Need Help with setup

Started by louish, May 04, 2020, 03:36:03 PM

louish

First and foremost I want to say thanks to Justin and Wes. I have received great support from both of them last week and they were quick and very knowledgeable.


I am taking over my company's 3rd party patch management as we are moving away from a vendor and handling it in house. My company has purchased PatchMyPC and has mostly set it up.

I've re-run the publisher tool as I went through the documentation on setting it up just so I can get the hang of it. I've had the publisher service connect and view our site's database and have selected all applications we are currently using and set up the custom options for each/all applications we are wanting PatchMyPC to update for us. I then ran the publisher sync service.


I've created a device collection within SCCM and have placed 2 PCs in there to test with. Both are running outdated versions of Firefox and Chrome that were installed manually.

I then created an ADR and pointed it to the test collection I created earlier. I specified the ADR to pull any and all updates from the Vendor "PatchMyPC" and then told it there is no deployment package since these updates are stored within WSUS (not sure if this is the right way to do this), and then proceeded to finish building out the ADR.

I've made sure that the client settings are configured to allow third party software updates as well as made sure that the SUP is configured to allow 3rd party updates. I have unsubscribed from the PatchMyPC Third Party Software Catalog. I've synchronized the software update catalog and ran all site actions under the ConfigMgr client as well as cleared the cache, and I am still not seeing any of the updates show up in Software Center.

Any insight as to what I am missing would be greatly appreciated.

Cody Mathis (Patch My PC)

Hey there!

I noticed you mention 'then tell it there is no deployment package since these updates are stored within WSUS.'

This is likely the cause of your problem. The content being stored on your WSUS server just changes where Configuration Manager will download the content from when it creates a deployment package. For first party updates Configuration Manager will typically reach out to the Microsoft Catalog and download the updates, putting them into the deployment package specified. For third party updates the content is downloaded from WSUS instead.

You will still need to download that content, and put it into a Deployment Package and distribute that out to your Distribution Points in order for your clients to perform a content lookup, and download the content from a Distribution Point.

Wes Mitchell

Hi Louis,

You will either need to select an already created deployment package or create a new deployment package for this update group within your ADR.

louish

Thanks for all the help. I guess here my blocker is identifying the creation of the Deployment Package. When creating the ADR and creating a new Deployment package am I pointing the package source to the "WSUS Content" folder?

Cody Mathis (Patch My PC)

You will want to create a new folder dedicated to storing the updates for the new Deployment Package.

The distribution of third party patches is handled in the same way that first-party updates to windows and office are.

It should not be located in your WSUS folders, but instead in a similar location to your Microsoft Updates. Whatever source location share you are already using for other things such as updates, applications, etc.

Configuration Manager will download the updates from WSUS, even if it is on the same server, and then process the content and put it into the folder specified as the source for the Deployment Package.

louish

Thanks for everyone's help I am getting much closer to getting this off the ground.

I created a deployment package and all the content looks to have been placed there and looks to be distributed to our DP's.

Currently, updates are being presented in Software Center but look to either be timing out or getting the failure code 0x800B0109 (-2146762487), which looks to be an issue with the certificate. I have made sure that the SUP is configured to allow 3rd party updates. I have also made sure that the client policy is set to allow Third Party Updates as well; not sure what could be the hiccup. Looking at the Certificates MMC snap-in console on my PC, I am not seeing the certificate. Should this be showing in the certificate snap-in?

The wsyncmgr.log is not showing any errors. The certificate in the PatchMyPC tool looks to be good. Not sure how long it takes for the clients to pull updated policy.

One other unusual thing is the ADR I created is failing to run. RuleEngine.log is spitting out errors; however, it's not clear to me from its output what the exact issue is.

The fact that updates are now showing in Software Center is a great start, and I think I am pretty close to getting this off the ground.

Cody Mathis (Patch My PC)

Progress!

Is your software update point remote from your Site Server? If so, there are additional steps needed in order to have the WSUS Signing certificate get transferred from your SUP / WSUS to your Site Server.

If your Site Server does not have the certificate, it will not be able to transfer it down to the clients and you will see the certificate chain errors as you've seen.

If you go to the location shown in the attached photo, do you see the certificate details populated?

louish

Quote from: Cody Mathis on May 07, 2020, 06:30:06 AM

Hey Cody, the SUP role is running on our primary/only site server. Yes, the cert does look to be present in ConfigMgr under the SUP role's configuration. I've made sure that our client policy is also enabled to allow Third Party Updates.


Additionally, in hindsight I am not certain that this is the right certificate. I was not involved in the certificate creation process since this project was partially started by the time it was created. So it could have been done incorrectly.



louish

Furthermore, confirming my final comment in my last post: I watched a wonderfully insightful and helpful video from Justin regarding the cert setup for PatchMyPC. It is clear to me now that we are using a self-signed cert and need to get a code-signing cert issued from our CA. I will work this from my end and update.

Cody Mathis (Patch My PC)

Appreciate the update.

Please let us know if you have issues once those additional changes are made.

louish

Alright, so I was able to create a new template for Code-Signing per the YouTube video mentioned earlier. I've enrolled and exported it, and imported it via the PatchMyPC Publishing Service.

I ran a software synchronization, and saw that the new certificate was found in the wsyncmgr log. Additionally I see that the new cert is showing under the third party updates tab on the SUP role configuration page within SCCM.

The client policies are configured to allow third party updates.

I've run all actions on my test client, and have cleared the cache and restarted. So far it looks like updates are still failing. Looking at the certificate store on the PC I am testing with by running certlm.msc to load the snap-in console, I do not see this new code-signing cert in the Trusted Root or the Trusted Publishers.

Does the content need to be republished since the cert was replaced in order for the new cert to be pushed to the clients? Are there any logs that can help from here?


Thanks for all your help!



Cody Mathis (Patch My PC)

You are correct!

Now that you have a new certificate in place, you will have to republish all the updates that you had previously published. This is because they were signed with a different certificate. Republishing them will ensure they are signed with the appropriate certificate that you've set up.

As for not seeing the certificate on the clients, the only factor for this is the client settings. It might be good to check the resultant client settings of an affected device. See this link for instructions: https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/configure-client-settings#view-client-settings This will show if you possibly have another policy conflicting. Aside from that, you are seeing the certificate in the Third Party Updates tab, so that is all set.

Let us know if you can't get it figured out. We can also set up a support call as well.

louish

Hi Cody, thanks for getting back to me. I ran the resultant client settings check on the PC that I am testing with. I was able to confirm that Third Party Updates is enabled. I have also made sure that my client version supports SCCM 1906. (I had read in a previous PatchMyPC post on Reddit that this could cause issues too if the client is not new enough.)

I've right clicked on all the applications and toggled "Republish Updates for these products during the next sync schedule"


Just waiting for all the content to finish republishing.

Are you able to speak to how the code-signing certificate is pushed to the client machines?



Thanks,

-Louis


Cody Mathis (Patch My PC)

The code signing certificate is supposed to come down as part of the Software Update Deployment Evaluation cycle. The certificate deployment should be reflected in the UpdatesDeployment.log on the client. The docs link below provides a little bit of information regarding this.

https://docs.microsoft.com/en-us/mem/configmgr/sum/deploy-use/third-party-software-updates#enable-third-party-updates-on-the-clients
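The client-side prerequisites discussed in this thread (the WSUS signing certificate present in the machine's Trusted Root and Trusted Publishers stores, the Windows Update Agent allowed to accept intranet-signed content, and the cached update binaries actually signed by the current certificate) can be checked in one pass on an affected client. The script below is an added example written for this page; it is not from the thread, from Microsoft, or from Patch My PC's tooling. It assumes you pass the thumbprint shown on the SUP's Third Party Updates tab, that the client cache is in the default %WINDIR%\ccmcache location, and that the registry value it reads is the one set by the Windows Update policy "Allow signed updates from an intranet Microsoft update service location" (an assumption about what the linked Patch My PC article's registry edit refers to).

```powershell
<#
  Added diagnostic for 0x800B0109 (CERT_E_UNTRUSTEDROOT) on third-party updates.
  Not part of the thread or of Patch My PC's tooling. Run elevated on a client.
  Usage: .\Check-ThirdPartyUpdateTrust.ps1 -Thumbprint '<thumbprint from SUP Third Party Updates tab>'
  Assumptions (labelled): -Thumbprint is the WSUS signing certificate's thumbprint;
  $CacheRoot and $LogDir are the default ConfigMgr client paths; the registry value
  in step 2 is the one the "Allow signed updates from an intranet Microsoft update
  service location" policy sets.
#>
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$CacheRoot = (Join-Path $env:WINDIR 'ccmcache'),
    [string]$LogDir    = (Join-Path $env:WINDIR 'CCM\Logs')
)

# Normalise a thumbprint pasted from the console (spaces, lowercase hex).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. The signing certificate must be in BOTH machine stores: Root, so the
#    signature chain terminates in a trusted root (otherwise 0x800B0109), and
#    TrustedPublisher, so the Windows Update Agent accepts the publisher.
$checks = [ordered]@{}
foreach ($store in 'Root', 'TrustedPublisher') {
    $match = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $Thumbprint }
    $checks["Cert in LocalMachine\$store"] = [bool]$match
}

# 2. The agent must be allowed to accept intranet-signed updates at all
#    (assumed registry value, see header).
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$accept = (Get-ItemProperty -Path $wuPolicy -Name AcceptTrustedPublisherCerts `
               -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
$checks['AcceptTrustedPublisherCerts = 1'] = ($accept -eq 1)

[pscustomobject]$checks | Format-List

# 3. Verify the cached update binaries really carry the CURRENT certificate's
#    signature with an intact chain. Content published before a certificate swap
#    keeps the old signature until it is republished and re-downloaded, which is
#    why republishing was needed in this thread.
Get-ChildItem -Path $CacheRoot -Recurse -Include *.exe, *.msi, *.msp -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File            = $_.FullName
            Status          = $sig.Status           # anything other than Valid is a problem
            StatusMessage   = $sig.StatusMessage    # e.g. the untrusted-root chain message
            SignedByOurCert = ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)
        }
    } | Format-Table -AutoSize -Wrap

# 4. Quick look at the client logs for certificate handling and the error code.
foreach ($log in 'UpdatesDeployment.log', 'WUAHandler.log') {
    $path = Join-Path $LogDir $log
    if (Test-Path -Path $path) {
        Select-String -Path $path -Pattern 'certificate|0x800b0109' |
            Select-Object -Last 20 |
            ForEach-Object { '{0}: {1}' -f $log, $_.Line }
    }
}
```

If step 1 reports the certificate missing from either store while the SUP's Third Party Updates tab shows it, the problem is delivery to the client (client settings or policy), not the certificate itself; if the stores are correct but step 3 shows cached files signed by a different thumbprint, the content was published under the previous certificate and needs to be republished and downloaded again.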

louish

I've republished content and still seem to be getting the error 0x800b0109 regarding the certificate. I've looked at the UpdatesDeployment.log and cannot find any reference or entry to the certificate being handed out to the clients. I also do not see the certificate in the Trusted Root and Trusted Publishers folders. I have installed the certificate and placed it in both areas but have not had success. I have attached a few logs.

Additionally, look at this: https://patchmypc.com/third-party-updates-fail-to-install-with-error-0x800b0109-in-sccm - Does this registry edit need to be made as well on top of everything else?