Messages - louish

Hi All, Our weekly ADR for all third-party patching ran over the weekend. In the deployment, among other apps, was a Node.js update and it looks to have broken parts of Production. My question here is in regards to rollback. I updated the deployment rule to exclude Node.js in SUG creation. However, the Node.js update kept re-installing itself after we would revert it. I realized that the Node.js updates still had membership to the SUGs generated by the ADR. I've edited the membership for all Node.js updates from PatchMyPC and removed membership by right-clicking on the software > Edit Membership > unchecked the SUGs that they were a part of.

Is this sufficient to stop the updates from installing again on the systems, or is there more that I should be doing to stop the Node.js updates from installing again?



Hi Cody, I have been meaning to get back to you. Looks like all is working now. Thanks for all of your help. I had to manually import the certificate on my end. However, my client seems to be the outlier in this equation. All other machines that I have tested with have the correct policy settings and registry entry, and are updating just fine. Thanks again for all of your help.

I've republished content and still seem to be getting the error 0x800b0109 regarding the certificate. I've looked at the updatesdeployment.log and cannot find any reference or entry to the certificate being handed out to the clients. I also do not see the certificate in the Trusted Root and Trusted Publishers folders. I have installed the certificate and placed them in both areas but have not had success. I have attached a few logs.

Additionally look at this - - Does this registry edit need to be made as well on top of everything else?
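
The client-side checks discussed in this post (certificate in Trusted Root and Trusted Publishers, plus the policy registry value), as an added example that is not part of the original thread. Error 0x800B0109 is CERT_E_UNTRUSTEDROOT; the thumbprint argument is a placeholder for your own WSUS signing certificate, and the function name is hypothetical.

```powershell
# Added example, not from the thread. Run elevated on the client being tested.
# -Thumbprint is a placeholder for your own WSUS signing certificate's thumbprint.
function Test-WsusSigningCertTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Look for the certificate in the two machine stores the posts mention.
    $inStore = @{}
    foreach ($store in 'TrustedPublisher', 'Root') {
        $inStore[$store] = Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    }
    $cert = if ($inStore['TrustedPublisher']) { $inStore['TrustedPublisher'] } else { $inStore['Root'] }

    # Group Policy "Allow signed updates from an intranet Microsoft update
    # service location" is stored as this value (1 = enabled).
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $accept = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    $selfSigned = $null; $codeSigning = $null; $chainBuilds = $null; $expires = $null
    if ($cert) {
        $selfSigned = $cert.Subject -eq $cert.Issuer
        $expires    = $cert.NotAfter
        # Code Signing EKU is OID 1.3.6.1.5.5.7.3.3
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $codeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
        # Build the chain locally (no revocation lookup) to see whether it ends in a trusted root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainBuilds = $chain.Build($cert)
    }

    [pscustomobject]@{
        InTrustedPublishers         = [bool]$inStore['TrustedPublisher']
        InTrustedRoot               = [bool]$inStore['Root']
        SelfSigned                  = $selfSigned
        HasCodeSigningEku           = $codeSigning
        ChainBuildsToTrustedRoot    = $chainBuilds
        NotAfter                    = $expires
        AcceptTrustedPublisherCerts = $accept
    }
}

Test-WsusSigningCertTrust -Thumbprint '<WSUS-SIGNING-CERT-THUMBPRINT>'
```

A self-signed signing certificate has to be present in both stores; a CA-issued one needs to be in Trusted Publishers with a chain that ends in a root the client already trusts.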

Hi Cody, Thanks for getting back to me. I ran the resultant client settings check on my PC that I am testing with. I was able to confirm that Third Party Updates is enabled. I have also made sure that my client version supports SCCM 1906. (I had read in a previous PatchMyPC post on Reddit that this could cause issues too if the client is not new enough.)

I've right-clicked on all the applications and toggled "Republish Updates for these products during the next sync schedule".

Just waiting for all the content to finish republishing.

Are you able to speak to how the code-signing certificate is pushed to the client machines?



Alright, so I was able to create a new template for Code-Signing per the YouTube video mentioned earlier. I've enrolled and exported, and imported it via the PatchMyPC Publishing service.

I ran a software synchronization, and saw that the new certificate was found in the wsyncmgr log. Additionally I see that the new cert is showing under the third party updates tab on the SUP role configuration page within SCCM.

The client policies are configured to allow third party updates.

I've run all actions on my test client, and have cleared cache and restarted. So far it looks like updates are still failing. Looking at the certificate store on the PC I am testing with, by running CertLM to load the snap-in console, I do not see this new code-signing cert in the Trusted Root or the Trusted Publishers.

Does the content need to be republished since the cert was replaced in order for the new cert to be pushed to the clients? Are there any logs that can help from here?

Thanks for all your help!

Furthermore - Confirming my final comment in my last post. I watched a wonderfully insightful and helpful video from Justin regarding the cert setup for PatchMyPC. It is clear to me now that we are using a self-signed cert and need to get a code-signing cert issued from our CA. I will work this from my end and update.


Is your software update point remote from your Site Server? If so, there are additional steps needed in order to have the WSUS Signing certificate get transferred from your SUP / WSUS to your Site Server.

If your Site Server does not have the certificate, it will not be able to transfer it down to the clients and you will see the certificate chain errors as you've seen.

If you go to the location shown in the attached photo, do you see the certificate details populated?

Hey Cody, The SUP role is running on our primary/only site server. Yes, the cert does look to be present in ConfigMgr under the SUP role's configuration. I've made sure that our client policy is also enabled to allow Third Party Updates.

Additionally, in hindsight I am not certain that this is the right certificate. I was not involved in the certificate creation process since this project was partially started by the time it was created. So it could have been done incorrectly.

Thanks for everyone's help. I am getting much closer to getting this off the ground.

I created a deployment package and all the content looks to have been placed there and looks to be distributed to our DPs.

Currently, as of right now, updates are being presented in Software Center but look to either be timing out or getting the failure code 0x800B0109 (-2146762487), which looks to be an issue with the certificate. I have made sure that the SUP is configured to allow 3rd party updates. I have also made sure that the client policy is set to allow Third Party Updates as well. Not sure what could be the hiccup. Looking at the Certificates MMC snap-in console on my PC, I am not seeing the certificate. Should this be showing in the certificate snap-in?

The wsyncmgr log is not showing any errors. The certificate in the PatchMyPC tool looks to be good. Not sure how long it takes for the clients to pull updated policy.

One other unusual thing is the ADR I created is failing to run. Ruleengine.log is spitting out errors; however, it's not clear to me from their output what the exact issue is.

The fact that updates are now showing in Software Center is a great start and I think I am pretty close to getting this off the ground.

Thanks for all the help. I guess here my blocker is identifying the creation of the Deployment Package. When creating the ADR and creating a new Deployment Package, am I pointing the package source to the "WSUS Content" folder?

First and foremost I want to say thanks to Justin and Wes. I have received great support from both of them last week and they were quick and very knowledgeable.

I am taking over my company's 3rd party patch management as we are moving away from a vendor and handling it in house. My company has purchased PatchMyPC and has mostly set it up.

I've re-run the publisher tool as I went through the documentation on setting it up just so I can get the hang of it. I've had the publisher service connect and view our site's database and have selected all applications we are currently using and set up the custom options for each/all applications we are wanting PatchMyPC to update for us. I then ran the publisher sync service.

I've created a device collection within SCCM and have placed 2 PCs in there to test with. Both are running outdated versions of Firefox and Chrome that were installed manually.

I then created an ADR and pointed it to the test collection I created earlier. I specified the ADR to pull any and all updates from the Vendor "PatchMyPC" and then told it there is no deployment package since these updates are stored within WSUS (not sure if this is the right way to do this), and then proceeded to finish building out the ADR.

I've made sure that the client settings are configured to allow third party software updates as well as made sure that the SUP is configured to allow 3rd party updates. I have unsubscribed from the PatchMyPC Third Party Software Catalog. I've synchronized the software update catalog, and ran all site actions under the configmgr client as well as cleared the cache and I am still not seeing any of the updates show up in Software Center.

Any insight as to what I am missing would be greatly appreciated.

Thanks again for the help. I will be sure to follow this documentation and go from there.

Alright, I un-subscribed and have re-run the publisher. However, since the updates were pulled as meta already, it looks like it will not publish full content to SCCM. Looks like I may need to purge these updates from WSUS?

Hey Mitchel, Thanks for pointing that out. We do in fact have a subscription to the Patch My PC Catalog under Third-Party Software Update Catalogs. Once I unsubscribe should I re-run the publisher sync service?



Hi all, I am taking over a PatchMyPC implementation with our SCCM 1806 environment. Going through the tutorials it looks like it was already configured mostly correctly. I am more or less just needing to build out the device collections, SUGs, and the ADRs. However, one thing that is stopping me is that even though we are using the publishing service, the updates are showing as metadata only even though the publisher is configured to download meta and full content.

Seeing no errors in the wsyncmgr.log or the patchmypc.log. Additionally 3rd party updates have been enabled on the SUP and the Patch My PC product has been enabled.

Any help on this would be greatly appreciated.


