Manual vs ADR download and client installation

Started by ThoDah, June 20, 2019, 02:54:19 AM

ThoDah

I've tried searching the forum, but I've not found any hint resembling what I'm experiencing.
I've successfully subscribed to the "Patch my PC catalog", and used the publishing wizard to publish a number of updates with full content.
Now, if I set up an ADR, download fails with a certificate error.
If I manually download, the content successfully downloads, though installation fails on the clients I try to distribute them to.

During the install I switched from a self-signed WSUS signing certificate to an internal PKI-issued one, but when I look at the content manually downloaded to the package, I see it is still using the self-signed one. Both signing certificates are present in Trusted Root/Publishers on clients, SUP/WSUS and Primary.

Need some help here  :(

Justin Chalfant (Patch My PC)

Quote from: ThoDah on June 20, 2019, 02:54:19 AM
Now, if I set up an ADR, download fails with a certificate error.

Please send the patchdownloader.log. Collecting Log Files for Support - https://patchmypc.com/faq-scup-catalog#log-files

You probably didn't deploy the WSUS signing certificate to the site server, causing the ADR not to trust the update download.

ThoDah

Well, you're right: the self-signed WSUS certificate I initially used wasn't in my site server's certificate store, and putting it there helped the ADR to run, but why is it still using the self-signed certificate?
I changed the signing certificate to a PKI-issued one.

Justin Chalfant (Patch My PC)

That would be because these are updates that were published in the past.

You could republish the updates.

When, Why, and How to Republish Update(s) - https://patchmypc.com/faq-scup-catalog#republishing-updates


ThoDah

So that fixed the certificate issue  :)
Unfortunately, all computers I've tried to deploy to return 0x87D00651 (-2016410031) (Post install scan failed)

Justin Chalfant (Patch My PC)


ThoDah

Yes, I will send them tomorrow, when I'm back at the office.

ThoDah

Hi again

So, sorted out most of the issues, but I'm still unable to actually install the updates on clients; they return 0x800B0109 (-2146762487), which I know is a certificate chain error.
As previously stated, I'm using a signing certificate from my own PKI, and have added that certificate to Trusted Publishers and Trusted Root (even though that shouldn't be necessary as the PKI root certificate is already in here). What other certificates does it need?

Justin Chalfant (Patch My PC)

Did you enable the GPO to allow third-party updates? https://patchmypc.com/scupcatalog/documentation/PublishingServiceSetupGuide.pdf

Quote from: ThoDah on July 22, 2019, 04:26:42 AM
Hi again

So, sorted out most of the issues, but I'm still unable to actually install the updates on clients; they return 0x800B0109 (-2146762487), which I know is a certificate chain error.
As previously stated, I'm using a signing certificate from my own PKI, and have added that certificate to Trusted Publishers and Trusted Root (even though that shouldn't be necessary as the PKI root certificate is already in here). What other certificates does it need?

ThoDah

Well, no ??? I'm on SCCM 1806 and have enabled third-party updates through client settings; I thought that was enough? I do however have a remote HTTPS SUP, so I might need the GPO?

Justin Chalfant (Patch My PC)

Yeah, if the SUP is remote it would need to be in HTTPS to manage the cert. More details here: https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates#additional-requirements-when-the-sup-is-remote-from-the-top-level-site-server

I assume the certificate details are missing in the third-party updates tab on the SUP. You can use GPO as a workaround to having SCCM manage the cert.
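
The checks discussed in this thread can be run on an affected client with the PowerShell below. It is an added example, not part of the original posts and not Patch My PC or Microsoft code. The function name and the `.cab` path are hypothetical; `AcceptTrustedPublisherCerts` is the registry value set by the "Allow signed updates from an intranet Microsoft update service location" policy.

```powershell
# Added example (not from the thread). Run elevated on an affected client.
function Test-WsusSigningTrust {
    param(
        # Placeholder: a published update .cab copied from the WSUS content share
        [Parameter(Mandatory)][string]$ContentPath
    )

    # Which certificate actually signed this content? Updates published before a
    # signing-certificate change keep the old signature until they are republished.
    $sig    = Get-AuthenticodeSignature -FilePath $ContentPath
    $signer = $sig.SignerCertificate
    if (-not $signer) { throw "No Authenticode signature on $ContentPath ($($sig.Status))" }

    # Is that exact certificate in the machine stores mentioned in the thread?
    $inStore = @{}
    foreach ($store in 'TrustedPublisher', 'Root') {
        $inStore[$store] = [bool](Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object Thumbprint -eq $signer.Thumbprint)
    }

    # Does the chain build in machine context (the update agent runs as SYSTEM)?
    # Revocation checking is off so that only trust problems are reported.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($signer)

    # Policy value behind the third-party updates GPO.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $pol = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    [pscustomobject]@{
        SignerSubject               = $signer.Subject
        SignerThumbprint            = $signer.Thumbprint
        SelfSigned                  = ($signer.Subject -eq $signer.Issuer)
        SignatureStatus             = $sig.Status
        InTrustedPublisher          = $inStore['TrustedPublisher']
        InTrustedRoot               = $inStore['Root']
        ChainBuilds                 = $chainOk
        ChainErrors                 = ($chain.ChainStatus.Status -join ', ')
        AcceptTrustedPublisherCerts = $pol   # 1 = enabled, empty = not configured
    }
}

# Usage (path is a placeholder):
# Test-WsusSigningTrust -ContentPath 'C:\Temp\update.cab'
```

A `SelfSigned` value of `True` after moving to a PKI-issued signing certificate means the content was signed before the change and has not been republished.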