
Topics - Justin Chalfant (Patch My PC)

#1
Important Update

All future feature requests should be created on the following website: Ideas Website. This change is to use a platform that supports up-voting and better tracking of feature requests.

Thanks
Justin
#4
New product request via email:

1. Product: RingCentral Meetings | Vendor: RingCentral, Inc.
2. http://dn.ringcentral.com/data/web/download/RCMeetings/1210/RCMeetingsClientSetup.msi
3. http://dn.ringcentral.com/data/web/download/RCMeetings/1210/RCMeetingsClientSetup.msi
4. /i <msi> /qn
5. https://success.ringcentral.com/lc/cms/downloads?_ga=2.10431797.1472147521.1557930486-334561116.1557930486 (Admin Downloads section in middle of page for system based installs)
6. https://support.ringcentral.com/s/article/5541?language=en_US

It would be great if detection could be set up to also detect the exe version (installs in user appdata) and install this msi version in its place. I believe the system based install given here handles ripping out the user based installs, etc.
#5

Publishing Fails - SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_NO_METADATA

In this knowledge base article, we will review an error you may receive when attempting to right-click a third-party software update and choosing Publish Third-Party Software Update Content.

In the SMS_ISVUPDATES_SYNCAGENT.log, you will see the following error lines in the log file.

STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_NO_METADATA).
STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_FAIL).

Video Guide for SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_NO_METADATA Error



Please review the step-by-step video guide below for information about why the SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_NO_METADATA error occurs while publishing third-party software update content and the resolution.



This scenario is also documented on the Microsoft Docs - Third-Party Software Updates Known Issues page.
  • The third-party software update synchronization service can't publish content to metadata-only updates that were added to WSUS by another application, tool, or script, such as SCUP. The Publish third-party software update content action fails on these updates. If you need to deploy third-party updates that this feature doesn't yet support, use your existing process in full for deploying those updates.
#6

Error: The process is not in background processing mode. ERROR: DownloadContentFiles() failed with hr=0x80070193

When attempting to download third-party software updates into an SCCM deployment package, you receive the following error message in the console: Failed to download content id <IDNumber>. Error: The process is not in background processing mode.



If you review the PatchDownloader.log file, you will see errors similar to the errors listed below:

HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED

ERROR: DownloadContentFiles() failed with hr=0x80070193

Why Does ERROR: DownloadContentFiles() failed with hr=0x80070193?



This error occurs when the WSUS Content virtual directory is configured to require SSL. In Internet Information Services (IIS) Manager, click the WSUS Administration website, click the Content virtual directory, then click SSL Settings in the right pane.

If Require SSL is checked, uncheck that option and choose to apply the changes.

The WSUS Content virtual directory in IIS should not be configured to Require SSL even if your WSUS server is configured in SSL. Please see the following Microsoft documentation for more details: How to Configure the WSUS Web Site to Use SSL

If this was your issue, third-party updates should now successfully download to an SCCM deployment package.

#7
Please include the following details in the new product request for a new product. These details will allow us to analyze new product requests more efficiently.

Important Update

All future application requests should be created on the following website: Ideas Website. This change is to use a platform that supports up-voting and better tracking of requested products.


  • Before submitting a new application request at Ideas Website please search to ensure it's not already submitted. If it's already submitted please just use the up-vote feature
  • Please still include all the required metadata mentioned below for new idea/application submissions at Ideas Website

Requirements for New Products

1) Supports silent installation via command line
2) Install successfully under SYSTEM context
3) Public download URL for the offline installer (Note: some exceptions may be made for highly up-voted requests as we can use the content repository feature for some licensed products.)
4) The product's installer must be digitally signed
5) Please only include one product request per idea submission
6) Uses EXE, MSI, or MSP file download for the installer (No ZIP)

Required Details to Enter in new Product Request

1) Product and vendor name
2) Public download URL for the latest offline installer. A product whose download is behind a paywall is not supported
3) Download URL for an older version's offline installer (If Available)
4) Silent installation switch with "no restart" switch
5) Download page
6) Release notes page

Example Request:

1. Product: Notepad++ | Vendor: Notepad++ Teams
2. x64: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.x64.exe | x86: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.exe
3. x64: https://notepad-plus-plus.org/repository/7.x/7.6.3/npp.7.6.3.Installer.x64.exe | x86: https://notepad-plus-plus.org/repository/7.x/7.6.3/npp.7.6.3.Installer.exe
4. /S /norestart
5. https://notepad-plus-plus.org/download
6. https://notepad-plus-plus.org/news/
#8

Third-Party Update Digest Verification Fails When Publishing Outdated Updates

In this article, we will review file digest verification failures when publishing third-party software update content and the most common reason this error happens.

What Does a File Digest Failure Look Like?

If you are using Microsoft's legacy method for publishing updates through System Center Updates Publisher, you will see an error similar to the error below in the UpdatesPublishing.log or SCUP.log located in your user's %temp% directory.

--- Digest verification failed on content for software update 'Google Chrome 72.0.3626.119 (x64) (UpdateId:'626b77a4-61e5-4e84-9870-3aa68abafd0e' Vendor:'Patch My PC' Product:'SCUP Updates')'.

If you are using the SCCM 1806+ third-party updates feature directly in the SCCM console, you will see the following errors in the SMS_ISVUPDATES_SYNCAGENT.log which is located on the top-level software update point in the site system logs folder.

STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_HASH_FAIL).

STATMSG: (SRVMSG_SMS_ISVUPDATES_SYNCAGENT_UPDATECONTENT_FAIL).

Why Does the Digest Verification Fail When Publishing Updates?

Whenever a third-party update is being published with full-content, the update needs to pass security validation checks. The first check is that the update binary downloaded from the vendor's website must match the file digest of the update when we created it. When vendors use the same download URL for a product such as Google Chrome: https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise64.msi, hash validations can fail if you are publishing an older version of the update due to the latest catalog not being imported.

Resolving Digest Verification Failures

To fix the digest validation error, you will need to import or sync the latest Patch My PC Update Catalog so you can publish the most recent software update that will match the hash of the vendor's latest update binary.

If you are using the SCCM 1806+ third-party software update catalog feature:

You will need to perform a sync of catalog manually. In the Third-Party Software Update Catalog node in your SCCM console, right-click the Patch My PC Catalog and choose Sync now. By default, SCCM will only automatically sync a third-party software update catalog every 7 days.

You can review the catalog sync progress in the SMS_ISVUPDATES_SYNCAGENT.log located on the top-level software update point in the site system logs folder.

Once the catalog publishing sync is complete, you can perform a sync of your software update point to have any newly released third-party updates show up in the "All Software Updates" node of the SCCM console.


Once the sync is complete, you should see new updates for the product, and the previous updates that were failing should become superseded. The latest version of the update should be able to publish the update content successfully.

If you are using System Center Updates Publisher:

You will need to import the latest catalog manually from the console:

Once the newest catalog is imported, you should see the latest update(s) for the product that was previously failing to publish. Choose to publish the latest software update(s).

You Can Switch to Our Publishing Service to Reduce Hash Errors

When using System Center Updates Publisher or the SCCM 1806+ Third Party Updates feature, you will be more likely to run across hash errors, because there is a delay between when the catalog synchronizes and when you choose to manually publish the content. For example, the SCCM 1806+ catalog feature can only perform an automatic catalog sync every 7 days, and this is not currently configurable.
  • If SCCM synchronized our third-party update catalog on March 2, 2019, and on that date, Google Chrome 72.0.3626.119 (x64) was the latest version, it would be published automatically to SCCM.
  • If we then released Google Chrome 72.0.3626.121 (x64) on March 3, 2019, and you hadn't previously published the content for Google Chrome 72.0.3626.119 (x64) before it was updated on Google's web server, you would receive a hash error.
  • Since SCCM only syncs the catalog every 7 days, you would continue to have hash failures when trying to publish the update content until the next automatic sync occurs on March 9, 2019, or you perform a manual catalog sync in the SCCM console.

Benefits of using our publishing service with regards to hash digest errors

If you were to switch to our publishing service, you would have complete control over how often our catalog synchronizes. The scheduling options will allow you to sync the catalog more frequently to ensure you have the most recent catalog metadata.

Our publishing service will always download the most recent catalog before downloading any third-party update content. By downloading the newest metadata, it will ensure we are pulling the most recent updates with the current file digest before performing content publishing.

There are other benefits to switching to our publishing service including full automation. You can get more details about the benefits of our publishing service below.

What's the Difference Between our Publishing Service and SCCM 1806+ In-Console Publishing?

What if You Receive the Hash Error when Using the Latest Catalog?

If you receive the hash digest error after verifying you have imported the latest catalog and you are publishing the latest update available, it's probably because the vendor just posted a new software update that hasn't been made available in our catalog yet.

You can let us know you are getting a hash error when publishing the latest available update by using our technical support contact form. Generally, we release updates the same day a vendor releases the update so it will just automatically resolve itself when we update the catalog.

#9
Third-Party Updates Fail to Download - Error: The cloud file provider exited unexpectedly.

When attempting to download a published third-party software update, you receive the following error:

Failed to download content id <IDNumber>. Error: The cloud file provider exited unexpectedly.


In PatchDownloader.log, you will also see the following error in the log.

HttpSendRequest failed HTTP_STATUS_NOT_FOUND

ERROR: DownloadContentFiles() failed with hr=0x80070194

Error 0x80070194 translates to "The cloud file provider exited unexpectedly."


Why does Error 0x80070194 Happen?

This error occurs when the published update content does not exist in the WSUSContent folder, therefore, the update is unable to be downloaded from IIS on the WSUS server to the deployment package in SCCM.

There are a variety of reasons the update (.CAB) file for the published update(s) may not exist in the WSUSContent folder including:

  • Custom cleanup scripts removing content from the WSUSContent directory
  • The WSUSContent folder is configured incorrectly in IIS
  • The WSUSContent folder is pointing to a UNC network share and the appropriate configurations and permissions weren't configured

SQL Query to determine if any Deployment Packages are referencing the WSUS content directories:

SELECT PackageId, Name, PkgSourcePath
FROM v_Package
WHERE PkgSourcePath LIKE '%UpdateServicesPackages%' OR PkgSourcePath LIKE '%WsusContent%'

If you are using multiple software update points in a Shared WSUS configuration, please review this guide to ensure that you shared the WSUSContent folder out on all software update points https://youtu.be/y7w7hBSHShc?t=838


Resolution to Error 0x80070194

Please review the video guide below to understand possible causes and resolutions for the errors listed below.

  • ERROR: DownloadContentFiles() failed with hr=0x80070194
  • HttpSendRequest failed HTTP_STATUS_NOT_FOUND

    #10
    Third-Party Updates Fail to Install with Error 0x800b0109 in SCCM

    When attempting to install third-party software updates, you receive error code 0x800b0109.


    In WUAHandler.log, you will also see the following error in the log.

    Failed to download updates to the WUAgent datastore. Error = 0x800b0109


    Why does Error 0x800b0109 Happen?

    Error code 0x800b0109 translates to:

    A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

    This error occurs when a client is attempting to install third-party software update(s) that are signed using a WSUS signing certificate that isn't trusted on the client devices.


    Resolution to Error 0x800b0109

    To resolve error code 0x800b0109, you need to distribute the WSUS signing certificate to the Trusted Root and Trusted Publishers certificate stores on your client devices.

    You can distribute the certificate using the third-party software updates feature in SCCM 1806+ (Microsoft Docs), or you can deploy the certificate using group policy (PDF Guide).

    We also have a detailed step-by-step video guide below that covers deploying the WSUS signing certificate using SCCM 1806+ or using group policy to resolve error 0x800b0109 on your clients.

    #11
    Requested by Sirwarlord on Slack.

    Will be added in our next update (v 1.2.3) later this week.
    #12

    Digest Mismatch Due To Download URL Being Filtered by Firewall or Web Filter

    If you received an error message in the PatchMyPC.log similar to the one shown below when publishing a third-party update this article should help.

    Digest of the downloaded update doesn't match the digest from the catalog: Hash from catalog [0Io0A82tYc06ybySLZ1osB5VYzY=] doesn’t match downloaded update hash of [YQMfSKsyclBqVjGnvRdBuoCCcvY=]
    This error appears to be a known error. Please see our KB article https://patchmypc.com/digest-mismatch-download-filtered for the resolution.

    Why the Hash Check?

    Whenever we download an update file from a vendor's website to publish to WSUS/SCCM, we validate the hash of the current binary downloaded matches the original hash within the catalog metadata. This check ensures that if a binary is compromised or changed on vendors website, we will not publish the software update. We have a deep dive into our security validation process here.

    Resolution to this Specific Hash Check Failure

    If you received the error message above that links out to this article, that means the hash check failed, and the downloaded file size was less than 100 kb.

    When the downloaded file is less than 100 kb in size, this almost always correlates to a web filter or firewall blocking the download from the server that is running our publishing service.

    Step 1 - Open the PatchMyPC.log from the publishing service.


    Step 2 - Copy the download URL from the PatchMyPC.log for any updates receiving this hash error.


    Step 3 - Paste the download URL into a web browser on the same server running the publishing service and check if you receive an error that a web filter is blocking the download.

    Download URL Being Filtered in Browser

    Step 4 - You will need to get exceptions created for any downloads receiving this hash error for "digest mismatch download filtered". 
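The triage this post describes (a digest mismatch on a download under 100 kb points at a filter, not at the vendor), together with the stale-catalog case from the digest verification post above, as an added Python example that is not Patch My PC's code. It assumes the catalog digest is a Base64-encoded SHA-1, inferred from the 20-byte digests in the log line; the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac

# From the post: a mismatching download under 100 KB almost always means a
# web filter or firewall answered instead of the vendor's server.
FILTER_SIZE_LIMIT = 100 * 1024
SHA1_LEN = 20  # assumption: catalog digests are Base64 SHA-1 (20 bytes)
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # MSI/MSP compound-file header


def catalog_style_digest(data: bytes) -> str:
    """Return the Base64-encoded SHA-1 of data (the assumed catalog format)."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def parse_catalog_digest(text: str) -> bytes:
    """Decode a digest as logged, e.g. '[0Io0...zY=]'; reject malformed values."""
    try:
        raw = base64.b64decode(text.strip().strip("[]"), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not valid Base64: {text!r}") from exc
    if len(raw) != SHA1_LEN:
        raise ValueError(f"expected {SHA1_LEN} digest bytes, got {len(raw)}")
    return raw


def looks_like_installer(data: bytes) -> bool:
    """True for an EXE ('MZ') or MSI/MSP (OLE compound file) header."""
    return data[:2] == b"MZ" or data[:8] == OLE_MAGIC


def looks_like_markup(data: bytes) -> bool:
    """True when the payload starts like an HTML/XML page, e.g. a block page."""
    head = data[:256].lstrip().lower()
    return head.startswith((b"<!doctype", b"<html", b"<?xml"))


def triage_download(data: bytes, catalog_digest: str) -> dict:
    """Compare a downloaded payload with the catalog digest and classify it."""
    expected = parse_catalog_digest(catalog_digest)
    actual = hashlib.sha1(data).digest()
    if hmac.compare_digest(actual, expected):
        verdict = "match"                        # safe to publish
    elif len(data) < FILTER_SIZE_LIMIT:
        verdict = "likely_filtered"              # open the URL in a browser on the server
    else:
        verdict = "binary_differs_from_catalog"  # sync the latest catalog and retry
    return {
        "verdict": verdict,
        "size": len(data),
        "actual_digest": base64.b64encode(actual).decode("ascii"),
        "installer_header": looks_like_installer(data),
        "markup": looks_like_markup(data),
    }


# Constructed sample payloads (not real installers or real filter pages).
SAMPLE_INSTALLER = OLE_MAGIC + bytes(200_000)
SAMPLE_NEWER_BUILD = OLE_MAGIC + b"\x01" * 200_000
SAMPLE_BLOCK_PAGE = b"<html><body><h1>Blocked by web filter</h1></body></html>"

if __name__ == "__main__":
    catalog = catalog_style_digest(SAMPLE_INSTALLER)
    samples = [
        ("installer", SAMPLE_INSTALLER),
        ("newer build", SAMPLE_NEWER_BUILD),
        ("block page", SAMPLE_BLOCK_PAGE),
    ]
    for name, payload in samples:
        print(name, triage_download(payload, catalog))
```

The header and markup flags are supporting evidence only; the verdict follows the post's size rule, so a small file that fails the digest check is reported as likely filtered even when it is not HTML.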
    #13
    Please see https://patchmypc.com/list-of-domains-used-for-downloads-in-patch-my-pc-update-catalog for the most recent list of the domains used to download update files for our catalog.
    #14

    Please see Selectively Choose Products to Publish - Patch My PC Update Catalog for more details



    _________________________________________________

    To better support the upcoming third-party software update integration in Microsoft System Center Configuration Manager (SCCM), we are adding the ability to import our catalog per-product. The SCCM third-party software update catalogs feature will publish ALL updates in a catalog with metadata only. We want to give our customers the ability to add our catalog by-product if needed. This feature will allow you to selectively publish products to  SCCM, and not have SCCM publish all 150+ Products.

    #15
    For the most recent version of this post please see https://patchmypc.com/filtering-specific-third-party-product-from-adrs-in-microsoft-sccm-patch-my-pc-update-catalog

    In this video, we will demonstrate how to use Title filters in the automatic deployment rules in Microsoft Configuration Manager. This filtering can be helpful if there are specific products you need to exclude in your ADRs from our third-party software update catalog for SCCM.

    Full List of Titles for Product in Our Update Catalog

    7-Zip
    Adobe Acrobat DC
    Adobe Acrobat Reader DC
    Adobe Air
    Adobe Digital Editions
    Adobe Flash Player 32-bit/64-bit ActiveX
    Adobe Flash Player 32-bit/64-bit Plugin
    Adobe Flash Player 32-bit/64-bit PPAPI
    Adobe Lightroom
    Adobe Shockwave Player
    AirServer Universal
    AirSquirrels Reflector
    Allway Sync
    Apache Tomcat
    Apple Application Support
    Apple Bonjour
    Apple iCloud
    Apple iTunes
    Apple Mobile Device Support
    Apple Quicktime
    Apple Safari
    Apple Software Update
    Attendant Pro
    Archi
    Articulate 360
    Audacity
    Autodesk Design Review 2018
    AutoHotkey
    Bandicam
    Bandicut
    BlueJeans
    Blue Jeans Outlook Addin
    Box Drive
    Box For Office
    Box Sync
    Box Tools (Box Edit)
    Camtasia
    CCleaner
    CDBurnerXP
    Charles
    Citrix HDX RealTime Media Engine
    Citrix Receiver
    Citrix Workspace
    Classic Shell
    ClickShare Launcher
    CPUID CPU-Z
    Crypto Prevent
    CutePDF Writer
    DisplayLink
    Docker
    Dropbox
    ESET Endpoint Security
    ESET File Security
    ESET Remote Administrator Agent
    Evernote
    FastStone Capture
    FileZilla Client
    FlashBack Express
    Foxit PhantomPDF
    Foxit Reader
    GanttProject
    Garmin Express
    GIMP
    Git
    GoodSync
    Google Chrome
    Google Earth Pro
    Google Picasa
    GoToMeeting
    Greenshot
    grepWin
    HandBrake
    HipChat
    Huddle
    ImgBurn
    Inkscape
    IrfanView
    IZArc
    KeePass
    K-Lite Basic Codec Pack
    K-Lite Mega Codec Pack
    Lenovo System Update
    LibreOffice
    LogMeIn Client
    Malwarebytes
    MapInfo Pro
    MicroDicom Viewer
    Microsoft .NET Core Runtime
    Microsoft .NET Core: Runtime & Hosting Bundle
    Microsoft .NET Core SDK
    Microsoft Azure Storage Explorer
    Microsoft EMET
    Microsoft Mouse and Keyboard Center
    Microsoft Power BI Desktop
    Microsoft SQL Management Studio
    Microsoft Visual Studio Code
    MinuteTraq
    Mozilla Firefox
    Mozilla Firefox ESR
    Mozilla Firefox to ESR Migration
    Mozilla SeaMonkey
    Mozilla Thunderbird
    mRemoteNG
    Nextcloud Client
    Nitro Pro
    Nitro Pro Enterprise
    Nmap
    Node.js
    Node.js LTS
    Notepad++
    OCZ SSD Utility
    OpenOffice
    Opera
    Oracle Java 6/7 (x64) to Java 8 (x64) Migration
    Oracle Java 7
    Oracle Java 8
    Oracle VM VirtualBox
    Paint.NET
    PDF Split And Merge
    PDF24 Creator
    PDFCreator
    PDF-XChange Editor
    PDF-XChange PRO
    PeaZip
    PhraseExpress Client
    Pidgin
    Plantronics Hub
    Plex Media Player
    PowerShell Core
    Programmer’s Notepad
    ProjectLibre
    PuTTY
    R For Windows
    RealTimes (RealPlayer)
    RealVNC (VNC Server)
    Remote Desktop Manager Enterprise
    RoboForm
    Royal TS
    RStudio
    ShareX
    SketchUp Make 2016
    SketchUp Pro 2016
    SketchUp Make 2017
    SketchUp Pro 2017
    Skype
    Snagit
    SRWare Iron
    Sublime Text
    SyncBackFree
    Tableau Reader
    TeamViewer
    Telerik Progress TestStudio Ultimate
    Terminals
    TightVNC
    TortoiseGit
    TortoiseHg
    TortoiseSVN
    TreeSize Free
    UltraVNC
    VitalSource Bookshelf
    Vivaldi
    VLC Media Player
    VMware Horizon Client
    VMware Tools
    VMware Workstation
    VMware Workstation Player
    VNC Enterprise
    WinRAR
    WinSCP
    WinZip
    Wireshark
    XMind
    XnView
    Yahoo! Messenger
    Zoom Meetings
    Zoom Outlook Plugin

    #16


    Overview

    • In this video guide, we will cover how you can use a code-signing certificate from an Active Directory Certificate Services infrastructure or using a public certificate authority such as DigiCert for signing third-party software updates in Microsoft System Center Configuration Manager (SCCM). Using a trusted PKI based code-signing certificate can be an alternative to using a self-signed certificate.

    Topics in Video

    Helpful Resources:

    #17
    We heard your feedback. In this blog post, we want to cover some changes to the way we set update classifications in our third-party software update catalog and why we decided to make these changes based on our customers' feedback.

    A Little Background on Software Update Classifications from Microsoft

    First, we want to cover what update classifications are and how we classify updates in our catalog and some of the changes we are making to better align with the Microsoft terminology for classifications.

    Every software update in WSUS/ConfigMgr will be assigned to a Vendor/Product and have an Update Classification. There are currently nine types of classifications for software updates in Configuration Manager.
    • Critical Updates | Definition: A widely released fix for a specific problem that addresses a critical, non-security-related bug.
    • Definition Updates | Definition: A widely released and frequent software update that contains additions to a product’s definition database. Definition databases are often used to detect objects that have specific attributes, such as malicious code, phishing websites, or junk mail.
    • Feature Packs | Definition: New product functionality that is first distributed outside the context of a product release and that is typically included in the next full product release.
    • Security Updates | Definition: A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low.
    • Service Packs | Definition: A tested, cumulative set of all hotfixes, security updates, critical updates, and updates. Additionally, service packs may contain additional fixes for problems that are found internally since the release of the product. Service packs may also contain a limited number of customer-requested design changes or features.
    • Tools | Definition: A utility or feature that helps complete a task or set of tasks.
    • Update Rollups | Definition: A tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS).
    • Updates | Definition: A widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug.
    • Upgrades | Definition: A feature upgrade for Windows 10.

    Update Classifications SCCM

    How We Classified Updates in the Past and Why

    When the Configuration Manager synchronizes software updates from WSUS, only software updates assigned to an enabled classification will synchronize and show up in the configuration manager console.

    Update Classifications SCCM Security Only

    When we initially started to author updates, we decided to classify all third-party software updates with the Security Classification. The reason we decided to classify all updates with the Security classification is because it's the most common classification that would be enabled for synchronization in ConfigMgr/WSUS. By setting updates to use the Security Classification, it would ensure any third-party updates published from our catalog, regardless of whether they are Security Updates, Critical Updates, Updates, etc., would synchronize and be visible in Configuration Manager.

    Why We are Changing the Classification to Best Match Each Update

    We've received feedback that by having all third-party software updates classified as Security Updates it can cause the software update compliance reporting to be skewed when filtering on the security classification. Based on customer feedback, we will now be classifying all third-party software updates based on the vendor's release notes and best align each software update to correspond to the closest update classification. We plan to utilize the following two update classifications for our third-party software updates.
    • Critical Updates | A widely released fix for a specific problem that addresses a critical, non-security-related bug.
    • Security Updates | A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low.
    • Updates | A widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug.
    • Update Rollups | The Update Rollups Classification will be used for migration updates such as JRE 6/7 to JRE 8 migration or Firefox to Firefox ESR migration.


    What do These Changes Mean for You?

    We believe this change is necessary and will provide a better experience for our customers to ensure the update metadata is best aligned with the actual update type.

    This change will have no impact on the publishing process you are performing today. When publishing third-party updates, you will want to ensure the classifications in the software update point that corresponds to the third-party updates are enabled.

    If the classification isn't enabled, the third-party software update will not sync into the Configuration Manager console until the classification is enabled in your software update point and another synchronization is performed.

    Software Update Classifications Third-Party Software Updates

    When Will This Change Happen?

    We plan to apply these metadata changes to all updates going forward as well as retroactively for updates released in the past. Since this is only a metadata change, updates can be republished/revised so the new software update classification will be reflected after the software update point synchronization in Configuration Manager. These metadata changes will be released in the October 22, 2018 catalog update.
    #18

    We understand IT security is an extremely critical aspect to organizations.  IT Security is probably more vital to your organization than the industry on average considering you are actively looking into a third-party patch management solution to help reduce vulnerabilities.

    We often get asked how we validate the integrity of the third-party updates included in our catalog. This question is crucial for you to understand. In this post, we will describe in detail the procedures we take to ensure the quality and integrity of the patches we publish in our third-party software update catalog.

    Step 1: Creating Third-Party Updates and Storing the Hash

    The first step in our process for creating an update is to download the update binary (EXE, MSI, or MSP) from the official vendor's download mirror. This update binary will be the file executed on client computers to update the product. The original hash of the binary and download URL is stored in our catalog metadata. The download URL is what will be used when downloading and publishing the update within your environment.

    Slack Update Hash and Download URL

    Whenever we add new updates to our catalog, the catalog metadata gets exported and saved into a CAB file. This catalog (.CAB) is imported into your environment and used to publish updates. To ensure the integrity of the catalog when downloaded and imported to your environment, we dual code-sign the catalog file with our code-signing certificate. When the catalog gets downloaded in your environment, the import will only occur in our publishing service, SCCM 1806+, or SCUP if the catalog is code-signed from a trusted publisher.

    Catalog Signed Catalog File

    Step 2: Running the Update Installer Through VirusTotal

    Once we have obtained the vendor's binary and file hash, we will then upload the binary to VirusTotal. VirusTotal will analyze the binary file through 55+ anti-virus engines. Here's an example of the Slack 3.3.1.0 MSI binary file from Step 1.

    VirusTotal Scan For Slack MSI

    We post all VirusTotal results for any third-party updates released in our RSS feed and email newsletter. These results will include the archived VirusTotal scan from our scan as well as a link to the latest VirusTotal scan for the binary.

    RSS Feed VirusTotal Stats For Slack

    We also maintain a complete repository of every update binary at the time of our scan on the VirusTotal Scan Reporting page.

    VirusTotal Scan Repository

    Step 3: How Update Binaries are Verified During Publishing

    Before the catalog metadata is evaluated for publishing, there is a digital signature check on the downloaded catalog file. This check validates the catalog is signed from Patch My PC.

    Catalog Download Digital Signature Check

    Once the catalog is validated, only then will the catalog metadata be evaluated for processing. Since we don't control the servers used for content downloads, it's essential to ensure the file downloaded from the vendor's website is the exact same file used when initially creating the update that went through the VirusTotal scans. When an updated binary is downloaded, we will compare the hash of the downloaded binary with the hash from the catalog and only publish the update if they match.

    Download Of Slack MSI And- Check

    Step 4: Trust Within Your Environment

    The final layer of trust for third-party software updates before client-side installation is between your servers and clients. Whenever third-party updates are published to your WSUS environment, they are added into a CAB file that gets digitally signed using the code-signing certificate that you configure within your environment. Client devices will only install third-party patches that are signed using a trusted certificate that you have configured and deployed to your devices.

    WSUS Code-Signed Third-Party Update

    If you have any more detailed questions about our security testing, please reach out to our team using our contact form.



    #19

    Moving to Supersedence Software Update Model

    Starting December 28, 2018, we are moving to a supersedence model for software updates in our third-party software update catalog. Before this change, we would mark previous versions of software updates as expired.

    Why the Change?

    With the Third-Party Software Update Catalogs feature in Configuration Manager 1806+, all third-party updates in a catalog are published. When we expired previous updates in our catalog, those previous versions were immediately marked expired when a new update is released. When an update is marked as expired, it can't be deployed in Configuration Manager. The immediate expiring of updates could cause issues where customers don't have enough time to fully deploy updates through all testing cycles for products where new updates are released frequently.

    When using our publishing service, you can delay expiring previous versions of updates for up to 30 days to accommodate for this scenario.

    Delay Expiring Updates

    What's the Supersedence Model Look Like?

    By moving to a supersedence model, you will have complete control over how long you want to keep previous versions available for deployment that have been superseded.

    You can control whether you want superseded updates to be immediately expired or delay expiring superseded updates for a certain number of months using the Supersedence Rules option on your software update point. In the example below, configuration manager won't expire superseded updates until they have been superseded for 1 month.

    Supersedence Rules SCCM

    In today's catalog update in our lab, we can see the previous versions of applications are superseded and not expired. This change will allow the superseded application updates to continue being deployed for an additional month in our configuration.

    Superseded Updates After Publishing New Updates

    If you are not expiring superseded updates immediately and using automatic deployment rules, you will want to ensure that you exclude superseded updates in your criteria to ensure your ADRs only deploy the latest updates.

    ADR Exclude Superseded Third-Party Updates

    #20
    Please see the Local Content Repository Post for the most up to date version of this post!

    To support products that require a login portal to download the latest update, we have created a feature to allow you to define a folder that we will automatically search when a product is enabled that requires a manual download.


    There are currently no products that require this manual download, but we expect that licensing changes to Java Runtime Environment will require a manual download in early 2019.

    If there is a product that requires a manual download and the file doesn't exist in the defined "Local Content Path", you will be notified in the log file and, if email notifications are enabled, you will receive the following email letting you know the name of the file you need to manually download.

    PatchMyPC Email Notification when Content Not Downloaded