Messages

Perfect, Thanks for the help. One last question. I will need to create the code-signing certificate for the new SUP, correct? or should it still be generated for the primary site server?

That is wonderful news and eases my worries. Do I need to install the configman console as well on the SUP? and do I need to run a preview release or is the current public/prod release of the PatchMyPC  client good?

Hi all, I see here on your site https://patchmypc.com/wsus-signing-certificate-options-for-third-party-updates-in-configuration-manager that this is a feature supported. We've recently just rebuilt our WSUS and for reasons specific to our environment I've moved WSUS/SUP to a dedicated server and it is no longer co-located on our Primary Site Server.


From what I can tell this is not an issue but am wanting to know if there is anything special that I need to do with in the PatchMyPC application?  Currently the application is running on our primary site server and not the WSUS/SUP role server. Also we are not configured for WSUS SSL yet but plan to be soon.


best,

Louis

Hi all, I had to rebuild our SCCM/WSUS implementation this weekend and decided at the time to part ways with the original SUSDB. I marked all subscribed applications in the PatchMyPCConsole to be republished on the next sync and let it run it's course. Things seem to be working fine however, exclusively to 3rd party updates pretty much all reporting is marking as "non-compliant" with most machines reporting "not installed" for only about 5 out of the 11. The other applications marking as installed.  We have a new MS Update deployment as well that is running and reporting back more comforting and believable data so I know our WSUS is working.


Looking at the Updateshandler.log, CAS.log, and the accompanied PatchMyPC logs that are created for each application that is upgraded I  was not seeing the content's GUIDS being downloaded in the CAS/UpdatesHandler.log and furthermore I am not seeing a log file for any of the applications that are listed as "non-compliant"


Wsyncmgr.log and the patchmypc.log located on the primary site server don't appear to show any issues. Looking at the content of the applications in the SUG that are not installing shows that they are downloaded and deployed. I've looked at everywhere I could think albeit my mind is a bit frazzled from the weekend. Please let me know if you need any logs or if you have any suggestions. I have seen 2 other posts regarding this but neither seemed fully applicable to my situation.


Cheers!

HI all, were not seeing Oracle java, specifically Java 7 and 8 in our ADR previews as well as Wireshark. When looking at the deployment package we use for PatchMyPc i am not seeing it in their either. When I search our software updates within SCCM I am seeing updates for Oracle Java 7 and 8 and Wireshark from April of 2020 but that is it.


Are these not being published due to possible agreements/terms of the install or is there something else I should be looking for.


Additionally in our ADR previews were seeing Oracle java

Hi Cody, Yes, I have made sure that the content is downloaded, added to the appropriate Deployment package and that the deployment package has been distributed to the DPs

Hi all, my org has been using PatchMyPC since May and it has been performing really well. However this month I noticed an oddity. Our 3rd party application deployments are appearing to install most but not all updates thus causing our deployment compliancy data to report that non are compliant but are "in Progress" when looking at the data for each endpoint they all collectively seem to be stuck with Webex Teams Version 3.0.16605.0. When looking at one of the machines I see that the application is showing as available in software center and when attempting to install it just sits at Downloading.

I've made sure the application is downloaded to the deployment package. I've also gone in to the PatchMyPc configurator and set the webex teams installer to republish at next sync and forced a manual sync. I am testing to see if this has an impact.


Looking at the UpdatesDeployment.log I see that the download has started but nothing seems to happen.  My work machine that is in the same testing deployment got all the updates but about 95% of all other workstations seem to have this issue.

Hi All,  Our weekly ADR for all third-party patching ran over the weekend. In the deployment among other apps was a Node.JS update and it looks to have broken parts of Production. My question here is in regards to roll back. I updated the deployment rule to exclude Node.JS in SUG creation. However the Node.JS update kept re-installing itself after we would revert it. I relaized that the node.JS updates still had membership to the SUGs generated by the ADR. I've edited the membership for all Node.JS updates from PatchMyPC and removed  membership  by right clicking on the software>edit membership>un-checked the SUGS that they were apart of.

Is this sufficient enough to stop the updates from installing again on the systems or is there more that I should be doing to stop the node.js updates from installing again.


Thanks,

Louis.

Hi Cody, I have been meaning to get back out to you. Looks like all is working now. Thanks for all of your help. I had to manually import the certificate on my end. However, my client seems to be the outlier in this equation. All other machines that I have tested with have the correct policy settings, Registry entry, and are pupating just fine. Thanks again for all of your help.

I've republished content and still seem to be getting the error 0x800b0109 regarding the certificate. I've looked at the updatesdeployment.log and cannot find any reference or entry to the certificate being handed out to the clients. I also do not see the certificate in the Trusted Root and Trusted Publishers folders. I have installed the certificate and placed them in both areas but have not had success. I have attached a few logs.

Additionally look at this - https://patchmypc.com/third-party-updates-fail-to-install-with-error-0x800b0109-in-sccm - Does this registry edit need to be made as well on top of everything else?

Hi Cody, Thanks for getting back to me. I ran a the resultant client settings check on my PC that I am testing with. I was able to confirm that Third Party Updates is enabled. I have also made sure that my client version supports SCCM 1906.  ( I had read in a previous PatchMyPC post on reddit that this could cause issues too if the client is not new enough)

I've right clicked on all the applications and toggled "Republish Updates for these products during the next sync schedule"


Just waiting for all the content to finish republishing.

Are you able to speak to how the code-signing certificate is pushed to the client machines?



Thanks,

-Louis

Alright, so I was able to create a new template for Code-Signing per the youtube video mentioned earlier. I've enrolled and exported, and imported it via the PatchMyPc Publishing service.

I ran a software synchronization, and saw that the new certificate was found in the wsyncmgr log. Additionally I see that the new cert is showing under the third party updates tab on the SUP role configuration page within SCCM.

The client policies are configured to allow third party updates.

I've ran all actions on my test client, and have cleared cache and restarted. So far it looks like updates are still failing. looking at the certificate store on my PC I am testing with by running CertLM to load the snap in console I do not see this new code-signing cert  in the trusted root or the trusted publishers.

Does the content need to be republished since the cert was replaced in order for the new cert to be pushed to the clients? Are there any logs that can help from here?


Thanks for all your help!

Furthermore - Confirming my final comment in my last post. I watched a wonderfully insightful and helpful video from Justin regarding the cert setup for PatchMyPC.It is clear to me now that we are using a self-signed cert and need to get a code-signing cert issued from our CA. I will work this from my end and update

Progress!

Is your software update point remote from your Site Server? If so, there are additional steps needed in order to have the WSUS Signing certificate get transferred from your SUP / WSUS to your Site Server.

If your Site Server does not have the certificate, it will not be able to transfer it down to the clients and you will see the certificate chain errors as you've seen.

If you go to the location shown in the attached photo, do you see the certificate details populated?

Hey Cody, The SUP role is running on our primary/only site server. Yes the cert does look to be present in ConfigMgr under the SUP roles configuration. I've made sure that our client policy is also enabled to allow ThirdParty Updates.


Additionally, In hindsight I am not certain that this is the right certificate. I was not involved in the certificate creation process since this project was partially started by time it was created. So it could have been done incorrectly.

Thanks for everyone's help I am getting much closer to getting this off the ground.

I created a deployment package and all the content looks to have been placed there and looks to be distributed to our DP's.

Currently as of right now. Updates are being presented in Software center but look to either be timing out or getting the failure code 0x800B0109(-2146762487) which looks to be an in issue with the certificate. I have made sure that the SUP is configured to allow 3rd party updates.I have also made sure that the client policy is set to allow Third Party Updates as well not sure what could be the hiccup.  Looking at the Certificates MMC Snap-In Console on my PC I am not seeing the certificate? Should this be showing in the certificate snap-in?

Wsyncmgr log is not showing any errors. the Certificate in the PatchmyPC tool looks to be good.Not sure how long it takes for the clients to pull updated policy.

One other unusual thing is the ADR I created is failing to run. Ruleengine.log is spitting out errors however It's not clear to me in their output what the exact issue is.

The fact that updates are now showing in software center is a great start and I think i am pretty close to getting this off the ground.