the following Microsoft documentation for more details: How to Configure the WSUS Web Site to Use SSL

If this was your issue, third-party updates should now successfully download to an SCCM deployment package.

[Important Update]

Please include the following details in the new product request for a new product. These details will allow us to analyze new product request more efficiently.

Important Update

All future application request should be created on the following website: Ideas Website. This change is to use a platform that supports up-voting and better tracking of request products.

• Before submitting a new application request at Ideas Website please search to ensure it's not already submitted. If it's already submitted please just use the up-vote feature
• Please still include all the required metadata mentioned below for new idea/application submissions at Ideas Website

Requirements for New Products

1) Supports silent installation via command line
2) Install successfully under SYSTEM context
3) Public download URL for the offline installer (Note: some exceptions may be made for highly up-voted request as we can use the content repository feature for some licensed products.)
4) The products installer must be digitally signed
5) Please only include one product request per idea submission
6) Uses EXE, MSI, or MSP file download for the installer (No ZIP)

Required Details to Enter in new Product Request

1) Product and vendor name
2) Public download URL for the latest offline installer. A product whose download is behind a paywall is not supported
3) Download URL for an older versions offline installer (If Available)
4) Silent installation switch with "no restart" switch
5) Download page
6) Release notes page

Example Request:

1. Product: Notepad++ | Vendor: Notepad++ Teams
2. x64: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.x64.exe | x86: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.exe
3. x64: https://notepad-plus-plus.org/repository/7.x/7.6.3/npp.7.6.3.Installer.x64.exe | x86: https://notepad-plus-plus.org/repository/7.x/7.6.3/npp.7.6.3.Installer.exe
4. /S /norestart
5. https://notepad-plus-plus.org/download
6. https://notepad-plus-plus.org/news/

[If you are using the SCCM 1806+ third-party software update catalog feature:]

Third-Party Update Digest Verification Fails When Publishing Outdated Updates

In this article, we will review file digest verification failures when publishing third-party software update content and the most common reason this error happens.

What Does a File Digest Failure Look Like?

If you are using Microsoft's legacy method for publishing updates through System Center Updates Publisher, you will see an error similar to the error below in the UpdatesPublishing.log or SCUP.log located in your users %temp% directory.

--- Digest verification failed on content for software update 'Google Chrome 72.0.3626.119 (x64) (UpdateId:'626b77a4-61e5-4e84-9870-3aa68abafd0e' Vendor:'Patch My PC' Product:'SCUP Updates')'.

If you are using the SCCM 1806+ third-party updates feature directly in the SCCM console, you will see the following errors in the SMS_ISVUPDATES_SYNCAGENT.log which is located on the top-level software update point in the site system logs folder.

STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_HASH_FAIL).

STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_FAIL).

Why Does the Digest Verification Fail When Publishing Updates?

Whenever a third-party update is being published with full-content, the update needs to pass security validation checks. The first check is the update binary downloaded from the vendor's website must match the file digest of the update we created it.When vendors use the same download URL for a product such as Google Chrome: https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise64.msi, hash validations can fail if you are publishing an older version of the update due the the latest catalog not being imported.

Resolving Digest Verification Failures

To fix the digest validation error, you will need to import or sync the latest Patch My PC Update Catalog so you can are publish the most recent software update that will match the hash of the vendor's latest update binary.

If you are using the SCCM 1806+ third-party software update catalog feature:

You will need to perform a sync of catalog manually. In the Third-Party Software Update Catalog node in your SCCM console, right-click the Patch My PC Catalog and choose Sync now. By default, SCCM will only automatically sync a third-party software update catalog every 7 days.

You can review the catalog sync progress in the SMS_ISVUPDATES_SYNCAGENT.log. located on the top-level software update point in the site system logs folder.

Once the catalog publishing sync is complete, you can perform a sync of your software update point to have any newly released third-party updates show up in the "All Software Updates" node of the SCCM console.

Once the sync is complete, you should see new updates for the product, and the previous updates that were failing should become superseded. The latest version of the update should be able to publish the update content successfully.

If you are using System Center Updates Publisher:

You will need to import the latest catalog manually from the console:

Once the newest catalog is imported, you should see the latest update(s) for the product that was previously failing to publish. Choose to publish the latest software updates(s).

You Can Switch to Our Publishing Service to Reduce Hash Errors

When using System Center Updates Publisher or the SCCM 1806+ Third Party Updates feature, you will be more likely to run across hash errors, because there is a delay between when the catalog syncronizes and when you choose to manually publish the content.For example, the SCCM 1806+ catalog feature can only perform an automatic catalog sync every 7 days, and this is not currently configurable.

• If SCCM syncronized our third-party update catalog on March 2, 2019, and on that date, Google Chrome 72.0.3626.119 (x64) was the latest version it would be published automatically to SCCM.
• If we then released Google Chrome 72.0.3626.121 (x64) on March 3, 2019, and you hadn't previously published the content for Google Chrome 72.0.3626.119 (x64) before it was updated on Googles web server you would receive a hash error.
• Since SCCM only syncs the catalog every 7 days, you would continue to have hash failures when trying to publish the update content until the next automatic sync occurs on March 9, 2019, or you perform a manual catalog sync in the SCCM console.

Benefits of using our publishing service with regards to hash digest errorsIf you were to switch to our publishing service, you would have complete control over how often our catalog syncronizes. The scheduling options will allow you to sync the catalog more frequently to ensure you have the most recent catalog metadata.

Our publishing service will always download the most recent catalog before downloading any third-party update content. By downloading the newest metadata, it will ensure we are pulling the most recent updates with the current file digest before performing content publishing.

There are other benefits to switching to our publishing service including full automation. You can get more details about the benefits of our publishing service below.

What's the Difference our Publishing Service and SCCM 1806+ In-Console Publishing?

What if You Receive the Hash Error when Using the Latest Catalog?

If you receive the hash digest error after verifying you have imported the latest catalog and you are publishing the latest update available, it's probably because the vendor just posted a new software update that hasn't been made available in our catalog yet.

You can let us know you are getting a hash error when publishing the latest available update by using our technical support contact form. Generally, we release updates the same day a vendor makes releases the update so it will just automatically resolve itself when we update the catalog.

Third-Party Updates Fail to Download - Error: The cloud file provider exited unexpectedly.

When attempting to download a published third-party software update, you receive the following error:

Failed to download content id <IDNumber>. Error: The cloud file provider exited unexpectedly.

In PatchDownloader.log, you will also see the following error in the log.

HttpSendRequest failed HTTP_STATUS_NOT_FOUND

ERROR: DownloadContentFiles() failed with hr=0x80070194

Error 0x80070194 translates to "The cloud file provider exited unexpectedly."

Why does Error 0x80070194 Happen?

This error occurs when the published update content does not exist in the WSUSContent folder, therefore, the update is unable to be downloaded from IIS on the WSUS server to the deployment package in SCCM.

There are a variety of reason the update (.CAB) file for the published update(s) may not exist in the WSUSContent folder including:

• Custom cleanup scripts removing content from the WSUSContent directory
• The WSUSContent folder is configured incorrectly in IIS
• The WSUSContent folder is pointing to a UNC network share and the appropriate configurations and permissions weren't configured

SQL Query to determine if any Deployment Packages are referencing the WSUS content directories:

SELECT

PackageId, Name, PkgSourcePath

FROM

v_Package

Where PkgSourcePath like '%UpdateServicesPackages%' or PkgSourcePath like '%WsusContent%'

If you are using multiple software update points in a Shared WSUS confgurtaion, please review this guide to ensure that you shared the WSUSContent folder out on all software update points https://youtu.be/y7w7hBSHShc?t=838 

Resolution to Error 0x80070194

Please review and video guide below to understand possible causes and resolutions for the errors listed below.

• ERROR: DownloadContentFiles() failed with hr=0x80070194
• HttpSendRequest failed HTTP_STATUS_NOT_FOUND

[Third-Party Updates Fail to Install with Error 0x800b0109 in SCCM]

Third-Party Updates Fail to Install with Error 0x800b0109 in SCCM

When attempting to install third-party software updates, you receive error code 0x800b0109.

In WUAHandler.log, you will also see the following error in the log.

Failed to download updates to the WUAgent datastore. Error = 0x800b0109

Why does Error 0x800b0109 Happen?

Error code 0x800b0109 translates to:

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

This error occurs when a client is attempting to install third-party software update(s) that are signed using a WSUS signing certificate that isn't trusted on the client devices.

Resolution to Error 0x800b0109

To resolve error code 0x800b0109, you need to distribute the WSUS signing certificate to the Trusted Root and Trusted Publishers certificate stores on your client devices.

You can distribute the certificate using the third-party software updates feature in SCCM 1806+ (Microsoft Docs), or you can deploy the certificate using group policy (PDF Guide).

We also have a detailed step-by-step video guide below that covers deploying the WSUS signing certificate using SCCM 1806+ or using group policy to resolve error 0x800b0109 on your clients.

Requested by Sirwarlord on Slack.

Will be added in our next update (v 1.2.3) later this week.

[error that a web filter is blocking the download]

Digest Mismatch Due To Download URL Being Filtered by Firewall or Web Filter

If you received an error message in the PatchMyPC.log similar to the one shown below when publishing a third-party update this article should help.

Digest of the downloaded update doesn't match the digest from the catalog: Hash from catalog [0Io0A82tYc06ybySLZ1osB5VYzY=] doesnÔÇÖt match downloaded update hash of [YQMfSKsyclBqVjGnvRdBuoCCcvY=]
This error appears to be a known error. Please see our KB article https://patchmypc.com/digest-mismatch-download-filtered for the resolution.

Why the Hash Check?

Whenever we download an update file from a vendor's website to publish to WSUS/SCCM, we validate the hash of the current binary downloaded matches the original hash within the catalog metadata. This check ensures that if a binary is compromised or changed on vendors website, we will not publish the software update. We have a deep dive into our security validation process here.

Resolution to this Specific Hash Check Failure

If you received the error message above that links our to this article, that means the hash check failed, and the downloaded file size was less than 100 kb.When the downloaded file is less than 100 kb in size, this almost always correlates to a web filter or firewall blocking the download from the server that is running our publishing service.Step 1 - Open the PatchMyPC.log from the publishing service.

Step 2 - Copy the download URL from the PatchMyPC.log for any updates receiving this hash error.

 

Step 3 - Paste the download URL into a web browser on the same server running the publishing service and check if you receive an error that a web filter is blocking the download.

Step 4 - You will need to get exceptions created for any downloads receiving this hash error for "digest mismatch download filtered". 

Please see https://patchmypc.com/list-of-domains-used-for-downloads-in-patch-my-pc-update-catalog for the most recent list of the domains used to download update files for our catalog.

Please see Selectively Choose Products to Publish - Patch My PC Update Catalog for more details

_________________________________________________

To better support the upcoming third-party software update integration in Microsoft System Center Configuration Manager (SCCM), we are adding the ability to import our catalog per-product. The SCCM third-party software update catalogs feature will publish ALL updates in a catalog with metadata only. We want to give our customers the ability to add our catalog by-product if needed. This feature will allow you to selectively publish products to  SCCM, and not have SCCM publish all 150+ Products.

For the most recent version of this post please see https://patchmypc.com/filtering-specific-third-party-product-from-adrs-in-microsoft-sccm-patch-my-pc-update-catalog

In this video, we will demonstrate how to use Title filters in the automatic deployment rules in Microsoft Configuration Manager. This filtering can be helpful if there are specific products you need to exclude in your ADRs from our third-party software update catalog for SCCM.

Full List of Titles for Product in Our Update Catalog

7-Zip
Adobe Acrobat DC
Adobe Acrobat Reader DC
Adobe Air
Adobe Digital Editions
Adobe Flash Player 32-bit/64-bit ActiveX
Adobe Flash Player 32-bit/64-bit Plugin
Adobe Flash Player 32-bit/64-bit PPAPI
Adobe Lightroom
Adobe Shockwave Player
AirServer Universal
AirSquirrels Reflector
Allway Sync
Apache Tomcat
Apple Application Support
Apple Bonjour
Apple iCloud
Apple iTunes
Apple Mobile Device Support
Apple Quicktime
Apple Safari
Apple Software Update
Attendant Pro
Archi
Articulate 360
Audacity
Autodesk Design Review 2018
AutoHotkey
Bandicam
Bandicut
BlueJeans
Blue Jeans Outlook Addin
Box Drive
Box For Office
Box Sync
Box Tools (Box Edit)
Camtasia
CCleaner
CDBurnerXP
Charles
Citrix HDX RealTime Media Engine
Citrix Receiver
Citrix Workspace
Classic Shell
ClickShare Launcher
CPUID CPU-Z
Crypto Prevent
CutePDF Writer
DisplayLink
Docker
Dropbox
ESET Endpoint Security
ESET File Security
ESET Remote Administrator Agent
Evernote
FastStone Capture
FileZilla Client
FlashBack Express
Foxit PhantomPDF
Foxit Reader
GanttProject
Garmin Express
GIMP
Git
GoodSync
Google Chrome
Google Earth Pro
Google Picasa
GoToMeeting
Greenshot
grepWin
HandBrake
HipChat
Huddle
ImgBurn
Inkscape
IrfanView
IZArc
KeePass
K-Lite Basic Codec Pack
K-Lite Mega Codec Pack
Lenovo System Update
LibreOffice
LogMeIn Client
Malwarebytes
MapInfo Pro
MicroDicom Viewer
Microsoft .NET Core Runtime
Microsoft .NET Core: Runtime & Hosting Bundle
Microsoft .NET Core SDK
Microsoft Azure Storage Explorer
Microsoft EMET
Microsoft Mouse and Keyboard Center
Microsoft Power BI Desktop
Microsoft SQL Management Studio
Microsoft Visual Studio Code
MinuteTraq
Mozilla Firefox
Mozilla Firefox ESR
Mozilla Firefox to ESR Migration
Mozilla SeaMonkey
Mozilla Thunderbird
mRemoteNG
Nextcloud Client
Nitro Pro
Nitro Pro Enterprise
Nmap
Node.js
Node.js LTS
Notepad++
OCZ SSD Utility
OpenOffice
Opera
Oracle Java 6/7 (x64) to Java 8 (x64) Migration
Oracle Java 7
Oracle Java 8
Oracle VM VirtualBox
Paint.NET
PDF Split And Merge
PDF24 Creator
PDFCreator
PDF-XChange Editor
PDF-XChange PRO
PeaZip
PhraseExpress Client
Pidgin
Plantronics Hub
Plex Media Player
PowerShell Core
ProgrammerÔÇÖs Notepad
ProjectLibre
PuTTY
R For Windows
RealTimes (RealPlayer)
RealVNC (VNC Server)
Remote Desktop Manager Enterprise
RoboForm
Royal TS
RStudio
ShareX
SketchUp Make 2016
SketchUp Pro 2016
SketchUp Make 2017
SketchUp Pro 2017
Skype
Snagit
SRWare Iron
Sublime Text
SyncBackFree
Tableau Reader
TeamViewer
Telerik Progress TestStudio Ultimate
Terminals
TightVNC
TortoiseGit
TortoiseHg
TortoiseSVN
TreeSize Free
UltraVNC
VitalSource Bookshelf
Vivaldi
VLC Media Player
VMware Horizon Client
VMware Tools
VMware Workstation
VMware Workstation Player
VNC Enterprise
WinRAR
WinSCP
WinZip
Wireshark
XMind
XnView
Yahoo! Messenger
Zoom Meetings
Zoom Outlook Plugin

[Overview]

Overview

• In this video guide, we will cover how you can use a code-signing certificate from an Active Directly Certificate Services infrastructure or using a public certificate authority such as DigiCert for signing third-party software updates in Microsoft System Center Configuration Manager (SCCM). Using a trusted PKI based code-signing certificate can be an alternative to using a self-signed certificate.

Topics in Video

• Create the code-signing certificate templates needed for the WSUS singing feature - https://youtu.be/lqapp8j7CHk?t=34
• Issuing the certificate template for deployment - https://youtu.be/lqapp8j7CHk?t=188
• How to request the cert from a machine - https://youtu.be/lqapp8j7CHk?t=206
• Exporting the requested certificate to a PFX file - https://youtu.be/lqapp8j7CHk?t=280
• Review the Configuration Manager 1806 option to allow ConfigMgr to manage the WSUS certificate - https://youtu.be/lqapp8j7CHk?t=327
• Importing PFX file to WSUS using the publishing service - https://youtu.be/lqapp8j7CHk?t=394
• Sync the SUP and review wsyncmgr.log to verify ConfigMgr received the imported code-signing PFX certificate- https://youtu.be/lqapp8j7CHk?t=460
• Add catalog and publish a third-party update to verify the .CAB file is signed using the PFX certificate - https://youtu.be/lqapp8j7CHk?t=536
• Switch to use a third-party code-signing certificate from DigiCert - https://youtu.be/lqapp8j7CHk?t=670
• Verify SCCM switches from using the code-signing certificate from AD CS to DigiCert's code-signing certificate - https://youtu.be/lqapp8j7CHk?t=715

Helpful Resources:

• Publishing Service Download - https://patchmypc.com/publishing-service-setup-documentation
• System Center Updates Publisher Download - https://www.microsoft.com/en-us/download/details.aspx?id=55543
• Enable third-party updates - https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates
• Automatically manage the WSUS signing certificate - https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates#automatically-manage-the-wsus-signing-certificate
• Manually manage the WSUS signing certificate - https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates#manually-manage-the-wsus-signing-certificate
• Manually manage the WSUS signing certificate - https://patchmypc.com/publishing-service-setup-documentation

We heard your feedback. In this blog post, we want to cover some changes to the way we set update classifications in our third-party software update catalog and why we decided to make these changes based on our customer's feedback.

A Little Background on Software Update Classifications from Microsoft

First, we want to cover what update classifications are and how we classify updates in our catalog and some of the changes we are making to better align with the Microsoft terminology for classifications.Every software update in WSUS/ConfigMgr will be assigned to a Vendor/Product and have an Update Classification. There are currently nine types of classifications for software updates in Configuration Manager.

• Critical Updates | Definition: A widely released fix for a specific problem that addresses a critical, non-security-related bug.
• Definition Updates | Definition: A widely released and frequent software update that contains additions to a productÔÇÖs definition database. Definition databases are often used to detect objects that have specific attributes, such as malicious code, phishing websites, or junk mail.
• Feature Packs | Definition: New product functionality that is first distributed outside the context of a product release and that is typically included in the next full product release.
• Security Updates | Definition: A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low.
• Service Packs | Definition: A tested, cumulative set of all hotfixes, security updates, critical updates, and updates. Additionally, service packs may contain additional fixes for problems that are found internally since the release of the product. Service packs may also contain a limited number of customer-requested design changes or features.
• Tools | Definition: A utility or feature that helps complete a task or set of tasks.
• Update Rollups | Definition: A tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS).
• Updates | Definition: A widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug.
• Upgrades | Definition: A feature upgrade for Windows 10.

How We Classified Updates in the Past and Why

When the Configuration Manager synchronizes software updates from WSUS, only software updates assigned to an enabled classification will synchronize and show up in the configuration manager console.



When we initially started to author updates, we decided to classify all third-party software updates with the Security Classification. The reason we decided to classify all updates with the Security classification is because it s the most common classification that would be enabled for synchronization in ConfigMgr/WSUS. By setting updates to use the Security Classification, it would ensure any third-party updates are published regardless of whether they are Security Updates, Critical Updates, Updates, etc. from our catalog would synchronize and be visible in Configuration Manager.

Why We are Changing the Classification to Best Match Each Update

We've received feedback that by having all third-party software updates classified as Security Updates it can cause the software update compliance reporting to be skewed when filtering on the security classification. Based on customer feedback, we will now be classifying all third-party software updates based on the vendors release notes and best align each software update to correspond to the closest update classification. We plan to utilize the following two update classifications for our third-party software updates.

• Critical Updates | A widely released fix for a specific problem that addresses a critical, non-security-related bug.
• Security Updates | A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low.
• Updates | A widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug.
• Update Rollups | The Update Rollups Classification will be used for migration updates such as JRE 6/7 to JRE 8 migration or Firefox to Firefox ESR migration.

What do These Changes Mean for You?

We believe this change is necessary and will provide a better experience for our customers to ensure the update metadata best aligned with the actual update type.This change will have no impact on the publishing process you are performing today. When publishing third-party updates, you will want to ensure the classifications in the software update point that corresponds to the third-party updates are enabled.If the classification isn't enabled, the third-party software update will not sync into the Configuration Manager console until the classification is enabled in your software update point and another synchronization is performed.

When Will This Change Happen?

We plan to apply these metadata changes to all updates going forward as well as retroactively for updates released in the past. Since this is only a metadata change, updates can be republished/revised so the new software update classification will be reflected after the software update point synchronization in Configuration Manager. These metadata changes will be released in the October 22, 2018 catalog update.

[download URL]

We understand IT security is an extremely critical aspect to organizations.  IT Security is probably more vital to your organization than the industry on average considering you are actively looking into a third-party patch management solution to help reduce vulnerabilities.

We often get asked how we validate the integrity of the third-party updates included in our catalog. This question is crucial for you to understand. In this post, we will describe in detail the procedures we take to ensure the quality and integrity of the patches we publish in our third-party software update catalog.

Step 1: Creating Third-Party Updates and Storing the Hash

The first step in our process for creating an update is to download the update binary (EXE, MSI, or MSP) from the official vendor's download mirror. This update binary will be the file executed on client computers to update the product. The original hash of the binary and download URL is stored in our catalog metadata. The download URL is what will be used when downloading and publishing the update within your environment.

Whenever we add new updates to our catalog, the catalog metadata gets exported and saved into a CAB file. This catalog (.CAB) is imported into your environment and used to publish updates. To ensure the integrity of the catalog when downloaded and import to your environment, we dual code-sign the catalog file with our code-signing certificate. When the catalog gets downloaded in your environment, the import will only occur in our publishing service, SCCM 1806+, or SCUP if the catalog is code-signed from a trusted publisher.

Step 2: Running the Update Installer Through VirusTotal

Once we obtained the vendors binary and file hash, we then will then upload the binary to VirusTotal. VirusTotal will analyze the binary file through 55+ anti-virus engines. Here's an example of the Slack 3.3.1.0 MSI binary file from Step 1.

We post all VirusTotal results for any third-party updates released in our RSS feed and email newsletter. These results will include the archived VirusTotal scan from our scan as well as a link to the latest VirusTotal scan for the binary.

We also maintain a complete repository of every update binary at the time of our scan on the VirusTotal Scan Reporting page.

Step 3: How Update Binaries are Verified During Publishing

Before the catalog metadata evaluated for publishing, there is a digital signature check on the downloaded catalog file. This check validates the catalog is signed from Patch My PC.

Once the catalog is validated, only then will the catalog metadata be evaluated for processing. Since we don't control the servers used for content downloads, it's essential to ensure the file downloaded from the vendor's website is the exact same file used when initially creating the update that went through the VirusTotal scans. When an updated binary is downloaded, we will compare the hash of the downloaded binary with the hash from the catalog and only publish the update if they match.

Step 4: Trust Within Your Environment

The final layer of trust for third-party software updates before client-side installation is between your servers and clients. Whenever third-party updates are published to your WSUS environment, they are added into a CAB file that gets digitally signed using the code-signing certificate that you configure within your environment. Client devices will only install third-party patches that are signed using a trusted certificate that you have configured and deployed to your devices.

If you have any more detailed questions about our security testing, please reach out to our team using our contact form.

Moving to Supersedence Software Update Model

Starting December 28, 2018, we are moving to a supersedence model for software updates in our third-party software update catalog. Before this change, we would mark previous versions of software updates as expired.

Why the Change?

With the Third-Party Software Update Catalogs feature in Configuration Manager 1806+, all third-party updates in a catalog are published. When we expired previous updates in our catalog, those previous versions were immediately marked expired when a new update is released. When an update is marked as expired, it can't be deployed in Configuration Manager. The immediate expiring of updates could cause issues where customers don't have enough time to fully deploy updates through all testing cycles for products where new updates are released frequently.

When using our publishing service, you can delay expiring previous versions of updates for up to 30 days to accommodate for this scenario.

What's the Supersedence Model Look Like?

By moving to a supersedence model, you will have complete control over how long you want to keep previous versions available for deployment that have been superseded.

You can control whether you want superseded updates to be immediately expired or delay expiring superseded updates for a certain number of months using the Supersedence Rules option on your software update point. In the example below, configuration manager won't expire superseded updates until they have been superseded for 1 month.

In today's catalog update in our lab, we can see the previous versions of applications are superseded and not expired. This change will allow the superseded application updates to continue being deployed for an additional month in our configuration.

If you are not expiring superseded immediately and using automatic deployment rules, you will want to ensure that you exclude superseded updates in your criteria to ensure your ADR's only deploy the latest updates.

Please see the Local Content Repository Post for the most up to date version of this post!

To support products that require a login portal to download the latest update, we have created a feature to allow you to define a folder that we will automatically search when a product is enabled that requires a manual download.



There are currently no products that require this manual download, but we expect with licensing changes to Java Runtime Environment will require a manual download in early 2019.

If there is a product the requires a manual download and the file doesn't exist is the defined "Local Content Path", you will be notified in the log file and if email notifications are enabled you will receive the following email letting you know the name of the file you need to manually download.