Messages

That registry entry is supposed to be set by the client setting for ÔÇ£Enable Third Party PatchingÔÇØ when it is set to Yes.

If you do not have a client settings deployment, or your default client settings, with the Enable Software Updates setting, found under software updates, set then the client wonÔÇÖt manage that registry entry on your endpoints.

If that registry entry is not getting set by the Configuration Manager Client, and you know that setting is set, then you may need to repair the CCM client, or check into a corrupt registry.pol

Would you be available for a remote support session? We could quickly work through many of the common problems.

Hi there,

Would you be able to share with us the MSI product code for the version of Java you have currently installed on an affected machine that is seeing this error?

We may have missed a product code within our rule. You should be able to find this within the registry, let us know if you need help finding it!

The code signing certificate is supposed to come down as part of the Software Update Deployment Evaluation cycle. The certificate deployment should be reflected in the updatesdeployment.log on the client. The docs link below provides a little bit of information regarding this.

https://docs.microsoft.com/en-us/mem/configmgr/sum/deploy-use/third-party-software-updates#enable-third-party-updates-on-the-clients

You are correct!

Now that you have a new certificate in place, you will have to republish all the updates that you had previously published. This is because they were signed with a different certificate. Republishing them will ensure they are signed with the appropriate certificate that you've set up.

As for not seeing the certificate on the clients, the only factor for this is the client settings. It might be good to check the resultant client settings of an affected device. See this link for instructions. https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/configure-client-settings#view-client-settings This will show if you possibly have another policy conflicting. Aside from that, you are seeing the certificate in the Third Party Updates tab, so that is all set.

Let us know if you can't get it figured out. We can also set up a support call as well.

Appreciate the update.

Please let us know if you have issues once those additional changes are made.

Progress!

Is your software update point remote from your Site Server? If so, there are additional steps needed in order to have the WSUS Signing certificate get transferred from your SUP / WSUS to your Site Server.

If your Site Server does not have the certificate, it will not be able to transfer it down to the clients and you will see the certificate chain errors as you've seen.

If you go to the location shown in the attached photo, do you see the certificate details populated?

You will want to create a new folder dedicated to storing the updates for the new Deployment Package.

The distribution of third party patches is handled in the same way that first-party updates to windows and office are.

It should not be located in your WSUS folders, but instead in a similar location to your Microsoft Updates. Whatever source location share you are already using for other things such as updates, applications, etc.

Configuration Manager will download the updates from WSUS, even if it is on the same server, and then process the content and put it into the folder specified as the source for the Deployment Package.

Hi there,

We just wrote a KB to address this issue.

https://patchmypc.com/scup-catalog-download-could-not-create-secure-ssl-tls-channel

Please let us know if this helps resolve your issue.

Thanks!

Hey there!

I noticed you mention 'then tell it there is no deployment package since these updates are stored within WSUS.'

This is likely the cause of your problem. The content being stored on your WSUS server just changes where Configuration Manager will download the content from when it creates a deployment package. For first party updates  Configuration Manager will typically reach out to the Microsoft Catalog and download the updates, putting them into the deployment package specified. For third party updates the content is downloaded from WSUS instead.

You will still need to download that content, and put it into a Deployment Package and distribute that out to your Distribution Points in order for your clients to perform a content lookup, and download the content from a Distribution Point.